Configure Contextual Data from Endpoint via Recurring Feed

Document created by RSA Information Design and Development on Sep 15, 2017. Last modified by RSA Information Design and Development on Nov 16, 2017. Version 11.

You can configure RSA NetWitness Endpoint data in RSA NetWitness Suite so that NetWitness Endpoint provides contextual data to Decoder and Log Decoder sessions. This configuration adds contextual meta values, in addition to the instant IOC alerts, that can be used to build correlations to other metadata in the NetWitness Suite ecosystem.

Administrators can configure NetWitness Suite to consume system scan contextual data from NetWitness Endpoint via a NetWitness Suite Live recurring feed. This integration enriches sessions from a Decoder or Log Decoder with contextual information that is displayed in NetWitness Suite Investigation, for example the host operating system, MAC address, IIOC score, and other data that may not be present in the log or packet data itself.

Note: Although this feature is targeted for customers with a packet Decoder, a recurring feed can also be implemented in Log Decoders.

Caution: In environments with many NetWitness Endpoint hosts, use of this recurring feed may result in decreased performance on the NetWitness Suite ingest devices (Decoder and Log Decoder).

Prerequisites

  • Version 4.3.0.4, 4.3.0.5, or 4.4 NetWitness Endpoint Console server and NetWitness Server Version 10.4 and above installed.
  • Version 11.0 RSA Decoder and Concentrator connected to the NetWitness Server in the network.

To configure contextual data from NetWitness Endpoint via a recurring feed, perform the following:

  1. Enable the NetWitness Endpoint Feed for NetWitness Suite in the NetWitness Endpoint User Interface.
  2. Export the NetWitness Endpoint CA Certificate from the NetWitness Endpoint Console server and Import it into NetWitness Suite trust store.
  3. Configure the NetWitness Suite Concentrator service to define which meta keys are indexed.
  4. Create a recurring feed in NetWitness Suite Live.

Enable the NetWitness Endpoint Feed for NetWitness Suite

  1. In the NetWitness Endpoint user interface, create a SQL user in NetWitness Endpoint:
    1. Open the NetWitness Endpoint user interface and log on using the proper credentials.
    2. From the menu bar, select Configure > Manage Users and Roles, right-click in the pane, and select create sql user.
      The Create a new SQL User dialog is displayed.
      Figure: Create a new SQL User dialog
    3. Enter the Login Name and Password and click Create.
  2. From the menu bar, select Configure > Monitoring External Components.
    The External Components Configuration dialog is displayed.
    Figure: External Components Configuration dialog
  3. In NetWitness Suite, click +.
    The NetWitness Suite dialog is displayed.
    Figure: NetWitness Suite dialog
  4. In the NetWitness Suite panel, in On, enter the name that identifies the NetWitness Suite component.
  5. In the NetWitness Suite Connection panel, perform the following:
    1. In the Server Hostname/IP field, enter the host name or IP address of the NetWitness Server.
    2. In the Port field, enter the port number. The default port number is 443.
  6. In the Configure NetWitness Suite panel, perform the following:
    1. In the Servers Time Zone field, select the time zone for the component from the drop-down list.
    2. In the Device Identifier field, enter the NetWitness Suite Concentrator device ID.
      Note: You can find the Device Identifier in NetWitness Suite when you look up a Concentrator or Broker in Investigation > Navigate > <Concentrator or Broker Name>. The Device Identifier is the number in the URL after "investigation". For example, in the URL https://<IP address>/investigation/319/navigate/values, the Device Identifier is 319.
      The URI field is populated when you click Save.
  7. In the Query Optimization panel, in the Do Not Perform Query Older Than field, enter the number of days to limit the query period. Enter 0 if you do not want to use this feature.
  8. In the Query Time Range panel, perform the following:
    1. In the Minimum field, enter the number of minutes for the minimum query time range. This value is used to automatically increase the time range submitted to NetWitness Suite. This ensures that a query returns a positive response if the NetWitness Endpoint Agent's reported time is slightly different from NetWitness Endpoint's time.
    2. In the Maximum field, enter the number of minutes to limit the time range. This value is used to automatically limit the time range submitted to NetWitness Suite, so that a query does not overload the NetWitness Server.
  9. In the Configure RSA NetWitness Endpoint Feeds for NetWitness Suite panel, perform the following:
    1. Select Enable RSA NetWitness Endpoint Feed.
    2. In the URL field, enter the SQL Username and Password (configured in step 1) to access the location of the feed.
      The URL field is populated when you click Save.
    3. Enter the time interval for the frequency at which feeds are published.
  10. In the Feed Publishing Interval panel, in the Time Interval field, select the time interval in hours and minutes for the frequency at which feeds are published.
  11. In the Enable URL access to below user panel, enter the Username and Password of the NetWitness Endpoint user.
  12. Click Save.
    A feed is created.

Export the NetWitness Endpoint SSL Certificate

Note: This procedure works only for NetWitness Suite 10.5 and above because Java 8 support was added for 10.5. If you are using an earlier version of NetWitness Suite, refer to the applicable version of this guide.

To export the NetWitness Endpoint CA certificate from the NetWitness Endpoint Console server and copy it to the NetWitness Suite host:

  1. Log on to the NetWitness Endpoint Console server.
  2. Open MMC.
  3. Add a certificate snap-in for the Computer account.
  4. Export the certificate named EcatCA:
    1. Export without a private key.
    2. Export in DER encoded binary X.509 (.CER) format.
    3. Name it EcatCA.cer (or NweCA.cer for a fresh installation, as used in step 5).
  5. Copy the NetWitness Endpoint CA certificate to the NetWitness Suite host:
    • For a NetWitness Endpoint 4.3.0.4, 4.3.0.5, or 4.4 fresh installation:
      scp NweCA.cer root@<sa-machine>:.
    • For NetWitness Endpoint upgraded from a previous version to 4.3.0.4 or 4.3.0.5:
      scp EcatCA.cer root@<sa-machine>:.
  6. To import the NetWitness Endpoint CA certificate into the NetWitness Suite trusted store, perform the following:
    1. Check the Java version installed on your NetWitness Suite host using the following command:
      java -version
      The OpenJDK version is displayed, for example: openjdk version "1.8.0_71"
    2. Set the JDK variable to the JRE directory of the installed Java version (the path below is an example; adjust it to match the version displayed in the previous step), then import the certificate:
      JDK=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.141-1.b16.el7_3.x86_64/jre/
    • For a NetWitness Endpoint fresh installation:
      $JDK/bin/keytool -import -v -trustcacerts -alias nweca -file ~/NweCA.cer -keystore $JDK/lib/security/cacerts -storepass changeit
    • For NetWitness Endpoint upgraded from a previous version:
      $JDK/bin/keytool -import -v -trustcacerts -alias ecatca -file ~/EcatCA.cer -keystore $JDK/lib/security/cacerts -storepass changeit
    When prompted to confirm that the certificate should be trusted, enter Yes.
  7. On the NetWitness Suite host, do one of the following:
    • For a NetWitness Endpoint 4.3.0.4, 4.3.0.5, or 4.4 fresh installation, edit /etc/hosts to map the IP address of the NetWitness Endpoint Console server to the name NweServerCertificate by adding the following line to the file:
      <ip-address-ecat-cs> NweServerCertificate
    • For NetWitness Endpoint upgraded from a previous version to 4.3.0.4 or 4.3.0.5, edit /etc/hosts to map the IP address of the upgraded NetWitness Endpoint Console server to the name ecatserverexported by adding the following line to the file:
      <ip-address-ecat-cs> ecatserverexported
  8. To restart NetWitness Suite, enter the following command:
    service jetty restart

Configure the NetWitness Suite Concentrator Service

  1. Log on to NetWitness Suite and go to ADMIN > Services.
  2. Select a Concentrator from the list and select View > Config.
  3. Select the Files tab, and from the Files to Edit drop-down menu, select index-concentrator-custom.xml.
  4. Add the following NetWitness Endpoint meta keys to the file and click Apply. Make sure that the file already contains the required XML sections; if the lines are not included, add them. The following lines are examples; make sure the values match your configuration and the column names you included in the feed definition, where:
    description is the name of the meta key you want to display in NetWitness Suite Investigation.
    level is "IndexValues".
    name matches the column name of the CSV file that NetWitness Suite uses while defining the recurring feed (see the table in Configure the Recurring Custom Feed Task in NetWitness Suite below).

    <key description="Gateway" format="Text" level="IndexValues" name="gateway" valueMax="250000" defaultAction="Open"/>
    <key description="Risk Number" format="Float64" level="IndexValues" name="risk.num" valueMax="250000" defaultAction="Open"/>
    <key description="Strans Addr" format="Text" level="IndexValues" name="stransaddr" valueMax="250000" defaultAction="Open"/>
    <key description="Domain" format="Text" level="IndexValues" name="domain" valueMax="250000" defaultAction="Open"/>
    <key description="User Account" format="Text" level="IndexValues" name="username" valueMax="250000" defaultAction="Open"/>
    <key description="Ecat Connectiontime" format="Text" level="IndexValues" name="ecat.ctime" valueMax="250000" defaultAction="Open"/>
    <key description="Ecat Scantime" format="Text" level="IndexValues" name="ecat.stime" valueMax="250000" defaultAction="Open"/>

  5. Restart the Concentrator to activate the custom key updates.

Configure the Recurring Custom Feed Task in NetWitness Suite

  1. Log on to NetWitness Suite and go to CONFIGURE > Custom Feeds.
    The Feeds view is displayed.
  2. In the toolbar, click the Add icon.
    The Setup Feed dialog is displayed.
  3. In the Setup Feed dialog, select Custom Feed and click Next.
    The Configure a Custom Feed wizard is displayed, with the Define Feed form open.
  4. In the Define Feed form, perform the following:
    1. Select the Authenticated checkbox and enter the username and password noted in Enable the NetWitness Endpoint Feed for NetWitness Suite above.
    2. Click Verify to check whether NetWitness Suite can reach the web resource.
    3. Define the schedule and click Next.
      Figure: Define Feed
  5. In the Select Services tab, select the Decoder or groups to consume the feed. Click Next.
  6. In the Define Columns tab, enter the column names as shown in the table below and save the feed.
    Figure: Define Columns

The following table shows the columns in the CSV file for the NetWitness Endpoint feed.

                                                                                   
ColumnNameDescriptionColumn Name in NetWitness Suite (Meta Key Name)
1MachineNameHost name of the Windows agentalias.host
2LocalIpIPv4 addressIP type (indexed column)
3RemoteIpFar end IP as seen by the routerstransaddr
4GatewayIpIP of the gatewaygateway
5MacAddressMAC addresseth.src
6OperatingSystemOperating system used by the Windows AgentOS
7AgentIDAgent ID of the host (unique ID assigned to the agent)client
8ConnectionUTCTimeLast time when the agent connected to NetWitness Endpoint serverecat.ctime
9Source DomainDomaindomain.src
10ScanUTC timeLast time when the agent was scannedecat.stime

11

UserName

Username of the client machine

username

12Machine ScoreScore of the agent indicating the suspicious levelrisk.num

Note: In the table, the recommended index setting is LocalIp. However, if the LocalIp of a NetWitness Endpoint Agent PC is allocated by a DHCP server, the DHCP lease has expired, and the IP is then re-allocated to another PC, the metadata created by the feed will be incorrect. To avoid this risk, use the machine name or the MAC address instead of the LocalIp address as the feed's index. For example, to use a MAC address, you could enter the values as shown in the following figure.

Figure: MAC address as the index for the endpoint feed
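The following script, added here as an example rather than taken from RSA's documentation, checks the two places where this procedure can silently go wrong: it parses a constructed index-concentrator-custom.xml fragment to confirm that every meta key the feed writes is either built in or indexed with level IndexValues, and it inspects constructed feed rows for a LocalIp shared by several hosts (the expired-DHCP-lease case from the note above) to decide whether LocalIp or MacAddress should be the feed index. The language wrapper element, the set of built-in keys, and the LocalIp to ip.src mapping (taken from the Result section) are assumptions.

```python
import csv
import io
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed, abbreviated sample of index-concentrator-custom.xml: the <language>
# wrapper is assumed, and the ecat.stime key is left out on purpose so the check fires.
CUSTOM_INDEX_XML = """<language level="IndexNone" defaultAction="Auto">
<key description="Gateway" format="Text" level="IndexValues" name="gateway"/>
<key description="Risk Number" format="Float64" level="IndexValues" name="risk.num"/>
<key description="Strans Addr" format="Text" level="IndexValues" name="stransaddr"/>
<key description="User Account" format="Text" level="IndexValues" name="username"/>
<key description="Ecat Connectiontime" format="Text" level="IndexValues" name="ecat.ctime"/>
</language>"""

# Feed column -> meta key, following the column table in this guide (LocalIp -> ip.src
# is assumed from the Result section).
FEED_COLUMNS = {
    "MachineName": "alias.host", "LocalIp": "ip.src", "RemoteIp": "stransaddr",
    "GatewayIp": "gateway", "MacAddress": "eth.src", "OperatingSystem": "OS",
    "AgentID": "client", "ConnectionUTCTime": "ecat.ctime", "Source Domain": "domain.src",
    "ScanUTC time": "ecat.stime", "UserName": "username", "Machine Score": "risk.num",
}
# Assumption: these keys are already indexed by the Concentrator's default index.
BUILTIN_KEYS = {"alias.host", "ip.src", "eth.src", "OS", "client", "domain.src"}

# Constructed feed rows: two hosts report the same LocalIp (a reused DHCP lease).
FEED_CSV = """MachineName,LocalIp,MacAddress,UserName,Machine Score
WS-0001,10.0.0.21,00-11-22-33-44-55,alice,12.5
WS-0002,10.0.0.21,00-11-22-33-44-66,bob,40.0
"""

def index_values_keys(xml_text):
    """Names of the custom keys whose values the Concentrator will index."""
    root = ET.fromstring(xml_text)
    return {k.get("name") for k in root.iter("key") if k.get("level") == "IndexValues"}

def unindexed_feed_keys(columns, xml_text, builtin):
    """Meta keys the feed writes that neither a built-in key nor an IndexValues entry covers."""
    return sorted(set(columns.values()) - index_values_keys(xml_text) - builtin)

def choose_index_column(csv_text):
    """Return 'MacAddress' when one LocalIp is shared by several hosts, else 'LocalIp'."""
    hosts_by_ip = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        hosts_by_ip[row["LocalIp"]].add(row["MachineName"])
    reused = any(len(hosts) > 1 for hosts in hosts_by_ip.values())
    return "MacAddress" if reused else "LocalIp"
```

Run unindexed_feed_keys against the real custom index file before restarting the Concentrator; any key it returns will be written by the feed but will not be searchable in Investigation.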

Result

When viewing feed data in NetWitness Suite, upon a match of the indexed value (ip.src), metadata is populated in the Investigation, Reporting, and Alerting interfaces.
