Configure Contextual Data from NetWitness Endpoint Through Recurring FeedConfigure Contextual Data from NetWitness Endpoint Through Recurring Feed
You can configure NetWitness Endpoint data in NetWitness to provide contextual data from NetWitness Endpoint to Decoder and Log Decoder sessions. This configuration adds contextual meta values in addition to the instant IOC alerts that can be used to build correlations to other metadata in the NetWitness ecosystem.
Administrators can configure NetWitness to consume system scan contextual data from NetWitness Endpoint through a NetWitness Live recurring feed. This integration can enrich the session from a Decoder or Log Decoder with contextual information displayed in NetWitness Investigation; some examples include the host operating system, MAC address, IIOC score, and other data that may not be present in the log or packet data into sessions from a Decoder or Log Decoder.
Note: Although this feature is targeted for customers with a Network Decoder, a recurring feed can also be implemented in Log Decoders.
Caution: In an environment with many NetWitness Endpoint hosts, using recurring feed may result in decreased performance on the NetWitness ingest devices (Decoder and Log Decoder).
Prerequisites
- Version 4.3.0.4, 4.3.0.5, 4.4, 4.4.0.2, or later NetWitness Endpoint Console server and NetWitness Server Version 10.4 and above installed.
- Version 11.0 or 11.1 NetWitness Decoder and Concentrator connected to the NetWitness Server in the network.
To Configure Contextual Data from NetWitness Endpoint Through Recurring Feed, perform the following:
- Enable the NetWitness Endpoint Feed for NetWitness in the NetWitness Endpoint User Interface.
- Export the NetWitness Endpoint CA Certificate from the NetWitness Endpoint Console server and Import it into NetWitness trust store.
- Configure the NetWitness Concentrator service to define which meta keys are indexed.
- Create a recurring feed in NetWitness Live.
Enable the NetWitness Endpoint Feed for NetWitnessEnable the NetWitness Endpoint Feed for NetWitness
- In the NetWitness Endpoint user interface, create SQL user in NetWitness Endpoint:
- Open the NetWitness Endpoint user interface and log on using the proper credentials.
- From the menu bar, select (Configure) > Manage Users and Roles, right-click in the pane, and select create sql user.
The Create a new SQL User dialog is displayed. - Enter the Login Name and Password and click Create.
-
From the menu bar, select (Configure) > Monitoring and External Components.
The External Components Configuration dialog is displayed.
- In NetWitness, click +.
The NetWitness dialog is displayed. - In the NetWitness panel, in On, enter the name to identify the NetWitness component.
- In the NetWitness Connection panel, perform the following.
- In the Server Hostname/IP field, enter the host name or IP address of the NetWitness Server.
- In the Port field, enter the port number. By default port number is 443.
- In the Configure NetWitness panel, perform the following:
- In the Servers Time Zone field, select the time zone for the component from the drop-down list.
- In the Device Identifier field, enter the NetWitness concentrator device ID.
Note: You can find the Device Identifier in NetWitness when you look up a Concentrator or Broker in Investigation > Navigate > <Concentrator or Broker Name>. The Device Identifier is the number in the URL after "investigation." For example, in the URL https://<IP address>investigation/319/navigate/values, the Device Identifier is 319.
The URI field is populated when you click Save.
- In the Query Optimization panel, in the Do Not Perform Query Older Than field, enter the number of days to limit the query period. Enter 0 if you want to discard this feature.
- In the Query Time Range panel, perform the following:
In the Minimum field, enter the number of minutes for the minimum query time range. This value is used to automatically increase the time range submitted to NetWitness. This ensures that a query returns a positive response if the NetWitness Endpoint Agent's reported time is slightly different than NetWitness Endpoint's time.
- In the Maximum field, enter the number of minutes to limit the time range. This value is used to automatically limit the time range submitted to NetWitness, so that a query does not overload the NetWitness Server.
- In the Configure NetWitness Endpoint Feeds for NetWitness panel, perform the following:
- Select Enable NetWitness Endpoint Feed.
- In the URL field, enter the SQL Username and Password (configured in step 1) to access the location of the feed.
The URL field is populated when you click Save. - Enter the time interval for the frequency at which feeds are published.
- In the Feed Publishing Interval panel, in the Time Interval field, select the time interval in hrs and mins for the frequency at which feeds are published.
- In the Enable URL access to below user to panel, enter the Username and Password of the NetWitness Endpoint user.
- Click Save.
A feed is created.
Export the NetWitness Endpoint SSL CertificateExport the NetWitness Endpoint SSL Certificate
Note: This procedure works only for NetWitness 10.5 and above because Java 8 support was added for 10.5. If you are using an earlier version of NetWitness, refer to the applicable version of this guide.
To export the NetWitness Endpoint CA certificate from the NetWitness Endpoint Console server and copy it to the NetWitness host:
- Log on to the NetWitness Endpoint Console.
- Open MMC.
- Add a certificate snap-in for Computer account.
- Export the certificate named NweCA (in NetWitness Endpoint 4.3.0.4, 4.3.0.5, 4.4, 4.4.0.2, or later fresh install) or EcatCA (in NetWitness Endpoint upgraded from previous version to 4.3.0.4 or 4.3.0.5).
- Export without a private key.
- Export in DER encoded binary X.509 (.CER) format.
- Name it NweCA.cer (in NetWitness Endpoint 4.3.0.4, 4.3.0.5, 4.4, 4.4.0.2, or later fresh install) or EcatCA.cer (in NetWitness Endpoint upgraded from previous version to 4.3.0.4 or 4.3.0.5).
- Copy the NetWitness Endpoint CA certificate to the NetWitness host:
- For NetWitness Endpoint 4.3.0.4, 4.3.0.5 or 4.4 fresh installation:
scp NweCA.cer root@<sa-machine>:. - For NetWitness Endpoint upgraded from previous version to 4.3.0.4 or 4.3.0.5:
scp EcatCA.cer root@<sa-machine>:.
- For NetWitness Endpoint 4.3.0.4, 4.3.0.5 or 4.4 fresh installation:
- To import the NetWitness Endpoint Endpoint CA certificate into the NetWitness Trusted store, navigate to java directory. Enter the following commands:
For NetWitness Endpoint fresh installation:
keytool -import -v -trustcacerts -alias nweca -file ~/NweCA.cer -keystore /etc/pki/java/cacerts -storepass changeit- For NetWitness Endpoint upgraded from previous version:
keytool -import -v -trustcacerts -alias ecatca -file ~/EcatCA.cer -keystore /etc/pki/java/cacerts -storepass changeit
When prompted for certificate update confirmation, enter Yes.
- Create a file jetty.user in the /etc/default directory and add the following text.
JAVA_OPTIONS="${JAVA_OPTIONS} -Djdk.security.allowNonCaAnchor=true" - On the NetWitness host, do one of the following:
For NetWitness Endpoint 4.3.0.4, 4.3.0.5, 4.4, 4.4.0.2, or later fresh installation, edit/etc/hosts.user to map the IP address of the NetWitness Endpoint Console server to the name NweServerCertificate by adding the following line to the file:
<ip-address-ecat-cs> NweServerCertificate
For NetWitness Endpoint upgraded from previous version to 4.3.0.4 or 4.3.0.5, edit /etc/hosts.user to map the IP address of the upgraded NetWitness Endpoint Console server to the name ecatserverexported by adding the following line to the file:
<ip-address-ecat-cs> ecatserverexported
-
SSH to ADMIN Server and run the following command.
nw-manage --refresh-host --host-all - To restart NetWitness, enter the following command:
service jetty restart
Configure the NetWitness Concentrator ServiceConfigure the NetWitness Concentrator Service
- Log on to NetWitness and go to (Admin) > Services.
- Select a Concentrator from the list and select View > Config.
- Select the Files tab, and from the Files to Edit drop-down menu, select index-concentrator-custom.xml.
- Add the following NetWitness Endpoint meta keys to the file and click Apply. Make sure that this file contains the XML sections already; if the lines are not included, add them. The following lines are examples; make sure the values match your configuration and the column names you included in the feed definition, where:
description is the name of the meta key you want to display in NetWitness Investigation.
level is "IndexValues"
name matches the column name of the CSV file that NetWitness uses while defining the recurring feed (see the table in Configure the Recuring Custom Feed Task in NetWitness below).<key description="Gateway" format="Text" level="IndexValues" name="gateway" valueMax="250000" defaultAction="Open"/>
<key description="Risk Number" format="Float64" level="IndexValues" name="risk.num" valueMax="250000" defaultAction="Open"/>
<key description="Strans Addr" format="Text" level="IndexValues" name="stransaddr" valueMax="250000" defaultAction="Open"/>
<key description="Domain" format="Text" level="IndexValues" name="domain" valueMax="250000" defaultAction="Open"/>
<key description="User Account" format="Text" level="IndexValues" name="username" valueMax="250000" defaultAction="Open"/>
<key description="Ecat Connectiontime" format="Text" level="IndexValues" name="ecat.ctime" valueMax="250000" defaultAction="Open"/>
<key description="Ecat Scantime" format="Text" level="IndexValues" name="ecat.stime" valueMax="250000" defaultAction="Open"/>
- Restart the Concentrator to activate the custom key updates.
Configure the Recurring Custom Feed Task in NetWitnessConfigure the Recurring Custom Feed Task in NetWitness
-
Log on to NetWitness and go to (Configure) > Custom Feeds.
The Feeds view is displayed. -
In the toolbar, click .
The Setup Feed dialog is displayed. -
In the Setup Feed dialog, select Custom Feed and click Next.
The Configure a Custom Feed wizard is displayed, with the Define Feed form open. - In the Define Feed, perform the following:
- In the Feed Type field, select CSV.
- In the Feed Task Type field, select Recurring.
- In the Name field, enter the name of the feed. For example, EndpointFeed.
- Enable the Upload As Csv File Feed checkbox to upload the feed as a CSV file.
- In the URL field, enter the URL with the hostname of the Windows server on which NetWitness Endpoint is installed:
- For NetWitness Endpoint 4.3.0.4, 4.3.0.5, 4.4, 4.4.0.2, or later fresh installation, use the URL https://NweServerCertificate:9443/api/v2/feed/machines.csv.
- For NetWitness Endpoint upgraded from previous version to 4.3.0.4 or 4.3.0.5, use the URL https://ecatserverexported:9443/api/v2/feed/machines.csv.
- Enable the Authenticatedcheckbox and enter the username and password as noted in Enable the ECAT Feed above.
Click Verify to check if NetWitness can reach the web resource.
.
- Define the schedule and click Next
-
In the Select Services tab, select the Decoder or groups to consume the feed. Click Next.
-
In the Define Columns tab, enter the column names as shown in the table below and save the feed.
The following table shows the columns in the CSV file for the NetWitness Endpoint feed.
Column | Name | Description | Column Name in NetWitness (Meta Key Name) |
---|---|---|---|
1 | MachineName | Host name of the Windows agent | alias.host |
2 | LocalIp | IPv4 address | IP type (indexed column) |
3 | RemoteIp | Far end IP as seen by the router | stransaddr |
4 | GatewayIp | IP of the gateway | gateway |
5 | MacAddress | MAC address | eth.src |
6 | OperatingSystem | Operating system used by the Windows Agent | OS |
7 | AgentID | Agent ID of the host (unique ID assigned to the agent) | client |
8 | ConnectionUTCTime | Last time when the agent connected to NetWitness Endpoint server | ecat.ctime |
9 | Source Domain | Domain | domain.src |
10 | ScanUTC time | Last time when the agent was scanned | ecat.stime |
11 |
UserName |
Username of the client machine |
username |
12 | Machine Score | Score of the agent indicating the suspicious level | risk.num |
Note: In the table, the recommended index setting is LocalIp. However, if the LocalIp for NetWitness Endpoint Agent PC is allocated by a DHCP Server and the DHCP lease has expired, and if the IP is then re-allocated to another PC, the metadata created by the feed will be incorrect. To avoid this risk, use the machine name or the Mac address instead of the localIP address as the Feed's index. For example, to use a Mac address, you could enter the values as shown in the following figure.
Result
When viewing feed data in NetWitness, upon a match of the indexed value (ip.src), meta data is populated in Investigation, Reporting, and Alerting Interfaces.