000036037 - How to enable Threat Insights live connect for context-hub in RSA NetWitness

Document created by RSA Customer Support Employee on Feb 27, 2018

Article Content

Article Number: 000036037
Applies To: RSA Product Set: NetWitness Logs and Packets
RSA Product/Service Type: Security Analytics Server
RSA Version/Condition: 10.6.x.x & 11.0.x.x
 
Issue: This article is helpful if you want to:
  • Have "Live Connect" as a data source for your RSA Context-Hub service.
  • Properly configure RSA Automated Threat Detection (ATD).
Cause
  • The ESA appliance MUST have connectivity to RSA's Live URL "cms.netwitness.com".
  • A connection from the ESA host to the Whois service (same location as RSA Live, cms.netwitness.com:443) must be opened on port 443.
Resolution
  • Confirm that you have a valid RSA Live account and that both "Threat Insights" and "Analyst Behavior" are enabled.
  • However, only Analyst Behavior shows as enabled in the UI, as depicted below:

User-added image


  • When you go to the Context-Hub service configuration page, you won't find Live Connect among the available data sources, as shown below:

User-added image


  • SSH into the ESA appliance and perform the checks and configuration changes below to ensure that ESA can reach "cms.netwitness.com":


> Notice that there is no connectivity from ESA to cms.netwitness.com:

[root@esa conf]# curl -v 69.195.204.202:80
* About to connect() to 69.195.204.202 port 80 (#0)
*   Trying 69.195.204.202... Connection timed out
* couldn't connect to host
* Closing connection #0
curl: (7) couldn't connect to host
[root@esa conf]# curl -v 69.195.204.202:443
* About to connect() to 69.195.204.202 port 443 (#0)
*   Trying 69.195.204.202... Connection timed out
* couldn't connect to host
* Closing connection #0
curl: (7) couldn't connect to host
[root@esa conf]# wget http://69.195.204.202
--2018-02-18 15:03:17--  http://69.195.204.202/
Connecting to 69.195.204.202:80...

> Configure iptables to allow communication with cms.netwitness.com:

[root@esa conf]# iptables -I INPUT -s 69.195.204.202  -j ACCEPT
[root@esa conf]# iptables -I OUTPUT -s 69.195.204.202  -j ACCEPT
[root@esa conf]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]

> Validating communication with cms.netwitness.com:

[root@esa conf]# curl -V  69.195.204.202:80
curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Protocols: tftp ftp telnet dict ldap ldaps http file https ftps scp sftp
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz
[root@esa conf]# curl -v  69.195.204.202:80
* About to connect() to 69.195.204.202 port 80 (#0)
*   Trying 69.195.204.202... connected
* Connected to 69.195.204.202 (69.195.204.202) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: 69.195.204.202
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx
< Date: Sun, 18 Feb 2018 15:14:03 GMT
< Content-Type: text/html
< Content-Length: 2
< Last-Modified: Tue, 25 Jul 2017 15:48:17 GMT
< Connection: keep-alive
< ETag: "59776841-2"
< Accept-Ranges: bytes
<


* Connection #0 to host 69.195.204.202 left intact
* Closing connection #0
[root@esa conf]# curl -v  69.195.204.202:443
* About to connect() to 69.195.204.202 port 443 (#0)
*   Trying 69.195.204.202... connected
* Connected to 69.195.204.202 (69.195.204.202) port 443 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: 69.195.204.202:443
> Accept: */*
>
< HTTP/1.1 400 Bad Request
< Server: nginx
< Date: Sun, 18 Feb 2018 15:14:07 GMT
< Content-Type: text/html
< Content-Length: 264
< Connection: close
<
<html>
<head><title>400 The plain HTTP request was sent to HTTPS port</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<center>The plain HTTP request was sent to HTTPS port</center>
<hr><center>nginx</center>
</body>
</html>
* Closing connection #0
[root@esa conf]# wget  https://69.195.204.202
--2018-02-18 15:14:05--  https://69.195.204.202/
Connecting to 69.195.204.202:443... connected.
    ERROR: certificate common name “cms.netwitness.com” doesn't match requested host name “69.195.204.202”.
To connect to 69.195.204.202 insecurely, use ‘--no-check-certificate’.
[root@esa conf]# wget  http://69.195.204.202
--2018-02-18 15:14:10--  http://69.195.204.202/
Connecting to 69.195.204.202:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2 [text/html]
Saving to: “index.html”

100%[===============================================================================================================>] 2           --.-K/s   in 0s

2018-02-18 15:14:10 (155 KB/s) - “index.html” saved [2/2]
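
The SSH checks above can be scripted. The following is an added example written for this article, not an RSA script and not part of the KB: it resolves cms.netwitness.com, tests the TCP handshake on 443 from the ESA host and, on failure, prints the iptables rules that open the path. It assumes bash with /dev/tcp support plus the `timeout` and `getent` utilities on the ESA host (all present on the CentOS 6 base of a 10.6.x ESA); the function and variable names are my own. One caveat it encodes: the OUTPUT rule is written with -d (destination), because outbound packets carry the ESA's own address as their source, so an OUTPUT rule keyed on -s <remote IP>, as in the session above, never matches them; the INPUT rule with -s is what admits the replies.

```shell
#!/bin/bash
# Added example for this article (not RSA's code): pre-check the path from the
# ESA host to RSA Live and print the iptables rules that open it.
# Assumptions: bash (/dev/tcp), `timeout` and `getent` exist on the host, as on
# the CentOS 6 base of a 10.6.x ESA. Rules are printed, not applied.

LIVE_HOST="cms.netwitness.com"   # RSA Live / Whois endpoint named in the article
LIVE_PORT=443                    # the only port the Cause section requires

# Print the first IPv4 address for a hostname, or nothing if it does not resolve.
resolve_ipv4() {
    getent ahostsv4 "$1" 2>/dev/null | awk 'NR==1 {print $1}'
}

# Return 0 when a TCP handshake to host:port completes within 5 seconds.
# Uses bash's /dev/tcp so it works even if curl/wget are unavailable.
tcp_reachable() {
    local host="$1" port="$2"
    timeout 5 bash -c "exec 3<>/dev/tcp/${host}/${port}" 2>/dev/null
}

# Print the two iptables rules for one Live IP. Direction matters: INPUT matches
# the remote as source (-s) for the replies; OUTPUT must match it as destination
# (-d), because outbound packets have the ESA's own address as source.
iptables_rules_for() {
    printf 'iptables -I INPUT -s %s -j ACCEPT\n' "$1"
    printf 'iptables -I OUTPUT -d %s -j ACCEPT\n' "$1"
}

# Full check: resolve, test tcp/443, and print the remediation on failure.
check_live_connect() {
    local ip
    ip=$(resolve_ipv4 "$LIVE_HOST")
    if [ -z "$ip" ]; then
        echo "FAIL: cannot resolve $LIVE_HOST (check /etc/resolv.conf on the ESA host)"
        return 1
    fi
    if tcp_reachable "$ip" "$LIVE_PORT"; then
        echo "OK: $LIVE_HOST ($ip) reachable on tcp/$LIVE_PORT"
        return 0
    fi
    echo "FAIL: $LIVE_HOST ($ip) not reachable on tcp/$LIVE_PORT"
    echo "If the local iptables policy is the cause, open the path with:"
    iptables_rules_for "$ip"
    echo "service iptables save"
    return 1
}

# Only run the live check when explicitly asked, so sourcing the file is harmless.
if [ "${1:-}" = "--run" ]; then
    check_live_connect
fi
```

Run it on the ESA host as `bash check_live.sh --run`. Testing by raw IP, as the session above does, produces the wget "certificate common name doesn't match" error because the certificate is issued for cms.netwitness.com; that is expected and does not call for `--no-check-certificate`. Once the rules are in place, validate with the hostname (`curl -v https://cms.netwitness.com/`) so the TLS check passes.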


  • Now go back to the RSA NetWitness UI, where "Threat Insights" should automatically show as green/enabled.

User-added image


  • You should also see that "Live Connect" has been automatically added as a data source to your "Context-Hub" service:

User-added image



 
