
RSA NetWitness Platform

10 Posts authored by: Saket Bajoria Employee

RSA SecurID Access (Cloud Authentication Service) is an access and authentication platform with a hybrid on-premise and cloud-based service architecture. The Cloud Authentication Service helps secure access to SaaS and on-premise web applications for users, with a variety of authentication methods that provide multi-factor identity assurance. The Cloud Authentication Service can also accept authentication requests from a third-party SSO solution or web application that has been configured to use RSA SecurID Access as the identity provider (IdP) for authentication.

 

For more details:

RSA SecurID Access Overview 

Cloud Authentication Service Overview 


The RSA NetWitness Platform uses the Plugin Framework to connect with the RSA SecurID Access (Cloud Authentication Service) RESTful API and periodically query for admin activity. This provides visibility into all administrative activities, such as policy, cluster, user, RADIUS server and various other configuration changes.

 

Here is a detailed list of all the administrative activity that can be monitored via this integration:

Administration Log Messages for the Cloud Authentication Service 

 

Downloads and Documentation:

 

Configuration Guide: RSA SecurID Access Event Source Configuration Guide

(Note: This is only supported on RSA NetWitness 10.6.6 currently. It will also be included in 11.2, which is coming soon.)

Collector Package on RSA Live:  "RSA SecurID"

Parser on RSA Live: "CEF". (device.type=rsasecuridaccess) 

Amazon GuardDuty is a managed threat detection service that continuously monitors for malicious or unauthorized behavior to help you protect your AWS accounts and workloads. The service analyzes Amazon CloudTrail, AWS VPC Flow Log data and other services to look for issues such as inbound port scans, possible backdoor access to your systems, unauthorized use of your account, and many other potential problems. GuardDuty can be used to monitor a group of AWS accounts and have their findings routed to another AWS account—the master account—that is owned by a security team. GuardDuty then generates findings tailored to the activity in your accounts.

 

GuardDuty is a regional service. So, when GuardDuty is enabled for a particular AWS Region, findings are generated and delivered for that region only. Each region needs to be configured individually.


The RSA NetWitness Plugin framework uses the AWS Python SDK to access the GuardDuty logs.

 

This plugin supports the different finding types alerted by GuardDuty; all types are explained here:
https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types.html

The following are Amazon GuardDuty limits per AWS account per region:
https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_limits.html
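As an added example (not the plugin's own code, which this post does not show), the two points above in working form with the AWS Python SDK: GuardDuty is polled one region at a time, and each finding is rendered as a CEF line for a CEF parser. The vendor/product strings, the extension field mapping and the 50-id page size are this example's assumptions; the finding used in the usage line is constructed.

```python
"""Poll GuardDuty region by region with boto3 and emit findings as CEF lines."""


def default_client(region):
    import boto3  # imported lazily so the pure functions below run without the SDK installed
    return boto3.client("guardduty", region_name=region)


def findings_since(client, since_ms):
    """Findings updated at or after since_ms (epoch milliseconds) for every detector
    in the region behind `client`. GetFindings accepts at most 50 ids per call."""
    found = []
    for detector in client.list_detectors().get("DetectorIds", []):
        criteria = {"Criterion": {"updatedAt": {"Gte": since_ms}}}
        ids = client.list_findings(DetectorId=detector, FindingCriteria=criteria).get("FindingIds", [])
        for i in range(0, len(ids), 50):
            resp = client.get_findings(DetectorId=detector, FindingIds=ids[i:i + 50])
            found.extend(resp.get("Findings", []))
    return found


def _hdr(value):
    """CEF header fields escape backslash and pipe."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _ext(value):
    """CEF extension values escape backslash, equals sign and newlines."""
    return str(value).replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")


def finding_to_cef(f):
    """CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|Extension.
    GuardDuty severities run 0.1 to 8.9, which round into the CEF 0-10 range."""
    sev = min(10, max(0, int(round(float(f.get("Severity", 0))))))
    ext = [("externalId", f.get("Id")), ("cat", f.get("Type")), ("rt", f.get("UpdatedAt")),
           ("cs1", f.get("Region")), ("cs1Label", "awsRegion"),
           ("cs2", f.get("AccountId")), ("cs2Label", "awsAccountId"),
           ("cnt", f.get("Service", {}).get("Count"))]  # assumed mapping, not RSA's
    ext_str = " ".join("%s=%s" % (k, _ext(v)) for k, v in ext if v is not None)
    return "CEF:0|Amazon|GuardDuty|%s|%s|%s|%d|%s" % (
        _hdr(f.get("SchemaVersion", "")), _hdr(f.get("Type", "")), _hdr(f.get("Title", "")),
        sev, ext_str)


def poll_all_regions(regions, since_ms, client_factory=default_client):
    """GuardDuty is regional, so each enabled region is queried on its own."""
    return [finding_to_cef(f) for region in regions
            for f in findings_since(client_factory(region), since_ms)]


if __name__ == "__main__":
    # Constructed finding, not a real GuardDuty record.
    sample = {"Id": "f-1", "Type": "Recon:EC2/PortProbeUnprotectedPort", "Severity": 5.0,
              "Title": "Unprotected port probed", "Region": "us-east-1", "AccountId": "123456789012",
              "UpdatedAt": "2018-06-01T10:00:00Z", "SchemaVersion": "2.0"}
    print(finding_to_cef(sample))
```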

 

RSA NetWitness can already collect native CloudTrail logs; this GuardDuty integration extends that visibility with Amazon's threat detection, which monitors not only CloudTrail logs but also AWS VPC Flow Logs. Combined with the complete visibility that the RSA NetWitness Platform delivers for threat detection and response across logs, network, and endpoints for both private and public cloud environments – securing the cloud is simplified.

 

Downloads and Documentation:

 

Configuration Guide: Amazon GuardDuty 

Collector Package on RSA Live: "Amazon GuardDuty"

Parser on RSA Live: CEF (device.type="amazonguardduty")

Dropbox is a file hosting service that offers cloud storage, file synchronization and personal cloud services. Dropbox lets its users access files and folders at any time from desktop, web and mobile clients, or even through applications connected to Dropbox. This presents a huge challenge for enterprises that need to closely monitor daily activity and look for malicious file activity, exfiltration of data, unauthorized file access, sharing, etc.

 


 

The RSA NetWitness Plugin Framework can be used to connect to Dropbox via API v2 to collect all user activity. Here are some of the common scenarios that can be monitored using this integration:

 

  • Monitoring Sharing Policy.  Statistics around number of shares, number of shares with users outside of the organization (as indicated by the corresponding flag on the event in the sharing category), domains being shared with, etc.
  • Aggregate information on content being added & deleted (file operations category), and logins (login category). Reporting bursts of file deletes/renames, large number of attempted/failed logins, etc.
  • App linkages & behaviors around apps (apps are noted as an actor in actions they perform)

 

For more details on what can be collected please refer to this link: https://www.dropbox.com/developers/documentation/http/teams#team_log-get_events

 

Here are some of the use-cases that can be built on NetWitness Platform:

 

Reports/Dashboards:

1. Content Sharing Activity (Internal vs External)

2. Login Activity from various localities

3. Top 10 Files Uploaded/Downloaded

4. Third-Party App activity.

5. Summary of File activity per user

6. Top User Activities

 

Alerts:

1. Login from suspicious Locality 

2. Rapid Renames of Files 

3. Sharing of file with more than the allowed number of users

4. External Sharing of Business sensitive files
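The detection logic behind the "Rapid Renames of Files" alert and the burst-of-deletes scenario listed earlier, as an added example that is not part of the original post or of RSA's collector: a per-actor sliding window over events in the shape returned by /2/team_log/get_events. SAMPLE_EVENTS is constructed (only the fields the code reads), and the 10-events-per-60-seconds threshold is an assumption.

```python
"""Sliding-window burst detection over Dropbox team_log events."""
from collections import defaultdict, deque
from datetime import datetime


def _event(ts, category, etype, email):
    return {"timestamp": ts,
            "event_category": {".tag": category},
            "event_type": {".tag": etype},
            "actor": {".tag": "user", "user": {".tag": "team_member", "email": email}}}


# Constructed sample: 20 renames in 40 seconds by one user, then a single delete by another.
SAMPLE_EVENTS = (
    [_event("2018-05-01T09:00:%02dZ" % s, "file_operations", "file_rename", "alice@example.com")
     for s in range(0, 40, 2)]
    + [_event("2018-05-01T09:05:00Z", "file_operations", "file_delete", "bob@example.com")]
)


def actor_email(event):
    """Dropbox records apps and admins as actors too; fall back to the actor kind."""
    actor = event.get("actor", {})
    if actor.get(".tag") == "user":
        return actor["user"].get("email", "unknown")
    return actor.get(".tag", "unknown")


def find_bursts(events, types=("file_rename", "file_delete"), window_s=60, threshold=10):
    """Return (email, event_type, count) once per actor that performed at least
    `threshold` events of one type inside any `window_s`-second window."""
    recent = defaultdict(deque)
    fired, alerts = set(), []
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        etype = ev["event_type"][".tag"]
        if etype not in types:
            continue
        key = (actor_email(ev), etype)
        ts = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        window = recent[key]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_s:
            window.popleft()  # drop events that fell out of the window
        if len(window) >= threshold and key not in fired:
            fired.add(key)
            alerts.append((key[0], key[1], len(window)))
    return alerts


if __name__ == "__main__":
    print(find_bursts(SAMPLE_EVENTS))
```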

 

Combined with the complete visibility that the RSA NetWitness Platform delivers for threat detection and response across logs, network, and endpoints for both private and public cloud environments – securing the cloud is simplified.

 

Downloads and Documentation:

 

Configuration Guide: Dropbox 

Collector Package on RSA Live: "Dropbox"

Parser on RSA Live: CEF (device.type="dropbox")

VMware AppDefense is a data center endpoint security product that protects applications running in virtualized environments. AppDefense leverages the unique context provided by its position in the vSphere hypervisor to understand what applications are supposed to look like, and then monitors the applications for unauthorized changes to their intended state. When AppDefense detects anomalies representative of malicious activity, it can automatically remediate them using vSphere and NSX. 

 

There are four main behaviors that AppDefense monitors:

  • Inbound Communications
  • Outbound Communications
  • Guest OS Integrity
  • Host Module Integrity

 

For more details please refer to this link: https://www.vmware.com/products/appdefense.html   


The RSA NetWitness Platform uses the Plugin Framework to connect with the AppDefense RESTful API and periodically query for alarms. The alarms provide deep visibility and context on malicious activity in the vSphere environment, which can be correlated with events collected from multiple data sources via the RSA NetWitness Platform. Combined with the complete visibility that the RSA NetWitness Platform delivers for threat detection and response across logs, network, and endpoints for both private and public cloud environments – securing the cloud is simplified.

 

Downloads and Documentation:

 

Configuration Guide: VMware AppDefense 

Collector Package on RSA Live:  "VMware AppDefense"

Parser on RSA Live: "CEF". (device.type=vmwareappdefense) 

Microsoft Azure Network Security Group Flow Logs are a feature of Azure Network Watcher that provide information about ingress and egress IP traffic through a configured Network Security Group. The NetWitness plugin built for Azure NSG can authenticate and pull flow logs from Azure storage in real time.

 

“While Virtual Network (VNET) is the cornerstone of the Azure networking model and provides isolation and protection, Network Security Group (NSG) is the main tool you need to use to enforce and control network traffic rules at the networking level. Customers can control access by permitting or denying communication between the workloads within a virtual network, from systems on customer’s networks via cross-premises connectivity, or direct Internet communication. In the diagram below, both VNETs and NSGs reside in a specific layer in the Azure overall security stack, where NSGs, UDR, and network virtual appliances can be used to create security boundaries to protect the application deployments in the protected network.”

 

What is a Network Security Group (NSG)?

https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg


How does it work?

These flow logs are written in JSON format and show outbound and inbound flows on a per rule basis.

 

Each flow record provides the following information:

  • the MAC address of the NIC the flow applies to,
  • the 5-tuple of the flow (source IP, destination IP, source port, destination port, protocol), and
  • whether the traffic was allowed or denied.

 

Flow logs are stored only within a storage account and follow the logging path as shown below:

https://{storageAccountName}.blob.core.windows.net/insights-logs-networksecuritygroupflowevent/resourceId%3D/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/microsoft.network/networksecuritygroups/{nsgName}/{year}/{month}/{day}/{hour}/m=00/{macAddress}/PT1H.json

 

Logs have a retention policy that can be set from 1 day to 365 days. If a retention policy is not set, the logs are retained forever.

RSA NetWitness uses a Shared Access Signature (SAS token) to authenticate and pull flow logs from Azure storage in real time.

Use Cases:

With the visibility into Network Flow traffic in the Azure framework, multiple use-cases can be built. For example: 

 

  1. See the overall statistics of allowed vs. denied traffic in your network and, based on what is normal, set up alerts if the ratio goes above or below a certain threshold.
  2. Summarize protocol usage in the environment and set alerts for abnormal protocol usage.
  3. Top destination addresses reached from your environment.
  4. Set alerts against blacklisted IP addresses.
  5. Set up rules based on IP ranges to determine inbound vs. outbound vs. lateral traffic, and then build a dashboard to see the pattern.
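An added example (not RSA's collector code) of what the plugin has to do with one PT1H.json blob before any of the use cases above can be built: walk the per-rule JSON structure, split each flow tuple, and derive the allowed/denied, protocol, direction and top-destination summaries. The blob is constructed to illustrate the format; the internal address range passed to classify() is the assumption that drives use case 5.

```python
"""Parse an Azure NSG flow log blob and build the use-case summaries from it."""
import ipaddress
import json
from collections import Counter

# Version 1 tuples are "unixtime,srcIp,dstIp,srcPort,dstPort,proto(T/U),dir(I/O),decision(A/D)";
# version 2 appends flow state and packet/byte counters, which the parser below ignores.
SAMPLE_BLOB = json.dumps({"records": [{
    "time": "2018-06-01T10:00:00.0000000Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "resourceId": "/SUBSCRIPTIONS/<sub-id>/RESOURCEGROUPS/RG1/PROVIDERS/"
                  "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WEB-NSG",
    "properties": {"Version": 1, "flows": [
        {"rule": "UserRule_allow-web", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1527847200,203.0.113.7,10.0.0.4,51422,443,T,I,A",
            "1527847201,10.0.0.4,10.0.1.9,44521,3389,T,O,A",
            "1527847202,10.0.0.4,198.51.100.20,50012,53,U,O,A"]}]},
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1527847203,203.0.113.9,10.0.0.4,60001,22,T,I,D",
            "1527847204,203.0.113.9,10.0.0.4,60002,23,T,I,D"]}]}]}}]})

PROTO = {"T": "TCP", "U": "UDP"}


def parse_flow_log(blob_text):
    """Yield one dict per flow tuple, tagged with the NSG, rule and NIC MAC it came from."""
    for record in json.loads(blob_text)["records"]:
        nsg = record["resourceId"].rsplit("/", 1)[-1]
        for rule in record["properties"]["flows"]:
            for nic in rule["flows"]:
                for tup in nic["flowTuples"]:
                    ts, src, dst, sport, dport, proto, direction, decision = tup.split(",")[:8]
                    yield {"nsg": nsg, "rule": rule["rule"], "mac": nic["mac"], "ts": int(ts),
                           "src": src, "dst": dst, "sport": int(sport), "dport": int(dport),
                           "proto": PROTO.get(proto, proto), "nic_side": direction,
                           "allowed": decision == "A"}


def classify(flow, internal_ranges):
    """Use case 5: label a flow inbound/outbound/lateral from the address ranges you own.
    The tuple's own I/O flag only says which side of the NIC the packet hit."""
    nets = [ipaddress.ip_network(r) for r in internal_ranges]
    src_in = any(ipaddress.ip_address(flow["src"]) in n for n in nets)
    dst_in = any(ipaddress.ip_address(flow["dst"]) in n for n in nets)
    if src_in and dst_in:
        return "lateral"
    return "outbound" if src_in else "inbound"


def summarize(blob_text, internal_ranges):
    """Use cases 1 to 3 and 5 over one blob: decision, protocol, direction, top destinations."""
    flows = list(parse_flow_log(blob_text))
    for f in flows:
        f["direction"] = classify(f, internal_ranges)
    return {"decision": Counter("allowed" if f["allowed"] else "denied" for f in flows),
            "protocol": Counter(f["proto"] for f in flows),
            "direction": Counter(f["direction"] for f in flows),
            "top_dst": Counter(f["dst"] for f in flows
                               if f["allowed"] and f["direction"] == "outbound").most_common(3)}


def denied_ratio(summary):
    """Share of denied flows; compare it with your observed baseline for the use case 1 alert."""
    d = summary["decision"]
    total = d["allowed"] + d["denied"]
    return d["denied"] / total if total else 0.0


if __name__ == "__main__":
    s = summarize(SAMPLE_BLOB, ["10.0.0.0/8"])
    print(s, "denied ratio %.2f" % denied_ratio(s))
```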

 

Downloads and Documentation:

 

Configuration Guide: Microsoft Azure NSG Event Source Configuration Guide 

 

Collector Package on RSA Live: "MS Azure NSG Flow Logs"

 

Parser on RSA Live: CEF (device.type="msazurensg")

 

The Salesforce event monitoring product gathers information about an organization's Salesforce operational events. This information can be used to analyze usage trends and user behavior. Event monitoring allows querying fields on the EventLogFile object (such as Event Type and LogDate). The Event Type determines the schema of the log file contents. For more information, see EventLogFile Supported Event Types on the Salesforce Developers website.

 

RSA NetWitness uses the OAuth username-password flow to authenticate between a Connected App and the Salesforce API. Creating a read-only custom profile restricts the collection user to read-only access to the Salesforce API logs.

 

RSA provides steps to configure the Salesforce event source using either the Classic View or the Lightning Experience View.

 


This plugin supports all 45 Event Types provided by Salesforce, such as Login, LoginAs and Logout. All the types are explained here:

https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_eventlogfile_supportedeventtypes.htm

 

Also, the raw events in Salesforce expose only user IDs, not the actual usernames. Salesforce maintains a separate mapping of user ID to username. This integration polls the user ID to username mapping on a configurable time interval so that it can provide the actual username for every user ID given in the events.
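An added example (not RSA's collector code) of the three pieces this post describes: the token request for the username-password flow, a SOQL query for EventLogFile rows, and a user ID to username cache that re-polls on a configurable interval. TOKEN_URL is the standard Salesforce token endpoint; the fetch_users callback, the SAMPLE_LOG columns and the one-hour default interval are this example's assumptions.

```python
"""Salesforce EventLogFile collection: token request, SOQL, and user ID enrichment."""
import csv
import io
import time
import urllib.parse

TOKEN_URL = "https://login.salesforce.com/services/oauth2/token"  # sandboxes use test.salesforce.com


def token_request(client_id, client_secret, username, password, security_token):
    """Form body to POST to TOKEN_URL for the OAuth 2.0 username-password flow.
    Salesforce expects the user's security token appended to the password."""
    return urllib.parse.urlencode({
        "grant_type": "password", "client_id": client_id, "client_secret": client_secret,
        "username": username, "password": password + security_token})


def eventlog_query(event_type, log_date):
    """SOQL for the EventLogFile rows of one event type; LogFile is the path to the CSV body."""
    return ("SELECT Id,EventType,LogDate,LogFile FROM EventLogFile "
            "WHERE EventType='%s' AND LogDate=%s" % (event_type, log_date))


class UserDirectory:
    """Caches Id -> Username (e.g. from SELECT Id,Username FROM User) and re-polls
    the mapping once `interval_s` seconds have passed."""

    def __init__(self, fetch_users, interval_s=3600, clock=time.monotonic):
        self.fetch_users, self.interval_s, self.clock = fetch_users, interval_s, clock
        self.mapping, self.loaded_at = {}, None

    def username(self, user_id):
        if self.loaded_at is None or self.clock() - self.loaded_at > self.interval_s:
            self.mapping = dict(self.fetch_users())
            self.loaded_at = self.clock()
        return self.mapping.get(user_id, user_id)  # keep the raw ID when it is unknown


def enrich_log(csv_text, directory):
    """Add a resolved username to every EventLogFile CSV row."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        row["USER_NAME_RESOLVED"] = directory.username(row.get("USER_ID", ""))
    return rows


# Constructed Login-event LogFile contents with only the columns this example needs.
SAMPLE_LOG = ("EVENT_TYPE,TIMESTAMP,USER_ID,SOURCE_IP,LOGIN_STATUS\n"
              "Login,20180601100000.000,005000000000001AAA,203.0.113.5,LOGIN_NO_ERROR\n")

if __name__ == "__main__":
    directory = UserDirectory(lambda: [("005000000000001AAA", "alice@example.com")])
    for row in enrich_log(SAMPLE_LOG, directory):
        print(row["EVENT_TYPE"], row["USER_NAME_RESOLVED"], row["SOURCE_IP"])
```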

 

Configuration Guide: Salesforce Event Source Configuration Guide

Collector Package on RSA Live: "Salesforce Log Collector Configuration"

Parser on RSA Live: CEF (Parsed as device.type=salesforce)

Microsoft Office 365 is a Web-based version of Microsoft's Office suite of enterprise-grade productivity applications. Office 365 is delivered to users through the cloud and includes Exchange Online for email, SharePoint Online for collaboration, Lync Online for unified communications, and a suite of Office Web Apps (web-based versions of the traditional Microsoft Office suite of applications).

 


The Office 365 integration consumes activity logs using the Office 365 Management Activity API. The Office 365 Management Activity API aggregates actions and events into tenant-specific content blobs, which are classified by the type and source of the content they contain. Currently, the following content types are supported by this API:

 

  • Audit.AzureActiveDirectory
  • Audit.Exchange
  • Audit.SharePoint
  • Audit.General (includes all other workloads not included in the previous content types)
  • DLP.All (DLP events only for all workloads)

 

Please note that only the Common schema and the Exchange Mailbox schema are supported by default. All other schemas can be added manually as needed.

 

Configuration Guide: Microsoft Office 365 Event Source Configuration Guide

Collector Package on RSA Live: "MS Office 365 Log Collector Configuration"

Parser on RSA Live: CEF

The RSA Live Content team has published updates for 6 more Log Parsers that generate the largest number of “Unknown Message Defect” support cases. Earlier in October 2016 (see Log Parser Improvements), 15 parsers were published.

 

These enhancements are part of a strategic initiative to drive improvements to Log Parsers.

 

These improvements deliver:

  • Fewer Unknown Messages
  • Improved Device Discovery
  • Better Adaptability to newer versions of an Event Source
  • Reduced Parser Maintenance

 

To take advantage of these improvements you will need to download the latest versions of the parsers listed below from the Live Portal.

 
Event source (Log Parser) and improvements:

1. Fortinet FortiGate (Log Parser: fortinet)

This parser has been redesigned to parse all event IDs generated by the event source. We have made the parser future-proof to parse newer event IDs that may be introduced in newer versions of the product. It can also accommodate New/Unknown tags, which significantly reduces the number of unknown messages.

2. Microsoft Exchange Server (Log Parser: msexchange)

This parser can now identify all Microsoft Exchange events coming in via Windows Collection.

3. F5 Big-IP Application Security Manager (Log Parser: bigipasm)

This event source has a structured log format and uses tag=value format. It has been improved to accommodate New/Unknown tags, which significantly reduces the number of unknown messages.

4. Bit9 Security Platform (Log Parser: bit9)

This parser has been redesigned to parse all event IDs generated by the event source coming in via Syslog. We have made the parser future-proof to parse newer event IDs that may be introduced in newer versions of the product. This event source has a structured log format and uses tag=value format. The parser can also accommodate New/Unknown tags, which significantly reduces the number of unknown messages.

5. Cisco IronPort Email Security Appliance (Log Parser: ciscoiportesa)

This parser has been made future-proof to identify all events coming in via File Reader or Syslog.

6. Trend Micro Control Manager (Log Parser: trendmicro)

This parser has been redesigned to parse all event IDs generated by the event source. It has been made future-proof to parse newer event IDs that may be introduced in newer versions of the product. This event source has a structured log format and uses tag=value format. The parser can also accommodate New/Unknown tags, which significantly reduces the number of unknown messages.

 

The RSA Live Content team will be delivering similar improvements for more parsers over the next two quarters.

Log Parser Improvements

Posted by Saket Bajoria (Employee), Oct 12, 2016

The RSA Live Content team has published updates for 15 Log Parsers that generate the largest number of “Unknown Message Defect” support cases.

 

These enhancements are part of a strategic initiative to drive improvements to Log Parsers.

 

These improvements deliver:

  • Fewer Unknown Messages
  • Improved Device Discovery
  • Better Adaptability to newer versions of an Event Source
  • Reduced Parser Maintenance

 

To take advantage of these improvements you will need to download the latest versions of the parsers listed below from the Live Portal.

 
Event source (Log Parser) and improvements:

1. Microsoft Windows using Event Collection (Log Parser: winevent_nic)

This parser can now identify all Windows Security, System and Application log events. Note: Application channel events are parsed with the standard fields needed for basic analytics. Some applications are parsed in more detail for specific use-cases.

2. Microsoft Windows using Adiscon Event Reporter (Log Parser: winevent_er)

This parser can now identify all Windows Security, System and Application log events. Note: Application channel events are parsed with the standard fields needed for basic analytics. Some applications are parsed in more detail for specific use-cases.

3. Microsoft Windows using Intersect Alliance Snare (Log Parser: winevent_snare)

This parser can now identify all Windows Security, System and Application log events. Note: Application channel events are parsed with the standard fields needed for basic analytics. Some applications are parsed in more detail for specific use-cases.

4. FireEye Web Malware Protection System (Log Parser: fireeyewebmps)

This event source has a structured log format and uses tag=value format. It has been improved to accommodate New/Unknown tags, which significantly reduces the number of unknown messages.

5. McAfee Network Security Platform (Log Parser: intrushield)

Certain types of events generated by this event source have a structured log format and use tag=value format. The parser has been improved to accommodate New/Unknown tags, which significantly reduces the number of unknown messages.

6. Voltage Secure Data (Log Parser: voltagesecuredata)

This parser has been redesigned to parse all event IDs generated by the event source. It has been made future-proof to parse newer event IDs that may be introduced in newer versions of the product. It can also accommodate New/Unknown tags, which significantly reduces the number of unknown messages.

7. Cisco IronPort Web Security Appliance (WSA) (Log Parser: ciscoiportwsa)

This parser has been improved to parse all web methods for Squid and Apache log formats. It has also been improved to accommodate New/Unknown tags, which significantly reduces the number of unknown messages.

8. Cisco Adaptive Security Appliance (Log Parser: ciscoasa)

This parser can now support all event IDs from the event source. The log format is semi-structured and the event source registers a unique ID for each type of event. We do detailed parsing for most of the documented event IDs. The parser has been made future-proof to identify newer event IDs that may be introduced in newer versions of the product.

9. Cisco Identity Services Engine & Cisco Secure Access Control Server (Log Parser: ciscosecureacs)

This event source has a structured log format and uses tag=value format. It has been improved to accommodate New/Unknown tags, which significantly reduces the number of unknown messages.

10. Microsoft Internet Information Services (Log Parser: microsoftiis)

This event source has a structured log format and uses tag=value format. It has been improved to accommodate New/Unknown tags, which significantly reduces the number of unknown messages.

11. UnboundID Identity Data Store (Log Parser: unboundidids)

This event source has a structured log format and uses tag=value format. It has been improved to accommodate New/Unknown tags, which significantly reduces the number of unknown messages. It has also been made future-proof to parse new types of events that may be introduced in newer versions of the product.

12. IBM WebSphere (Log Parser: ibmwebsphere)

Certain types of events generated by this event source have a structured log format. The parser has been improved to identify and parse newer events of that log format.

13. IBM iSeries AS400 (Log Parser: iseries)

This event source has a structured log format and uses tag=value format. It has been improved to accommodate New/Unknown tags, which significantly reduces the number of unknown messages.

14. Blue Coat ProxySG SGOS (Log Parser: cacheflowelff)

This event source has two types of logs: web logs and audit logs. Web logs follow a structured log format and use tag=value format; the parser has been improved to accommodate New/Unknown tags, which significantly reduces the number of unknown messages. Audit logs have a semi-structured format and we do detailed parsing of most of the audit events; the parser has also been made future-proof to parse new types of audit events that may be introduced in newer versions of the product.

15. Juniper Networks SSL VPN (Log Parser: junipervpn)

This event source has a structured log format and uses tag=value format. It has been improved to accommodate New/Unknown tags, which significantly reduces the number of unknown messages.

 

The RSA Live Content team will be delivering similar improvements for more parsers over the next two quarters.

 

The RSA Content team is pleased to announce the addition of the following new features along with new and updated content to the RSA Live Content Library. 

 

Live Content Search Tags

A new set of Advanced Security Operations Center (ASOC) tags have been introduced in Live to provide an easier way to search for relevant content. These tags are used to organize Live content and to deliver an accurate path to information security incident response. The tags are found in the Tags field in the Live Search Criteria view. The objective of a tag is to catalog existing content for deployment according to an incident response approach. RSA LINK.

 

Traffic Flow Directionality

Decoders can now derive the directionality of traffic using the source and destination hosts referenced within a session. This information provides the context of whether a session was initiated from an internal host to an external host (outbound), from an external host to an internal host (inbound), or was between two internal hosts (lateral). RSA LINK.

 

Ransomware Indicators in Feeds

Ransomware continues to be a significant threat to our customers, so this is a very timely addition. Abuse.ch has added a ransomware tracker which tracks the following families of ransomware:

  • TeslaCrypt
  • CryptoWall
  • TorrentLocker
  • PadCrypt
  • Locky
  • CTB-Locker
  • FAKBEN
  • PayCrypt

 

We’ve added these indicators to the following feeds in LIVE:

 

1. Third Party IOC Domains

2. Third Party IOC IPs

 

Here is the link to the Blog Post.

 

10.6.1 Related Updates

 

Enhanced Log Parsing functionality

An enhancement has been made to the transfer of logs from the Log Collector to the Log Decoder which can minimize the chances of incorrect parsing. As part of the Log Collector configuration of certain types of event sources, such as File or ODBC, the Administrator can now specify the event source type, such as Apache or Oracle. The Log Collector now passes this information to the Log Decoder so that the Log Decoder can directly use the specified parser. No configuration changes are necessary, but new Log Collector content will need to be applied from Live in order to benefit from this enhancement.

 

Enhanced Content Deprecation

All the content on Live has been reviewed to see if there is any that is outdated and can be discontinued. Individual services can be scanned for discontinued content.  The discontinued resources are displayed in red on the UI. Refer to the Live Services Management guide for more details.

 

Here is a list of all Discontinued Content on Live. RSA LINK. 

 

Out of the Box Content Updates

 

RSA Security Analytics Content team has updated the following parsers and analytical content based on feedback from our customers and partners:

 

For a full breakdown please go to RSA LINK.

 

Analytical Content

Application Rules

1 New Rule has been added.

1 Rule has been updated.

 

Feeds

4 Feeds have been updated.

 

Security Analytics Rules

4 New Rules have been added.

2 Rules have been updated.

 

Security Analytics Reports

1 New Report has been added.

 

Parser Content

Packet Parsers

3 New Parsers have been added.

15 Parsers have been updated.

 

Log Parsers

45 Parsers have been updated.

 

Additional Information

The entire content library can be viewed here:

https://sadocs.emc.com/0_en-us/300_RSA_ContentAndResources

 

Content requests can be made here:

https://sadocs.emc.com/0_en-us/300_RSA_ContentAndResources/RSA_Content_Resources/40_Request_Portals

 

Regards,

The ASOC Content Team ( ASOC.Content@rsa.com )
