Configure Endpoint Alerts via Syslog into a Log Decoder

Document created by RSA Information Design and Development on Sep 15, 2017. Last modified by RSA Information Design and Development on Nov 16, 2017.

You can configure RSA NetWitness Endpoint to send its alerts to RSA NetWitness Suite via Syslog, so that they are ingested into Log Decoder sessions. This generates metadata that is used by NetWitness Suite Investigation, Alerts, and Reporting Engine.

For NetWitness Suite networks that consume logs, this integration pushes NetWitness Endpoint events to the Log Decoder as Common Event Format (CEF) syslog messages; the resulting metadata is then available to NetWitness Suite Investigation, Alerts, and Reporting Engine. The use case is SIEM integration: centralized event management, correlation of NetWitness Endpoint events with other Log Decoder data, NetWitness Suite reporting on NetWitness Endpoint events, and NetWitness Suite alerting on NetWitness Endpoint events.

Prerequisites

The following are required for this integration:

  • NetWitness Endpoint UI version 4.3.0.4, 4.3.0.5, or 4.4.
  • NetWitness Server version 11.0 is installed.
  • RSA Log Decoder and Concentrator version 10.4 or later, connected to the NetWitness Server in the network.
  • UDP port 514 or TCP port 1514 open in the firewall from the NetWitness Endpoint server to the Log Decoder.

Procedure

  1. Deploy the required parser (CEF or rsaecat) to the Log Decoder as described in the "Manage Live Resources" topic in Live Services Management. After you deploy the parser, make sure the parser is enabled. For more information, see Services Config View - General Tab.

Note: Use only one of these parsers. When the CEF parser is deployed, it supersedes the NetWitness Endpoint parser, and all CEF messages into NetWitness Suite are processed by the CEF parser. Enabling both parsers is an unnecessary burden on performance.

  2. Configure NetWitness Endpoint to send syslog output to NetWitness Suite and generate NetWitness Endpoint alerts to the Log Decoder.
  3. (Optional) Edit the table mapping in table-map-custom.xml and index-concentrator-custom.xml to add the fields you want mapped into NetWitness Suite metadata.

Configure NetWitness Endpoint to Send Syslog Output to NetWitness Suite

To add the Log Decoder as a Syslog external component so that NetWitness Endpoint alerts are sent to it:

  1. Open the NetWitness Endpoint user interface and log on using the proper credentials.
  2. From the menu bar, select Configure > Monitoring and External Components.

    The External Components Configuration dialog is displayed.

  3. In SYSLOG Server, click the Add icon.

    The SYSLOG Server dialog is displayed.

    Syslog Server Dialog

  4. In the NetWitness Suite panel, in On, enter the descriptive name for the Log Decoder.
  5. In the Syslog Connection panel, enter the following to enable Syslog messaging:

    Server Hostname/IP: the DNS hostname or IP address of the RSA Log Decoder.
    Port: 514
    Transport Protocol: select UDP or TCP, as appropriate for your Syslog server.

  6. Click Save.
  7. Open the InstantIOCs window in the NetWitness Endpoint UI and, in the Alertable column, click to enable each IIOC for which you want alerts sent to the Log Decoder.

    Instant IOCs Endpoint

When an enabled Instant IOC is triggered, the NetWitness Endpoint server sends a Syslog alert to the Log Decoder. The Log Decoder sessions are then aggregated by the Concentrator, where these events are available as metadata.

Edit the Table Mapping in table-map-custom.xml

In the default table-map.xml provided by RSA, many of the NetWitness Endpoint meta keys are set to Transient. To view these meta keys in Investigation, their flags must be set to None. To change the mapping, add the changed entries to table-map-custom.xml on the Log Decoder rather than editing table-map.xml itself.

This is the list of meta keys in table-map.xml.

NetWitness Endpoint Field       NetWitness Suite Mapping   Transient in NetWitness Suite
-------------------------       ------------------------   -----------------------------
agentid                         client                     No
CEF Header Hostname Field       alias.host                 No
CEF Header Product Version      version                    Yes
CEF Header Product Name         Product                    Yes
CEF Header Severity             severity                   Yes
CEF Header Signature ID         event.type                 No
CEF Header Signature Name       event.desc                 No
destinationDnsDomain            ddomain                    Yes
deviceDnsDomain                 domain                     Yes
dhost                           host.dst                   No
dst                             ip.dst                     No
end                             endtime                    Yes
fileHash                        checksum                   Yes
fname                           filename                   No
fsize                           filename.size              Yes
gatewayip                       gateway                    Yes
instantIOCLevel                 threat.desc                No
instantIOCName                  threat.category            No
machineOU                       dn                         Yes
machineScore                    risk.num                   No
md5sum                          checksum                   Yes
os                              OS                         Yes
port                            ip.dstport                 No
protocol                        protocol                   Yes
Raw Message                     msg                        Yes
remoteip                        stransaddr                 Yes
rt                              alias.host                 No
sha256sum                       checksum                   Yes
shost                           host.src                   No
smac                            eth.src                    Yes
src                             ip.src                     No
start                           starttime                  Yes
suser                           user.dst                   No
timezone                        timezone                   Yes
totalreceived                   rbytes                     Yes
totalsent                       bytes.src                  No
useragent                       user.agent                 No
userOU                          org                        Yes
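The following added example (written for this page, not RSA code) shows what the table above means for one alert: it parses a constructed syslog-wrapped CEF line the way the Log Decoder would have to, applies the table-map.xml mapping, and separates the meta that reaches the Concentrator from the fields dropped as Transient and the fields table-map.xml does not know at all. The sample alert, its field values and the hostname are constructed; the mapping dictionary is copied from the table.

```python
import re
from collections import defaultdict

# Mapping copied from the table-map.xml listing above:
# CEF field -> (NetWitness meta key, Transient in NetWitness Suite)
TABLE_MAP = {
    "agentid": ("client", False), "CEF Header Hostname Field": ("alias.host", False),
    "CEF Header Product Version": ("version", True), "CEF Header Product Name": ("Product", True),
    "CEF Header Severity": ("severity", True), "CEF Header Signature ID": ("event.type", False),
    "CEF Header Signature Name": ("event.desc", False), "destinationDnsDomain": ("ddomain", True),
    "deviceDnsDomain": ("domain", True), "dhost": ("host.dst", False), "dst": ("ip.dst", False),
    "end": ("endtime", True), "fileHash": ("checksum", True), "fname": ("filename", False),
    "fsize": ("filename.size", True), "gatewayip": ("gateway", True),
    "instantIOCLevel": ("threat.desc", False), "instantIOCName": ("threat.category", False),
    "machineOU": ("dn", True), "machineScore": ("risk.num", False), "md5sum": ("checksum", True),
    "os": ("OS", True), "port": ("ip.dstport", False), "protocol": ("protocol", True),
    "Raw Message": ("msg", True), "remoteip": ("stransaddr", True), "rt": ("alias.host", False),
    "sha256sum": ("checksum", True), "shost": ("host.src", False), "smac": ("eth.src", True),
    "src": ("ip.src", False), "start": ("starttime", True), "suser": ("user.dst", False),
    "timezone": ("timezone", True), "totalreceived": ("rbytes", True),
    "totalsent": ("bytes.src", False), "useragent": ("user.agent", False), "userOU": ("org", True),
}


def _unescape(value):
    """Undo CEF escaping: '\\|', '\\=' and '\\\\' become '|', '=' and '\\'."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_cef(line):
    """Split a syslog-wrapped CEF line into its header fields and extension pairs."""
    syslog_prefix, marker, body = line.partition("CEF:")
    if not marker:
        raise ValueError("not a CEF message")
    # The hostname comes from the syslog header: the last token before 'CEF:'.
    prefix_tokens = syslog_prefix.split()
    hostname = prefix_tokens[-1] if prefix_tokens else None
    # Header fields are '|'-delimited; an escaped '\|' does not split.
    parts = re.split(r"(?<!\\)\|", body)
    if len(parts) < 8:
        raise ValueError("CEF header needs 7 pipe-delimited fields before the extension")
    header = {
        "CEF Header Hostname Field": hostname,
        "CEF Header Product Name": _unescape(parts[2]),
        "CEF Header Product Version": _unescape(parts[3]),
        "CEF Header Signature ID": _unescape(parts[4]),
        "CEF Header Signature Name": _unescape(parts[5]),
        "CEF Header Severity": _unescape(parts[6]),
    }
    # An unescaped '|' is legal inside the extension, so re-join anything after field 7.
    extension = "|".join(parts[7:]).strip()
    ext = {}
    # Extension values may contain spaces; a new pair starts only at ' key='.
    for token in re.split(r"\s+(?=[A-Za-z][A-Za-z0-9_.]*=)", extension):
        if token:
            key, _, value = token.partition("=")
            ext[key] = _unescape(value)
    return header, ext


def map_to_meta(header, ext, non_transient=frozenset()):
    """Apply the table-map.xml mapping to one parsed message.

    Returns (meta, dropped, unmapped): meta holds the key/values the Concentrator
    receives; dropped holds CEF fields discarded because their meta key is Transient
    (unless the key is listed in non_transient, i.e. overridden with flags="None" in
    table-map-custom.xml); unmapped holds fields that table-map.xml does not know.
    """
    meta = defaultdict(list)
    dropped, unmapped = {}, []
    for cef_key, value in list(header.items()) + list(ext.items()):
        if value is None:
            continue
        if cef_key not in TABLE_MAP:
            unmapped.append(cef_key)
            continue
        nw_key, transient = TABLE_MAP[cef_key]
        if transient and nw_key not in non_transient:
            dropped[cef_key] = nw_key
        else:
            meta[nw_key].append(value)  # meta keys are multi-valued (e.g. checksum)
    return dict(meta), dropped, unmapped


# Constructed sample alert (not a real NetWitness Endpoint message). Note the
# CEF-escaped backslash in the user name and the spaces inside instantIOCName.
SAMPLE_ALERT = (
    "<13>Sep 15 2017 10:02:11 ecat-server01 "
    "CEF:0|RSA|NetWitness Endpoint|4.4.0.0|IIOC_L1|Suspicious Module Detected|9|"
    "agentid=0A1B2C3D shost=WKS-0042 src=10.0.0.42 suser=CORP\\\\jdoe "
    "fname=svchost.exe fsize=12345 md5sum=d41d8cd98f00b204e9800998ecf8427e "
    "instantIOCName=Suspicious Module Detected instantIOCLevel=1 machineScore=87 "
    "moduleScore=95 moduleSignature=Unsigned"
)


def demo(non_transient=frozenset()):
    header, ext = parse_cef(SAMPLE_ALERT)
    return map_to_meta(header, ext, non_transient)


if __name__ == "__main__":
    meta, dropped, unmapped = demo()
    print("meta reaching the Concentrator:", meta)
    print("dropped as Transient:", dropped)
    print("not in table-map.xml:", unmapped)
```

Running it with the default mapping shows that the file hash never reaches the Concentrator because checksum is Transient, and that moduleScore and moduleSignature are silently lost because table-map.xml has no entry for them; passing non_transient={"checksum"} models the effect of a table-map-custom.xml override for that key.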

The following seven keys are not in table-map.xml; to use these keys in NetWitness Suite you need to add them to table-map-custom.xml, and set the flags to None.

NetWitness Endpoint Field       NetWitness Suite Mapping   Transient in NetWitness Suite
-------------------------       ------------------------   -----------------------------
moduleScore                     cs.modulescore             Yes
moduleSignature                 cs.modulesign              Yes
Target module                   cs.targetmodule            Yes
YARA result                     cs.yararesult              Yes
Source module                   cs.sourcemodule            Yes
OPSWATResult                    cs.opswatresult            Yes
ReputationResult                cs.represult               Yes

Here are the entries to add to table-map-custom.xml, if required.

<mapping envisionName="cs_represult" nwName="cs.represult" flags="None" envisionDisplayName="ReputationResult"/>
<mapping envisionName="cs_modulescore" nwName="cs.modulescore" format="Int32" flags="None" envisionDisplayName="ModuleScore"/>
<mapping envisionName="cs_modulesign" nwName="cs.modulesign" flags="None" envisionDisplayName="ModuleSignature"/>
<mapping envisionName="cs_opswatresult" nwName="cs.opswatresult" flags="None" envisionDisplayName="OpswatResult"/>
<mapping envisionName="cs_sourcemodule" nwName="cs.sourcemodule" flags="None" envisionDisplayName="SourceModule"/>
<mapping envisionName="cs_targetmodule" nwName="cs.targetmodule" flags="None" envisionDisplayName="TargetModule"/>
<mapping envisionName="cs_yararesult" nwName="cs.yararesult" flags="None" envisionDisplayName="YaraResult"/>

Note: Restart the Log Decoder or reload the log parsers for the changes to take effect.

Configure the NetWitness Suite Concentrator Service

  1. Log on to NetWitness Suite and go to ADMIN > Services.
  2. Select a Concentrator from the list and select View > Config.
  3. Select the Files tab, and from the Files to Edit drop-down list, select index-concentrator-custom.xml.
  4. Add the NetWitness Endpoint meta keys to the file and click Apply. Make sure the file already contains the enclosing <language> section; if it does not, add it.
  5. Restart the Concentrator.
  6. To add the Concentrator as a data source in the Reporting Engine, in the ADMIN > Services view, select the Reporting Engine and select View > Config > Sources.
    NetWitness Endpoint meta is then populated in Reporting Engine, and you can run reports by selecting the appropriate meta keys.

Example

Note: The following lines are examples; make sure the values match your configuration and the column names you included in the feed definition, where:
  • description is the name of the meta key you want to display in NetWitness Suite Investigation.
  • level is "IndexValues".
  • name is the NetWitness Endpoint meta key name from the tables above.

<language>
<key description="Product" format="Text" level="IndexValues" name="product" valueMax="250000" defaultAction="Open"/>
<key description="Severity" format="Text" level="IndexValues" name="severity" valueMax="250000" defaultAction="Open"/>
<key description="Destination Dns Domain" format="Text" level="IndexValues" name="ddomain" valueMax="250000" defaultAction="Open"/>
<key description="Domain" format="Text" level="IndexValues" name="domain" valueMax="250000" defaultAction="Open"/>
<key description="Destination Host" format="Text" level="IndexValues" name="host.dst" valueMax="250000" defaultAction="Open"/>
<key description="End Time" format="TimeT" level="IndexValues" name="endtime" valueMax="250000" defaultAction="Open"/>
<key description="Checksum" format="Text" level="IndexValues" name="checksum" valueMax="250000" defaultAction="Open"/>
<key description="Filename Size" format="Int64" level="IndexValues" name="filename.size" valueMax="250000" defaultAction="Open"/>
<key description="Gateway" format="Text" level="IndexValues" name="gateway" valueMax="250000" defaultAction="Open"/>
<key description="Distinguished Name" format="Text" level="IndexValues" name="dn" valueMax="250000" defaultAction="Open"/>
<key description="Risk Number" format="Float64" level="IndexValues" name="risk.num" valueMax="250000" defaultAction="Open"/>
<key description="ReputationResult" format="Text" level="IndexValues" name="cs.represult" valueMax="250000" defaultAction="Open"/>
<key description="Module Score" format="Text" level="IndexValues" name="cs.modulescore" valueMax="250000" defaultAction="Open"/>
<key description="Module Sign" format="Text" level="IndexValues" name="cs.modulesign" valueMax="250000" defaultAction="Open"/>
<key description="opswat result" format="Text" level="IndexValues" name="cs.opswatresult" valueMax="250000" defaultAction="Open"/>
<key description="source module" format="Text" level="IndexValues" name="cs.sourcemodule" valueMax="250000" defaultAction="Open"/>
<key description="Target Module" format="Text" level="IndexValues" name="cs.targetmodule" valueMax="250000" defaultAction="Open"/>
<key description="yara result" format="Text" level="IndexValues" name="cs.yararesult" valueMax="250000" defaultAction="Open"/>
<key description="Protocol" format="Text" level="IndexValues" name="protocol" valueMax="250000" defaultAction="Open"/>
<key description="Event Time" format="TimeT" level="IndexValues" name="event.time" valueMax="250000" defaultAction="Open"/>
<key description="Source Host" format="Text" level="IndexValues" name="host.src" valueMax="250000" defaultAction="Open"/>
<key description="Start Time" format="TimeT" level="IndexValues" name="starttime" valueMax="250000" defaultAction="Open"/>
<key description="Timezone" format="Text" level="IndexValues" name="timezone" valueMax="250000" defaultAction="Open"/>
<key description="Received Bytes" format="UInt64" level="IndexValues" name="rbytes" valueMax="250000" defaultAction="Open"/>
<key description="Agent User" format="Text" level="IndexValues" name="user.agent" valueMax="250000" defaultAction="Open"/>
<key description="Source Bytes" format="UInt64" level="IndexValues" name="bytes.src" valueMax="250000" defaultAction="Open"/>
<key description="Strans Address" format="Text" level="IndexValues" name="stransaddr" valueMax="250000" defaultAction="Open"/>
</language>
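Because the table-map-custom.xml entries and the index-concentrator-custom.xml keys are edited on two different services, a mismatch between them is easy to introduce and only shows up later as meta that is missing from Investigation. The added example below (written for this page, not RSA tooling) cross-checks the two fragments shown above: every mapped nwName must carry flags="None", must have a matching <key> indexed at IndexValues, and should declare the same format in both files. The snippets are embedded as strings copied from this page, wrapped in a root element so they parse as complete XML documents; treating a missing format attribute as Text is an assumption of this checker.

```python
import xml.etree.ElementTree as ET

# The seven table-map-custom.xml entries from this page, wrapped in a root element
# so that they parse as one XML document.
TABLE_MAP_CUSTOM = """<mappings>
<mapping envisionName="cs_represult" nwName="cs.represult" flags="None" envisionDisplayName="ReputationResult"/>
<mapping envisionName="cs_modulescore" nwName="cs.modulescore" format="Int32" flags="None" envisionDisplayName="ModuleScore"/>
<mapping envisionName="cs_modulesign" nwName="cs.modulesign" flags="None" envisionDisplayName="ModuleSignature"/>
<mapping envisionName="cs_opswatresult" nwName="cs.opswatresult" flags="None" envisionDisplayName="OpswatResult"/>
<mapping envisionName="cs_sourcemodule" nwName="cs.sourcemodule" flags="None" envisionDisplayName="SourceModule"/>
<mapping envisionName="cs_targetmodule" nwName="cs.targetmodule" flags="None" envisionDisplayName="TargetModule"/>
<mapping envisionName="cs_yararesult" nwName="cs.yararesult" flags="None" envisionDisplayName="YaraResult"/>
</mappings>"""

# The matching cs.* <key> lines from the index-concentrator-custom.xml example above.
INDEX_CUSTOM = """<language>
<key description="ReputationResult" format="Text" level="IndexValues" name="cs.represult" valueMax="250000" defaultAction="Open"/>
<key description="Module Score" format="Text" level="IndexValues" name="cs.modulescore" valueMax="250000" defaultAction="Open"/>
<key description="Module Sign" format="Text" level="IndexValues" name="cs.modulesign" valueMax="250000" defaultAction="Open"/>
<key description="opswat result" format="Text" level="IndexValues" name="cs.opswatresult" valueMax="250000" defaultAction="Open"/>
<key description="source module" format="Text" level="IndexValues" name="cs.sourcemodule" valueMax="250000" defaultAction="Open"/>
<key description="Target Module" format="Text" level="IndexValues" name="cs.targetmodule" valueMax="250000" defaultAction="Open"/>
<key description="yara result" format="Text" level="IndexValues" name="cs.yararesult" valueMax="250000" defaultAction="Open"/>
</language>"""


def load_mappings(xml_text):
    """nwName -> {flags, format} for every <mapping>. A missing format attribute is
    treated as Text (an assumption of this checker, not something the page states)."""
    root = ET.fromstring(xml_text)
    return {m.get("nwName"): {"flags": m.get("flags"), "format": m.get("format", "Text")}
            for m in root.iter("mapping")}


def load_index(xml_text):
    """name -> {level, format} for every <key>."""
    root = ET.fromstring(xml_text)
    return {k.get("name"): {"level": k.get("level"), "format": k.get("format")}
            for k in root.iter("key")}


def check_consistency(mappings, index):
    """Return one finding per mapped key that will not behave as the page intends."""
    findings = []
    for nw_key, m in mappings.items():
        if m["flags"] != "None":
            findings.append(f'{nw_key}: flags="{m["flags"]}"; Transient meta never reaches Investigation')
        key = index.get(nw_key)
        if key is None:
            findings.append(f"{nw_key}: no <key> in index-concentrator-custom.xml, so it is not indexed")
            continue
        if key["level"] != "IndexValues":
            findings.append(f'{nw_key}: level="{key["level"]}", expected IndexValues')
        if key["format"] != m["format"]:
            findings.append(f'{nw_key}: format differs (table-map {m["format"]}, index {key["format"]})')
    return findings


def run_check():
    """Check the two fragments from this page against each other."""
    return check_consistency(load_mappings(TABLE_MAP_CUSTOM), load_index(INDEX_CUSTOM))


if __name__ == "__main__":
    for line in run_check() or ["no findings"]:
        print(line)
```

Run against the page's own fragments, the only finding is cs.modulescore, which is declared Int32 in the table-map entry but Text in the index entry; that difference is worth reviewing before applying the files, since the two services must agree on how the value is stored and searched. Point load_mappings and load_index at the real files (after wrapping the table-map entries in their root element) to check a live deployment.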

Result

Analysts can:

  • Create NetWitness Suite alerts based on NetWitness Endpoint events by configuring NetWitness Endpoint events as an enrichment source.
  • Create ESA rules using NetWitness Endpoint meta as described in the "Add Rules to the Rules Library" topic in the Alerting Using ESA Guide.
  • Report on NetWitness Endpoint events using NetWitness Endpoint meta as described in the "Configure a Rule" topic in the Reporting Guide.
  • View NetWitness Endpoint alerts in NetWitness Respond as described in the "View Alerts" topic in NetWitness Respond User Guide.
  • View NetWitness Endpoint meta keys in Investigation along with standard NetWitness Suite core meta keys as described in the "Conduct an Investigation" topic in Investigation and Malware Analysis User Guide.