Endpoint: Integrating NetWitness Endpoint 4.4.0.2 or Later with NetWitness Endpoint 11.1

Document created by RSA Information Design and Development on Mar 19, 2018. Last modified by RSA Information Design and Development on Sep 12, 2018.
Version 4

You can configure the Endpoint Metadata for the NetWitness Endpoint 4.4.0.2 in one of the following ways:

  • (Option 1) Integrate the NetWitness Endpoint 4.4.0.2 Console Server with an Endpoint Hybrid or Endpoint Log Hybrid. Data from NetWitness Endpoint 4.4.0.2 or later agents is available in the Investigate > Hosts and Files view, and you can view the Endpoint metadata in the Investigate > Navigate and Event Analysis view. For this option, make sure the Endpoint server is configured for meta forwarding.
  • (Option 2) Integrate the Meta Integrator service in NetWitness Endpoint 4.4.0.2 directly with a Log Decoder. You can view the Endpoint metadata in the Investigate > Navigate and Event Analysis view. Data from NetWitness Endpoint 4.4 agents is not available in the Investigate > Hosts and Files view.

In addition to the categories mentioned for the NetWitness Endpoint 11.1 agents, the following categories are also forwarded for the NetWitness Endpoint 4.4.0.2 or later agents: File event, Network event, Registry event, and Process event.

Configuring the NetWitness Endpoint 4.4.0.2 Console Server

Configuring the Client Certificate on the NetWitness Endpoint 4.4.0.2 Console Server (for Option 1)

The NetWitness Endpoint 4.4.0.2 Console Server must use the same client certificate that the NetWitness Endpoint 11.1 agents use to forward the metadata to the Endpoint Server.

  1. Download the agent packager. For more information, see Endpoint Insights Agent Installation Guide.
  2. Extract AgentPackager.zip and obtain the client certificate from the Config folder.
  3. Copy the client certificate to the NetWitness Endpoint 4.4 Console Server.

    Location of client certificate

  4. Double-click on the client file.

    The Certificate Import Wizard dialog is displayed.

  5. Select the store location as Local Machine and click Next.

    Select store location

  6. Browse to the file you want to import and click Next.
  7. Enter the same password used while generating the agent packager.

    Enter the password

  8. Click Next and Finish.

    The certificate is listed under Personal, Intermediate Certificate Authorities > Certificate and Trusted Root Certification Authorities in the Console Server.

    Location to view certificate
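
To confirm the result of step 8 without opening the certificate console, the following PowerShell check can be run on the Console Server. It is an added example, not part of the RSA documentation, and it assumes that the name rsa-nw-endpoint-agent (the certificate value used in the set-endpointdecoder command) appears in the certificate's subject or friendly name.

```powershell
# Added example: verify the client certificate import on the Console Server.
# Assumption: 'rsa-nw-endpoint-agent' (the "certificate" value passed to
# set-endpointdecoder) appears in the certificate subject or friendly name.
$Name = 'rsa-nw-endpoint-agent'

function Find-Cert {
    param([string]$StorePath, [string]$Pattern)
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.Subject -like "*$Pattern*" -or $_.FriendlyName -like "*$Pattern*" }
}

# Step 5 requires the Local Machine store, not Current User.
$client = @(Find-Cert -StorePath 'Cert:\LocalMachine\My' -Pattern $Name)
if ($client.Count -eq 0) {
    $user = @(Find-Cert -StorePath 'Cert:\CurrentUser\My' -Pattern $Name)
    if ($user.Count -gt 0) {
        Write-Error "Certificate '$Name' is in the Current User store; re-import with Local Machine selected."
    } else {
        Write-Error "No certificate matching '$Name' found in the Personal store."
    }
    return
}

foreach ($cert in $client) {
    # The issuing certificate should be in Intermediate or Trusted Root (step 8).
    $issuer = @(Get-ChildItem -Path Cert:\LocalMachine\CA, Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -eq $cert.Issuer })

    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey        # required for client authentication
        NotAfter      = $cert.NotAfter
        Expired       = ($cert.NotAfter -lt (Get-Date))
        IssuerInStore = ($issuer.Count -gt 0)
    }
}
```

A usable import shows HasPrivateKey as True, Expired as False, and IssuerInStore as True.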

Enabling the Metadata Forwarding in the NetWitness Endpoint 4.4.0.2 (for Option 1)

To enable the metadata forwarding for the selected NetWitness Endpoint 4.4.0.2 agents, run the following command:

ConsoleServer.exe /nw-investigate set-endpointdecoder baseuri <ENDPOINT HOST> certificate rsa-nw-endpoint-agent filepath c:\Json

Console server view

For example:

ConsoleServer.exe /nw-investigate set-endpointdecoder baseuri https://10.255.255.255 certificate rsa-nw-endpoint-agent filepath c:\Json

Enabling the NetWitness Endpoint 4.4.0.2 Meta Forwarding to the Log Decoder (for Option 2)

To enable the Metadata Integrator service for the selected NetWitness Endpoint 4.4.0.2 agents, run the following command:

ConsoleServer.exe /nw-investigate enable

Enabling Machines to Forward Metadata from the NetWitness Endpoint 4.4.0.2 to the NetWitness Endpoint Server (for Option 1 and 2)

After you enable the Metadata Forwarding using any one of the above options, perform the following to enable the machines to forward metadata.

  1. Open the NetWitness Endpoint 4.4.0.2 user interface.
  2. Click Machines from the left panel. The list of available machines is displayed.

    List of available machines

  3. Select the machines for which you want to forward metadata to the NetWitness Endpoint Server.
  4. Right-click and select the NetWitness Investigate option.

    The Change NetWitness Investigate Status dialog is displayed.

    Investigate status window

  5. Select the Enable NetWitness Investigate option.
  6. Click Apply.
  7. To verify if the Enable NetWitness Investigate option is enabled, repeat step 4.