This topic introduces the Feedback and Data Sharing features of NetWitness Suite.
The settings for these features are available in ADMIN > SYSTEM > Live Services view, in the Additional Live Services section.
Additional Live Services
Participation in the Additional Live Services is configured in the ADMIN > SYSTEM > Live Services view.
Live Feedback is intended to help improve RSA NetWitness Suite.
Once you set up and configure a Live account, usage data is shared with RSA. This data is automatically shared only if Live account is configured and shall be protected in accordance with the applicable license agreement. All such data shall be anonymized and shall not have any Personally Identifiable Information.
Before data is sent to RSA, all Personally Identifiable Information is removed. Thus, only anonymous usage data gets transferred to RSA.
For more information, see the Live Feedback Overview topic in the System Configuration Guide.
RSA Live Connect
RSA Live Connect is a cloud based threat intelligence service. This service collects, analyzes, and assesses threat intelligence data such as IP addresses, domains, and files collected from various sources including the RSA NetWitness Suite and RSA ECAT customer community.
RSA Live Connect consists of the following features:
- Threat Insights
- Analyst Behaviors
Threat Insights provides analysts the opportunity to pull threat intelligence data such as IP related information from the Live Connect service to be leveraged by the analysts during investigation.
By default, Threat Insights is enabled in Additional Live Services section. If Context Hub service is configured, Live Connect is automatically added as a data source for Context Hub. For more information, see the Configure Live Connect Data Source for Context Hub topic in the Context Hub Configuration Guide.
With Live Connect as a data source for context hub, you can use the Context Lookup option in Investigation > Navigate view or Investigation > Events view to fetch contextual information. For instructions, see View Additional Context for a Data Point.
Analyst Behaviors is a feature where analysts participate in sharing data to RSA community. This is an automated data collection service. Its goal is to share potential threat intelligence data to the RSA Live Connect cloud service for analysis. The type of data that could be shared from your network to RSA Live Connect includes various types of meta data captured by NetWitness Suite such as ip.src, ip.dst, ip.addr, device.ip, alias.ip, alias.host, paddr, sessionid, domain.dst, domain.src.
Live Connect Threat Data Sharing has been developed as a Community based threat intelligence sharing platform.
It has the following characteristics and goals:
- Crowd-sourced: the RSA community contributes to the entire collection of intelligence
- Centrally collect and analyze data from the RSA community
- Reduce the intelligence cycle time from days to minutes
Some details to consider:
- We are leveraging analyst investigation activity
- We are harvesting meta data such as IP addresses and domain names
- We are doing deep data analysis: Trending, correlation, anomaly detection
- Remember, this feature is currently in Beta
Customer participation is optional. Upon initial install or upgrade to NetWitness Suite 11.0, you are presented with a confirmation screen. By default, you are entered into the program, but you can opt out at any time.
Authentication for the program is done in the NetWitness Suite UI, where you configure the Live account in the Live services section.
To view or change the settings for Live Connect Threat Data Sharing, in the main menu, select ADMIN > SYSTEM > Live Services. Check or clear the Enable box to participate or stop participating in the program.
Data is collected as follows:
- Data Attribution: Anonymous
- Data Source: Subset of meta keys and meta values of a NetWitness Suite analyst's page views from the NetWitness Suite Core Query logs.
Query Log Harvesting Process:
- Timing: Batch mode every 24 hours (4 AM – 6 AM UTC)
- Log Collection: NetWitness Suite server collects NetWitness Suite core device log entries for the previous 24 hours
- Log Entries: Only SDK-Value and SDK-Query API calls that contain a where clause are collected
- Log Attribute Parsing: Each entry must have one of the following meta key indicators present: ip.src, ip.dst, ip.addr, device.ip, alias.ip, alias.host, paddr, sessionid, domain.dst, or domain.src. If so, meta keys and meta values from the entry will be collected.
The log report is sent in JSON format, over SSL. It contains:
- Live CMS username (sha256)
- NetWitness Suitelicense server ID (sha256)
- List of SA endpoint IDs (sha256)
- Harvested meta values (MD5 and SHA256 hashed)
This section lists entries from a log, and then the corresponding section of extrapolated data.
Section from a log file:
User admin (session 204298, 10.4.50.60:57454) has issued values (channel 205237) (thread 2332): fieldName=filter id1=1 id2=23138902 threshold=100000 size=20 flags=sessions,sort-total,order-descending,ignore-cache where="(alias.host = 'mail.google.com') && (ip.src = 184.108.40.206) && time=\"2015-12-07 18:08:00\"-\"2015-12-07 21:07:59\"“
Data extrapolation with hashing:
This section discusses a bit about troubleshooting Live Connect Threat Data Sharing.
Query Log Retrieval Sample
To retrieve a sample of threat intelligence data sent to Live Connect, you construct a URL by setting the following parameters:
- sendReport: value is true or false: true to send this report to the Live Connect server. False to just create the report for viewing. The value defaults to false.
- hashValues: value is true or false: true to hash the values as md5/sha256. False to show values in clear text – should use only for manual viewing. Defaults to false.
- startDate / endDate: Dates for time boundaries for log entries. Format: YYYY-MM-DD HH:mm:ss
The following is an example of the URL to use to retrieve query logs:
System Logging: Debug
You can access some debug information as follows.
- Select ADMIN > SYSTEM > System Logging.
- Select the Settings tab.
- In the Package Configuration section, select com > netwitness > platform > server > liveconnect > service (DEBUG).