NetWitness Community

DevarajMohan1 · ‎2020-03-23

Hi Team,

We would like to know how the multi-tenant model works for alerts and incidents in RSA Netwitness 11.3. Lets we have 2 sites in different geographical location, We want to see the alerts and incidents separately. Is there any options please let us know.

Regards,

Devaraj Mohan

Inspirisys Solutions Limited, India.

MaxFauda · ‎2020-03-24

Hi,

You can try in this way:

at decoder level tag all the traffic with site name

If you use also Archer/Secops add 1 queue for each site

In this way you have one meta with sitename and you can separate everything according to your preference.

Regards

Scarica Outlook per iOS<https://aka.ms/o0ukef>

JeremyKerwin · ‎2020-03-25

Out of curiosity, how would you tag all the traffic at the decoder level.

Just through an app rule that matches based on the decoder id or hostname?

MaxFauda · ‎2020-03-25

Hi,

Sure,can be a solution.

You can also add a custom meta tag and fill with feed of sitename,decodername for example.

Obviously you need a decoder of each different site.

But basically the way you cam simply follow is the meta tag.

I’ve used for many years,in my previous work, with 14 different entity and 23 different site all around the world, and work.

Regards

Scarica Outlook per iOS<https://aka.ms/o0ukef>

JohnSnider · ‎2020-03-25

The only issue with using decoder ID (did) is that it does not exist on the decoder, so you can't use a feed or app rule to tag using that metakey, as it is only created when a concentrator aggregates from the decoder (the concentrator creates the did meta). you could put a special app rule that created and ID that id unique to on every decoder, or at least on each sites decoders.

MaxFauda · ‎2020-03-25

Hi,

Try to see if that article can help in your environment:

https://community.rsa.com/docs/DOC-80195

This is just one example, for the beast solution, is better to contact your account or ps and discuss with him the best solution to apply on your environment.

Regards

Scarica Outlook per iOS<https://aka.ms/o0ukef>

DevarajMohan1 · ‎2020-03-30

Massimiliano Faudarole‌ In RSA Netwitness 11.4 there is a new component called "Analyst UI". I have a below query.

As per my original post we are in the state to achive multi-tenent in alerts and incident data.

1) When we tried this component "Analyst UI" in our test environment. It contains dependent services like Broker, Reporting Engine, Respond Server, Investigation Server. Is there any option to seperate Alerts and Incidents per customer using this component ?

2) I believe that all the incident data's are storing in the respond server in this case Netwitness Server has the inbuilt respond server (Where currently all our incident data are storing). Is there any option to store incident data separately like customer A data in Netwitness Respond Server and Customer B data in Analyst UI Respond Server.

Regards,

Devaraj

MaxFauda · ‎2020-03-30

Dell Customer Communication - Confidential

Hi Devaraj,

in my experience I have always used NetWitness for the generation of alarms and accidents, but always forwarded and managed with Archer / SecOps.

In this way you have the possibility to differentiate, for example, with different queues, despite the fact that the sql instance is always the same.

The multitenant is not a matter of a single flag, but it is a complex study of the whole environment, in which you have to choose the right quantity

boxes and their correct positioning in your environment. So it's a general discussion, where I can't say "with a flag you can do it".

I can suggest you discuss the entire environment you are working on, with your assigned PS / Account / Engineer to find with them the best solution to implement in your environment.

Regards

NetWitness Community

Multi-Tenant Support for Alerts and Incidents in RSA Netwitness