You can configure the use of RSA NetWitness Endpoint data in RSA NetWitness Platform to provide NetWitness Endpoint alerts through Syslog into Log Decoder sessions. This generates metadata that is used by NetWitness Platform Investigation, Alerts, and Reporting Engine.
For NetWitness Platform networks that consume logs, this integration pushes NetWitness Endpoint events to the Log Decoder as Common Event Format (CEF) syslog messages; the Log Decoder parses them into metadata that NetWitness Platform Investigation, Alerts, and Reporting Engine can use. The use case is SIEM integration: centralized event management, correlation of NetWitness Endpoint events with other Log Decoder data, NetWitness Platform reporting on NetWitness Endpoint events, and NetWitness Platform alerting on NetWitness Endpoint events.
The following are required for this integration:
- NetWitness Endpoint UI version 188.8.131.52, 184.108.40.206, 4.4, 220.127.116.11, or later.
- NetWitness Server Version 11.1 is installed.
- Version 10.4 or later RSA Log Decoder and Concentrator connected to the NetWitness Server in the network.
- UDP port 514 or TCP port 1514 open in the firewall from the NetWitness Endpoint server to the Log Decoder.
- Deploy the required parser (CEF or rsaecat) to the Log Decoder as described in the "Manage Live Resources" topic in Live Services Management. After you deploy the parser, make sure the parser is enabled. For more information, see "Services Config View - General Tab" in the Malware Analysis Configuration Guide.
- Configure NetWitness Endpoint to send syslog output to NetWitness Platform and generate NetWitness Endpoint alerts to the Log Decoder.
- (Optional) Edit the table mapping in table-map-custom.xml and the index-concentrator-custom.xml to add fields based on user preferences for metadata to be mapped to NetWitness Platform.
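To make the CEF path concrete, the following added example (it is not NetWitness code and does not appear in this guide) parses a constructed CEF syslog line into the key/value metadata a Log Decoder CEF parser would produce, handling the CEF escape sequences for `|`, `=` and `\`, and then applies a custom CEF-key-to-meta-key mapping of the kind the optional table-map-custom.xml edit expresses. The sample line, the IIOC name, the extension field names and the `CUSTOM_MAP` pairings are assumptions made for illustration; only the vendor, product name and the 4.4 version come from this guide.

```python
"""
Parse a CEF syslog line into key/value metadata, the way a Log Decoder's CEF
parser turns a NetWitness Endpoint alert into meta, then apply a custom
CEF-key -> meta-key mapping of the kind table-map-custom.xml expresses.
Added example, not NetWitness code. The sample line, IIOC name and extension
field names are constructed; "RSA", "NetWitness Endpoint" and "4.4" are from
the guide.
"""
import re

# Constructed sample: syslog PRI/timestamp/host prefix, then the CEF record.
# CEF escapes in play: "\|" inside a header field, "\=" and "\\" inside the
# extension. Python's own string escaping is why backslashes appear doubled.
SAMPLE_LINE = (
    "<134>Jan 12 10:15:42 endpoint-srv "
    "CEF:0|RSA|NetWitness Endpoint|4.4|IIOC-EXAMPLE|Example instant IOC\\|triggered|8|"
    "dvc=10.0.0.7 shost=WS-EXAMPLE suser=DOMAIN\\\\alice fname=payload.exe "
    "msg=process path\\=C:\\\\Temp\\\\payload.exe cs1Label=IIOC cs1=Example IOC"
)

HEADER_KEYS = ("cef.version", "device.vendor", "device.product",
               "device.version", "signature.id", "name", "severity")

# Illustrative CEF-key -> NetWitness meta-key pairings (an assumption, not the
# shipped parser's table). This is the kind of mapping table-map-custom.xml
# carries, with index-concentrator-custom.xml making the key searchable.
CUSTOM_MAP = {"dvc": "device.ip", "shost": "alias.host", "suser": "user.src",
              "fname": "filename", "msg": "msg"}

# An extension key is a bare identifier followed by an unescaped '='.
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def _unescape(value):
    # Undo CEF escaping: backslash followed by '=', '|', '\', 'n' or 'r'.
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            out.append({"n": "\n", "r": "\r"}.get(nxt, nxt))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def _split_header(body):
    # Split on unescaped '|' until the seven header fields are collected;
    # whatever follows the seventh pipe is the extension.
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            cur.append(body[i + 1])  # keep the escaped character literally
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF header: expected 7 pipe-delimited fields")
    return fields, body[i:]


def _parse_extension(ext):
    # Values run from their '=' to the start of the next key, so they may
    # contain spaces; escapes are undone per value.
    pairs = {}
    hits = list(_EXT_KEY.finditer(ext))
    for n, m in enumerate(hits):
        end = hits[n + 1].start() if n + 1 < len(hits) else len(ext)
        pairs[m.group(1)] = _unescape(ext[m.end():end].strip())
    return pairs


def parse_cef(line):
    """Return (header dict, extension dict); raise ValueError if no CEF record."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("no CEF record in line")
    fields, ext = _split_header(line[idx + len("CEF:"):])
    header = dict(zip(HEADER_KEYS, fields))
    header["severity"] = int(header["severity"])
    return header, _parse_extension(ext)


def to_meta(line, custom_map=CUSTOM_MAP):
    """Flatten a CEF line into meta keys: resolve csNLabel/csN pairs, then
    rename extension keys through custom_map (unmapped keys keep their name)."""
    header, ext = parse_cef(line)
    meta = dict(header)
    for key, value in ext.items():
        if key.endswith("Label"):
            continue                      # labels only name other fields
        label = ext.get(key + "Label")    # e.g. cs1Label names cs1
        name = label or key
        meta[custom_map.get(name, name)] = value
    return meta


if __name__ == "__main__":
    for k, v in to_meta(SAMPLE_LINE).items():
        print(f"{k} = {v!r}")
```

Running the module prints the flattened meta for the constructed alert; `to_meta` is the function to call on lines captured from your own Log Decoder to see which CEF keys would still need a table-map-custom.xml entry.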
Configure NetWitness Endpoint to Send Syslog Output to NetWitness Platform
To add the Log Decoder as a Syslog external component and generate NetWitness Endpoint alerts to the Log Decoder:
- Open the NetWitness Endpoint user interface and log on using the proper credentials.
- From the menu bar, select Configure > Monitoring and External Components.
  The External Components Configuration dialog is displayed.
  The SYSLOG Server dialog is displayed.
- In the NetWitness Platform panel, in On, enter the descriptive name for the Log Decoder.
- In the Syslog Connection panel, set the following to enable Syslog messaging:
  - Server Hostname/IP = the DNS hostname or IP address of the RSA Log Decoder
  - Port = 514
  - Transport Protocol = UDP or TCP, as appropriate for your Syslog server
- Click Save.
- Open the InstantIOCs window in the NetWitness Endpoint UI and, in the Alertable column, click to enable each IIOC for which you want alerts sent to the Log Decoder.
When the instant IOCs are triggered, Syslog alerts from the NetWitness Endpoint server are sent to the Log Decoder. Log Decoder alerts are then aggregated to the Concentrator. These events are injected into the Concentrator as metadata.
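To verify the syslog path described above before enabling IIOC alerts, the following added example (not NetWitness code) sends a syslog line over UDP or TCP, using the newline framing TCP syslog expects, and checks delivery against a loopback receiver that stands in for the Log Decoder. `send_syslog()` can be pointed at the real Log Decoder hostname on port 514 (UDP) or 1514 (TCP) to confirm the firewall rule from the requirements list; the CEF payload, hostname and timestamp are constructed, and the receiver is only for local testing.

```python
"""
Deliver a syslog line the way the NetWitness Endpoint server would (UDP 514 or
TCP 1514) and confirm it arrives. Added example, not NetWitness code. The
loopback receiver stands in for the Log Decoder so the check runs offline;
only the vendor, product name and 4.4 version in SAMPLE_CEF come from the guide.
"""
import socket
import threading

# Constructed CEF record; the signature id, IIOC name and host are illustrative.
SAMPLE_CEF = ("CEF:0|RSA|NetWitness Endpoint|4.4|IIOC-EXAMPLE|"
              "Example instant IOC|8|shost=WS-EXAMPLE")


def pri(facility=1, severity=5):
    """RFC 3164 PRI value: facility * 8 + severity (default user.notice = 13)."""
    return facility * 8 + severity


def build_syslog(cef, hostname="endpoint-srv", timestamp="Jan 12 10:15:42"):
    """Wrap a CEF record in a BSD-syslog style header."""
    return f"<{pri()}>{timestamp} {hostname} {cef}"


def send_syslog(message, host, port, transport="udp", timeout=3.0):
    """UDP: one datagram per message. TCP: one connection, newline-terminated."""
    data = message.encode("utf-8")
    if transport == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(data, (host, port))
    elif transport == "tcp":
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(data + b"\n")
    else:
        raise ValueError("transport must be 'udp' or 'tcp'")


class LoopbackReceiver:
    """Minimal syslog listener on 127.0.0.1 and an ephemeral port, used here
    in place of the Log Decoder. Receives exactly one message."""

    def __init__(self, transport):
        self.transport = transport
        self.received = []
        kind = socket.SOCK_DGRAM if transport == "udp" else socket.SOCK_STREAM
        self.sock = socket.socket(socket.AF_INET, kind)
        self.sock.bind(("127.0.0.1", 0))
        self.port = self.sock.getsockname()[1]
        if transport == "tcp":
            self.sock.listen(1)
        self.sock.settimeout(3.0)
        self.thread = threading.Thread(target=self._serve, daemon=True)
        self.thread.start()

    def _serve(self):
        try:
            if self.transport == "udp":
                data, _ = self.sock.recvfrom(65535)
                self.received.append(data.decode("utf-8"))
            else:
                conn, _ = self.sock.accept()
                with conn:
                    buf = b""
                    while not buf.endswith(b"\n"):   # read one framed message
                        chunk = conn.recv(4096)
                        if not chunk:
                            break
                        buf += chunk
                    self.received.append(buf.rstrip(b"\n").decode("utf-8"))
        except socket.timeout:
            pass                                     # nothing arrived in time
        finally:
            self.sock.close()

    def wait(self):
        self.thread.join(5.0)
        return self.received


def roundtrip(transport):
    """Send SAMPLE_CEF over loopback and return what the receiver saw (or None)."""
    rx = LoopbackReceiver(transport)
    msg = build_syslog(SAMPLE_CEF)
    send_syslog(msg, "127.0.0.1", rx.port, transport)
    got = rx.wait()
    return got[0] if got else None


if __name__ == "__main__":
    for t in ("udp", "tcp"):
        ok = roundtrip(t) == build_syslog(SAMPLE_CEF)
        print(f"{t}: {'delivered' if ok else 'NOT delivered'}")
```

Against a real Log Decoder there is no receiver to inspect, so the confirmation is the event appearing in Investigation with the expected CEF meta; a silent UDP send that never shows up there usually means the firewall rule from the requirements list is missing.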