You can configure RSA NetWitness Suite to receive RSA NetWitness Endpoint alerts through Syslog into Log Decoder sessions. The Log Decoder parses these alerts into metadata that is used by NetWitness Suite Investigation, Alerts, and Reporting Engine.
For NetWitness Suite deployments that consume logs, the integration pushes NetWitness Endpoint events to the Log Decoder as Common Event Format (CEF) syslog messages. The use case is SIEM integration: centralized event management, correlation of NetWitness Endpoint events with other Log Decoder data, NetWitness Suite reporting on NetWitness Endpoint events, and NetWitness Suite alerting on NetWitness Endpoint events.
The following are required for this integration:
- Version 22.214.171.124, 126.96.36.199, 4.4, 188.8.131.52, or later NetWitness Endpoint UI.
- NetWitness Server Version 11.1 is installed.
- An RSA Log Decoder and Concentrator, version 10.4 or later, connected to the NetWitness Server.
- UDP port 514 or TCP port 1514 open on the firewall from the NetWitness Endpoint server to the Log Decoder. The port you open must match the transport you select in the NetWitness Endpoint Syslog configuration below.
- Deploy the required parser (CEF or rsaecat) to the Log Decoder as described in the "Manage Live Resources" topic in Live Services Management. After you deploy the parser, make sure the parser is enabled. For more information, see Services Config View - General Tab.
- Configure NetWitness Endpoint to send syslog output to NetWitness Suite and generate NetWitness Endpoint alerts to the Log Decoder.
- (Optional) Edit table-map-custom.xml on the Log Decoder and index-concentrator-custom.xml on the Concentrator to map and index any additional CEF fields you want available as NetWitness Suite metadata.
Configure NetWitness Endpoint to Send Syslog Output to NetWitness Suite
To add the Log Decoder as a Syslog external component and generate NetWitness Endpoint alerts to the Log Decoder:
- Open the NetWitness Endpoint user interface and log on with the proper credentials.
- From the menu bar, select Configure > Monitoring and External Components. The External Components Configuration dialog is displayed.
- In the External Components Configuration dialog, open the SYSLOG Server dialog.
- In the NetWitness Suite panel, enter a descriptive name for the Log Decoder.
- In the Syslog Connection panel, set the following to enable Syslog messaging:
  Server Hostname/IP = The DNS hostname or IP address of the RSA Log Decoder
  Port = 514 for UDP (use 1514 if you select TCP, matching the firewall rule in the prerequisites)
  Transport Protocol = Select UDP or TCP, as appropriate for your Syslog configuration
- Click Save.
- Open the InstantIOCs window in the NetWitness Endpoint UI and, in the Alertable column, enable each IIOC for which you want alerts sent to the Log Decoder.
When an alertable Instant IOC is triggered, the NetWitness Endpoint server sends a Syslog alert to the Log Decoder. The Log Decoder parses the alert into metadata, and the Concentrator aggregates and indexes that metadata so it is available to Investigation, Alerts, and Reporting Engine.
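To see what travels over the Syslog connection configured above, and what the Log Decoder's CEF parser has to turn into metadata, here is an added example (not code from RSA or from this document) that builds a CEF record, wraps it in a syslog line, handles the CEF escaping rules for `|`, `=` and `\`, and parses it back into flat fields. The vendor and product strings, the IIOC signature ID, the extension field names and the host names are constructed for illustration and are not real NetWitness Endpoint output; the default ports come from the prerequisites (UDP 514, TCP 1514).

```python
"""Added example: build and parse CEF-over-syslog alerts of the kind the
NetWitness Endpoint integration sends to a Log Decoder. Sample values are
constructed for illustration, not real NetWitness Endpoint output."""
import re
import socket
from typing import Dict, List, Optional, Tuple

SYSLOG_PRI = re.compile(r"^<(?P<pri>\d{1,3})>")


def _escape_header(s: str) -> str:
    """CEF header fields escape backslash and the '|' delimiter."""
    return s.replace("\\", "\\\\").replace("|", "\\|")


def _escape_ext(s: str) -> str:
    """CEF extension values escape backslash, '=' and line breaks."""
    return (s.replace("\\", "\\\\").replace("=", "\\=")
             .replace("\n", "\\n").replace("\r", "\\r"))


def build_cef(vendor: str, product: str, version: str, sig_id: str,
              name: str, severity: int, ext: Dict[str, str]) -> str:
    header = "|".join(["CEF:0", _escape_header(vendor), _escape_header(product),
                       _escape_header(version), _escape_header(sig_id),
                       _escape_header(name), str(severity)])
    return header + "|" + " ".join(f"{k}={_escape_ext(v)}" for k, v in ext.items())


def syslog_frame(cef: str, host: str, timestamp: str,
                 facility: int = 1, severity: int = 4) -> str:
    """RFC 3164 style line: <PRI>TIMESTAMP HOST MSG, PRI = facility*8 + severity."""
    return f"<{facility * 8 + severity}>{timestamp} {host} {cef}"


def default_port(transport: str) -> int:
    """Ports from the prerequisites: UDP 514, TCP 1514."""
    return {"UDP": 514, "TCP": 1514}[transport.upper()]


def send_syslog(line: str, log_decoder: str, transport: str,
                port: Optional[int] = None, timeout: float = 3.0) -> int:
    """Send one alert; UDP as a single datagram, TCP with a trailing LF delimiter."""
    port = port or default_port(transport)
    data = line.encode("utf-8")
    if transport.upper() == "UDP":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            return s.sendto(data, (log_decoder, port))
    with socket.create_connection((log_decoder, port), timeout=timeout) as s:
        s.sendall(data + b"\n")
        return len(data) + 1


def _split_header(cef: str) -> Tuple[List[str], str]:
    """Split the seven header fields on unescaped '|'; return (fields, extension)."""
    fields: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(cef):
        c = cef[i]
        if c == "\\" and i + 1 < len(cef):      # escaped char: keep it literally
            buf.append(cef[i + 1])
            i += 2
        elif c == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
            if len(fields) == 7:
                return fields, cef[i:]
        else:
            buf.append(c)
            i += 1
    raise ValueError("CEF header has fewer than seven fields")


def _unescape(s: str) -> str:
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append({"n": "\n", "r": "\r"}.get(s[i + 1], s[i + 1]))
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def _parse_extension(ext: str) -> Dict[str, str]:
    """Values may contain spaces: a value ends at the last unescaped space before
    the next unescaped '='. An escaped '\\=' never starts a new pair."""
    eqs, i = [], 0
    while i < len(ext):
        if ext[i] == "\\":
            i += 2                              # skip escaped character
            continue
        if ext[i] == "=":
            eqs.append(i)
        i += 1
    result: Dict[str, str] = {}
    key_start = 0
    for n, eq in enumerate(eqs):
        key = ext[key_start:eq].strip()
        if n + 1 < len(eqs):
            val_end = ext.rfind(" ", eq, eqs[n + 1])
            if val_end < 0:
                raise ValueError("malformed extension near offset %d" % eq)
            key_start = val_end + 1
        else:
            val_end = len(ext)
        result[key] = _unescape(ext[eq + 1:val_end])
    return result


def parse_cef_syslog(line: str) -> Dict[str, object]:
    """Flatten one syslog/CEF line. Field names follow the CEF spec; the actual
    NetWitness meta keys are decided by the CEF parser and table-map."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("no CEF record in line")
    m = SYSLOG_PRI.match(line)
    pri = int(m.group("pri")) if m else None
    fields, ext = _split_header(line[idx:].rstrip("\r\n"))
    return {"syslog_facility": None if pri is None else pri // 8,
            "syslog_severity": None if pri is None else pri % 8,
            "cef_version": fields[0][len("CEF:"):],
            "device_vendor": fields[1], "device_product": fields[2],
            "device_version": fields[3], "signature_id": fields[4],
            "name": fields[5], "cef_severity": fields[6],
            "extension": _parse_extension(ext)}


# Constructed sample alert (assumed field names; not real NetWitness Endpoint output).
SAMPLE_ALERT = syslog_frame(
    build_cef("RSA", "NetWitness Endpoint", "4.4", "IIOC-0001", "Suspicious|Process", 8,
              {"src": "10.1.2.3", "fname": "C:\\Users\\bob\\x.exe", "msg": "a=b c"}),
    host="ecat-server", timestamp="Jan 15 10:23:01")

if __name__ == "__main__":
    print(SAMPLE_ALERT)
    print(parse_cef_syslog(SAMPLE_ALERT))
    # send_syslog(SAMPLE_ALERT, "logdecoder.example.net", "UDP")  # live send, off by default
```

The escape handling is the part worth checking on a real Log Decoder: a file path full of backslashes or an alert name containing `|` is exactly where a naive `split("|")` or `split("=")` parser misattributes fields, which then shows up as wrong or missing meta in Investigation.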