This section describes the actions to take so that Feed Service will send events to RSA NetWitness.
Note that Feed Service sends events to a Log Decoder service.
To send events from Feed Service to RSA NetWitness:
[IP]:514
Here [IP] is the IP address of the Log Decoder service to which Feed Service will send events.
If there are several Log Decoder services, perform the integration with only one of the Log Decoders.
In the /etc/netwitness/ng/envision/etc/devices directory of the computer on which Log Decoder runs, create a cybertrace subdirectory and copy to it the following files from the %service_dir%/integration/rsa/cybertrace directory:
cybertrace.ini: a configuration file that contains the declaration of Feed Service for RSA NetWitness.
v20_cybertracemsg.xml: a configuration file that contains the parsing rules for events that are sent from Feed Service to RSA NetWitness. See below in this section for a description of its contents.
You can find these files in the integration/cybertrace directory of the distribution kit.
Restart the Log Decoder service. For this purpose, in the Services view, for the selected Log Decoder click the Settings split button and from the drop-down list select Restart.
Make sure that the cybertrace service parser is turned on in RSA NetWitness. You can do this in the Service Parsers Configuration grid.
You can restart Feed Service by running the kl_feed_service script as follows:
systemctl restart cybertrace.service
You can do this by using Kaspersky CyberTrace Web too.
Contents of integration files
The v20_cybertracemsg.xml file contains the following rule for parsing service events from Feed Service:
alert=<action>,context=<msg>
The v20_cybertracemsg.xml file contains several rules for parsing detection events from Feed Service:
The fields of the cybertrace.ini file and the v20_cybertracemsg.xml file correspond to the following format of service events and detection events from Feed Service:
<AlertFormat><![CDATA[<232>%CyberTrace:ALERT_EVENT alert=%Alert%,context=%RecordContext%]]></AlertFormat>
<EventFormat><![CDATA[<232>%CyberTrace:MATCH_EVENT category=%Category%,detected=%MatchedIndicator%,url=%RE_URL%,hash=%RE_HASH%,dst=%DST_IP%,src=%SRC_IP%,dvc=%DeviceIp%,dev_name=%Device%,dev_action=%DeviceAction%,user=%UserName%,cnf=%Confidence%,actF:%ActionableFields%,context=%RecordContext%]]></EventFormat>
In the v20_cybertracemsg.xml file, the format of events from Feed Service is provided in the HEADER/content element and in the MESSAGE/content element. Make sure that the following fields are present in the index files of Log Decoder and Concentrator: virusname, url, checksum, ip.src, and ip.dst. As for the fields other than virusname, url, checksum, ip.src, and ip.dst in the MESSAGE/content element, you may or may not use them in the index files of Log Decoder and Concentrator. Also, make sure that the value of the flags attribute is None for each of these fields in the table-map-custom.xml file. If any of these conditions are not met, refer to the section about RSA NetWitness troubleshooting.
The following tables describe the fields used in the v20_cybertracemsg.xml and kl_feed_service.conf files, and show how fields in one file correspond to fields in the other. If you want to use some new field in detection events on a regular basis, contact your technical account manager (TAM).
Service events:

| Field in kl_feed_service.conf | Field in v20_cybertracemsg.xml | Description |
|---|---|---|
| <232> | - | Service string for RSA NetWitness. |
| %CyberTrace: | %CyberTrace: | Informs RSA NetWitness that an event is sent from Feed Service. |
| ALERT_EVENT | <messageid> | The event type. |
| - | <!payload> | Notifies RSA NetWitness that the event has additional information, the format of which is provided in the |
| %Alert% | <action> | The service event (for example, KL_ALERT_ServiceStarted). |
| %RecordContext% | <msg> | Context information about the service event. |
Detection events:

| Field in kl_feed_service.conf | Field in v20_cybertracemsg.xml | Description |
|---|---|---|
| <232> | - | Service string for RSA NetWitness. |
| %CyberTrace: | %CyberTrace: | Informs RSA NetWitness that an event is sent from Feed Service. |
| MATCH_EVENT | <messageid> | The event type. |
| - | <!payload> | Notifies RSA NetWitness that the event has additional information, the format of which is provided in the |
| %Category% | <virusname> | Category of the detected object. |
| %MatchedIndicator% | <kl_detected_indicator> | The detected indicator. |
| %RE_URL% | <url> | The URL specified in the event from RSA NetWitness. |
| %RE_HASH% | <checksum> | The hash specified in the event from RSA NetWitness. |
| %DST_IP% | <daddr> | The IP address to which the request is sent. |
| %SRC_IP% | <saddr> | The IP address from which the request is sent. |
| %DeviceIp% | <hostip> | The IP address from which the event is sent. |
| %Device% | <event_source> | The name of the device that has sent the event. |
| %DeviceAction% | <action> | The action that the device has performed. |
| %UserName% | <c_username> | The name of the user on whose account the action described in the event is performed. |
| %ActionableFields% | The fields' names are discussed below in this section. | Fields of the feed record involved in the detection process that are displayed apart from the context. |
| %RecordContext% | <fld1> | Context of the feed record that was involved in the detection process. To view the contents of this field, open the event in RSA NetWitness and select the View Log tab. |
| %Confidence% | <kl_confidence> | The level of confidence in the indicators of the feed, in percent. |
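To check what Feed Service actually emits against the correspondence above, here is an added example (not code from Kaspersky CyberTrace or RSA NetWitness) that parses syslog lines in the AlertFormat/EventFormat layout shown earlier, renames each token to its v20_cybertracemsg.xml field from the tables, and lists which of the fields this section requires in the index are absent from a detection event. The sample events are constructed; treating saddr/daddr as the counterparts of ip.src/ip.dst, and the inner layout of actF and context, are assumptions of the example.

```python
import re
# Event-format token -> v20_cybertracemsg.xml field, from the tables above.
# "actF" has no single field: its feed-specific kl_* values are kept raw.
ALERT_FIELDS = {"alert": "action", "context": "msg"}
MATCH_FIELDS = {
    "category": "virusname", "detected": "kl_detected_indicator", "url": "url",
    "hash": "checksum", "dst": "daddr", "src": "saddr", "dvc": "hostip",
    "dev_name": "event_source", "dev_action": "action", "user": "c_username",
    "cnf": "kl_confidence", "actF": "actionable", "context": "fld1",
}
# Fields the page requires in the Log Decoder/Concentrator index; saddr/daddr
# standing in for ip.src/ip.dst is an assumption of this example.
REQUIRED_MATCH_FIELDS = ("virusname", "url", "checksum", "saddr", "daddr")

HEADER_RE = re.compile(r"^<(\d{1,3})>%CyberTrace:(ALERT_EVENT|MATCH_EVENT) (.*)$", re.S)
# A token starts at the beginning of the body or right after a comma, as
# "name=" or "actF:"; a comma inside a value survives unless "name=" follows it.
TOKEN_RE = re.compile(r"(?:^|,)(\w+)[=:]")

# Constructed sample events in the AlertFormat/EventFormat layout (values made
# up; the inner layout of actF and context is feed-specific, shown only loosely).
SAMPLE_EVENTS = [
    "<232>%CyberTrace:ALERT_EVENT alert=KL_ALERT_ServiceStarted,context=Feed Service started",
    "<232>%CyberTrace:MATCH_EVENT category=KL_Malicious_URL,detected=example.invalid/bad,"
    "url=http://example.invalid/bad,hash=,dst=192.0.2.10,src=198.51.100.7,dvc=203.0.113.5,"
    "dev_name=proxy01,dev_action=allowed,user=jdoe,cnf=100,actF:mask=example.invalid/bad;"
    "threat=Trojan.Generic,context=mask=example.invalid/bad;first_seen=2024-01-02",
]


def parse_cybertrace_event(line):
    """Split one syslog line into priority, event type and renamed fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a CyberTrace event: %r" % line[:40])
    priority, event_type, body = int(m.group(1)), m.group(2), m.group(3)
    mapping = ALERT_FIELDS if event_type == "ALERT_EVENT" else MATCH_FIELDS
    starts = list(TOKEN_RE.finditer(body))
    fields = {}
    for i, tok in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(body)
        fields[mapping.get(tok.group(1), tok.group(1))] = body[tok.end():end]
    return {"priority": priority, "event_type": event_type, "fields": fields}


def missing_index_fields(event):
    """Required index fields a MATCH_EVENT lacks; empty for a complete event."""
    if event["event_type"] != "MATCH_EVENT":
        return []
    return [f for f in REQUIRED_MATCH_FIELDS if f not in event["fields"]]
```

Feed it the lines captured on the Log Decoder's syslog port before enabling the cybertrace parser; a non-empty list from missing_index_fields means the index requirements of this section cannot be met for that event.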
The following tables describe the actionable fields used in the feeds and in the v20_cybertracemsg.xml file, and describe how fields in a feed correspond to fields in the file:
| Field in the feed | Field in v20_cybertracemsg.xml |
|---|---|
| mask | kl_mask |
| first_seen | kl_first_seen |
| last_seen | kl_last_seen |
| popularity | kl_popularity |
| threat | kl_threat |
| Field in the feed | Field in v20_cybertracemsg.xml |
|---|---|
| MD5 | kl_md5 |
| SHA1 | kl_sha1 |
| SHA256 | kl_sha256 |
| first_seen | kl_first_seen |
| last_seen | kl_last_seen |
| popularity | kl_popularity |
| file_type | kl_file_type |
| file_size | kl_file_size |
| threat | kl_threat |
| Field in the feed | Field in v20_cybertracemsg.xml |
|---|---|
| ip | kl_ip |
| first_seen | kl_first_seen |
| last_seen | kl_last_seen |
| popularity | kl_popularity |
| threat_score | kl_threat_score |
| category | kl_category |
| threat | kl_threat |
| Field in the feed | Field in v20_cybertracemsg.xml |
|---|---|
| mask | kl_mask |
| first_seen | kl_first_seen |
| last_seen | kl_last_seen |
| popularity | kl_popularity |
| files/threat | kl_threat |
| category | kl_category |
| Field in the feed | Field in v20_cybertracemsg.xml |
|---|---|
| MD5 | kl_md5 |
| SHA1 | kl_sha1 |
| SHA256 | kl_sha256 |
| first_seen | kl_first_seen |
| last_seen | kl_last_seen |
| popularity | kl_popularity |
| threat | kl_threat |
| file_size | kl_file_size |
| Field in the feed | Field in v20_cybertracemsg.xml |
|---|---|
| mask | kl_mask |
| first_seen | kl_first_seen |
| last_seen | kl_last_seen |
| popularity | kl_popularity |
| industry | kl_industry |
| Field in the feed | Field in v20_cybertracemsg.xml |
|---|---|
| Date | kl_first_seen |
| AV Verdict | kl_verdict |

When Vulnerability Data Feed is involved in a detection process, the AV Verdict field contains one of the following values: warning, high, or critical.
| Field in the feed | Field in v20_cybertracemsg.xml |
|---|---|
| threat | kl_threat |
| Field in the feed | Field in v20_cybertracemsg.xml |
|---|---|
| mask | kl_mask |
| first_seen | kl_first_seen |
| last_seen | kl_last_seen |
| popularity | kl_popularity |
| Field in the feed | Field in v20_cybertracemsg.xml |
|---|---|
| detection_date | kl_detect_date |
| publication_name | kl_pub_name |
| Field in the feed | Field in v20_cybertracemsg.xml |
|---|---|
| detection_date | kl_detect_date |
| publication_name | kl_pub_name |
| SHA1 | kl_sha1 |
| SHA256 | kl_sha256 |
| Field in the feed | Field in v20_cybertracemsg.xml |
|---|---|
| first_seen | kl_first_seen |
| popularity | kl_popularity |