Recently RSA NetWitness (NW) added the ability to report on the IMDB component of the platform. Based on some recent questions it seemed useful to create a few template rules and reports that could serve as a starter pack for reporting on IMDB data.

RSA IMDB reporting syntax

https://community.rsa.com/docs/DOC-64586

Included at the bottom is a rule and report pack that covers a few scenarios and should get you started reporting on the data you might want to see.

Some things that I have found out during this development:

  • In the alerts table, alert.host_summary is visible as an option, but alert.user_summary is not visible. You can add alert.user_summary manually to report on that data, and it works for me (10.6.2.2). A bug has been reported to get that fixed.
  • In the incidents table, the 'name' of the incident is not visible as a usable meta value. If you add 'name' manually, you can add the incident name to the report. A bug has been reported to get that fixed as well.

So you can create rules that provide data like this for alerts:

[screenshot: pastedImage_1.png, alert report example]

like this for incidents:

[screenshot: pastedImage_2.png, incident report example]

or pretty close to this:

[screenshot: pastedImage_3.png]

The rules in the included pack:

IMDB>

[screenshot: pastedImage_4.png, rule list]
