This procedure is required to integrate NetWitness Endpoint with NetWitness Suite so that the NetWitness Endpoint alerts are picked up by the Respond component of NetWitness Suite and displayed in the RESPOND > Alerts view.
The diagram below represents the flow of NetWitness Endpoint alerts to the Respond Incident List view of NetWitness Suite and its display in the RESPOND > Alerts view.
Ensure that you have the following:
- The Respond service is installed and running on NetWitness Suite 11.0.
- NetWitness Endpoint 184.108.40.206, 220.127.116.11, or 4.4 is installed and running.
Configure NetWitness Endpoint to Forward NetWitness Endpoint Alerts
To configure NetWitness Endpoint to send alerts over the message bus to the NetWitness Suite user interface:
In the NetWitness Endpoint user interface, click Configure > Monitoring and External Components.
- From the components listed, select Incident Message Broker and click + to add a new IM broker.
Enter the following fields:
- Instance Name: Enter a unique name to identify the IM broker.
- Server Hostname/IP address: Enter the Host DNS or IP address of the IM broker (NetWitness Server).
- Port number: The default port is 5671.
- Click Save.
- Navigate to the ConsoleServer.exe.config file in C:\Program Files\RSA\ECAT\Server.
Modify the virtual host configurations in the file as follows:
<add key="IMVirtualHost" value="/rsa/system" />
Restart the API Server and Console Server.
To set up SSL for Respond Alerts, perform the following steps on the NetWitness Endpoint primary console server to set the SSL communications:
- Export the NetWitness Endpoint CA certificate to .CER format (Base-64 encoded X.509) from the personal certificate store of the local computer (without selecting the private key).
Generate a client certificate for NetWitness Endpoint using the NetWitness Endpoint CA certificate. (You MUST set the CN name to ecat.)
makecert -pe -n "CN=ecat" -len 2048 -ss my -sr LocalMachine -a sha1 -sky exchange -eku 18.104.22.168.22.214.171.124.2 -in "NweCA" -is MY -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -cy end -sy 12 client.cer
Make a note of the thumbprint of the client certificate generated in step b. Enter the thumbprint value of the client certificate in the IMBrokerClientCertificateThumbprint section of the ConsoleServer.Exe.Config file as shown.
<add key="IMBrokerClientCertificateThumbprint" value="896df0efacf0c976d955d5300ba0073383c83abc"/>
On the NetWitness Server, copy the NetWitness Endpoint CA certificate file in .CER format into the import folder:
Issue the following command to initiate the necessary Chef run:
This appends all of those certificates into the truststore.
Restart the RabbitMQ server:
systemctl restart rabbitmq-server
The NetWitness Endpoint account should automatically be available on RabbitMQ.
- Import the /etc/pki/nw/ca/nwca-cert.pem and /etc/pki/nw/ca/ssca-cert.pem files from the NetWitness Server and add them to the Trusted Root Certification stores in the Endpoint Server.
This section suggests how to resolve problems you may encounter when you configure NetWitness Endpoint alerts via Message Bus.