Endpoint Integ: Configure Endpoint Alerts via Syslog into a Log Decoder

Document created by RSA Information Design and Development on Sep 15, 2017. Last modified by RSA Information Design and Development on Apr 11, 2019. Version 19.

You can configure the use of RSA NetWitness Endpoint data in RSA NetWitness Platform to provide NetWitness Endpoint alerts through Syslog into Log Decoder sessions. This generates metadata that is used by NetWitness Platform Investigation, Alerts, and Reporting Engine.

For NetWitness Platform networks that are consuming logs, this integration of NetWitness Endpoint with NetWitness Platform pushes NetWitness Endpoint events to the Log Decoder through Common Event Format (CEF) syslog messages and generates metadata that is used by NetWitness Platform Investigation, Alerts, and Reporting Engine. The use case for this integration is SIEM integration: centralized event management, correlation of NetWitness Endpoint events with other Log Decoder data, NetWitness Platform reporting on NetWitness Endpoint events, and NetWitness Platform alerting on NetWitness Endpoint events.

Prerequisites

The following are required for this integration:

  • Version 4.3.0.4, 4.3.0.5, 4.4, 4.4.0.2, or later NetWitness Endpoint UI.
  • NetWitness Server Version 11.1 is installed.
  • Version 10.4 or later RSA Log Decoder and Concentrator connected to the NetWitness Server in the network.
  • Port UDP 514 or TCP 1514 open in the firewall from the NetWitness Endpoint server to the Log Decoder.

Procedure

  1. Deploy the required parser (CEF or rsaecat) to the Log Decoder as described in the "Manage Live Resources" topic in Live Services Management. After you deploy the parser, make sure the parser is enabled. For more information, see "Services Config View - General Tab" in the Malware Analysis Configuration Guide.

Note: Use only one of these parsers. When the CEF parser is deployed, it supersedes the NetWitness Endpoint parser, and all CEF messages into NetWitness Platform are processed by the CEF parser. Enabling both parsers is an unnecessary burden on performance.

  2. Configure NetWitness Endpoint to send syslog output to NetWitness Platform and generate NetWitness Endpoint alerts to the Log Decoder.
  3. (Optional) Edit the table mapping in table-map-custom.xml and index-concentrator-custom.xml to add fields, based on your preferences for which metadata is mapped into NetWitness Platform.

Configure NetWitness Endpoint to Send Syslog Output to NetWitness Platform

To add the Log Decoder as a Syslog external component and generate NetWitness Endpoint alerts to the Log Decoder:

  1. Open the NetWitness Endpoint user interface and log on using the proper credentials.
  2. From the menu bar, select Configure > Monitoring and External Components.

    The External Components Configuration dialog is displayed.

  3. In SYSLOG Server, click Add Icon.

    The SYSLOG Server dialog is displayed.

    (Figure: Syslog Server dialog)

  4. In the NetWitness Platform panel, in On, enter the descriptive name for the Log Decoder.
  5. In the Syslog Connection panel, perform the following to enable Syslog messaging:

    Server Hostname/IP = the DNS hostname or IP address of the RSA Log Decoder
    Port = 514
    Transport Protocol = UDP or TCP, as appropriate for your Syslog server

  6. Click Save.
  7. Open the InstantIOCs window in the NetWitness Endpoint UI and, in the Alertable column, click to enable each IIOC for which you want alerts sent to the Log Decoder.

    (Figure: Instant IOCs window in NetWitness Endpoint)

When the instant IOCs are triggered, Syslog alerts from the NetWitness Endpoint server are sent to the Log Decoder. Log Decoder alerts are then aggregated to the Concentrator. These events are injected into the Concentrator as metadata.

Edit the Table Mapping in table-map-custom.xml

In the default table-map.xml provided by RSA, many of the NetWitness Endpoint meta keys are flagged Transient (see the table below). To view a meta key in Investigation, its flag must be set to None. To change the mapping, add the changed entries to table-map-custom.xml on the Log Decoder rather than editing table-map.xml itself.

This is the list of meta keys in table-map.xml.

                                                                                                                                                                                                        
NetWitness Endpoint Fields   | NetWitness Platform Mapping | Transient in NetWitness Platform
-----------------------------|-----------------------------|---------------------------------
agentid                      | client                      | No
CEF Header Hostname Field    | alias.host                  | No
CEF Header Product Version   | version                     | No
CEF Header Product Name      | Product                     | Yes
CEF Header Severity          | severity                    | Yes
CEF Header Signature ID      | event.type                  | No
CEF Header Signature Name    | event.desc                  | No
destinationDnsDomain         | ddomain                     | Yes
deviceDnsDomain              | domain                      | Yes
dhost                        | host.dst                    | No
dst                          | ip.dst                      | No
end                          | endtime                     | Yes
fileHash                     | checksum                    | No
fname                        | filename                    | No
fsize                        | filename.size               | No
gatewayip                    | gateway                     | Yes
instantIOCLevel              | threat.desc                 | No
instantIOCName               | threat.category             | No
machineOU                    | dn                          | No
machineScore                 | risk.num                    | No
md5sum                       | checksum                    | No
os                           | OS                          | No
port                         | ip.dstport                  | No
protocol                     | protocol                    | Yes
Raw Message                  | msg                         | Yes
remoteip                     | stransaddr                  | Yes
rt                           | alias.host                  | No
sha256sum                    | checksum                    | No
shost                        | host.src                    | No
smac                         | eth.src                     | No
src                          | ip.src                      | No
start                        | starttime                   | No
suser                        | user.dst                    | No
timezone                     | timezone                    | No
totalreceived                | rbytes                      | Yes
totalsent                    | bytes.src                   | No
useragent                    | user.agent                  | No
userOU                       | org                         | Yes
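As an added example that is not part of the RSA documentation, the following Python applies the mapping table above to a CEF syslog line of the kind the Log Decoder receives, producing NetWitness meta keys and reporting which of them the default table-map.xml leaves Transient (and therefore invisible in Investigation until re-mapped in table-map-custom.xml). The sample message layout and the FIELD_MAP subset are constructed for illustration; the page does not show a real NetWitness Endpoint message.

```python
# Added example, not from the RSA documentation. Parses a CEF:0 syslog line and
# applies the mapping table above to produce NetWitness meta keys, listing the ones
# the default table-map.xml marks Transient. The sample message is constructed.
import re

# Subset of the table above: CEF extension key -> (NetWitness meta key, transient?)
FIELD_MAP = {
    "dhost": ("host.dst", False), "dst": ("ip.dst", False),
    "end": ("endtime", True), "fileHash": ("checksum", False),
    "fname": ("filename", False), "fsize": ("filename.size", False),
    "instantIOCLevel": ("threat.desc", False), "instantIOCName": ("threat.category", False),
    "machineScore": ("risk.num", False), "protocol": ("protocol", True),
    "shost": ("host.src", False), "src": ("ip.src", False), "suser": ("user.dst", False),
}
# CEF header positions after "CEF:0": vendor (unmapped), product, version,
# signature id, signature name, severity -> meta key and transient flag per the table.
HEADER_META = [None, ("Product", True), ("version", False), ("event.type", False),
               ("event.desc", False), ("severity", True)]

# Constructed sample line (hostname, hash and IIOC name are illustrative only).
SAMPLE = ("<13>Sep 15 10:00:00 ecat-server CEF:0|RSA|NetWitness Endpoint|4.4|1001|InstantIOC|7|"
          "shost=WS01 src=10.0.0.5 fname=evil.exe fileHash=0123456789abcdef0123456789abcdef "
          "instantIOCName=Unsigned writes executable instantIOCLevel=High "
          "machineScore=87 end=1505469600000")

def parse_cef(line):
    """Return (syslog hostname, six CEF header values, extension dict)."""
    idx = line.index("CEF:")
    prefix = line[:idx].split()                               # syslog PRI, timestamp, hostname
    parts = re.split(r"(?<!\\)\|", line[idx:], maxsplit=7)    # split on unescaped '|' only
    if len(parts) != 8 or parts[0] != "CEF:0":
        raise ValueError("not a CEF:0 message")
    # Extension values may contain spaces, so split at the next " key=" boundary.
    ext = dict(re.findall(r"(\w+)=(.*?)(?= \w+=|$)", parts[7]))
    return (prefix[-1] if prefix else None), parts[1:7], ext

def to_meta(line):
    """Map one line to {meta key: value} and list the keys that are Transient."""
    hostname, header, ext = parse_cef(line)
    meta, transient = {}, []
    if hostname:
        meta["alias.host"] = hostname                         # "CEF Header Hostname Field" row
    pairs = [(v, t) for v, t in zip(header, HEADER_META) if t]
    pairs += [(v, FIELD_MAP[k]) for k, v in ext.items() if k in FIELD_MAP]
    for value, (nw, is_transient) in pairs:
        meta[nw] = value
        if is_transient:
            transient.append(nw)
    return meta, transient
```

For the sample line, to_meta returns the mapped meta and reports Product, severity and endtime as Transient, which is exactly the set an analyst would not see in Investigation without a table-map-custom.xml override.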

The following seven keys are not in table-map.xml; to use these keys in NetWitness Platform you need to add them to table-map-custom.xml, and set the flags to None.

                                                
NetWitness Endpoint Fields   | NetWitness Platform Mapping | Transient in NetWitness Platform
-----------------------------|-----------------------------|---------------------------------
moduleScore                  | cs.modulescore              | Yes
moduleSignature              | cs.modulesign               | Yes
Target module                | cs.targetmodule             | Yes
YARA result                  | cs.yararesult               | Yes
Source module                | cs.sourcemodule             | Yes
OPSWATResult                 | cs.opswatresult             | Yes
ReputationResult             | cs.represult                | Yes

Here are the entries to be added to the table-map-custom.xml if required.

<mapping envisionName="cs_represult" nwName="cs.represult" flags="None" envisionDisplayName="ReputationResult"/>
<mapping envisionName="cs_modulescore" nwName="cs.modulescore" format="Int32" flags="None" envisionDisplayName="ModuleScore"/>
<mapping envisionName="cs_modulesign" nwName="cs.modulesign" flags="None" envisionDisplayName="ModuleSignature"/>
<mapping envisionName="cs_opswatresult" nwName="cs.opswatresult" flags="None" envisionDisplayName="OpswatResult"/>
<mapping envisionName="cs_sourcemodule" nwName="cs.sourcemodule" flags="None" envisionDisplayName="SourceModule"/>
<mapping envisionName="cs_targetmodule" nwName="cs.targetmodule" flags="None" envisionDisplayName="TargetModule"/>
<mapping envisionName="cs_yararesult" nwName="cs.yararesult" flags="None" envisionDisplayName="YaraResult"/>

Note: Restart the Log Decoder or reload the log parsers for the changes to take effect.

Configure the NetWitness Suite Concentrator Service

  1. Log on to NetWitness Platform and go to ADMIN > Services.
  2. Select a Concentrator from the list and select View > Config.
  3. Select the Files tab, and from the Files to Edit drop-down list, select index-concentrator-custom.xml.
  4. Add the NetWitness Endpoint meta keys to the file and click Apply. Make sure the file already contains the enclosing XML sections (the <language> element shown in the example below); if those lines are missing, add them.
  5. Restart the Concentrator.
  6. To add the Concentrator as a data source in the Reporting Engine, in the ADMIN > Services view, select the Reporting Engine and select View > Config > Sources.
    NetWitness Endpoint meta is then populated in the Reporting Engine, and you can run reports by selecting the appropriate meta keys.

Example

Note: The following lines are examples; make sure the values match your configuration and the column names you included in the feed definition, where:
  • description is the name under which the meta key is displayed in NetWitness Platform Investigation.
  • level is "IndexValues".
  • name is the meta key name from the NetWitness Platform Mapping column of the tables above.

<language>
<key description="Product" format="Text" level="IndexValues" name="product" valueMax="250000" defaultAction="Open"/>
<key description="Severity" format="Text" level="IndexValues" name="severity" valueMax="250000" defaultAction="Open"/>
<key description="Destination Dns Domain" format="Text" level="IndexValues" name="ddomain" valueMax="250000" defaultAction="Open"/>
<key description="Domain" format="Text" level="IndexValues" name="domain" valueMax="250000" defaultAction="Open"/>
<key description="Destination Host" format="Text" level="IndexValues" name="host.dst" valueMax="250000" defaultAction="Open"/>
<key description="End Time" format="TimeT" level="IndexValues" name="endtime" valueMax="250000" defaultAction="Open"/>
<key description="Checksum" format="Text" level="IndexValues" name="checksum" valueMax="250000" defaultAction="Open"/>
<key description="Filename Size" format="Int32" level="IndexValues" name="filename.size" valueMax="250000" defaultAction="Open"/>
<key description="Gateway" format="Text" level="IndexValues" name="gateway" valueMax="250000" defaultAction="Open"/>
<key description="Domain OU" format="Text" level="IndexValues" name="dn" valueMax="250000" defaultAction="Open"/>
<key description="Risk Number" format="Float64" level="IndexValues" name="risk.num" valueMax="250000" defaultAction="Open"/>
<key description="ReputationResult" format="Text" level="IndexValues" name="cs.represult" valueMax="250000" defaultAction="Open"/>
<key description="Module Score" format="Text" level="IndexValues" name="cs.modulescore" valueMax="250000" defaultAction="Open"/>
<key description="Module Sign" format="Text" level="IndexValues" name="cs.modulesign" valueMax="250000" defaultAction="Open"/>
<key description="opswat result" format="Text" level="IndexValues" name="cs.opswatresult" valueMax="250000" defaultAction="Open"/>
<key description="source module" format="Text" level="IndexValues" name="cs.sourcemodule" valueMax="250000" defaultAction="Open"/>
<key description="Target Module" format="Text" level="IndexValues" name="cs.targetmodule" valueMax="250000" defaultAction="Open"/>
<key description="yara result" format="Text" level="IndexValues" name="cs.yararesult" valueMax="250000" defaultAction="Open"/>
<key description="Protocol" format="Text" level="IndexValues" name="protocol" valueMax="250000" defaultAction="Open"/>
<key description="Event Time" format="TimeT" level="IndexValues" name="event.time" valueMax="250000" defaultAction="Open"/>
<key description="Source Host" format="Text" level="IndexValues" name="host.src" valueMax="250000" defaultAction="Open"/>
<key description="Start Time" format="TimeT" level="IndexValues" name="starttime" valueMax="250000" defaultAction="Open"/>
<key description="Timezone" format="Text" level="IndexValues" name="timezone" valueMax="250000" defaultAction="Open"/>
<key description="Received Bytes" format="UInt64" level="IndexValues" name="rbytes" valueMax="250000" defaultAction="Open"/>
<key description="Agent User" format="Text" level="IndexValues" name="user.agent" valueMax="250000" defaultAction="Open"/>
<key description="Source Bytes" format="UInt64" level="IndexValues" name="bytes.src" valueMax="250000" defaultAction="Open"/>
<key description="Strans Address" format="Text" level="IndexValues" name="stransaddr" valueMax="250000" defaultAction="Open"/>
</language>

Result

Analysts can:

  • Create NetWitness Platform alerts based on NetWitness Endpoint events by configuring NetWitness Endpoint events as an enrichment source.
  • Create ESA rules using NetWitness Endpoint meta as described in the "Add Rules to the Rules Library" topic in the Alerting Using ESA Guide.
  • Report on NetWitness Endpoint events using NetWitness Endpoint meta as described in the "Configure a Rule" topic in the Reporting Guide.
  • View NetWitness Endpoint alerts in NetWitness Respond as described in the "View Alerts" topic in NetWitness Respond User Guide.
  • View NetWitness Endpoint meta keys in Investigation along with standard NetWitness Platform core meta keys as described in the "Conduct an Investigation" topic in Investigation and Malware Analysis User Guide.
