The RSA NetWitness Platform has an integrated agent available that currently does base Endpoint Detection and Response (EDR) functions but will shortly have more complete parity with ECAT (in V 11.x). One beneficial feature of the Insights agent (otherwise called NWE Insights Agent) is Windows Log collection and forwarding.
Here is the agent Install Guide for v11.2:
The Endpoint packager is built from the Endpoint Server (Admin > Services) where you can define your configuration options. To enable windows log collection check the box at the bottom of the initial screen
This expands the options for Windows log collection...
Define one or more Log Decoder/Collector services in the current RSA NetWitness deployment to send the endpoint logs to (define a primary and secondary destination)
Define your channels to collect from
The default list includes 4 channels (System, Security, Application and ForwardedEvents)
You can also add any channel you want as long as you know the EXACT name of it
In the Enter Filter Option in the selection box enter the channel name
In this case Windows PowerShell (again, make sure you match to the exact Event Channel run into issues)
We could also choose to add some other useful event channels
You can choose to filter these channels to include or exclude certain events as well.
Finally, set the protocol to either UDP/TCP or TLS.
Generate Agent generates the download that includes the packager and the config files that define the agent settings.
From there you can build the agents for Windows, Linux and Mac from a local windows desktop.
Agents are installed as normal using local credentials or your package management tool of choice.
Now that you have windows events forwarded to your log decoders, make sure you have the Windows parser downloaded from RSA Live and deployed to your log decoders to start parsing the events.
The Windows parser is slightly different than the other windows log parsers (nic, snare, er) in that there are only 7 message sections (one each for the default channels and a TestEvent and Windows_Generic).
For the OOTB channels the Message section defines all the keys that could exist and then maps them to the table-map.xml values as well as the ec tags.
The Windows_Generic is the catchall for this parser and any channel that is added custom will only parse from this section. This catchall needs some help to make use of the keys that will come from the channels that we have selected which is where a windowsmsg-custom.xml (custom addition to the windows parser) comes in (internal feature enhancement as been added to make these OOTB)
Get the windows-custom parser from here:
Add to your windows parser folder on the log decoder(s) that you configured in the endpoint config
Reload your parsers.
Now you should have additional meta available for these additional event channels.
What happens if you want to change your logging configuration but don't want to re-roll an agent? In the Log Collection Guide here you can see how to add a new config file to the agent directory to update the channel information
Currently the free NW Endpoint Insights agent doesn't have agent config management included so this needs to be manual at the moment. Future versions will include config management to make this change easier.
Now you can accomplish things like this:
Without needing a WEC/WEF server especially if you are deploying Sysmon and want to use the NWE agent to pull back the event channel.
While you are in the Log Collection frame of mind, why not create a Profile in Investigation for NWE logs.
Pre-Query = device.type='windows'
In 11.2 you can create a profile (which isn't new) as well as meta and column groups that are flexible (new in 11.2). Which means the pre-query is locked but you are able to switch metagroups within the profile (very handy)
Hopefully this helpful addition to our agent reduces friction to collecting windows events. If there are specific event channels that are high on the priority list for collection add them to the comments below and i'll get them added to internal RFE.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.