Archer Integ: Configure NetWitness to Work With Archer

Document created by RSA Information Design and Development on Sep 15, 2017. Last modified by RSA Information Design and Development on Sep 12, 2018.

The RSA Archer® Cyber Incident & Breach Response solution enables you to aggregate all actionable security alerts, allowing you to become more effective, proactive, and targeted in your incident response and SOC management. For more information on RSA Archer® Cyber Incident & Breach Response capabilities, see the RSA Archer documentation on the RSA Archer Community or on the RSA Archer Exchange Community.

The version of RSA Archer you run determines how NetWitness Platform is integrated. For supported Archer platforms, see the SecOps Installation Guide.

RSA Archer® Cyber Incident & Breach Response 1.3.1.2 integrates with NetWitness Platform using the RSA UCF (Unified Collector Framework), which comprises the NetWitness Respond integration service and the RSA Archer® Cyber Incident & Breach Response Watchdog service.

This figure represents the flow of NetWitness Platform 11.x integration with RSA Archer® Cyber Incident & Breach Response 1.3.1.2.

Create RSA Archer User Accounts for Push and Pull

 

You must create a user account for the web service client to transfer data to the RSA Archer GRC Platform.

 

You require two RSA Archer user accounts to avoid conflicts while sending data to and receiving data from RSA NetWitness Platform.

To create a user account for push and pull:

  1. On the RSA Archer UI, click Administration > Access Control > Users > Add New.
  2. In the First Name and Last Name fields, enter a name that indicates that the Unified Collector Framework (UCF) uses this account to push data into RSA Archer GRC. For example, UCF User, Push.

    Note: When configuring the Pull account, enter a name that indicates that the UCF uses this account to pull data from RSA Archer GRC. For example, UCF User, Pull.

  3. (Optional) Enter a user name for the new user account.

    Note: If you do not specify a user name, the RSA Archer GRC Platform creates the user name from the first and last name entered when you save the new user account.

  4. In the Contact Information panel, in the Email field, enter an email address to associate with the new user account.
  5. In the Localization section, change the time zone to (UTC) Coordinated Universal Time.

    Note: The UCF uses UTC time to baseline all the time-related calculations.

  6. In the Account Maintenance section, enter and confirm a new password for the new user account.

    Note: Make a note of the user name and password for the new user account that you created. You need to enter these credentials when you set up the UCF to communicate with the RSA Archer GRC Platform through the web service client.

  7. Clear the Force Password Change On Next Sign-In option.
  8. In the Security Parameter field, select the security parameter that you want to use for this user.

    Note: If you assign a default security parameter with a password change interval of 90 days, you also must update the user account password stored in the SA IM integration service every 90 days. To avoid this, you can optionally create a new security parameter for the SA IM integration service user account, and set the password change interval to the maximum value allowed by your corporate standards.

  9. Click the Groups tab, and perform the following:

    1. In the Groups panel, click Lookup.
    2. In the Available Groups window, expand Groups.
    3. Scroll down and select SOC: Solution Administrator and EM: Read Only.
    4. Click OK.
  10. Click Apply and click Save.
  11. If the machine language and regional settings of your RSA Archer GRC system are set to anything other than English-US, perform the following:

    1. Open the user account you just created, and in the Localization section, in the Locale field, select English (United States), and click Save.
    2. On the Windows system hosting your RSA Archer GRC Platform, open Internet Information Services (IIS) Manager.
    3. Expand your RSA Archer GRC site, click .Net Globalization, in both the Culture and UI Culture fields, select English (United States), and click Apply.
    4. Restart your RSA Archer GRC site.
  12. Repeat steps 1 – 11 to create a second user account for the UCF to pull data from RSA Archer GRC.

Integrate NetWitness Platform With RSA Archer Cyber Incident & Breach Response

You have to configure the system integration settings to manage incident workflow in RSA Archer® Cyber Incident & Breach Response.

For information on how to configure system integration settings, see the "Manage Incidents in RSA Archer® Cyber Incident & Breach Response" in the NetWitness Respond Configuration Guide.

RSA Unified Collector Framework

RSA NetWitness Platform integrates with RSA Archer® Cyber Incident & Breach Response 1.3.1.2 using the RSA UCF. The RSA UCF integrates with all supported SIEM tools and the RSA Archer® Cyber Incident & Breach Response solution. After you configure the system integration settings, all incidents are managed in RSA Archer® Cyber Incident & Breach Response instead of NetWitness Respond. Incidents created before the integration will not be managed in RSA Archer® Cyber Incident & Breach Response.

Note:
• You must configure the same option in both RSA NetWitness Platform and the Unified Collector Framework. 
• Integration of the RSA NetWitness Respond module with Reporting Engine or Event Stream Analysis can result in duplicate events, alerts, and incidents created in RSA Archer® Cyber Incident & Breach Response.

UCF supports multiple SIEM tool connections at the same time, for example NetWitness Platform Reporting Engine, HP ArcSight, and NetWitness Respond. However, different instances of the same SIEM tool are not supported, such as two NetWitness Platform servers connected to the same UCF.

Prerequisites

  • Install the RSA Archer® Cyber Incident & Breach Response package on Archer. See the RSA Archer documentation on the RSA Archer Community or on the Content tab at https://community.emc.com/community/connect/grc_ecosystem/rsa_archer_exchange
  • Install RSA Archer® Cyber Incident & Breach Response 1.3.1.2.
  • Ensure that you have NetWitness Platform 11.1, which is compatible with RSA Archer® Cyber Incident & Breach Response 1.3.1.2.
  • Ensure that Respond is configured in RSA NetWitness Platform.

The RSA UCF allows you to integrate your RSA Archer® Cyber Incident & Breach Response system with the following:

  • NetWitness Respond
  • NetWitness Platform Reporting Engine
  • NetWitness Platform Event Stream Analysis
  • Archer Feeds

Configure Respond for Integration with RSA Archer® Cyber Incident & Breach Response

Step 1: Select the Mode for NetWitness Respond

  1. Go to ADMIN > Services, select the Respond Server service, and then select Action icon > Config > Explore.
  2. Navigate to respond/integration/export.
  3. Set the archer-sec-ops-integration-enabled field to true.

  4. Restart the Respond service by running the following command:
    systemctl restart rsa-nw-respond-server

Step 2: Configure NetWitness Respond to Forward Alerts to UCF

  1. Navigate to C:\Program Files\RSA\SA IM integration service\cert-tool\certs in the SecOps Middleware box.

  2. Copy both keystore.crt.pem and rootcastore.crt.pem from the certs folder to the import folder of the NetWitness server:
    cp rootcastore.crt.pem /etc/pki/nw/trust/import

    cp keystore.crt.pem /etc/pki/nw/trust/import

    Note: Before you copy the files from UCF to NetWitness Admin server, examine the files to remove any blank lines and save them.

  3. SSH to the NW-server box and perform the following:

    1. Run the update-admin-node command:
      orchestration-cli-client --update-admin-node

    2. Restart the RabbitMQ service:

      systemctl restart rabbitmq-server

    3. Restart the SMS service:

      systemctl restart rsa-sms.service

      Note: This step is mandatory to avoid receiving the "message bus down" error message which indicates that the EventSourceMessagePublisher has failed to reconnect to RabbitMQ on restart. This can cause some features such as deleting event sources to function improperly.

    4. Create the user archer and set permissions for the virtual host /rsa/system:
      rabbitmqctl add_user archer archer

      rabbitmqctl clear_password archer

      rabbitmqctl set_permissions -p /rsa/system archer ".*" ".*" ".*"
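The note in step 2 asks you to remove blank lines from keystore.crt.pem and rootcastore.crt.pem before copying them into /etc/pki/nw/trust/import. The following shell script is an added example, not from the RSA documentation, that performs that cleanup and refuses to stage a file whose PEM structure is still broken; the function names and the structural check are my own.

```shell
#!/bin/sh
# Added example: clean UCF PEM files before copying them to the NetWitness
# Admin server trust import folder. Not part of the RSA documentation.

# strip_blank_lines IN OUT - write IN to OUT without blank or whitespace-only lines
strip_blank_lines() {
    grep -v '^[[:space:]]*$' "$1" > "$2" || true   # grep exits 1 on no output
}

# pem_is_well_formed FILE - succeed only if every BEGIN line has a matching END
# line, each block has at least one body line, every body line is pure base64,
# and no blank line survives anywhere in the file.
pem_is_well_formed() {
    awk '
      /^-----BEGIN / { if (inblk) bad = 1; inblk = 1; n = 0; next }
      /^-----END /   { if (!inblk || n == 0) bad = 1; inblk = 0; blocks++; next }
      inblk          { if ($0 !~ /^[A-Za-z0-9+\/=]+$/) bad = 1; n++; next }
      /^[[:space:]]*$/ { bad = 1 }
      END { if (bad || inblk || blocks == 0) exit 1; exit 0 }
    ' "$1"
}

# stage_pem FILE DEST_DIR - clean FILE, validate it, and copy it into DEST_DIR
# (for example /etc/pki/nw/trust/import) only when the cleaned copy is well formed.
stage_pem() {
    tmp=$(mktemp)
    strip_blank_lines "$1" "$tmp"
    if pem_is_well_formed "$tmp"; then
        cp "$tmp" "$2/$(basename "$1")"
        rm -f "$tmp"
        return 0
    fi
    rm -f "$tmp"
    echo "refusing to stage $1: malformed PEM after cleanup" >&2
    return 1
}
```

Run stage_pem on each of the two files before the orchestration-cli-client step; a non-zero exit means the file needs manual inspection rather than a copy.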

Step 3: Forward Alerts to the NetWitness Respond

  • To forward NetWitness Platform Event Stream Analysis alerts to the NetWitness Respond:

    1. Go to ADMIN > Services > ESA service.
    2. Select an Event Stream Analysis service and then select Actions icon > View > Config.
    3. Click the Advanced tab.
    4. Make sure that the Forward Alerts on Message Bus checkbox is selected (it is selected by default). If not, select the Forward Alerts on Message Bus checkbox, and click Apply.
  • To forward NetWitness Platform Reporting Engine alerts to NetWitness Respond:

    1. Go to ADMIN > Services > Reporting Engine service.
    2. Select the Reporting Engine service, and then select Actions icon > View > Config.
    3. Click the General tab.
    4. In the System Configuration section, select the Forward Alerts to Respond checkbox and click Apply.
  • To forward NetWitness Platform Malware Analysis alerts to NetWitness Respond:

    1. Go to ADMIN > Services > Malware Analysis service.
    2. Select the Malware Analysis service, and then select Actions icon > View > Config.
    3. Click the Auditing tab.
    4. In the Respond Alerting panel, verify that the Enabled Config Value checkbox is selected. If the checkbox is not selected, select the checkbox, and click Apply.

Step 4: Forward Endpoint Alerts to the NetWitness Respond

You can forward Endpoint alerts to the RSA Archer GRC through NetWitness Respond. For more information on how to configure NetWitness Endpoint alerts via the message bus, see "Configure NetWitness Endpoint Alerts via Message Bus" in the NetWitness Endpoint Integration Guide.

Step 5: Aggregate Alerts into Incidents

The Respond Server service consumes alerts from the message bus and normalizes the data to a common format (while retaining the original data) to enable simpler rule processing. It periodically runs rules to aggregate multiple alerts into an incident and set some attributes of the incident (for example, severity and category). For more information on aggregating alerts, see the "Configure Alert Sources to Display Alerts in Respond View" topic in the NetWitness Respond Configuration Guide.

To configure alert aggregation:

  1. Go to CONFIGURE > Incident Rules.
  2. To enable the rules provided out-of-the-box:

    1. Double-click the rule.
    2. Select Enabled.
    3. Click Save.
    4. Repeat steps a-c for each rule.
  3. To add a new rule:

    1. Click Add button.
    2. Select Enabled.
    3. Enter the values in the following fields:

      • Rule Name
      • Action
      • Match Conditions
      • Grouping Options
      • Incident Options
      • Priority
      • Notifications
  4. Click Save.

Configure Endpoints in RSA Unified Collector Framework

Endpoints provide the connection details required for the UCF to reach both your RSA NetWitness Platform and RSA Archer GRC systems.

Note: Different integrations require different endpoints. The following list shows the mandatory endpoints.

Mandatory Endpoint Integration

  • Archer Push endpoint
  • Archer Pull endpoint
  • Mode selection: SecOps or Non SecOps mode.

Note:
• If Non SecOps mode is selected, incidents are managed in NetWitness Respond instead of RSA Archer® Cyber Incident & Breach Response.
• You must configure the port depending on the protocol (TCP, UDP, or secure TCP).
• Make sure the certificate subject name for your RSA Archer GRC server matches the hostname.

Procedure

  1. On the UCF system, open the Connection Manager, as follows:
    1. Open a command prompt.
    2. Change directories to <install_dir>\SA IM integration service\data-collector.
    3. Enter runConnectionManager.bat.

  2. In the Connection Manager, enter 1 for Add Endpoint.
  3. Add an endpoint for pushing data to RSA Archer® Cyber Incident & Breach Response, as follows:

    1. Enter the number for Archer.

      Note: Enable SSL to add the RSA Archer endpoints.

    2. For the endpoint name, enter push.
    3. Enter the URL of your RSA Archer GRC system.
    4. Enter the instance name of your RSA Archer GRC system.
    5. Enter the user name of the user account you created to push data into your RSA Archer GRC system.
    6. Enter the password for the user account you created to push data into your RSA Archer GRC system, and confirm the password.
    7. When prompted if this account is used for pulling data, enter False.
  4. Add an endpoint for pulling data from RSA Archer® Cyber Incident & Breach Response, as follows:

    1. Enter the number for Archer.

      Note: SSL must be enabled to add the RSA Archer endpoints.

    2. For the endpoint name, enter pull.
    3. Enter the URL of your RSA Archer GRC system.
    4. Enter the instance name of your RSA Archer GRC system.
    5. Enter the user name of the user account you created to pull data from your RSA Archer GRC system.
    6. Enter the password for the user account you created to pull data from your RSA Archer system, and confirm the password.
    7. When prompted if this account is used for pulling data, enter True.
  5. Add an endpoint for RSA NetWitness Platform:

    • For RESPOND
      1. Enter the number for NetWitness Platform IM.

      2. Enter a name for the endpoint.
      3. Enter the SA Host IP address.
      4. For SA Messaging Port, enter 5671.
      5. Enter the target queue for remediation tasks. Selecting All processes both the RSA Archer Integration (GRC) and IT Helpdesk (Operations).
      6. When prompted to automatically add certificates to the SA trust store, enter No.
        The certificates are added manually in previous steps.

      7. In UCF connection manager, select the mode, as follows:
        1. Enter the number for Mode Selection.
        2. Select Manage incident workflow exclusively in RSA Archer® Cyber Incident & Breach Response from the drop-down.

    Note: Make sure you select the second option as the first option is not supported in NetWitness Platform 11.x release.

    • For Reporting Engine and Event Stream Analysis
      1. To use third-party integrations, add the Syslog Server Endpoint, as follows:
        1. Enter the number for Syslog Server Endpoint.
        2. Enter the following:
          • User defined name

          • SSL Configured TCP port number

            Note: Defaults to 1515. If you do not want to host the Syslog server in this mode, enter 0.

          • TCP port number - Enter the TCP port if the Syslog client sends the Syslog message in TCP mode.

            Note: Defaults to 1514. If you do not want to host the Syslog server in this mode, enter 0.

          • UDP port number - Enter the UDP port if the Syslog client sends the Syslog message in UDP mode.

            Note: Defaults to 514. If you do not want to host the Syslog server in this mode, enter 0.

          By default, the Syslog server runs in the above three modes, unless it is disabled by entering 0.

      2. To test the Syslog client, enter the number for Test Syslog Client. Use the Test Syslog client with the files from <install_dir>\SA IM integration service\config\mapping\test-files\.
  6. In the Connection Manager, enter 5 to test each endpoint.

Configure Reporting Engine for Integration with RSA Archer® Cyber Incident & Breach Response

To configure Syslog Output Action for the Reporting Engine:

  1. Select ADMIN > Services.
  2. Select the Reporting Engine Service, and click View > Config.
  3. Click the Output Actions tab.
  4. In the NetWitness Platform Configuration panel, in the Host Name field, enter the host name or IP address of the Reporting Engine server.
  5. In the Syslog Configuration section, add the Syslog Configuration as follows:
    1. In the Server Name field, enter the host name of the UCF.
    2. In the Server Port field, enter the port that you selected in the UCF Syslog configuration.
    3. In the Protocol field, select the transport protocol.

      Note: Configure SSL if you select Secure TCP.

  6. Click Save.

To configure NetWitness Platform Reporting Engine SSL for Secure Syslog Server:

  1. Copy the certificate keystore.crt.der from the UCF machine to NetWitness Platform server box at /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.161-0.b14.el7_4.x86_64/jre/lib/security.
  2. Run the following command:

    keytool -import -file keystore.crt.der -alias ucf-syslog -keystore /etc/pki/nw/trust/truststore.jks -storepass changeit

    Note: Do not copy and paste the above command. Type the command to avoid errors.

  3. Enable ServerCertificateValidationEnabled to true:

    • Navigate to ADMIN > Service.
    • Select the Reporting Engine service, and click View > Explore.
    • Expand com.rsa.soc.re > Configuration > SSLContextConfiguration.
    • Expand SSLContextConfiguration and set ServerCertificateValidationEnabled to true.
  4. Restart the Reporting Engine service by running the following command:
    service rsasoc_re restart

To configure rules in NetWitness Platform:

  1. Click MONITOR > Reports > Manage.
    The Manage tab is displayed.
  2. In Rule Groups panel, click Add button.
  3. Enter a name for the new group.
  4. Select the group you created, and in the Rule toolbar, click Add button.
  5. In the Rule Type field, select NetWitness DB.
  6. Enter a name for the rule.
  7. Enter values in the Select and Where fields based on the rule that you want to create.

    Note: Add the Syslog configuration with the Syslog name set above.

  8. Click Save.

Note: To see the same number of alerts in the Reporting Engine and RSA Archer GRC, make sure that you have selected Once for execute in both the Syslog and Record tabs.

To add Alert Templates for the Reporting Engine in NetWitness Platform:

The UCF syslog configuration contains out-of-the-box alert templates that you can use to create an alert with a syslog output action. These templates define the criteria used to aggregate alerts into incidents in your RSA Archer GRC Platform.

The sample templates are located in the following location on the UCF system:

<install_dir>\SA IM integration service\config\mapping\templates\SecOps_SA_Templates

  1. Click MONITOR > Reports > Manage > Alerts.
  2. Click the Template tab.
  3. Click Add button.

Note: After you copy the template in the Create/Modify Template window, make sure to replace cs25=${sa.host} cs25Label=sahost with cs25=${nw.host} cs25Label=nwhost.

  4. In the Name field, enter a name for the alert template.
  5. In the Message field, enter the alert message.
  6. Click Create.
  7. Repeat steps 3 to 6 for each alert template that you want to add.

To configure alerts in NetWitness Platform:

In RSA NetWitness Platform Reporting Engine, an alert is a rule that you can schedule to run on a continuous basis and log its findings to several different alerting outputs.

  1. Click MONITOR > Reports > Manage > Alerts.
  2. Click Add button.
  3. Select Enable.
  4. Select the rule you created.
  5. Select Push to Decoders.

    Note: If you do not enter a value in this field, the link in the RSA Archer Security Alerts application to RSA NetWitness Platform does not work.

  6. From the Data Sources list, select your data source.
  7. In the Notification section, select Syslog.
  8. Click Add button.
  9. Complete the Syslog configuration fields.
  10. In the Body Template field, select the template that you want to use for this Syslog alert.
  11. Click Save.

Configure Event Stream Analysis for Integration with RSA Archer® Cyber Incident & Breach Response

To configure Event Stream Analysis Syslog Notification Settings in NetWitness Platform:

  1. Click ADMIN > System > Global Notifications.
  2. Click the Output tab.
  3. Define and enable an Event Stream Analysis Syslog notification.
  4. Click the Servers tab.
  5. Define and enable a Syslog notification server.
  6. In the Syslog Server Configuration section, enter the following:

    Field Description:

    • Name - Specify the custom name.
    • Server IP (Hostname) - Specify the hostname or IP Address of the system on which you installed the UCF.
    • Port - Specify the port number on which you want the UCF to listen.
    • Facility - Specify the Syslog facility.
    • Protocol - Select the protocol.
  7. Click Save.

To configure NetWitness Platform Event Stream Analysis SSL for Secure Syslog Server:

If the Syslog server is configured with Secure TCP, configure the SSL.

  1. Select ADMIN > Services.
  2. Select the Event Stream Analysis service.
  3. Go to Explore > Configuration > SSL.
  4. Set ServerCertificateValidationEnabled to true.
  5. Copy the rootcastore.cert.pem from the UCF machine to the Event Stream Analysis server to /etc/pki/ca-trust/source/anchors.
  6. Run the following command:

    update-ca-trust

  7. Restart the Event Stream Analysis server by running the following command:
    service rsa-nw-esa-server restart

To Add Event Stream Analysis Alert Templates

The UCF syslog configuration contains out-of-the-box alert templates that you can use to create an alert with a syslog output action. These templates define the criteria used to aggregate alerts into incidents in your RSA Archer GRC Platform.

The sample templates are located in the following location on the UCF system:

<install_dir>\SA IM integration service\config\mapping\templates\SecOps_SA_Templates\SecOps_SA_ESA_templates.txt

  1. Select ADMIN > System > Global Notifications.
  2. Click the Templates tab.
  3. Click Add button.
  4. In the Template Type field, select Event Stream Analysis.
  5. In the Name field, enter the name for the template.

  6. (Optional) In the Description field, enter a brief description for the template.
  7. In the Template field, enter the alert message.
  8. Click Save.
  9. Repeat steps 3 – 8 for each alert template that you want to add.

To Create Event Stream Analysis Rules

  1. Click CONFIGURE > ESA Rules.
  2. In the Rule Library, click Add button.
  3. Select Rule Builder.
  4. In the Rule Name field, enter a name for the rule.
  5. In the Description field, enter a description for the rule.
  6. Select the Severity.
  7. In the Condition panel:

    1. Click Add button to build a statement.
    2. Enter a name, select a condition type, and add meta data/value pairs for the statement.
    3. Click Save.
    4. Repeat steps a – c until you have built all the statements for the rule.
  8. In the Notifications section, select Syslog.
  9. Select the notification, Syslog server, and template that were created previously.
  10. Click Save and click Close.
  11. Click Configure > Deployments.
  12. Click Add button for Event Stream Analysis services section.
  13. Select the Event Stream Analysis Service.
  14. Click Deploy Now.
  15. In the Event Stream Analysis Rules section, click Add button to select the Event Stream Analysis Rule that you created, and click Deploy Now.

RSA Archer Feeds

By default, only the IP address and Criticality Rating fields in the RSA Archer Devices application are fed into RSA NetWitness Platform by the SA IM Integration Service. You can customize the Enterprise Management plug-in to include the Business Unit and Facility fields that are cross-referenced in the Devices application in the feed. For more details, see the Archer documentation at https://community.emc.com/community/connect/grc_ecosystem/rsa_archer or https://community.emc.com/community/connect/grc_ecosystem/rsa_archer_exchange

Note: If you want to feed Business Unit and Facility information from your RSA Archer GRC Platform into Live, you must also add keys for these fields in the index-concentrator-custom.xml file.

Update the Concentrator and Decoder Services

The SA IM Integration Service in RSA Archer® Cyber Incident & Breach Response manages the files for a custom feed and deposits these files in a local folder that you specify when you configure the Enterprise Management Endpoint. The Live module of RSA NetWitness Platform retrieves the feed files from this folder. Live then pushes the feed to the Decoders, which start creating metadata based on the captured network traffic and the feed definition. To enable the Concentrator to detect the new metadata created by the Decoders, make sure to edit the index-concentrator-custom.xml, index-logdecoder-custom.xml, and index-decoder-custom.xml files.

  1. Select ADMIN > Services.
  2. Select the Concentrator, and select Actions drop-down menu > View > Config.
  3. Click the Files tab.
  4. From the drop-down list, select the index-concentrator-custom.xml file. Do one of the following:
    • If content already exists in the file, add a key for the new metadata element:

      <key description="Criticality" format="Text" level="IndexValues" name="criticality" defaultAction="Open"/>

      Note: Do not copy and paste the above line. Type it to avoid errors.

    • If the file is blank, add the following content:

      <?xml version="1.0" encoding="utf-8"?>
      <language level="IndexNone" defaultAction="Auto">
        <key description="Criticality" format="Text" level="IndexValues" name="criticality" defaultAction="Open"/>
      </language>

  5. Click Apply.
  6. To add multiple devices:

    1. Click Push.
    2. Select the devices to which you want to push this file.
    3. Click OK.
  7. Repeat steps 1 to 6 for the Log Decoders and Index Decoders, using index-logdecoder-custom.xml and index-decoder-custom.xml.
  8. Restart the Concentrator and Decoder services by running the following commands:
    service nwdecoder restart
    service nwconcentrator restart
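Step 4 above distinguishes a blank index-*-custom.xml file from one that already has content. The following shell script is an added example, not from the RSA documentation, that makes that edit on the Concentrator or Decoder host in both cases, skips the edit when the criticality key is already present, and refuses to touch a non-empty file that has no closing language element; the function names are my own.

```shell
#!/bin/sh
# Added example: add the criticality key to an index-*-custom.xml file.
# Not part of the RSA documentation; KEY_LINE is the entry from the procedure above.
KEY_LINE='<key description="Criticality" format="Text" level="IndexValues" name="criticality" defaultAction="Open"/>'

# add_index_key FILE
#   blank file           -> write the full <language> skeleton around the key
#   file with content    -> insert the key just before the closing </language>
#   key already present  -> leave the file untouched (safe to re-run)
#   content but no close -> refuse, so a hand-edited file is never corrupted
add_index_key() {
    f="$1"
    if [ -s "$f" ]; then
        grep -q 'name="criticality"' "$f" && return 0
        if ! grep -q '</language>' "$f"; then
            echo "$f: no closing </language> tag, not touching it" >&2
            return 1
        fi
        tmp=$(mktemp)
        awk -v key="$KEY_LINE" '/<\/language>/ { print key } { print }' "$f" > "$tmp"
        mv "$tmp" "$f"
    else
        printf '%s\n' \
            '<?xml version="1.0" encoding="utf-8"?>' \
            '<language level="IndexNone" defaultAction="Auto">' \
            "$KEY_LINE" \
            '</language>' > "$f"
    fi
}

# key_count FILE - number of criticality keys; exactly 1 is the expected result
key_count() {
    grep -c 'name="criticality"' "$1"
}
```

Run it against index-concentrator-custom.xml, index-logdecoder-custom.xml, and index-decoder-custom.xml, then push the files and restart the services as the procedure describes.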

 

Add the RSA Archer Enterprise Management Endpoint in UCF

  1. In the UCF connection manager, select the mode:

    1. Enter the number for Mode Selection.

    2. Select one of the following options:

      • Manage incident workflow in RSA NetWitness Platform.
      • Manage incident workflow exclusively in RSA Archer® Cyber Incident & Breach Response.
  2. Add the RSA Archer Enterprise Management Endpoint:

    1. Enter the number for Enterprise Management.
    2. Enter the values in the fields as described below.

      • Endpoint Name - Optional endpoint name.
      • Web Server Port - Defaults to 9090. You can configure this to host the web server URL by providing the URL with the port number as in the NetWitness Platform live feed: http://hostname:port/archer/sa/feed.
      • Criticality - Criticality of the assets to be pulled from RSA Archer GRC. If false, pull assets with any criticality. If true, pull assets with only high criticality. To configure this manually, edit the em.criticality property in the collector-config properties file to provide a comma-separated list of criticalities: LOW, MEDIUM, HIGH.
      • Feed Directory - Directory where the assets CSV file from RSA Archer GRC is saved.

        Note: The directory path provided must exist.

      • Web Server Username - Username for authenticating to the EM web server.
      • Web Server Password - Password for authenticating to the EM web server.
      • SSL Mode - Defaults to No. If No, the URL uses http mode: http://hostname:port/archer/sa/feed. If you have not updated the host file, see the "Update the RSA NetWitness Platform Host File" section.

        Note: NetWitness Platform currently does not support Archer recurring feeds in SSL mode.

Update the RSA NetWitness Platform Host File

  1. Edit the hosts file on the NetWitness Platform server, for example with vi /etc/hosts.
  2. Enter the following for the UCF host IP address:

    <ucf-host-ip> <ucf-host-name>

  3. Restart NetWitness Platform server by running the following command:

    service jetty restart

  4. While configuring the NetWitness Platform live feed, enter the host name for the URL instead of the IP address and the port number configured for Enterprise Management endpoint in the UCF:

    http://<ucf-host-name>:<EM_Port>/archer/sa/feed

  5. Verify that the connection works.
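The steps above add a hosts entry for the UCF and then build the Live feed URL from the host name rather than the IP address. The following shell script is an added example, not from the RSA documentation, that makes the hosts edit safe to repeat (an earlier line for the same UCF name is replaced instead of duplicated, since the resolver takes the first match) and only builds the http feed URL from a host name; the function names are my own, and http is used because the page states that SSL mode is not supported for recurring feeds.

```shell
#!/bin/sh
# Added example: maintain the UCF entry in /etc/hosts and derive the feed URL.
# Not part of the RSA documentation.

# set_hosts_entry HOSTS_FILE IP NAME - add "IP NAME", first removing any line
# whose non-comment part already lists NAME, so a changed UCF address does not
# leave a stale duplicate that the resolver would pick first.
set_hosts_entry() {
    hosts="$1"; ip="$2"; name="$3"
    tmp=$(mktemp)
    awk -v name="$name" '{
        orig = $0; sub(/#.*/, ""); keep = 1
        for (i = 2; i <= NF; i++) if ($i == name) keep = 0
        if (keep) print orig
    }' "$hosts" > "$tmp"
    printf '%s %s\n' "$ip" "$name" >> "$tmp"
    mv "$tmp" "$hosts"
}

# resolve_in_hosts HOSTS_FILE NAME - print the IP of the first line mapping NAME
resolve_in_hosts() {
    awk -v name="$2" '{
        sub(/#.*/, "")
        for (i = 2; i <= NF; i++) if ($i == name && ip == "") ip = $1
    } END { if (ip == "") exit 1; print ip }' "$1"
}

# feed_url NAME PORT - the Live recurring feed URL for the Enterprise Management
# endpoint; rejects a bare IP address because the procedure requires the host name.
feed_url() {
    case "$1" in
        *[!0-9.]*) printf 'http://%s:%s/archer/sa/feed\n' "$1" "$2" ;;
        *) echo "feed_url: use the UCF host name, not its IP address" >&2; return 1 ;;
    esac
}
```

After set_hosts_entry, restart the NetWitness Platform server as described in step 3 and use the feed_url output in the Custom Feeds URL field.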

Create a Recurring Feed Task

For RSA NetWitness Platform to download feed files from the NetWitness Respond Integration Service and push the feeds to Decoders, you must create a recurring feed task and define the feed settings.

Note: For RSA Archer® Cyber Incident & Breach Response 1.2: For RSA NetWitness Platform to download feed files from the UCF machine and push the feeds to Decoders, you must create a recurring feed task and define the feed settings. The procedure is similar to RSA Archer® Cyber Incident & Breach Response 1.3, with a few exceptions. See documentation on the RSA Archer Exchange Community for details. 

  1. Select CONFIGURE > Custom Feeds.
  2. In the Feeds view, Click Add button.
  3. Select Custom Feed, and click Next.
  4. Select Recurring.
  5. Enter a name for the feed.
  6. In the URL field, enter the following:

    http://ucf_hostname/archer/sa/feed

    where http://ucf_hostname_or_ip:port is the address of the NetWitness Respond Integration Service system. For example: http://<ucf-host-name>.

  7. Select Authenticated.
  8. In the User Name and Password fields, enter the credentials of the user account you created in the Add the RSA Archer Enterprise Management Endpoint in UCF procedure.
  9. Define the recurrence interval for the feed.
  10. In the Date Range panel, define a start and end date for the feed, and click Next.
  11. Select each Decoder to which you want to push this feed, and click Next.
  12. In the Type field, make sure that IP is selected.
  13. In the Index Column field, select 1.
  14. In the second column, set the Key value to criticality, and click Next.
  15. Review your feed configuration details and click Finish.