Saket Bajoria

VMware AppDefense and RSA NetWitness Integration

Blog post created by Saket Bajoria on Apr 13, 2018

VMware AppDefense is a data center endpoint security product that protects applications running in virtualized environments. AppDefense uses the context available from its position in the vSphere hypervisor to learn the intended state of each application, and then monitors the application for unauthorized deviations from that state. When AppDefense detects anomalies indicative of malicious activity, it can automatically remediate them using vSphere and NSX.


There are four main behaviors that AppDefense monitors:

  • Inbound Communications
  • Outbound Communications
  • Guest OS Integrity
  • Host Module Integrity


For more details please refer to this link:   




The RSA NetWitness Platform uses its Plugin Framework to connect to the AppDefense RESTful API and periodically query it for alarms. The alarms provide deep visibility into, and context for, malicious activity in the vSphere environment, and can be correlated with events collected from other data sources by the RSA NetWitness Platform. Combined with the visibility the platform already delivers for threat detection and response across logs, network and endpoints, in both private and public cloud environments, this simplifies securing the cloud.
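As an added example (not code from the original post, VMware or RSA), the following Python shows the two steps the paragraph describes: parsing alarms delivered as CEF lines, the format the "CEF" parser on RSA Live consumes, and correlating the outbound-communication alarms against network session metadata from another source. The CEF header and extension grammar is the public ArcSight CEF format; the vendor/product strings, signature IDs and extension keys in the sample alarms, the session records, and the `is_appdefense` rule are constructed for illustration and are not AppDefense's real field names or NetWitness's device.type logic.

```python
"""Added example: parse CEF alarm lines and correlate them with network sessions.

Illustration code, not code from the original post, VMware or RSA.
The CEF header/extension grammar is the public ArcSight CEF format. The
vendor/product strings, signature IDs and extension keys in SAMPLE_ALARMS,
and the records in SAMPLE_SESSIONS, are constructed and are assumptions,
not AppDefense's real field names.
"""
import re
from typing import Dict, List, Tuple

# The seven '|'-separated CEF header fields that precede the extension.
HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

# Constructed sample alarms (assumed field names; note the escaped '|' and '=').
SAMPLE_ALARMS = [
    "CEF:0|VMware|AppDefense|1.0|OUTBOUND_VIOLATION|Outbound connection \\| policy violation|7|"
    "rt=1523620800000 dvchost=web01 src=10.1.1.10 dst=203.0.113.7 dpt=4444 proto=TCP "
    "msg=Process /bin/sh opened a connection not in the allowed list",
    "CEF:0|VMware|AppDefense|1.0|GUEST_INTEGRITY|Guest OS integrity change|5|"
    "rt=1523620860000 dvchost=web01 fname=/etc/ld.so.preload msg=key\\=value pairs in path",
    "CEF:0|Acme|Firewall|3.2|FW_DENY|Denied|3|rt=1523620800000 src=10.9.9.9 dst=10.1.1.10 dpt=22",
]
# Constructed network session metadata (e.g. from packet capture) for the same period.
SAMPLE_SESSIONS = [
    {"time": 1523620801000, "src": "10.1.1.10", "dst": "203.0.113.7", "dpt": 4444, "bytes": 91234},
    {"time": 1523620700000, "src": "10.1.1.10", "dst": "198.51.100.2", "dpt": 443, "bytes": 5000},
]


def _split_header(text: str) -> List[str]:
    """Split on unescaped '|'; CEF escapes '|' as '\\|' and '\\' as '\\\\' in the header.
    Returns the 7 header fields plus the raw extension (not yet unescaped)."""
    parts: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(text):
        c = text[i]
        if c == "\\" and i + 1 < len(text):       # escape pair: keep the escaped char
            buf.append(text[i + 1])
            i += 2
            continue
        if c == "|":
            parts.append("".join(buf))
            buf = []
            if len(parts) == len(HEADER_FIELDS):  # everything after the 7th '|' is the extension
                parts.append(text[i + 1:])
                return parts
            i += 1
            continue
        buf.append(c)
        i += 1
    parts.append("".join(buf))
    return parts


# key=value pairs; a value runs until the next ' key=' token. '\=' and '\\' are escape pairs.
_EXT_RE = re.compile(r"(\w+)=((?:\\.|[^\\=])*?)(?=\s+\w+=|\s*$)")


def _unescape_value(raw: str) -> str:
    """Undo CEF extension escaping: '\\=' -> '=', '\\\\' -> '\\', '\\n' and '\\r' -> control chars."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), raw)


def _parse_extension(ext: str) -> Dict[str, str]:
    """Parse the CEF extension into a dict of unescaped values."""
    return {key: _unescape_value(raw) for key, raw in _EXT_RE.findall(ext)}


def parse_cef(line: str) -> Dict[str, object]:
    """Parse one CEF line into header fields plus an 'ext' dict; raises on malformed input."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    parts = _split_header(line[len("CEF:"):])
    if len(parts) != len(HEADER_FIELDS) + 1:
        raise ValueError("CEF header must have 7 '|'-separated fields followed by the extension")
    event: Dict[str, object] = dict(zip(HEADER_FIELDS, parts[:-1]))
    event["ext"] = _parse_extension(parts[-1])
    return event


def is_appdefense(event: Dict[str, object]) -> bool:
    """Assumption: identify AppDefense alarms by the header vendor/product strings
    (the NetWitness CEF parser applies its own rules when it sets device.type)."""
    return event["device_vendor"] == "VMware" and event["device_product"] == "AppDefense"


def correlate_outbound(events: List[Dict[str, object]], sessions: List[dict],
                       window_ms: int = 60_000) -> List[Tuple[str, str, int, int]]:
    """For each AppDefense outbound-communication alarm, find network sessions with the
    same src/dst/dpt within window_ms of the alarm time (CEF 'rt' is epoch milliseconds).
    Returns (alarm host, destination, port, bytes transferred) tuples."""
    hits = []
    for e in events:
        if not is_appdefense(e) or e["signature_id"] != "OUTBOUND_VIOLATION":
            continue
        ext = e["ext"]
        alarm_time = int(ext["rt"])
        for s in sessions:
            if (s["src"] == ext.get("src") and s["dst"] == ext.get("dst")
                    and str(s["dpt"]) == ext.get("dpt")
                    and abs(s["time"] - alarm_time) <= window_ms):
                hits.append((ext["dvchost"], s["dst"], s["dpt"], s["bytes"]))
    return hits


if __name__ == "__main__":
    events = [parse_cef(line) for line in SAMPLE_ALARMS]
    for hit in correlate_outbound(events, SAMPLE_SESSIONS):
        print("alarm on %s confirmed by session to %s:%d (%d bytes)" % hit)
```

The header splitter and extension regex honour CEF's escaping rules, so a pipe inside an alarm name or an `=` inside a message does not shift the fields; a product parser that ignores those escapes will mis-attribute alarms. The correlation uses the alarm's own `rt` timestamp and a time window rather than matching on tuple alone, which keeps an old session to the same destination from being counted as confirmation of a new alarm.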


Downloads and Documentation:


Configuration Guide: VMware AppDefense 

Collector Package on RSA Live:  "VMware AppDefense"

Parser on RSA Live: "CEF" (device.type=vmwareappdefense)