2019-07-25 11:12 AM
So, we have this requirement to consolidate processed/normalised logs and/or alerts from various SIEM platforms, all into Splunk.
Is this a possibility with RSA SA? Does RSA SA have an option to forward processed/normalised logs and/or alerts to another SIEM platform, specifically Splunk? Can we integrate RSA SA with Splunk in this manner?
2019-07-25 11:33 AM
Visham
It is not a direct integration. However, you could script an hourly/daily extract of the parsed data and inject the exported data into Splunk.
Alerts, however, can be sent to Splunk as the alerts get triggered. This is done by configuring a syslog output of the rule, with the target being the Splunk system.
If you wanted raw data that can be relayed out as soon as it is captured.
Hope this helps
Dave
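The two paths Dave describes above (a scripted extract of parsed meta injected into Splunk, and alerts relayed by syslog to the Splunk host) as one added worked example. This is example code written for this page, not an RSA or Splunk script: the CSV column names and timestamp format of the export, the index and sourcetype names, the HEC URL and the alert dict layout are all assumptions, and the sample rows are constructed. The first half wraps each exported session in the Splunk HTTP Event Collector envelope, keeping the session's own timestamp so an hourly batch still lands at the time the traffic occurred; the second half builds an RFC 5424 syslog message for an alert, which is also a handy way to confirm the Splunk syslog input is listening before pointing the RSA rule output at it.

```python
import csv
import io
import json
import socket
import urllib.request
from datetime import datetime, timezone

# Constructed sample of an exported meta CSV. The column names and the
# timestamp format are assumptions for this example, not the actual layout
# of an RSA SA "Export All Meta" file; adjust both to the real export.
SAMPLE_META_CSV = """sessionid,time,ip.src,ip.dst,service,did
1001,2019-07-25 10:01:02,10.237.1.190,8.8.8.8,53,gbl9vrsvlcoll01
1002,2019-07-25 10:01:05,10.237.1.191,93.184.216.34,80,gbl6vrsvlcoll01
1003,2019-07-25 10:02:17,10.237.1.190,192.0.2.10,443,ip-10-237-1-190
"""

TIME_FMT = "%Y-%m-%d %H:%M:%S"  # assumed export timestamp format (UTC)


def parse_meta_csv(text):
    """Parse an exported meta CSV into a list of dicts, one per session."""
    return list(csv.DictReader(io.StringIO(text)))


def to_hec_events(rows, index="netwitness", sourcetype="rsa:sa:meta"):
    """Wrap each parsed row in the Splunk HEC event envelope.

    HEC takes {"time": <epoch>, "host", "source", "sourcetype", "index",
    "event": <payload>}. Setting "time" from the session's own timestamp
    (instead of letting Splunk stamp arrival time) is what keeps a batched
    extract searchable by when the traffic actually happened.
    """
    events = []
    for row in rows:
        ts = datetime.strptime(row["time"], TIME_FMT).replace(tzinfo=timezone.utc)
        payload = {k: v for k, v in row.items() if k != "time"}
        events.append({
            "time": int(ts.timestamp()),
            "host": row.get("did", "rsa-sa"),  # collector ID becomes the Splunk host
            "source": "rsa_sa_meta_export",
            "sourcetype": sourcetype,
            "index": index,
            "event": payload,
        })
    return events


def hec_batch_payload(events):
    """Serialise events as concatenated JSON objects, the form HEC accepts in
    a single POST to /services/collector/event (no surrounding array)."""
    return "\n".join(json.dumps(e, separators=(",", ":")) for e in events).encode()


def send_to_hec(payload, hec_url, token, timeout=10):
    """POST one batch to Splunk HEC. hec_url is hypothetical, e.g.
    https://splunk.example.com:8088/services/collector/event."""
    req = urllib.request.Request(
        hec_url, data=payload, method="POST",
        headers={"Authorization": "Splunk " + token,
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read())  # {"text":"Success","code":0} on success


def _sd_escape(value):
    """Escape the three characters RFC 5424 forbids inside an SD-PARAM value."""
    return str(value).replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def alert_to_syslog(alert, hostname, facility=16, severity=4):
    """Format an alert dict as an RFC 5424 message (local0.warning by default).

    PRI = facility * 8 + severity, so local0/warning gives <132>. Alert
    fields travel as structured data (SD-ID uses 32473, the enterprise
    number IANA reserves for documentation) so Splunk can extract them as
    key=value pairs without a custom parser.
    """
    pri = facility * 8 + severity
    when = datetime.fromtimestamp(alert["time"], tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    sd = " ".join(f'{k}="{_sd_escape(v)}"' for k, v in alert["fields"].items())
    msg = f"<{pri}>1 {when} {hostname} rsa-sa - ALERT [alert@32473 {sd}] {alert['message']}"
    return msg.encode("utf-8")


def send_syslog_udp(message, host, port=514):
    """Send the message to a UDP syslog input; switch to TCP/TLS if the
    Splunk input is configured that way."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(message, (host, port))


if __name__ == "__main__":
    events = to_hec_events(parse_meta_csv(SAMPLE_META_CSV))
    print(hec_batch_payload(events).decode())
    print(alert_to_syslog(
        {"time": 1564048937,
         "fields": {"rule": "dns to external resolver", "sessionid": 1003},
         "message": "Session matched rule"},
        "gbl9vrsvlcoll01").decode())
```

Run with the real export in place of SAMPLE_META_CSV, then call send_to_hec with the HEC URL and token from Splunk's Data Inputs page; for the alert path, run alert_to_syslog plus send_syslog_udp once against the Splunk host to verify the syslog input before switching the rule's syslog output on.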
2019-07-30 05:53 AM
Hi Dave,
Thanks for that.
'An extract of parsed data' - what exactly is the output? Is this what we get when we Export All Meta from the investigation tab of SA?
For instance, if I were to click on the no. of sessions (>100,000 - 0%) for gbl9vrsvlcoll01 under the Collector ID metakey, and then select Export All Meta? Also, if I do extract the meta for such a session count, will it extract the meta for all sessions, given that >100,000 is usually an approximate representation of the actual count?
Collector ID (3 values)
gbl9vrsvlcoll01 (>100,000 - 0%) - gbl6vrsvlcoll01 (>100,000 - 0%) - ip-10-237-1-190 (>100,000 - 11%)