RSA customers who are using RSA NetWitness Endpoint 4.1.2, 4.3, or 4.4 can integrate NetWitness Endpoint and RSA NetWitness Suite in several different ways. This guide is for RSA NetWitness Suite version 11.1.
Built-in NetWitness Endpoint Lookup
With the RSA NetWitness Endpoint user interface (UI) installed on the same machine where the analyst is using a browser to access NetWitness Suite, the built-in NetWitness Endpoint Lookup in NetWitness Suite Investigation and NetWitness Suite Respond provides right-click access to the NetWitness Endpoint console server for the following meta keys: IP address (ip-src, ip-dst, ipv6-src, ipv6-dst, orig_ip), host (alias-host, domain.dst), client, and file-hash. These are described in the "Launch an External Lookup of a Meta Key" topic in the Investigation and Malware Analysis User Guide and the "View Alerts" topic in the NetWitness Respond User Guide.
No NetWitness Suite configuration is required for endpoint lookup when you are using one of the built-in parsers (NetWitness Endpoint or CEF) and you have not customized the default meta keys used when loading metadata in Investigation. For more information, see the "Manage and Apply Default Meta Keys in an Investigation" topic in the Investigation and Malware Analysis User Guide.
With an RSA NetWitness Endpoint 4.1.2, 4.3, or 4.4 console server installed on a Windows host and proper configuration of NetWitness Endpoint and NetWitness Suite by an administrator, three additional integrations of NetWitness Endpoint analysis data are possible.
The following are the RSA NetWitness Endpoint integration methods:
- Configure Endpoint Alerts via Message Bus
- Configure Contextual Data from Endpoint via Recurring Feed
- Configure Endpoint Alerts via Syslog into a Log Decoder
Endpoint alerts via message bus into NetWitness Respond. This integration provides the capability for forwarding Endpoint alerts to Respond via message bus.
Contextual data from Endpoint via a NetWitness Suite Live recurring feed. This integration can enrich the session displayed in NetWitness Suite Investigation with contextual information; some examples include the host operating system, MAC address, IIOC score, and other data that may not be present in the log or packet data.
NetWitness Endpoint alerts via Syslog (CEF) into NetWitness Suite Log Decoders. This integration provides the capability to forward Endpoint events via Syslog and to correlate the events with other log or packet metadata in the NetWitness Suite ecosystem.
NetWitness Endpoint Meta Integration
The NetWitness Endpoint Meta Integration with RSA NetWitness Suite offers customers that have both products a way to more easily take advantage of their products in a single user interface. The following diagram illustrates how NetWitness Endpoint integrates with the NetWitness Suite. The NetWitness Endpoint metadata is collected and published from all machines where NetWitness Endpoint agents are deployed, and then sent to the NetWitness Suite Log Decoder.
The meta can then be viewed in the associated NetWitness Suite Concentrator and also in NetWitness Suite Investigate.
NetWitness Endpoint Alerts and Indicators of Compromise
A NetWitness Endpoint IIOC (Instant Indicator of Compromise) is a database query that NetWitness Endpoint runs on collected scan data to determine whether potential malware is present on scanned hosts. RSA NetWitness Endpoint 4.1.2 or later ships with IOCs that users can enable and mark as alertable. RSA NetWitness Endpoint runs the IOC queries regularly on new scan data as it is collected and stored in the database. If an IOC query returns a match, this indicates a potential compromise, and the event can be reported to a user or sent to an external system as an alert.
Possible types of alerts are:
- Machine alert: This alert indicates that the machine in question is suspicious.
- Module alert: This alert indicates that a module, such as a file, a DLL, or an executable, is suspicious. It contains details about the module in question.
- Event alert: This alert represents any other suspicious activity detected by NetWitness Endpoint that does not fall into the above categories.
Each of these alert types can be sent to NetWitness Suite.
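As an added example that is not part of this guide or the product, the following Python code parses a CEF-framed endpoint alert of the kind the Syslog integration forwards to a Log Decoder, and pulls out the alert type (Machine, Module, or Event) together with the meta keys the built-in lookup acts on (ip-src, ip-dst, alias-host, file-hash). The CEF header layout is the standard ArcSight format; the sample alert line, the extension keys chosen, and their mapping to NetWitness meta keys are constructed assumptions, not the product's own field names.

```python
import re

# Assumed mapping from CEF extension keys to the NetWitness meta keys the lookup uses.
CEF_TO_META = {"src": "ip-src", "dst": "ip-dst", "dhost": "alias-host", "fileHash": "file-hash"}
ALERT_TYPES = {"Machine", "Module", "Event"}

# Standard CEF header: CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension
HEADER_RE = r"CEF:(\d+)\|" + r"((?:\\.|[^|\\])*)\|" * 6 + r"(.*)$"
# Extension is key=value pairs; a value runs until the next " key=" or end of line.
EXT_RE = r"(\w+)=((?:\\.|[^=\\])*?)(?=\s\w+=|$)"

# Constructed sample alert; the hash is the SHA-256 of empty input, used as a placeholder.
SAMPLE = ("CEF:0|RSA|NetWitness Endpoint|4.4|1001|Module alert: suspicious DLL|8|"
          "src=10.0.0.5 dst=192.0.2.10 dhost=ws01 "
          "fileHash=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 "
          "cs1Label=alertType cs1=Module msg=path\\=C:\\\\tmp\\\\a.dll")


def _unescape(text, special):
    # Drop the backslash before an escaped special character or an escaped backslash.
    return re.sub(r"\\([" + re.escape(special) + r"\\])", r"\1", text)


def parse_cef(line):
    """Split a CEF line into its seven header fields plus an 'extension' dict."""
    m = re.match(HEADER_RE, line)
    if not m:
        raise ValueError("not a CEF line")
    names = ("version", "vendor", "product", "dev_version", "sig_id", "name", "severity")
    alert = {n: _unescape(v, "|") for n, v in zip(names, m.groups()[:7])}
    alert["extension"] = {k: _unescape(v, "=") for k, v in re.findall(EXT_RE, m.group(8))}
    return alert


def lookup_meta(alert):
    """Return (alert_type, {meta_key: value}) for the fields the lookup can act on.

    The alert type is carried in an assumed custom field pair cs1Label/cs1."""
    ext = alert["extension"]
    alert_type = ext.get("cs1") if ext.get("cs1Label") == "alertType" else None
    if alert_type not in ALERT_TYPES:
        raise ValueError("unknown alert type: %r" % alert_type)
    meta = {CEF_TO_META[k]: v for k, v in ext.items() if k in CEF_TO_META}
    return alert_type, meta


if __name__ == "__main__":
    print(lookup_meta(parse_cef(SAMPLE)))
```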