NetWitness Respond Configuration Overview

Document created by RSA Information Design and Development on Sep 13, 2017. Last modified by RSA Information Design and Development on Oct 6, 2017.
Version 8

NetWitness Respond, part of the RSA NetWitness® Suite, consumes alert data from various sources via the message bus and displays these alerts in the NetWitness Suite user interface. The Respond Server service lets you group the alerts logically and start a NetWitness Respond workflow to investigate and remediate the security issues they raise.

The Respond Server service consumes alerts from the message bus and normalizes them to a common format, while retaining the original alert data, so that rules can be processed uniformly regardless of the source. It periodically runs rules that aggregate multiple alerts into an incident and set attributes of the incident, such as severity and category. The Respond Server service persists incidents in MongoDB. Incidents are also posted to the message bus for consumption by other systems (for example, the Archer integration).
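The following is an added, illustrative model of the normalize-then-aggregate flow described above; it is not NetWitness Respond's own code, and the two message shapes, field names, severity thresholds, category mapping, and ten-minute grouping window are all assumptions chosen for the example. It shows the two properties the paragraph calls out: each alert is mapped to a common schema while the original message is kept intact, and a periodic rule folds alerts into an incident whose severity and category are derived from its member alerts.

```python
from __future__ import annotations

import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Any, Callable

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class NormalizedAlert:
    source: str
    timestamp: datetime
    severity: str          # one of SEVERITY_RANK
    host: str
    rule_name: str
    raw: dict[str, Any]    # original message retained untouched for investigation


@dataclass
class Incident:
    incident_id: str
    host: str
    category: str
    severity: str
    alerts: list[NormalizedAlert] = field(default_factory=list)


def _band(score: int) -> str:
    """Map a 1-10 numeric score onto the common severity bands (assumed thresholds)."""
    if score >= 9:
        return "critical"
    if score >= 7:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def normalize_source_a(msg: dict[str, Any]) -> NormalizedAlert:
    # Hypothetical source A: epoch-millisecond time, numeric score, flat fields.
    return NormalizedAlert("source_a", datetime.fromtimestamp(msg["ts"] / 1000, tz=timezone.utc),
                           _band(msg["score"]), msg["host"], msg["rule"], msg)


def normalize_source_b(msg: dict[str, Any]) -> NormalizedAlert:
    # Hypothetical source B: ISO-8601 time, textual level, nested event object.
    return NormalizedAlert("source_b", datetime.fromisoformat(msg["time"].replace("Z", "+00:00")),
                           msg["level"].lower(), msg["event"]["hostname"], msg["event"]["signature"], msg)


NORMALIZERS: dict[str, Callable[[dict[str, Any]], NormalizedAlert]] = {
    "source_a": normalize_source_a,
    "source_b": normalize_source_b,
}

# Assumed mapping from rule-name prefix to incident category.
CATEGORY_BY_PREFIX = {"malware": "Malware", "auth": "Credential Abuse"}


def categorize(rule_name: str) -> str:
    return CATEGORY_BY_PREFIX.get(rule_name.split(":", 1)[0].lower(), "Uncategorized")


def normalize_all(bus_messages: list[str]) -> list[NormalizedAlert]:
    """Consume raw JSON messages from the bus; messages from unknown sources are skipped."""
    alerts = []
    for text in bus_messages:
        msg = json.loads(text)
        fn = NORMALIZERS.get(msg.get("source"))
        if fn is not None:
            alerts.append(fn(msg))
    return alerts


def aggregate(alerts: list[NormalizedAlert], window: timedelta = timedelta(minutes=10)) -> list[Incident]:
    """Aggregation rule: alerts on the same host within `window` of the incident's first alert
    join that incident; severity is the highest member severity, category comes from the first alert."""
    incidents: list[Incident] = []
    open_by_host: dict[str, Incident] = {}
    for a in sorted(alerts, key=lambda x: x.timestamp):
        inc = open_by_host.get(a.host)
        if inc is None or a.timestamp - inc.alerts[0].timestamp > window:
            inc = Incident(f"INC-{len(incidents) + 1}", a.host, categorize(a.rule_name), a.severity)
            incidents.append(inc)
            open_by_host[a.host] = inc
        inc.alerts.append(a)
        if SEVERITY_RANK[a.severity] > SEVERITY_RANK[inc.severity]:
            inc.severity = a.severity
    return incidents


def run_pipeline(bus_messages: list[str], window: timedelta = timedelta(minutes=10)) -> list[Incident]:
    return aggregate(normalize_all(bus_messages), window)


# Constructed sample bus messages; the shapes are invented for this example.
SAMPLE_BUS = [
    json.dumps({"source": "source_a", "ts": 1507280400000, "score": 5, "host": "ws-17", "rule": "malware:dropper_beacon"}),
    json.dumps({"source": "source_b", "time": "2017-10-06T09:03:00Z", "level": "HIGH",
                "event": {"hostname": "ws-17", "signature": "malware:c2_dns"}}),
    json.dumps({"source": "source_a", "ts": 1507281900000, "score": 3, "host": "ws-17", "rule": "auth:spray"}),
    json.dumps({"source": "unknown", "payload": "ignored"}),
]

if __name__ == "__main__":
    for inc in run_pipeline(SAMPLE_BUS):
        print(inc.incident_id, inc.host, inc.category, inc.severity, [a.rule_name for a in inc.alerts])
```

Running the block groups the first two sample alerts (three minutes apart on the same host) into one Malware incident whose severity is raised to "high" by the second alert, starts a second incident for the alert that arrives 25 minutes later, and drops the message from the unregistered source rather than failing on it. The `raw` field on each normalized alert is the unmodified source message, which is what an analyst needs when the normalized view loses source-specific detail.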

Note: NetWitness Respond requires an ESA primary server, which hosts the MongoDB instance. The Respond Server service persists alert, incident, and task records in this MongoDB.

The following diagram illustrates the high-level flow of alerts.

High-level Alert Data Flow Diagram

You must configure the various sources from which the Respond Server service collects and aggregates alerts.
