Endpoint: Integrating NetWitness Endpoint 4.4.0.2 or Later with NetWitness Endpoint 11.1

Document created by RSA Information Design and Development on Mar 19, 2018
Last modified by RSA Information Design and Development on Nov 2, 2018

You can configure the Endpoint Metadata for the NetWitness Endpoint 4.4.0.2 in one of the following ways:

In addition to the categories mentioned for the NetWitness Endpoint 11.1 agents, the following categories are also forwarded for the NetWitness Endpoint 4.4.0.2 or later agents: File event, Network event, Registry event, and Process event.

(Option 1) Configuring the NetWitness Endpoint 4.4.0.2 Console Server

Configuring the Client Certificate on the NetWitness Endpoint 4.4.0.2 Console Server

The NetWitness Endpoint 4.4.0.2 Console Server must use the same client certificate that the NetWitness Endpoint 11.1 agents use to forward the metadata to the Endpoint Server.

  1. Download the agent packager. For more information, see Endpoint Insights Agent Installation Guide.
  2. Extract AgentPackager.zip and from the Config folder, obtain the client certificate.
  3. Copy the client certificate to the NetWitness Endpoint 4.4 Console Server.

    Location of client certificate

  4. Double-click on the client file.

    The Certificate Import Wizard dialog is displayed.

  5. Select the store location as Local Machine and click Next.

    Select store location

  6. Browse to the file you want to import and click Next.
  7. Enter the same password used while generating the agent packager.

    Enter the password

  8. Click Next and Finish.

    The certificate is listed under Personal, Intermediate Certificate Authorities > Certificate and Trusted Root Certification Authorities in the Console Server.

    Location to view certificate

Enabling the Metadata Forwarding in the NetWitness Endpoint 4.4.0.2

To enable the metadata forwarding for the selected NetWitness Endpoint 4.4.0.2 agents, run the following command:

ConsoleServer.exe /nw-investigate set-endpointdecoder baseuri <ENDPOINT LOG HYBRID> certificate <CERTIFICATE DISPLAY NAME> filepath c:\Json 

For example, ConsoleServer.exe /nw-investigate set-endpointdecoder baseuri https://10.20.10.40 certificate rsa-nw-endpoint-agent filepath c:\Json
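
Before running the command, it helps to confirm that the import in steps 4 to 8 produced a usable certificate. The following PowerShell check is an added example, not part of the RSA documentation: it looks for the client certificate in the Local Machine Personal store, flags an import that landed in the Current User store instead, and verifies the private key, validity period and trust chain. It assumes the value passed as `certificate` matches the certificate's friendly name or subject, and uses `rsa-nw-endpoint-agent` from the example above.

```powershell
# Added example; run in an elevated PowerShell session on the Console Server.
# Assumption: the value passed as "certificate" matches the certificate's
# friendly name or subject. 'rsa-nw-endpoint-agent' is the page's example value.
$DisplayName = 'rsa-nw-endpoint-agent'

function Find-ClientCert([string]$StorePath) {
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.FriendlyName -like "*$DisplayName*" -or $_.Subject -like "*$DisplayName*" }
}

$machineCerts = @(Find-ClientCert 'Cert:\LocalMachine\My')
$userCerts    = @(Find-ClientCert 'Cert:\CurrentUser\My')

if ($machineCerts.Count -eq 0) {
    Write-Warning "No certificate matching '$DisplayName' in the Local Machine Personal store."
    if ($userCerts.Count -gt 0) {
        Write-Warning 'A match exists in the Current User store: Local Machine was not selected in step 5.'
    }
    return
}

$now = Get-Date
foreach ($cert in $machineCerts) {
    # Build the chain in machine context so only machine-wide trust counts.
    # Revocation lookups are skipped so the check works without outbound access.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($cert)

    [pscustomobject]@{
        Subject       = $cert.Subject
        FriendlyName  = $cert.FriendlyName
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey   # must be True for client authentication
        InValidity    = ($cert.NotBefore -le $now) -and ($now -le $cert.NotAfter)
        ChainTrusted  = $chainOk              # False if the issuing CA is not trusted
        ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}
```

A row with `HasPrivateKey`, `InValidity` and `ChainTrusted` all `True` indicates the certificate is ready to be referenced by the command above.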

Enabling Machines to Forward Metadata from the NetWitness Endpoint 4.4.0.2 to the NetWitness Endpoint Server

After you enable the Metadata Forwarding using any one of the above options, perform the following steps to enable the machines to forward metadata.

  1. Open the NetWitness Endpoint 4.4.0.2 user interface.
  2. Click Machines from the left panel. The list of available machines is displayed.

    List of available machines

  3. Select machines for which you want to forward metadata to the NetWitness Endpoint Server.
  4. Right-click and select the NetWitness Investigate option.

    The Change NetWitness Investigate Status dialog is displayed.

    Investigate status window

  5. Select the Enable NetWitness Investigate option.
  6. Click Apply.
  7. To verify that the Enable NetWitness Investigate option is enabled, repeat step 4.

(Option 2) Configuring the NetWitness Endpoint 4.4.0.2 Console Server

Enabling the NetWitness Endpoint 4.4.0.2 Meta Forwarding to the Log Decoder

To enable the Metadata Integrator service for the selected NetWitness Endpoint 4.4.0.2 agents, run the following command:

ConsoleServer.exe /nw-investigate enable

Note: When prompted for the Log Decoder Rest user name and password, enter the credentials that you used to configure the Log Decoder.

Enabling Machines to Forward Metadata from the NetWitness Endpoint 4.4.0.2 to the NetWitness Endpoint Server

For more information, see Enabling Machines to Forward Metadata from the NetWitness Endpoint 4.4.0.2 to the NetWitness Endpoint Server.

Disabling the Configuration

To disable the configuration, run the following command:

ConsoleServer.exe /nw-investigate disable
