Step 1. Forwarding events from RSA NetWitness

February 27, 2024

ID 167789

This section describes how to configure RSA NetWitness so that it will forward the received events to Kaspersky CyberTrace Service.

To forward events from RSA NetWitness to Kaspersky CyberTrace Service:

  1. In the RSA NetWitness main window, select Administration > Services.
  2. In the Services table, below, select the relevant Log Decoder (the Log Decoder that receives events containing a URL, hash, or IP address).

    Services window in RSA NetWitness. Selecting a Log Decoder.

    Selecting a Log Decoder

    If more than one Log Decoder is used for receiving events, repeat the following steps for each Log Decoder.

  3. For the selected Log Decoder, in the Actions column, select the Settings split button (Settings split button in RSA NetWitness.) and in the drop-down list select View > Config.
  4. Select the App Rules tab and click the Add button (Plus sign in RSA NetWitness.).

    The Rule Editor window opens.

  5. Specify the following data:
    • Rule Name: cybertrace
    • Condition: device.type='%DEVICE_NAME_1%'

      This is an example of a condition, in which the %DEVICE_NAME_1% string represents the name of the device whose events must be sent to Kaspersky CyberTrace Service. Following is another example of a condition, according to which events from Cisco™ ASA and Check Point Firewall must be sent to Kaspersky CyberTrace Service:

      device.type='ciscoasa' || device.type='checkpointfw1'

      If an event meets the condition specified here, it will be sent to Kaspersky CyberTrace Service.

    • Alert: Selected
    • Forward: Selected

    Rule Editor window in RSA NetWitness.

    Rule Editor window

    For information on how to create rules, refer to https://community.rsa.com/t5/rsa-netwitness-platform-online/configure-application-rules/ta-p/592148.

  6. Click OK.
  7. Click Apply.
  8. Next to the Log Decoder name, select Config > Explore.
  9. Specify the destination:
    • For RSA NetWitness versions 11.2 and above:

      For the /decoder/config/logs.forwarding.destination parameter, specify the following destination:

      cybertrace=tcp:[IP]:[port]:rfc3164

      Here, [IP] is the IP address of the computer on which Kaspersky CyberTrace Service is installed, and [port] is the port that Kaspersky CyberTrace Service listens on for events (by default, the port 9999 is used). The IP address and port are the same as specified on the Settings > Service tab of Kaspersky CyberTrace Web.

    • For RSA NetWitness versions below 11.2:
      1. For the /decoder/config/logs.forwarding.destination parameter, specify the following destination:

        cybertrace=tcp:[IP]:[port]

        Here, [IP] is the IP address of the computer on which Kaspersky CyberTrace Service is installed, and [port] is the port that Kaspersky CyberTrace Service listens on for events (by default, the port 9999 is used). The IP address and port are the same as specified on the Settings > Service tab of Kaspersky CyberTrace Web.

      2. In the EventDelimeter parameter, in the Kaspersky CyberTrace Service configuration file, specify the <![CDATA[(\<\d+\>)]]> value.

    Log events forwarding settings in RSA NetWitness.

    Log events forwarding settings

  10. In the /decoder/config/logs.forwarding.enabled parameter, specify true.

After these actions are performed, RSA NetWitness will forward the events that satisfy the cybertrace rule to the address that you specified in the logs.forwarding.destination parameter.

For more information on event forwarding, refer to https://community.rsa.com/t5/rsa-netwitness-platform-online/decoder-configure-syslog-forwarding-to-destination/ta-p/572084.

Did you find this article helpful?
What can we do better?
Thank you for your feedback! You're helping us improve.
Thank you for your feedback! You're helping us improve.