RSA NetWitness Network and Splunk® Integration

Document created by Elena Komarova (Employee) on Jan 31, 2017. Last modified by Connor Mccarthy on Aug 8, 2018.

Access Training

In order to register for a class, you need to first create an EMC account.

If you need further assistance, contact us.

Summary

This on-demand learning describes how to integrate RSA NetWitness Network with Splunk to allow sharing of relevant data between the two products for reporting, alerting and investigation purposes.

Overview

This on-demand learning provides students with the knowledge and skills to configure Splunk® Enterprise and RSA NetWitness Network to view security logs in Splunk, view Splunk metadata in RSA NetWitness Network, link to Splunk data through a context menu, send logs to Splunk via an ESA alert, and send Reporting Engine logs to Splunk.

Note: Splunk Enterprise is a registered trademark of Splunk Inc.

Audience

Anyone interested in configuring Splunk

Delivery Type

On-Demand Learning (self-paced eLearning)

Duration

1.5 hours

Prerequisite Knowledge/Skills

Students should have familiarity with RSA NetWitness Network and Splunk Enterprise.

Learning Objectives

Upon successful completion of this course, participants should be able to:

• Describe the benefits of integration with Splunk

• Describe the integration options

• Create Context Actions to pivot from NetWitness investigations to Splunk

• Forward Security/Audit Logs to Splunk

• Configure Splunk to point to RSA NetWitness

• Forward ESA Alert Syslog Notifications to Splunk

• Forward Security/RE Logs to Splunk

Course Outline

  • Module 1 Integration Overview
    • Benefits of Splunk integration
    • Integration methods
  • Module 2 Creating Context Menus
    • Context action menus in RSA NetWitness Network
    • How to create a context menu action
    • Using a context menu in an investigation
    • Creating a Context Menu Action demonstration
  • Module 3 Configuring Syslog Notification
    • Configuring Splunk as a notification server
    • Viewing security/audit logs in Splunk
    • Configuring Syslog Notification demonstration
  • Module 4 Configuring ESA Alert Notification
    • Set up a TCP collector for Splunk data
    • Configure syslog notification for the Splunk server
    • Configure an ESA alert to send logs to Splunk
    • Configuring ESA Alert Notification demonstration
  • Module 5 Configuring Reporting Engine Logs
    • Set up a TCP collector for Splunk data
    • Create a Reporting Engine output action
    • Create a Reporting rule
    • Configuring Reporting Engine Logs demonstration
