Live: Create and Manage an Identity Feed

Document created by RSA Information Design and Development on Jun 26, 2017. Last modified by RSA Information Design and Development on Jul 28, 2017.

You can create an Identity feed and deploy it to selected Decoders and Log Decoders. After completing this procedure, you will have a working Identity feed.

Prerequisites

In order to create an identity feed, you need to have: 

  • A Log Collector service with an Identity Feed Event Processor
  • A Log Collector service with Windows Collection configured and enabled.

Create an Identity Feed

  1. Add a destination for the feed.

    1. In the Security Analytics menu, select Administration > Services.
    2. In the Services grid, select a Log Collector service.
    3. Under Actions, click the actions menu icon and select View > Config.
    4. Select the Event Destinations tab.
    5. In the Select Event Destinations field, select Identity Feed.

    6. Click the Add icon and enter a unique name for the feed.

      The Queue name identifies the feed within the log collector. Use the name of the feed for the Queue.

    7. Click OK.
  2. Test generation of messages.

    1. Have users log into Windows boxes on the domain to generate the appropriate log messages on the domain controllers for testing.
    2. Verify that data is written to the feed files. SSH to the Log Decoder/Collector or Virtual Log Collector being configured. Navigate to /var/netwitness/logcollector/runtime/identity-feed and verify that the Identity_deploy files are being populated with data.

    3. Open a web browser (a browser other than Internet Explorer is preferred) and log in to the REST interface of the Log Collector. Use administrative credentials when logging in. For example, if the IP address of your log collector is 192.168.99.66, the URL would be:

      The browser screen should look like this:

      Notice the screen contains the name of the identity feed you created earlier (infonetd_domain, in this example).

      For the identity feed to function correctly, port 50101 must be active on the Log Collector, and you must determine whether SSL encryption is active.

    4. From the Security Analytics menu, select Administration > Services > <Log Collector being setup> > Actions > View > Explore.
    5. In the left pane, expand rest > config.

      For REST to be active, enabled must be set to 1.

    6. Note the value for ssl. If SSL should be enabled for your environment, this must be set to on.

      Note: If you changed the setting for either the enabled or ssl option you must restart the Log Collector service before moving forward.

  3. In the Security Analytics menu, select Live > Feeds.

    The Feeds grid is displayed.

  4. In the toolbar, click the Add icon.

    The Setup Feed dialog is displayed, with Identity Feed selected by default.

  5. Select Identity Feed and click Next.

    The Configure Identity Feed panel opens with the Define Feed tab displayed.

  6. (Conditional) You can create an on-demand or recurring feed.

    • To define an on-demand Identity feed task that executes once, select Adhoc in the Feed Task Type field, type the feed Name, and browse for and open the feed.
    • To define a recurring Identity Feed task that executes on a recurring basis, select Recurring in the Feed Task Type field.

      The Define Feed form includes the fields for a recurring feed.

      Note: Security Analytics verifies the location where the file is stored, so that Security Analytics can check for the latest file automatically before each recurrence.

  7. Fill in and verify the URL field.

    1. In the URL field, enter the URL where the feed data file is located. This is the REST API interface that was set up earlier. You need to know the following information to construct the URL:

      • The IP address of the log collector being used to construct the Identity Feed file.
      • The identity queue name, as set in step 1, sub-step 6.
      • Whether or not SSL is enabled on the log collector REST port, as set in step 2, sub-step 6.

      You construct this value as follows:

      • SSL enabled: https://<LogCollector>:50101/event-processors/<ID Event processor name>?msg=getFile&force-content-type=application/octet-stream&expiry=600
      • SSL not enabled: http://<LogCollector>:50101/event-processors/<ID Event processor name>?msg=getFile&force-content-type=application/octet-stream&expiry=600

      So, using our example from earlier, the complete value that you would enter into this field is as follows:

      http://192.168.99.66:50101/event-processors/infonetd_domain?msg=getFile&force-content-type=application/octet-stream&expiry=600

    2. For the URL verification to work correctly, the Security Analytics UI server must be able to reach the log collector's REST API port (50101). To test this, SSH to the Security Analytics UI server and run the following command:

      • SSL enabled: curl -vk https://<ip of log collector>:50101
      • SSL not enabled: curl -v http://<ip of log collector>:50101

      If the curl command does not connect, there may be a network firewall or routing issue between the Security Analytics UI server and the Log Collector. A 401 Unauthorized response is expected and shows that the port is reachable; the credentials are supplied in step 8.

      Example of Bad connection:

      * About to connect() to 192.168.99.66 port 50105 (#0)
      * Trying 192.168.99.66... No route to host
      * couldn't connect to host
      * Closing connection #0
      curl: (7) couldn't connect to host

      Example of Good connection:

      * About to connect() to 192.168.99.66 port 50105 (#0)
      * Trying 192.168.99.66... connected
      * Connected to 192.168.99.66 (192.168.99.66) port 50105 (#0)
      > GET / HTTP/1.1
      > User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
      > Host: 192.168.99.66:50105
      > Accept: */*
      >
      < HTTP/1.1 401 Unauthorized
      < Content-Length: 71
      < Connection: Keep-Alive
      < Pragma: no-cache
      < Expires: -1
      < Cache-Control: no-cache, no-store, must-revalidate
      < WWW-Authenticate: Basic realm="NetWitness"
      < Content-Type: text/xml; charset=utf-8
      <
      <?xml version="1.0" encoding="utf-8"?>
      <error>401 Unauthorized</error>
      * Connection #0 to host 192.168.99.66 left intact
      * Closing connection #0
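The URL construction and port probe from this step, as an added shell example that is not part of the RSA documentation: it builds the feed URL from the three inputs listed above and maps the curl result onto the two transcripts. The address and queue name are the document's sample values; the function names and the REST_PORT variable are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the RSA documentation: assemble the Identity Feed
# URL from the three inputs step 7 lists (Log Collector address, identity queue
# name, the rest/config ssl setting) and interpret the curl probe from step 7,
# sub-step 2. 192.168.99.66 and infonetd_domain are the document's sample values.

REST_PORT=50101

build_feed_url() {
    # $1 = Log Collector IP or host name, $2 = identity queue name, $3 = ssl ("on"/"off")
    case "$3" in on) scheme=https ;; *) scheme=http ;; esac
    # The query string appears exactly once; a doubled "?msg=getFile..." breaks the request.
    printf '%s://%s:%s/event-processors/%s?msg=getFile&force-content-type=application/octet-stream&expiry=600\n' \
        "$scheme" "$1" "$REST_PORT" "$2"
}

# Map a curl exit code plus HTTP status onto the document's two transcripts.
# 401 is the healthy answer: the port is open and the REST interface is asking
# for the service credentials configured in step 8. Exit 7 is "couldn't connect".
classify_probe() {
    # $1 = curl exit code, $2 = HTTP status code ("000" when no response arrived)
    case "$1:$2" in
        0:401) echo "good: REST port reachable, credentials required" ;;
        0:*)   echo "reachable but unexpected status $2: confirm this is the REST port" ;;
        7:*)   echo "bad: couldn't connect (firewall or routing between UI server and Log Collector)" ;;
        60:*)  echo "bad: certificate not trusted (import it into cacerts, or probe with -k)" ;;
        *)     echo "bad: curl exit code $1" ;;
    esac
}

# Probe from the Security Analytics UI server. -k skips certificate checking, as
# the document's "curl -vk" does, because this step only tests reachability.
probe_rest_port() {
    # $1 = Log Collector address, $2 = ssl ("on"/"off")
    case "$2" in on) base="https://$1:$REST_PORT"; opt=-k ;; *) base="http://$1:$REST_PORT"; opt= ;; esac
    status=$(curl -s $opt -o /dev/null -w '%{http_code}' "$base/")
    classify_probe "$?" "$status"
}

# Usage on the UI server:
#   build_feed_url 192.168.99.66 infonetd_domain off
#   probe_rest_port 192.168.99.66 off
```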

  8. The REST API requires a username and password when attempting to pull the identity_deploy.csv file from the log collector. This can be any username and password that is available on the service itself. For details, see the "Services Security View" topic in the Hosts and Services Guide.

    To see which accounts are available, navigate to Administration > Services > <log collector being setup> > Actions > View > Security.

    Under the Users table, you see all the users that can be used in this step. It is suggested that a separate user account is created specifically for this setup, and is used nowhere else in the environment, for added security. For details, see the "Add a User and Assign a Role" topic in the System Security and User Management Guide.

  9. To define the interval for recurrence, do one of the following:

    • Specify the number of minutes, hours, or days between recurrences of the feed.
    • To define the date range for the execution of the feed to recur, specify the Start Date and time and the End Date and time.
  10. If using SSL encryption, you need to install the REST API SSL certificate for the Log Collector into the Security Analytics UI server. For details, see Import the SSL Certificate.

    If, after importing the SSL certificate, the verification of the URL still fails, see Cannot Verify Identity Feed URL.

  11. Click Verify to verify your identity feed configuration before you proceed to the Select Services form.
  12. Click Next.

    The Select Services form is displayed.

  13. To identify services on which to deploy the feed, select one or more Decoders and Log Decoders and click Next.
  14. Click the Groups tab, select a group, and click Next.

    The Review form is displayed.

    Note: If a group of devices with Decoders and Log Decoders is used to create recurring or custom feeds and this group is deleted, you can edit the feed and add a new group to the feed.

  15. Anytime before you click Finish, you can:

    • Click Cancel to close the wizard without saving your feed definition.
    • Click Reset to clear the data in the wizard.
    • Click Next to display the next form (if not viewing the last form).
    • Click Prev to display the previous form (if not viewing the first form).
  16. Review the feed information, and if correct, click Finish.

Upon successful creation of the feed definition file, the Create Feed wizard closes, the feed and corresponding token file are listed in the Feed grid, and a progress bar tracks completion. You can expand or collapse the entry to see how many services are included, and which services were successful.

Import the SSL Certificate

If SSL is configured on the Identity feed's Log Collector, follow these steps to import the Log Collector's SSL certificate into the Security Analytics UI server key store. If this certificate is not imported, the Security Analytics UI server will be unable to pull the Identity feed file from the Log Collector.

  1. To pull the SSL certificate off the log collector, SSH into the Security Analytics UI server and run the following command:

    echo -n | openssl s_client -connect <HOST>:<PORT> | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/<SERVERNAME>.cert

    This command saves the SSL certificate to /tmp/<SERVERNAME>.cert.

    For example:

    echo -n | openssl s_client -connect 192.168.99.66:50101 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/logcollector.cert

  2. To import the SSL certificate into the Security Analytics UI server, SSH into the UI server and run the following command:

    keytool -importcert -alias <name an alias for the cert> -file <the cert file pathname> -keystore /etc/pki/java/cacerts

    For example:

    keytool -importcert -alias logcollector01 -file /tmp/logcollector.cert -keystore /etc/pki/java/cacerts

  3. The system requests a password. Enter the password for the keystore on the Security Analytics UI server, not for the jetty keystore. The default password is changeit.
  4. Restart jettysrv to allow jetty to read the new certificate in the store.

Cannot Verify Identity Feed URL

If the Identity feed URL cannot be verified, and you are using SSL, make sure you followed the steps in Import the SSL Certificate.

If there are still issues, it is possible that the internal name of the certificate does not match the hostname of the log collector. The following procedure checks this.

  1. SSH to the Security Analytics UI server.
  2. Run the following command to output the SSL certificate of the log collector:

    echo -n | openssl s_client -connect <log decoder>:50101 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'

    Example:

    echo -n | openssl s_client -connect salogdecoder01:50101 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'

  3. Retrieve the CN name from the SSL certificate.

  4. Edit the /etc/hosts file and add the IP address and CN name to the file.

  5. Restart the network service on the appliance.
  6. Confirm that the name placed in the /etc/hosts file is used instead of the FQDN or IP address in the Identity feed URL.
  7. Re-verify the Identity feed URL.
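An added shell example, not from the RSA documentation, that covers both the Import the SSL Certificate steps and the CN check above: it fetches the certificate, reads its CN, compares the CN with the host name used in the feed URL, and imports the certificate only if the alias is not already in cacerts. Host names, alias and keystore password are the document's sample values; the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the RSA documentation. Ties together the two SSL
# sections: pull the Log Collector's REST certificate, read its CN, compare the
# CN with the host name in the feed URL, and import the certificate into the UI
# server's cacerts only when no entry with that alias exists yet. Host names,
# alias and the default keystore password are the document's sample values.

CACERTS=/etc/pki/java/cacerts

# Extract the CN from an "openssl x509 -noout -subject" line. Handles both the
# older "subject= /C=US/CN=host" and the newer "subject=C = US, CN = host" layouts.
subject_cn() {
    printf '%s\n' "$1" | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p' | sed 's/ *$//'
}

# Save the certificate presented on host:port to a file (the document's pipeline).
fetch_cert() {
    echo -n | openssl s_client -connect "$1:$2" 2>/dev/null \
        | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "$3"
}

# "match" when the certificate CN is the name used in the feed URL; otherwise
# report the mismatch that the Cannot Verify Identity Feed URL section describes.
check_cn() {
    if [ "$1" = "$2" ]; then echo match; else echo "mismatch: certificate CN '$1' vs URL host '$2'"; fi
}

# Import only when the alias is absent, so running this twice is harmless.
import_if_missing() {
    if keytool -list -keystore "$CACERTS" -storepass changeit -alias "$1" >/dev/null 2>&1; then
        echo "alias $1 already present in $CACERTS"
    else
        keytool -importcert -noprompt -alias "$1" -file "$2" -keystore "$CACERTS" -storepass changeit
    fi
}

# Usage on the Security Analytics UI server (needs network access to the Log Collector):
#   fetch_cert salogdecoder01 50101 /tmp/logcollector.cert
#   cn=$(subject_cn "$(openssl x509 -noout -subject -in /tmp/logcollector.cert)")
#   check_cn "$cn" salogdecoder01
#   import_if_missing logcollector01 /tmp/logcollector.cert
```

After the import, restart jettysrv as in step 4 so the UI server reads the updated store.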

Investigate an Identity Feed

An identity feed tracks interactive logon events from the Windows operating system. Identity feeds do not track interactive logoff events.

In order for an identity feed to process events and tag them, the events need to be collected using a Windows Log Collection module where an Active Domain Controller/non-Domain Controller is configured. Note that identity feeds can only be processed by an Identity Feed Event Processor.

Note: An identity feed only tracks one logon at a time. If two users log in to a system at the same time, the second user overwrites the first user's data in the identity feed.

Once you have created an identity feed, you can view the results by investigating on the feed.

To investigate a configured identity feed:

  1. Go to the Security Analytics menu.
  2. Select Investigate > Navigate.

    The Investigation screen is displayed.

  3. Select Conc (Concentrator) and select Navigate.
  4. Select Load Values to retrieve Meta Keys.

In the lower panel, scroll down to find the Meta Keys shown in the following illustration.

[Illustration: Meta Keys populated by the identity feed]

The identity feed provides information to the selected Decoders and Log Decoders. It associates the Host IP data from the Windows operating system with the user logging in to that Host, so that all logs associated with that IP are tagged and can be investigated.
