Endpoint Integ: Configure Endpoint Alerts via Syslog into a Log Decoder

Document created by RSA Information Design and Development on Sep 15, 2017. Last modified by RSA Information Design and Development on Sep 17, 2018.

You can configure the use of RSA NetWitness Endpoint data in RSA NetWitness Platform to provide NetWitness Endpoint alerts through Syslog into Log Decoder sessions. This generates metadata that is used by NetWitness Platform Investigation, Alerts, and Reporting Engine.

For NetWitness Platform networks that are consuming logs, this integration of NetWitness Endpoint with NetWitness Platform pushes NetWitness Endpoint events to the Log Decoder through common event format (CEF) syslog messages and generates metadata that is used by NetWitness Platform Investigation, Alerts, and Reporting Engine. The use case for this integration is SIEM Integration to allow centralized event management, correlation of NetWitness Endpoint events with other Log Decoder data, NetWitness Platform reporting on NetWitness Endpoint events, and NetWitness Platform alerting of NetWitness Endpoint events.

Prerequisites

The following are required for this integration:

  • Version 4.3.0.4, 4.3.0.5, 4.4, 4.4.0.2, or later NetWitness Endpoint UI.
  • NetWitness Server Version 11.1 is installed.
  • Version 10.4 or later RSA Log Decoder and Concentrator connected to the NetWitness Server in the network.
  • Port UDP 514 or TCP 1514 open in the firewall from the NetWitness Endpoint server to the Log Decoder.

Procedure

  1. Deploy the required parser (CEF or rsaecat) to the Log Decoder as described in the "Manage Live Resources" topic in Live Services Management. After you deploy the parser, make sure the parser is enabled. For more information, see "Services Config View - General Tab" in the Malware Analysis Configuration Guide.

Note: Use only one of these parsers. When the CEF parser is deployed, it supersedes the NetWitness Endpoint parser, and all CEF messages into NetWitness Platform are processed by the CEF parser. Enabling both parsers is an unnecessary burden on performance.

  2. Configure NetWitness Endpoint to send syslog output to NetWitness Platform and generate NetWitness Endpoint alerts to the Log Decoder.
  3. (Optional) Edit the table mapping in table-map-custom.xml and the index-concentrator-custom.xml to add fields based on user preferences for metadata to be mapped to NetWitness Platform.

Configure NetWitness Endpoint to Send Syslog Output to NetWitness Platform

To add the Log Decoder as a Syslog external component and generate NetWitness Endpoint alerts to the Log Decoder:

  1. Open the NetWitness Endpoint user interface and log on using the proper credentials.
  2. From the menu bar, select Configure > Monitoring and External Components.

    The External Components Configuration dialog is displayed.

  3. In SYSLOG Server, click the Add icon.

    The SYSLOG Server dialog is displayed.

    [Figure: Syslog Server dialog]

  4. In the NetWitness Platform panel, in the On field, enter a descriptive name for the Log Decoder.
  5. In the Syslog Connection panel, enter the following to enable Syslog messaging:

     • Server Hostname/IP = the DNS hostname or IP address of the RSA Log Decoder
     • Port = 514
     • Transport Protocol = select UDP or TCP, as appropriate for your Syslog server

  6. Click Save.
  7. Open the InstantIOCs window in the NetWitness Endpoint UI and, in the Alertable column, click to enable each IIOC for which you want alerts sent to the Log Decoder.

    [Figure: Instant IOCs in NetWitness Endpoint]

When the instant IOCs are triggered, Syslog alerts from the NetWitness Endpoint server are sent to the Log Decoder. Log Decoder alerts are then aggregated to the Concentrator. These events are injected into the Concentrator as metadata.
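To see what the Log Decoder's CEF parser has to extract from each alert, here is an added example (not RSA or NetWitness code) that parses a constructed syslog line in the CEF shape described above into its header fields and extension meta, honouring the CEF escaping rules for pipes, equals signs and backslashes. The signature ID, event name, extension keys and host names are assumptions for the sample, not recorded NetWitness Endpoint output.

```python
import re
from typing import Dict

# Constructed sample syslog line in CEF form. Vendor and product come from the
# page; the signature ID, name, severity and extension keys are assumptions.
SAMPLE_SYSLOG = (
    "<13>Sep 17 10:22:31 ecat-server CEF:0|RSA|NetWitness Endpoint|4.4|"
    "IIOC-0042|Suspicious \\| Process Launch|8|"
    "shost=WIN10-LAB01 suser=LAB\\\\analyst fname=bad.exe "
    "msg=Path\\=C:\\\\Temp\\\\bad.exe act=alert"
)

_HEADER = ("cef_version", "device_vendor", "device_product", "device_version",
           "signature_id", "name", "severity")
# Seven header fields, each ending in an unescaped '|', then the extension.
# '(?:[^|\\]|\\.)*' consumes escape pairs (\| \\) so they never end a field.
_CEF_RE = re.compile(r"((?:[^|\\]|\\.)*)\|" * 7 + r"(.*)")
_SPECIAL = {"n": "\n", "r": "\r"}  # other escapes (\| \= \\) decode to the char


def _unescape(value: str) -> str:
    """Undo CEF backslash escapes in one pass so '\\\\' is not decoded twice."""
    return re.sub(r"\\(.)", lambda m: _SPECIAL.get(m.group(1), m.group(1)), value)


def parse_cef(line: str) -> Dict[str, str]:
    """Parse one syslog line carrying a CEF payload into a flat dict.

    Raises ValueError for lines with no 'CEF:' marker or a short header,
    which a CEF parser on the Log Decoder would likewise not turn into meta.
    """
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload in line")
    match = _CEF_RE.match(line[start + len("CEF:"):].rstrip("\r\n"))
    if not match:
        raise ValueError("malformed CEF header")
    record = {k: _unescape(v) for k, v in zip(_HEADER, match.groups()[:7])}
    # Extension: 'key=value' pairs separated by spaces. A new pair starts at a
    # space followed by 'key='; an escaped '\=' inside a value never does.
    for pair in re.split(r" (?=[\w.]+=)", match.group(8).strip()):
        key, _, value = pair.partition("=")
        record[key] = _unescape(value)
    return record


def is_cef_alert(line: str) -> bool:
    """Pre-flight check for a test alert before trusting the Log Decoder feed."""
    try:
        parse_cef(line)
        return True
    except ValueError:
        return False
```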
