Endpoint: Configure Metadata Forwarding for the NetWitness Endpoint 11.1 Agents

Document created by RSA Information Design and Development on Mar 16, 2018
Last modified by RSA Information Design and Development on Nov 2, 2018
Version 7
You can view Endpoint metadata in the NetWitness Platform Investigate views (Navigate and Event Analysis), just as you view Logs and Packets metadata. To do so, you must enable metadata forwarding, which forwards the following categories:

                       
Operating SystemCategories
Windows File, Service, DLL, Process, Task, Autorun, and Machine
Linux File, Autrorun, Loaded Library, Systemd, Process, Cron, Initd, Machine
MacFile, Daemon, Process, Task, Loaded Library, Autorun, Machine

Configuring Metadata Forwarding

  1. Go to ADMIN > Services.
  2. In the Services view, select the Endpoint Server service.
  3. Click and select > View > Config.
  4. Click the General tab.
    (Screenshot: Configure the Endpoint Meta)
  5. Click Add Endpoint Meta in the toolbar.
    The Available Services dialog is displayed.
  6. Select the Log Decoder service and click OK.
    The Add Service dialog is displayed. You can add only one Log Decoder service.
    (Screenshot: Add Services)
  7. Enter the administrator credentials for authentication.
  8. (Optional) If you enable Raw Data, a brief summary of the session is sent along with the metadata.
  9. (Optional) If you have enabled SSL on the REST port of the Log Decoder, select the REST SSL option. By default, the REST port is 50202 for non-SSL and 56202 for SSL.
  10. Select the Protobuf SSL option to enable SSL on Protobuf. By default, the Protobuf port is 50202.
  11. Click Save.

After configuring the metadata forwarding, make sure to:

  • Start the capture on the Log Decoder
  • Start the aggregation on the Concentrator
  • Add the Log Decoder as a service in the Concentrator

Starting Metadata Forwarding to the Log Decoder

  1. In the Endpoint Meta config view, select the service.
  2. Click
    The Endpoint Server starts forwarding the metadata to the Log Decoder.

Stopping Metadata Forwarding to the Log Decoder

  1. In the Endpoint Meta config view, select the service.
  2. Click
    The Endpoint Server stops forwarding the metadata to the Log Decoder.

Removing Metadata Forwarding

Note: Make sure you stop the service before removing the metadata forwarding.

  1. In the Endpoint Meta config view, select the service.
  2. Click .
  3. Click Apply.

Endpoint Metadata Mappings

You can view the default metadata mappings or modify the metadata mappings for endpoints.

JSON Schema for Metadata Mappings

All metadata mappings are configured using the JSON schema. The following is a sample JSON schema:

{
  "metaKeyPairs" : [
    {
      "metaKeyPairsCategory" : "",
      "keyPairs" : [
        {
          "endpointJpath" : "",
          "metaName" : "",
          "type" : "",
          "enabled" : true
        },
        {
          "endpointJpath" : "",
          "metaName" : "",
          "type" : "",
          "enabled" : true
        }
      ]
    }
  ]
}

The following APIs are used to view or modify the metadata mappings:

  • get-default - Returns the default configurations for the endpoint metadata mappings.
  • get-custom - Returns the custom configurations for the endpoint metadata mappings.
  • set-custom - Customizes the endpoint metadata mappings.

Viewing the Metadata Mappings

To view the endpoint metadata mappings:

  1. On the NW server, run the nw-shell command from the command line.
  2. Run the login command and enter the credentials.
  3. Connect to the Endpoint Server using the following command:
    connect --host <IP address> --port <number>

Note: The default port is 7050.

  4. Run the following commands:
    cd endpoint/meta
    cd get-default
    invoke

The following screen shows the default metadata mappings:

(Screenshot: Default meta mappings)

To disable a default metadata mapping:

Enter the same endpointJpath value and set the enabled parameter to false.

For example, if the endpointJpath is Category and its enabled parameter is true, enter the same endpointJpath and set the enabled parameter to false.

(Screenshot: Disable default meta mapping)

Note: Do not modify the metaKeyPairsCategory values in the schema: "COMMON", "COMMON_MACHINE", and "COMMON_MACHINE_FOR_EVENTS".

To change the metadata name or metadata type:

Enter the same endpointJpath value and specify values for the metaName and type.

Note: The metaName must exist in table-map.xml on the Log Decoder and in index-concentrator.xml or index-concentrator-custom.xml on the Concentrator for it to appear in the Investigate view.

Adding or Modifying Metadata Mappings

To add or modify the metadata mappings, run the set-custom API. The metaKeyPairs configuration provided in the JSON file should match the JSON schema of the default configuration received through the get-default API.

  1. On the NW server, run the nw-shell command from the command line.
  2. Run the login command and enter the credentials.
  3. Connect to the Endpoint Server using the following commands:
    connect --host <IP address> --port <number>

Note: The default port number is 7050.

  4. Run the following commands:

    cd endpoint/meta
    cd set-custom
    invoke --file <json file>

You can add new metaKeys by adding entries to the file that will be uploaded using the set-custom API. The following example shows how to add a new metadata mapping:

(Screenshot: Add custom meta mapping)
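The following Python example is added here to make the disable, rename and add procedures above concrete; it is not part of the RSA documentation and is not the nw-shell tool. It builds a set-custom payload from a get-default result and checks it before upload: every entry carries the four schema fields, every metaKeyPairsCategory is one returned by get-default, and every enabled metaName is indexed on the Concentrator (the requirement stated in the note above). The default mapping entries, the index-concentrator-custom.xml fragment and the added Hash/checksum mapping are constructed for illustration; only the field names come from the JSON schema shown earlier on this page.

```python
import json
import xml.etree.ElementTree as ET

# Constructed stand-in for the get-default output. The field names follow the
# JSON schema on this page; the entries themselves are hypothetical.
DEFAULT_MAPPINGS = {
    "metaKeyPairs": [
        {
            "metaKeyPairsCategory": "COMMON",
            "keyPairs": [
                {"endpointJpath": "Category", "metaName": "category", "type": "Text", "enabled": True},
                {"endpointJpath": "FileName", "metaName": "filename", "type": "Text", "enabled": True},
            ],
        }
    ]
}

# Constructed index-concentrator-custom.xml fragment (hypothetical keys).
INDEX_CUSTOM_XML = """<language level="IndexNone" defaultAction="Auto">
  <key description="Category" format="Text" level="IndexValues" name="category" valueMax="100000"/>
  <key description="Filename" format="Text" level="IndexValues" name="filename" valueMax="1000000"/>
  <key description="File hash" format="Text" level="IndexValues" name="checksum" valueMax="1000000"/>
</language>
"""

REQUIRED_KEYS = {"endpointJpath", "metaName", "type", "enabled"}


def indexed_meta_names(index_xml):
    """Collect the key names declared in an index-concentrator(-custom).xml document."""
    return {k.get("name") for k in ET.fromstring(index_xml).iter("key") if k.get("name")}


def build_custom_mappings(default, overrides, additions=None):
    """Produce the payload for 'invoke --file <json file>' under set-custom.

    overrides: {endpointJpath: {field: new value}} applied to default entries,
               e.g. {"Category": {"enabled": False}} disables a default mapping
               and {"FileName": {"metaName": "x"}} renames one.
    additions: {metaKeyPairsCategory: [new keyPair, ...]} appended as given.
    Only touched or new entries are emitted; the endpointJpath is kept so the
    Endpoint Server can match each entry to its default.
    """
    additions = additions or {}
    groups = {}
    for group in default["metaKeyPairs"]:
        cat = group["metaKeyPairsCategory"]
        for pair in group["keyPairs"]:
            if pair["endpointJpath"] in overrides:
                groups.setdefault(cat, []).append({**pair, **overrides[pair["endpointJpath"]]})
    for cat, pairs in additions.items():
        groups.setdefault(cat, []).extend(pairs)
    return {"metaKeyPairs": [{"metaKeyPairsCategory": c, "keyPairs": p} for c, p in groups.items()]}


def validate_custom_mappings(custom, default, index_xml):
    """Return a list of problems; an empty list means the file is safe to upload."""
    problems = []
    default_cats = {g["metaKeyPairsCategory"] for g in default["metaKeyPairs"]}
    indexed = indexed_meta_names(index_xml)
    for group in custom.get("metaKeyPairs", []):
        cat = group.get("metaKeyPairsCategory")
        if cat not in default_cats:  # categories must stay as get-default reports them
            problems.append(f"unknown metaKeyPairsCategory {cat!r} (defaults: {sorted(default_cats)})")
        for pair in group.get("keyPairs", []):
            missing = REQUIRED_KEYS - set(pair)
            if missing:
                problems.append(f"{pair.get('endpointJpath')!r}: missing {sorted(missing)}")
                continue
            if not isinstance(pair["enabled"], bool):
                problems.append(f"{pair['endpointJpath']!r}: enabled must be true or false")
            elif pair["enabled"] and pair["metaName"] not in indexed:
                problems.append(f"{pair['endpointJpath']!r}: metaName {pair['metaName']!r} "
                                "is not indexed on the Concentrator")
    return problems


def write_payload(custom, path):
    """Write the payload as the JSON file passed to set-custom."""
    with open(path, "w") as fh:
        json.dump(custom, fh, indent=2)


if __name__ == "__main__":
    custom = build_custom_mappings(
        DEFAULT_MAPPINGS,
        overrides={"Category": {"enabled": False}},
        additions={"COMMON": [{"endpointJpath": "Hash", "metaName": "checksum",
                               "type": "Text", "enabled": True}]},
    )
    print(json.dumps(custom, indent=2))
    print(validate_custom_mappings(custom, DEFAULT_MAPPINGS, INDEX_CUSTOM_XML) or "no problems")
```

Run the validation against a copy of the real get-default output and the Concentrator's index files before uploading; a metaName that passes the JSON schema but is not indexed is accepted by set-custom yet never shows up in Investigate, which is the failure mode the note above describes.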

Viewing the Custom Metadata Mappings

To view the custom metadata mappings, run the get-custom API.

Note: The get-custom API will return values only if the metadata mappings are modified using the set-custom API.
