2016-05-02 11:16 AM
I have created a few "how to videos" that I hope you find helpful. They are posted to YouTube and I have included the links below.
They are as follows:
Demo of the new ESI tool -->https://youtu.be/_FilrZc2qLc
How to Configure IIS Collection for Security Analytics --> IIS Device Configuration - YouTube
How to Configure Windows Collection via WinRm --> WINRM Windows Collection - YouTube
How to Configure Security Analytics to Collect Log files not currently Supported via SFTP --> FileSpec Creation - YouTube
ESI Beta 3 --> RSA ESI Beta 3 - YouTube
RSA Netwitness UI Walkthrough -->
Part 1 --> RSA Netwitness UI Walkthrough Part 1 - YouTube
Part 2 --> RSA Netwitness UI Walk through Part 2 - YouTube
Lua Parser Overview --> RSA Netwitness LUA Parser Overview - YouTube
Creating Parsers when No Message ID Exists in the Log --> Parser Development When No Message ID Exists - YouTube
Building and Scheduling Reports in Netwitness --> Building and Scheduling Reports in NetWitness - YouTube
Creating and Using Feeds and App Rules --> Using Application Rules and Feeds in NetWitness - YouTube
Correlation Rule Example --> YouTube
Creating Dashboards --> Dashboard Creation - YouTube
DNS Xfil Example --> https://www.youtube.com/watch?v=3x4rnmlrHww&t=7s
2017-10-25 10:51 AM
Kevin
I can get a video uploaded tomorrow that walks through how to build a parser without message IDs being present in the logs.
Dave
2018-03-05 03:16 PM
Dave,
Would you be able to do a short video demonstrating the TagVal option?
I have read the LPT user guide, specifically this section:
The Name Value Pair is disabled by default and it is enabled for user input only if the message definitions satisfy the <TAGVAL> format, as shown in the following examples.
The TAGVAL format is either:
<literal><valuedelimiter><variable><pairdelimiter>….<literal><valuedelimiter><variable> format
Or
<literal><valuedelimiter><variable><pairdelimiter>….<literal><valuedelimiter><variable><pairdelimiter> format
The TAGVAL in my .XML looks like:
<TAGVALMAP
pairdelimiter="|"
valuedelimiter="^"/>
An event in my sample log file looks like the following (which to my eyes matches the format requirement). I'm setting the payload just after the | pipe after "Detection" (my message id).
CEF:0|RSA|Detection|Event Type ID^001020304|Alias Host^DESKTOP-NAME|IP Src^10.11.22.33|IP Src1^100.77.88.99|Mac^00:11:22:33:44:55|
From there, I'm stuck. The check box for "Name Value Pairs" is still not selectable.
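As an added example (not the poster's or RSA's code), here is the TAGVAL split the LPT guide describes, implemented in Python against the sample event from this post. It assumes the payload begins right after the pipe that follows the message ID "Detection", as the post states, and shows why the CEF header fields ahead of it must be excluded: they contain no value delimiter and so do not satisfy the TAGVAL format.

```python
from typing import Dict, List, Tuple

# Constructed sample: the event line quoted in the post above (placeholder
# host, IP and MAC values as the poster wrote them, not real assets).
SAMPLE_EVENT = (
    "CEF:0|RSA|Detection|Event Type ID^001020304|Alias Host^DESKTOP-NAME|"
    "IP Src^10.11.22.33|IP Src1^100.77.88.99|Mac^00:11:22:33:44:55|"
)


def split_tagval(payload: str, pairdelimiter: str = "|",
                 valuedelimiter: str = "^") -> List[Tuple[str, str]]:
    """Split a payload into (literal, variable) pairs per the TAGVAL format.

    Accepts both forms quoted from the guide: with or without a trailing
    pairdelimiter. Raises ValueError when a segment has no valuedelimiter,
    i.e. the payload does not satisfy the format.
    """
    segments = payload.split(pairdelimiter)
    # A trailing pairdelimiter leaves one empty final segment; drop it.
    if segments and segments[-1] == "":
        segments.pop()
    pairs = []
    for seg in segments:
        if valuedelimiter not in seg:
            raise ValueError(f"segment {seg!r} lacks value delimiter {valuedelimiter!r}")
        literal, _, variable = seg.partition(valuedelimiter)
        pairs.append((literal.strip(), variable))
    return pairs


def matches_tagval(payload: str, pairdelimiter: str = "|",
                   valuedelimiter: str = "^") -> bool:
    """True if the payload satisfies the TAGVAL format for these delimiters."""
    try:
        split_tagval(payload, pairdelimiter, valuedelimiter)
        return True
    except ValueError:
        return False


def parse_event(line: str, message_id: str = "Detection",
                pairdelimiter: str = "|", valuedelimiter: str = "^") -> Dict[str, str]:
    """Find the message ID in the CEF header and parse only what follows it."""
    marker = pairdelimiter + message_id + pairdelimiter
    idx = line.find(marker)
    if idx < 0:
        raise ValueError(f"message id {message_id!r} not found in event")
    payload = line[idx + len(marker):]
    return dict(split_tagval(payload, pairdelimiter, valuedelimiter))
```

Running `matches_tagval(SAMPLE_EVENT)` on the whole line returns False because of the `CEF:0` header field, while `parse_event(SAMPLE_EVENT)` yields the five name/value pairs.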
2018-03-05 03:35 PM
Kevin
I will take a look at this a little later on this evening and let you know what I find out.
Secondly... This is a CEF message which Netwitness supports OOTB. Why are you trying to parse this outside of the CEF parser?
Thanks
Dave
2018-03-05 03:55 PM
Dave,
I'm parsing outside of the CEF parser for a few reasons. I looked at the default CEF parser and it doesn't have the technology we're using in its vendor map. We're actually customizing the event details from this tech before it reaches the decoder to better meet the needs of our detection and response teams. Although it's in CEF format, we're dictating (and updating) the fields that arrive. Anytime we customize a parser, we create our own fork to prevent any possible accidental administrator overwrites from Live.
Does that all sound reasonable?
Regards,
Kevin
2018-03-05 03:57 PM
Makes sense.
Thanks
2018-05-16 10:14 AM
Short update. Dave Glover showed me that it is necessary to force a Message ID using Concatenation, then create the keys for one of the messages. At that point the checkbox for "Name Value Pairs" becomes selectable.
2018-05-16 01:16 PM
This is very helpful, thanks for sharing this.