Step 5 (optional). Importing a preconfigured report to RSA NetWitness

This section explains how to import a preconfigured report to RSA NetWitness. To learn how to create a report manually, see section "Creating and viewing reports in RSA NetWitness".

This step requires importing Feed Service rules (Step 4). For more information, see Integration steps.

The distribution kit contains the CyberTrace_Reports.zip file. This file contains a preconfigured report, CyberTrace Report.

The CyberTrace Report report contains the following data:

You can import this file in the same way that you import the CyberTrace_Rules.zip file (which contains rules). After the report is imported, you must specify the data source.

To specify the data source for the "CyberTrace Report" report:

  1. On the RSA NetWitness menu, select Dashboard > Reports. (In RSA NetWitness 11, select Monitor > Reports.)

    The Manage tab is displayed.

  2. Click Reports.

    The Reports view is displayed.

  3. In the Reports view, in the Actions column, for the CyberTrace Report report, click the Settings split button and then select Schedule Report.

    The Schedule Report form appears.

  4. In the Schedule Report form, specify the following data:
    • Schedule name
    • Data source (database from the NetWitness DB drop-down list)

      Select either the Concentrator that receives events from Feed Service or the Log Decoder that stores events from Feed Service.

  5. Click the Schedule button.