Step 2. Sending events from Feed Service to RSA NetWitness

This section describes the actions to take so that Feed Service will send events to RSA NetWitness.

Note that Feed Service sends events to a Log Decoder service.

To send events from Feed Service to RSA NetWitness:

  1. In the Feed Service configuration file, in the OutputSettings > ConnectionString element, specify the following value:

    [IP]:514

    Here [IP] is the IP address of the Log Decoder service to which Feed Service will send events.

    As an alternative, you can perform this step by using Kaspersky CyberTrace Web.

    If there are several Log Decoder services, perform the integration with only one of the Log Decoders.

  2. In the /etc/netwitness/ng/envision/etc/devices directory on the computer on which Log Decoder runs, create a cybertrace subdirectory and copy the following files into it from the %service_dir%/integration/cybertrace directory:
    • cybertrace.ini

      This is a configuration file that contains the declaration of Feed Service for RSA NetWitness.

    • v20_cybertracemsg.xml

      This is a configuration file that contains parsing rules for events that are sent from Feed Service to RSA NetWitness. See below in this section for a description of the contents.

    You can find these files in the integration/cybertrace directory of the distribution kit.

  3. Restart Log Decoder.

    For this purpose, in the Services view, for the selected Log Decoder click the Settings split button and select Restart from the drop-down list.

  4. Make sure that the cybertrace service parser is turned on in RSA NetWitness.

    You can do this as follows:

    1. In the RSA NetWitness menu, select Administration > Services.
    2. In the Services grid, select the Log Decoder, and from the Actions menu, choose View > Config.
    3. In the Service Parsers Configuration panel, search for cybertrace, and ensure that the Config Value field in this row is selected.

    Figure: Service Parsers Configuration grid

  5. Restart Feed Service.

    You can restart Feed Service by running the kl_feed_service script as follows:

    %service_dir%/etc/init.d/kl_feed_service restart

    You can also do this by using Kaspersky CyberTrace Web.

Integration files' contents

The v20_cybertracemsg.xml file contains the following rule for parsing service events from Feed Service:

alert=<action>,context=<msg>

The v20_cybertracemsg.xml file contains several rules for parsing detection events from Feed Service:

The fields of the cybertrace.ini file and the v20_cybertracemsg.xml file correspond to the following format of service events and detection events from Feed Service:

<AlertFormat><![CDATA[<232>%CyberTrace:ALERT_EVENT alert=%Alert%,context=%RecordContext%]]></AlertFormat>

<EventFormat><![CDATA[<232>%CyberTrace:MATCH_EVENT category=%Category%,detected=%MatchedIndicator%,url=%RE_URL%,hash=%RE_HASH%,dst=%DST_IP%,src=%SRC_IP%,dvc=%DeviceIp%,dev_name=%Device%,dev_action=%DeviceAction%,user=%UserName%,actF:%ActionableFields%,context=%RecordContext%]]></EventFormat>

In the v20_cybertracemsg.xml file, the format of events from Feed Service is provided in the HEADER/content element and in the MESSAGE/content element. Make sure that the following fields are present in the index files of Log Decoder and Concentrator: virusname, url, checksum, ip.src, and ip.dst. The other fields in the MESSAGE/content element are optional: you may include them in the index files of Log Decoder and Concentrator or leave them out. Also, make sure that the value of the flags attribute is None for each of these fields in the table-map-custom.xml file. If any of these conditions are not met, refer to section "RSA NetWitness troubleshooting".
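The following parser turns lines in the two formats above back into named fields. It is an added example, not Kaspersky's or RSA's own code; it assumes the field order shown in AlertFormat and EventFormat and that only the final context value can contain commas, and the sample lines are constructed.

```python
import re
from typing import Dict, Tuple

# Header shape from the AlertFormat/EventFormat elements: <PRI>%CyberTrace:TYPE body
HEADER_RE = re.compile(r"^<(?P<pri>\d+)>%CyberTrace:(?P<type>ALERT_EVENT|MATCH_EVENT) (?P<body>.*)$", re.S)

# Field order as declared in AlertFormat and EventFormat above. actF is joined
# to its value with ':' instead of '=', so both separators are accepted.
FIELD_ORDER = {
    "ALERT_EVENT": ["alert", "context"],
    "MATCH_EVENT": ["category", "detected", "url", "hash", "dst", "src", "dvc",
                    "dev_name", "dev_action", "user", "actF", "context"],
}


def parse_cybertrace_event(line: str) -> Tuple[str, Dict[str, str]]:
    """Return (event type, field dict) for one Feed Service syslog line.

    Fields are located by name in declared order instead of splitting on commas,
    because the trailing context value (the original device log line) may itself
    contain commas. Assumption: no earlier value contains ',<next key>='.
    """
    m = HEADER_RE.match(line.strip())
    if m is None:
        raise ValueError("not a CyberTrace event line")
    etype, body = m.group("type"), m.group("body")
    marks = []  # (key, index where the key starts, index where its value starts)
    pos = 0
    for key in FIELD_ORDER[etype]:
        km = re.compile(r"(?:^|,)" + re.escape(key) + r"[=:]").search(body, pos)
        if km is None:
            raise ValueError(f"field {key!r} missing from {etype}")
        marks.append((key, km.start(), km.end()))
        pos = km.end()
    fields = {}
    for i, (key, _, vstart) in enumerate(marks):
        vend = marks[i + 1][1] if i + 1 < len(marks) else len(body)
        fields[key] = body[vstart:vend]
    return etype, fields


# Constructed sample lines (made-up values, not real Feed Service output).
SAMPLE_ALERT = "<232>%CyberTrace:ALERT_EVENT alert=KL_ALERT_ServiceStarted,context=Feed Service started"
SAMPLE_MATCH = (
    "<232>%CyberTrace:MATCH_EVENT category=KL_Malicious_Hash_MD5,detected=0123456789abcdef0123456789abcdef,"
    "url=,hash=0123456789abcdef0123456789abcdef,dst=10.0.0.5,src=192.0.2.10,dvc=192.0.2.1,"
    "dev_name=fw01,dev_action=allowed,user=jdoe,actF:threat_score=100|popularity=3,"
    "context=Oct 1 12:00:00 fw01 file download, sha256 unknown"
)
```

Running the parser over a Log Decoder's raw capture is a quick way to confirm that an event the decoder failed to parse still matches the declared format before looking at the index files.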

The following tables describe the fields used in the v20_cybertracemsg.xml and kl_feed_service.conf files, and describe how fields in one file correspond to fields in the other. If you want to use an additional field in detection events on a permanent basis, contact your technical account manager (TAM).

The following tables describe the actionable fields used in the feeds and in the v20_cybertracemsg.xml file, and describe how fields in a feed correspond to fields in the file:
