
Respond Config: Configure Threat Aware Authentication

Document created by RSA Information Design and Development Employee on Apr 11, 2019. Last modified by RSA Information Design and Development Employee on Nov 11, 2020.
Version 7

Note: The information in this topic applies to RSA NetWitness Platform Version 11.3 and later.

NetWitness Platform creates a list of suspicious users that have an incident created against them and sends it to RSA SecurID Access. The list contains the email IDs of the corresponding suspicious users associated with the incident. RSA SecurID Access maintains this high-risk users list and reduces the access levels or blocks such users using defined policies. When an incident is closed in RSA NetWitness Platform, the associated email IDs are automatically removed from the RSA SecurID high-risk user list.

By default, this feature is disabled on the NetWitness Server. You enable it by editing the yml file at /etc/netwitness/respond-server/respond-server.yml.

Enable Threat Aware Authentication

To enable this configuration:

  1. Create a yml file at /etc/netwitness/respond-server/respond-server.yml (or edit it if it already exists).
  2. Add the line rsa.respond.securid-integration.enabled: true
  3. Add the line rsa.security.pki.use-jvm-trust: true to enable the configuration.
  4. Save the yml file and restart the Respond Server service.

Note: Make sure you also perform the above configuration on the standby NW server if you have one. If the primary NW server fails and goes offline, this configuration allows the standby NW server to connect to RSA SecurID.

Obtain SecurID API Key

A super administrator must generate and download a SecurID API key, and connect to RSA SecurID Access.

To obtain the API key from RSA SecurID Access:

  1. Log in to the RSA SecurID Access Cloud Administration Console.

  2. Click Platform > API Key Management.

  3. Click ADD.
    The new key is displayed.

  4. Change the Administrator role to Super Administrator.

  5. Click Save and Download to download and save the API key file.

For more information about generating API keys and other related details, see "Manage the Cloud Administration API Keys" at https://community.rsa.com/docs/DOC-94440 and the "Determining Access Requirements for High-Risk Users in the Cloud Authentication Service" topic at https://community.rsa.com/docs/DOC-90586.

Configure RSA SecurID Access API Key

To configure the RSA SecurID Access API key using RSA NetWitness Shell (nw-shell):

  1. SSH to the NetWitness Server.
  2. Type the command nw-shell.
    A console window is displayed.
  3. Type connect --service respond-server.<service-id> to connect to the Respond Server.
    For example: connect --service respond-server.36334277-9f93-4402-9523-ed15ad543bfa.
    You can obtain the <service-id> with cat /etc/netwitness/respond-server/service-id.
  4. Type login and enter the admin username and password.

  5. To set the API key:
      1. Navigate to the set-api-key node: cd /rsa/respond/securid/set-api-key
      2. Type: invoke --file <path to api key>
        Note: The path to the API key is its location on the NetWitness Server.
  6. To test the connection:
      1. cd /rsa/respond/securid/test-secur-id-connection
      2. Type invoke.
        A "Connection OK" message is displayed if the test connection is successful.
  7. To start processing incidents:
      1. cd /rsa/respond/securid/process-incidents
      2. Type invoke.

    For more information on how to define policies, see the RSA SecurID Access Guide on RSA Link.
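The two checks below are an added example, not RSA's code or anything shipped with NetWitness. The first function verifies that respond-server.yml (from the Enable Threat Aware Authentication procedure) contains both required keys set to true, in the flat dotted form the procedure shows; a nested YAML layout would not be recognised by this simple grep. The second builds the nw-shell connect command for step 3 above from the service-id file. Both run here against constructed sample files in a temporary directory, so nothing on a real server is touched; the file paths and the sample service id are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the RSA NetWitness documentation or product.

# Returns 0 when both Threat Aware Authentication keys are set to true in the
# given yml file, 1 otherwise. Only the flat dotted key form is accepted.
taa_enabled() {
  yml="$1"
  [ -r "$yml" ] || return 1
  grep -Eq '^[[:space:]]*rsa\.respond\.securid-integration\.enabled:[[:space:]]*true[[:space:]]*$' "$yml" || return 1
  grep -Eq '^[[:space:]]*rsa\.security\.pki\.use-jvm-trust:[[:space:]]*true[[:space:]]*$' "$yml" || return 1
  return 0
}

# Prints the nw-shell connect command built from a service-id file
# (normally /etc/netwitness/respond-server/service-id on the NetWitness Server).
connect_cmd() {
  id_file="$1"
  [ -r "$id_file" ] || return 1
  sid=$(tr -d '[:space:]' < "$id_file")
  [ -n "$sid" ] || return 1
  printf 'connect --service respond-server.%s\n' "$sid"
}

# Constructed sample files for the demonstration (not the real system files).
TAA_DEMO_DIR=$(mktemp -d)
cat > "$TAA_DEMO_DIR/respond-server.yml" <<'EOF'
rsa.respond.securid-integration.enabled: true
rsa.security.pki.use-jvm-trust: true
EOF
cat > "$TAA_DEMO_DIR/disabled.yml" <<'EOF'
rsa.respond.securid-integration.enabled: false
EOF
# Placeholder service id, constructed for the example.
printf '%s\n' '00000000-0000-4000-8000-000000000000' > "$TAA_DEMO_DIR/service-id"

if taa_enabled "$TAA_DEMO_DIR/respond-server.yml"; then
  echo "respond-server.yml: Threat Aware Authentication enabled"
fi
if ! taa_enabled "$TAA_DEMO_DIR/disabled.yml"; then
  echo "disabled.yml: Threat Aware Authentication NOT enabled"
fi
connect_cmd "$TAA_DEMO_DIR/service-id"
```

On a real deployment you would call taa_enabled /etc/netwitness/respond-server/respond-server.yml on both the primary and the standby NW server, since the note above requires the configuration on both.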

Configure Sync Frequency

By default, the sync frequency is set to 15 minutes.

To edit the frequency:

  1. Log in to NetWitness Platform.
  2. Go to (Admin) > Services, select the Respond Server service, and then select the Actions icon > View > Explore.
  3. Edit the duration at rsa/respond/securid.

Configure Meta

You can configure a Respond-specific meta in an alert to identify the user to be added to the SecurID high-risk users list. By default, the meta is set to email_address. Currently, the Respond Server supports the ad_username and email_address metas.

To add a Respond Server supported meta:

  1. Log in to NetWitness Platform.
  2. Go to (Admin) > Services, select the Respond Server service, and then select the Actions icon > View > Explore.
  3. In the Explore view node list, select respond/securid.
  4. Edit and enter a meta in the user-meta field.

Note: If at any time you change the meta configuration from email_address to ad_username, make sure you run Step 7 of Configure RSA SecurID Access API Key to process the older incidents. In a multi-analyst deployment, make sure you configure the same meta on all Respond Servers. For example, if you update the meta to ad_username, the same value must be set on all Respond Servers.
