Step 1. Forwarding events from RSA NetWitness

This section describes how to configure RSA NetWitness so that it will forward the received events to Kaspersky CyberTrace Service.

To forward events from RSA NetWitness to Kaspersky CyberTrace Service:

1. In the RSA NetWitness main window, select Administration > Services.
2. In the Services table, below, select the relevant Log Decoder (the Log Decoder that receives events containing a URL, hash, or IP address).

   

   Selecting a Log Decoder

   If more than one Log Decoder is used for receiving events, repeat the following steps for each Log Decoder.

3. For the selected Log Decoder, in the Actions column, select the Settings split button () and in the drop-down list select View > Config.
4. Select the App Rules tab and click the Add button ().

   The Rule Editor window opens.

5. Specify the following data:
   • Rule Name: cybertrace
   • Condition: device.type='%DEVICE_NAME_1%'

     This is an example of a condition, in which the %DEVICE_NAME_1% string represents the name of the device whose events must be sent to Kaspersky CyberTrace Service. Following is another example of a condition, according to which events from Cisco™ ASA and Check Point Firewall must be sent to Kaspersky CyberTrace Service:

     device.type='ciscoasa' || device.type='checkpointfw1'

     If an event meets the condition specified here, it will be sent to Kaspersky CyberTrace Service.

   • Alert: Selected
   • Forward: Selected

   

   Rule Editor window

   For information on how to create rules, refer to https://community.rsa.com/t5/rsa-netwitness-platform-online/configure-application-rules/ta-p/592148.

6. Click OK.
7. Click Apply.
8. Next to the Log Decoder name, select Config > Explore.
9. Specify the destination:
   • For RSA NetWitness versions 11.2 and above:

     For the /decoder/config/logs.forwarding.destination parameter, specify the following destination:

     cybertrace=tcp:[IP]:[port]:rfc3164

     Here, [IP] is the IP address of the computer on which Kaspersky CyberTrace Service is installed, and [port] is the port that Kaspersky CyberTrace Service listens on for events (by default, the port 9999 is used). The IP address and port are the same as specified on the Settings > Service tab of Kaspersky CyberTrace Web.

   • For RSA NetWitness versions below 11.2:
     1. For the /decoder/config/logs.forwarding.destination parameter, specify the following destination:

        cybertrace=tcp:[IP]:[port]

        Here, [IP] is the IP address of the computer on which Kaspersky CyberTrace Service is installed, and [port] is the port that Kaspersky CyberTrace Service listens on for events (by default, the port 9999 is used). The IP address and port are the same as specified on the Settings > Service tab of Kaspersky CyberTrace Web.

     2. In the EventDelimeter parameter, in the Kaspersky CyberTrace Service configuration file, specify the <![CDATA[(\<\d+\>)]]> value.

   

   Log events forwarding settings

10. In the /decoder/config/logs.forwarding.enabled parameter, specify true.

After these actions are performed, RSA NetWitness will forward the events that satisfy the cybertrace rule to the address that you specified in the logs.forwarding.destination parameter.

For more information on event forwarding, refer to https://community.rsa.com/t5/rsa-netwitness-platform-online/decoder-configure-syslog-forwarding-to-destination/ta-p/572084.