2016-03-29 05:05 AM
Hi All,
Due to a regulatory requirement, I need to integrate some Windows devices in RSA SA. Even though I'm new to RSA, please help and provide what prerequisites I need to have done. RSA SA version is 10.4.
Eagerly waiting for valuable reverts.
Regards
Pranav Sankar
2016-03-31 01:02 PM
Pranav -
There are usually three major methods I see people using to collect Windows logs:
Agent based - Windows Snare/NXLog/etc.
Remote pull - WinRM
Other - WEF with subscription servers
For example, with Windows Snare you'd have the collectors in SA accept syslog and enable the Syslog collection method, then enable the windows_snare parser on the upstream Log Decoder.
For example, with WinRM, we have global GPOs deployed for all systems in specific OUs in Active Directory; these GPOs set up the WinRM listener on the servers, which methods are supported, which accounts have access, etc.
In this case, the example dependencies are:
WEF = Windows Event Forwarding and Microsoft subscription servers. I don't know much about this method yet as my org is PoC testing it.
There is a lot of documentation on using either Snare for log forwarding or WinRM for log collection. From there, the SA docs should show you how to set up Windows log collection (WinRM) vs. Windows Snare (syslog).
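As an added example (not part of this thread, and not RSA's own windows_snare parser), here is a small Python parser for Snare-formatted Windows events arriving over syslog, plus a per-host summary that checks whether each host is sending the expected logs. That is the kind of post-integration check a pre-requisite list usually ends with: confirm events actually arrive and the Security/System/Application channels are all present. It assumes the Snare agent's tab-delimited field order (criticality, log name, counter, date/time, event ID, source, user, SID type, event type, computer, category, data, expanded message, checksum); the sample lines are constructed, not captured from a real host.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Syslog line as a Snare agent sends it:
#   "<PRI>Mon DD HH:MM:SS host MSWinEventLog<TAB>field<TAB>field..."
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>MSWinEventLog\t.*)$",
    re.S,
)

# Assumed Snare field order after the MSWinEventLog tag (tab-delimited).
SNARE_FIELDS = [
    "criticality", "log", "counter", "datetime", "event_id", "source",
    "user", "sid_type", "event_type", "computer", "category", "data",
    "message", "checksum",
]


@dataclass
class SnareEvent:
    host: str
    log: str
    event_id: int
    event_type: str
    user: str
    message: str


def parse_snare_line(line: str) -> Optional[SnareEvent]:
    """Parse one syslog line carrying a Snare Windows event; None if it does not fit."""
    m = SYSLOG_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    parts = m.group("msg").split("\t")
    fields = parts[1:]  # parts[0] is the literal "MSWinEventLog" tag
    if len(fields) < 13:  # older agents omit the trailing checksum field
        return None
    rec = dict(zip(SNARE_FIELDS, fields))
    try:
        event_id = int(rec["event_id"])
    except ValueError:
        return None
    return SnareEvent(
        host=m.group("host"), log=rec["log"], event_id=event_id,
        event_type=rec["event_type"], user=rec["user"],
        message=rec["message"].strip(),
    )


def collection_summary(lines: List[str]) -> Tuple[Dict[str, Dict[str, int]], int]:
    """Count events per host and per Windows log; also count lines that did not parse."""
    per_host: Dict[str, Counter] = defaultdict(Counter)
    unparsed = 0
    for line in lines:
        ev = parse_snare_line(line)
        if ev is None:
            unparsed += 1
            continue
        per_host[ev.host][ev.log] += 1
    return {h: dict(c) for h, c in per_host.items()}, unparsed


def missing_logs(per_host, expected=("Security", "System", "Application")):
    """Hosts that have not sent every expected log: the collection health check."""
    gaps = {}
    for host, logs in sorted(per_host.items()):
        absent = [name for name in expected if name not in logs]
        if absent:
            gaps[host] = absent
    return gaps


def _snare(host, log, event_id, source, user, event_type, category, message):
    """Build a constructed Snare-over-syslog line for the demo (not real data)."""
    fields = ["1", log, "42", "Tue Mar 29 05:05:00 2016", str(event_id), source,
              user, "User", event_type, host, category, "", message, "7"]
    return f"<13>Mar 29 05:05:00 {host} " + "\t".join(["MSWinEventLog"] + fields)


# Constructed sample input: two hosts plus one line that is not a Snare event.
SAMPLE_LINES = [
    _snare("HOST1", "Security", 4624, "Microsoft-Windows-Security-Auditing", "jsmith",
           "Success Audit", "Logon", "An account was successfully logged on."),
    _snare("HOST1", "System", 7036, "Service Control Manager", "N/A",
           "Information", "None", "The WinRM service entered the running state."),
    _snare("HOST2", "Security", 4625, "Microsoft-Windows-Security-Auditing", "guest",
           "Failure Audit", "Logon", "An account failed to log on."),
    "<13>Mar 29 05:05:01 HOST3 not a snare event",
]

if __name__ == "__main__":
    summary, bad = collection_summary(SAMPLE_LINES)
    print("per host:", summary, "unparsed lines:", bad)
    print("missing logs:", missing_logs(summary, ("Security", "System")))
```

Run it against a capture from the Log Decoder's syslog port (or a Snare agent pointed at a test listener) and any host listed by missing_logs, or a non-zero unparsed count, points at an agent whose log selection or delimiter settings still need attention before the device is signed off.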
2016-03-29 11:35 AM
I assume you mean Windows Logs? Did you look at sadocs.emc.com?
2016-03-29 11:50 AM
Yeah, I went through that, but I couldn't find any prerequisites for integrating Windows devices in SA 10.4.
2016-03-29 12:04 PM
Hi Pranav,
What do you mean by pre-requisite?
You can check the link below for the different Windows versions that RSA Security Analytics supports and the different ways of integrating them:
https://sadocs.emc.com/0_en-us/300_RSA_ContentAndResources/03_Supported_Event_Sources#W
2016-03-30 12:50 PM
Hi Rachid ,
Thanks for the update.
When I check the above link, it shows the various types of event source supported by RSA SA. But for "Microsoft Windows using Eventing Collection" I could see how to configure the Windows event sources. Is this the way we will integrate Windows devices in RSA SA?
Rachid, a pre-requisite is nothing but the basic checks we need to follow before integrating devices, like whether the device is pinging, the port is listening, EV access, etc. When I worked in ArcSight, for integration with Windows devices I went through all such prerequisites. So kindly confirm: before integrating a Windows device in RSA SA, do we require any such prerequisites?
I hope this is clear for you. Awaiting your revert.
Regards
Pranav Sankar
2016-03-31 04:44 AM
Hi Rachid ,
Waiting for your update.
Regards
Pranav
2016-03-31 01:10 PM
Much appreciated, Kevin. This clears my doubt about Windows device integration prerequisites and configuration.
Once again, thank you.
2016-11-21 04:19 PM
Below are a course link about WinRM and other things found during my search. All are good references; they may not pertain to the specific version inquired about, but may lead others to good resources.
https://community.rsa.com/docs/DOC-54577 WinRM configuration and T/S
Test and Troubleshoot Microsoft WinRM Guide
https://community.rsa.com/message/772329#comments
Last but not least, the attachment.