Step 1. Forwarding events from RSA NetWitness

This section describes how to configure RSA NetWitness so that it will forward the received events to Feed Service.

To forward events from RSA NetWitness to Feed Service:

  1. In the RSA NetWitness main window, select Administration > Services.
  2. In the Services table, below, select the relevant Log Decoder (the Log Decoder that receives events containing a URL, hash, or IP address).

    rsasa01

    Selecting a Log Decoder

    If more than one Log Decoder is used for receiving events, repeat the following steps for each Log Decoder.

  3. For the selected Log Decoder, in the Actions column, select the Settings split button (Settings split button in RSA NetWitness) and in the drop-down list select View > Config.
  4. Select the App Rules tab and click the Add button (06).

    The Rule Editor window opens.

  5. Specify the following data:
    • Rule Name: cybertrace
    • Condition: device.type='%DEVICE_NAME_1%'

      This is an example of a condition, in which the %DEVICE_NAME_1% string represents the name of the device whose events must be sent to Feed Service. Following is another example of a condition, according to which events from Cisco ASA and Check Point Firewall must be sent to Feed Service:

      device.type='ciscoasa' || device.type='checkpointfw1'

      If an event meets the condition specified here, it will be sent to Feed Service.

    • Alert: Selected
    • Forward: Selected

    02

    Rule Editor window

    For information on how to create rules, refer to https://community.rsa.com/t5/rsa-netwitness-platform-online/configure-application-rules/ta-p/592148.

  6. Click OK.
  7. Click Apply.
  8. Next to the Log Decoder name, select Config > Explore.
  9. Specify the destination:
    • For RSA NetWitness versions 11.2 and above:

      For the /decoder/config/logs.forwarding.destination parameter, specify the following destination:

      cybertrace=tcp:[IP]:[port]:rfc3164

      Here, [IP] is the IP address of the computer on which Feed Service is installed, and [port] is the port that Feed Service listens on for events (by default, the port 9999 is used). The IP address and port are the same as specified on the Settings > Service tab of Kaspersky CyberTrace Web.

    • For RSA NetWitness versions below 11.2:
      1. For the /decoder/config/logs.forwarding.destination parameter, specify the following destination:

        cybertrace=tcp:[IP]:[port]

        Here, [IP] is the IP address of the computer on which Feed Service is installed, and [port] is the port that Feed Service listens on for events (by default, the port 9999 is used). The IP address and port are the same as specified on the Settings > Service tab of Kaspersky CyberTrace Web.

      2. In the EventDelimeter parameter, in the Feed Service configuration file, specify the <![CDATA[(\<\d+\>)]]> value.

    rsasa04

    Log events forwarding settings

  10. In the /decoder/config/logs.forwarding.enabled parameter, specify true.

After these actions are performed, RSA NetWitness will forward the events that satisfy the cybertrace rule to the address that you specified in the logs.forwarding.destination parameter.

For more information on event forwarding, refer to https://community.rsa.com/t5/rsa-netwitness-platform-online/decoder-configure-syslog-forwarding-to-destination/ta-p/572084.

Page top