Configure Endpoint Alerts Through Syslog into a Log Decoder

You can configure the use of NetWitness Endpoint data in NetWitness to provide NetWitness Endpoint alerts through Syslog into Log Decoder sessions. This generates metadata that is used by NetWitness Investigation, Alerts, and Reporting Engine.

For NetWitness networks that are consuming logs, this integration of NetWitness Endpoint with NetWitness pushes NetWitness Endpoint events to the Log Decoder through common event format (CEF) syslog messages and generates metadata that is used by NetWitness Investigation, Alerts, and Reporting Engine. The use case for this integration is SIEM Integration to allow centralized event management, correlation of NetWitness Endpoint events with other Log Decoder data, NetWitness reporting on NetWitness Endpoint events, and NetWitness alerting of NetWitness Endpoint events.

Prerequisites

The following are required for this integration:

  • NetWitness Endpoint UI version 4.3.0.4, 4.3.0.5, 4.4, 4.4.0.2, or later.
  • NetWitness Server version 11.1 installed.
  • NetWitness Log Decoder and Concentrator version 10.4 or later, connected to the NetWitness Server in the network.
  • Port UDP 514 or TCP 1514 open in the firewall from the NetWitness Endpoint server to the Log Decoder.

Procedure

  1. Deploy the required parser (CEF or rsaecat) to the Log Decoder as described in the "Manage Live Resources" topic in Live Services Management. After you deploy the parser, make sure the parser is enabled. For more information, see "Services Config View - General Tab" in the Malware Analysis Configuration Guide.

Note: Use only one of these parsers. When the CEF parser is deployed, it supersedes the NetWitness Endpoint parser, and all CEF messages into NetWitness are processed by the CEF parser. Enabling both parsers is an unnecessary burden on performance.

  2. Configure NetWitness Endpoint to send syslog output to NetWitness and generate NetWitness Endpoint alerts to the Log Decoder.
  3. (Optional) Edit the table mapping in table-map-custom.xml and index-concentrator-custom.xml to add fields, based on your preferences for which metadata is mapped into NetWitness.

Configure NetWitness Endpoint to Send Syslog Output to NetWitness

To add the Log Decoder as a Syslog external component and generate NetWitness Endpoint alerts to the Log Decoder:

  1. Open the NetWitness Endpoint user interface and log on using the proper credentials.
  2. From the menu bar, select Configure > Monitoring and External Components.

    The External Components Configuration dialog is displayed.

  3. In SYSLOG Server, click the Add icon.

    The SYSLOG Server dialog is displayed.


  4. In the NetWitness panel, in On, enter the descriptive name for the Log Decoder.
  5. In the Syslog Connection panel, complete the following fields to enable Syslog messaging:

     • Server Hostname/IP: the DNS hostname or IP address of the NetWitness Log Decoder
     • Port: 514
     • Transport Protocol: select UDP or TCP, as appropriate for your Syslog server

  6. Click Save.
  7. Open the InstantIOCs window in the NetWitness Endpoint UI and, in the Alertable column, click to enable each IIOC for which you want alerts sent to the Log Decoder.


When the instant IOCs are triggered, Syslog alerts from the NetWitness Endpoint server are sent to the Log Decoder. Log Decoder alerts are then aggregated to the Concentrator. These events are injected into the Concentrator as metadata.

Edit the Table Mapping in table-map-custom.xml

In the default table-map.xml provided by NetWitness, a number of the NetWitness Endpoint meta keys are flagged Transient. To view a meta key in Investigation, its flag must be None. Changes to the mapping are made by adding overriding entries to table-map-custom.xml on the Log Decoder.

This is the list of meta keys in table-map.xml.

NetWitness Endpoint Fields    NetWitness Mapping   Transient in NetWitness
agentid                       client               No
CEF Header Hostname Field     alias.host           No
CEF Header Product Version    version              No
CEF Header Product Name       Product              Yes
CEF Header Severity           severity             Yes
CEF Header Signature ID       event.type           No
CEF Header Signature Name     event.desc           No
destinationDnsDomain          ddomain              Yes
deviceDnsDomain               domain               Yes
dhost                         host.dst             No
dst                           ip.dst               No
end                           endtime              Yes
fileHash                      checksum             No
fname                         filename             No
fsize                         filename.size        No
gatewayip                     gateway              Yes
instantIOCLevel               threat.desc          No
instantIOCName                threat.category      No
machineOU                     dn                   No
machineScore                  risk.num             No
md5sum                        checksum             No
os                            OS                   No
port                          ip.dstport           No
protocol                      protocol             Yes
Raw Message                   msg                  Yes
remoteip                      stransaddr           Yes
rt                            alias.host           No
sha256sum                     checksum             No
shost                         host.src             No
smac                          eth.src              No
src                           ip.src               No
start                         starttime            No
suser                         user.dst             No
timezone                      timezone             No
totalreceived                 rbytes               Yes
totalsent                     bytes.src            No
useragent                     user.agent           No
userOU                        org                  Yes

The following seven keys are not in table-map.xml; to use these keys in NetWitness you need to add them to table-map-custom.xml, and set the flags to None.

NetWitness Endpoint Fields    NetWitness Mapping   Transient in NetWitness
moduleScore                   cs.modulescore       Yes
moduleSignature               cs.modulesign        Yes
Target module                 cs.targetmodule      Yes
YARA result                   cs.yararesult        Yes
Source module                 cs.sourcemodule      Yes
OPSWATResult                  cs.opswatresult      Yes
ReputationResult              cs.represult         Yes
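As an added example (not part of this product documentation), the following Python script parses a constructed CEF alert of the kind NetWitness Endpoint sends and applies a subset of the two tables above, returning the NetWitness meta that would result and listing which of those keys are Transient by default, and so stay invisible in Investigation until table-map-custom.xml overrides them. The sample message, its hostname, agent id and hash value are constructed placeholders, not captured data.

```python
import re

# Subset of the two mapping tables above: CEF extension key -> (NetWitness meta key, Transient by default)
EXTENSION_MAP = {
    "agentid": ("client", False), "fileHash": ("checksum", False), "fname": ("filename", False),
    "instantIOCLevel": ("threat.desc", False), "instantIOCName": ("threat.category", False),
    "machineScore": ("risk.num", False), "shost": ("host.src", False), "src": ("ip.src", False),
    "suser": ("user.dst", False), "os": ("OS", False), "deviceDnsDomain": ("domain", True),
    "remoteip": ("stransaddr", True), "moduleScore": ("cs.modulescore", True),
    "moduleSignature": ("cs.modulesign", True), "ReputationResult": ("cs.represult", True),
}
# CEF header fields after "CEF:0|Vendor", in order: product name, product version, signature id, name, severity
HEADER_MAP = [("product", True), ("version", False), ("event.type", False),
              ("event.desc", False), ("severity", True)]
# Constructed sample alert (not captured from a real server); agent id and hash are placeholders
SAMPLE = ("<13>Mar  7 10:21:05 ecat-server CEF:0|RSA|NetWitness Endpoint|4.4.0.2|IIOC|Suspicious Module|7|"
          "agentid=AGENT-ID-PLACEHOLDER shost=WS-042 src=10.0.0.25 suser=jdoe fname=dropper.exe "
          "fileHash=HASH-PLACEHOLDER instantIOCName=Unsigned\\=Module instantIOCLevel=High "
          "machineScore=85 os=Windows 10 moduleScore=42 ReputationResult=Malicious")

def _unescape(s):
    return s.replace("\\|", "|").replace("\\=", "=").replace("\\\\", "\\")

def parse_cef(line):
    """Return (meta, transient): meta maps NetWitness keys to values; transient lists the keys that
    stay Transient (invisible in Investigation) until table-map-custom.xml sets flags="None"."""
    head, _, body = line.partition("CEF:")
    parts = re.split(r"(?<!\\)\|", body, maxsplit=7)      # a '|' inside a header field is escaped as \|
    if len(parts) < 8:
        raise ValueError("not a CEF message with seven pipe-delimited header fields")
    meta = {"alias.host": head.split()[-1]} if head.split() else {}   # syslog hostname -> alias.host
    transient = set()
    for (nw_key, is_transient), value in zip(HEADER_MAP, parts[2:7]):
        meta[nw_key] = _unescape(value)
        if is_transient:
            transient.add(nw_key)
    ext, cef_key = {}, None
    for token in parts[7].split(" "):      # a token without an unescaped '=' continues the previous value
        m = re.match(r"^([^=\\]+)=(.*)$", token)
        if m:
            cef_key, ext[m.group(1)] = m.group(1), m.group(2)
        elif cef_key is not None:
            ext[cef_key] += " " + token
    for cef_key, value in ext.items():
        if cef_key in EXTENSION_MAP:       # keys not in the table are left to the parser's own defaults
            nw_key, is_transient = EXTENSION_MAP[cef_key]
            meta[nw_key] = _unescape(value)
            if is_transient:
                transient.add(nw_key)
    return meta, sorted(transient)
```

Running `parse_cef(SAMPLE)` shows that product, severity, cs.modulescore and cs.represult would be dropped at the Log Decoder unless the custom mapping sets their flags to None.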

Here are the entries to be added to the table-map-custom.xml if required.

<mapping envisionName="cs_represult" nwName="cs.represult" flags="None" envisionDisplayName="ReputationResult"/>
<mapping envisionName="cs_modulescore" nwName="cs.modulescore" format="Int32" flags="None" envisionDisplayName="ModuleScore"/>
<mapping envisionName="cs_modulesign" nwName="cs.modulesign" flags="None" envisionDisplayName="ModuleSignature"/>
<mapping envisionName="cs_opswatresult" nwName="cs.opswatresult" flags="None" envisionDisplayName="OpswatResult"/>
<mapping envisionName="cs_sourcemodule" nwName="cs.sourcemodule" flags="None" envisionDisplayName="SourceModule"/>
<mapping envisionName="cs_targetmodule" nwName="cs.targetmodule" flags="None" envisionDisplayName="TargetModule"/>
<mapping envisionName="cs_yararesult" nwName="cs.yararesult" flags="None" envisionDisplayName="YaraResult"/>

Note: Restart the Log Decoder or reload the log parsers for the changes to take effect.

Configure the NetWitness Suite Concentrator Service

  1. Log on to NetWitness and go to Admin > Services.
  2. Select a Concentrator from the list and select View > Config.
  3. Select the Files tab, and from the Files to Edit drop-down list, select index-concentrator-custom.xml.
  4. Add the NetWitness Endpoint meta keys to the file and click Apply. Make sure that the file already contains the required XML sections; if the lines are not included, add them.
  5. Restart the Concentrator.
  6. To add the Concentrator as a data source in the Reporting Engine, in the Admin > Services view, select the Reporting Engine and select View > Config > Sources.
    NetWitness Endpoint meta is populated in Reporting Engine, and you can run reports by selecting the appropriate meta keys.

Example

Note: The following lines are examples; make sure the values match your configuration and the column names you included in the feed definition, where:
  • description is the name of the meta key you want to display in NetWitness Investigation.
  • level is "IndexValues".
  • name is the NetWitness Endpoint meta key name from the tables above.

<language>
<key description="Product" format="Text" level="IndexValues" name="product" valueMax="250000" defaultAction="Open"/>
<key description="Severity" format="Text" level="IndexValues" name="severity" valueMax="250000" defaultAction="Open"/>
<key description="Destination Dns Domain" format="Text" level="IndexValues" name="ddomain" valueMax="250000" defaultAction="Open"/>
<key description="Domain" format="Text" level="IndexValues" name="domain" valueMax="250000" defaultAction="Open"/>
<key description="Destination Host" format="Text" level="IndexValues" name="host.dst" valueMax="250000" defaultAction="Open"/>
<key description="End Time" format="TimeT" level="IndexValues" name="endtime" valueMax="250000" defaultAction="Open"/>
<key description="Checksum" format="Text" level="IndexValues" name="checksum" valueMax="250000" defaultAction="Open"/>
<key description="Filename Size" format="Int32" level="IndexValues" name="filename.size" valueMax="250000" defaultAction="Open"/>
<key description="Gateway" format="Text" level="IndexValues" name="gateway" valueMax="250000" defaultAction="Open"/>
<key description="Domain OU" format="Text" level="IndexValues" name="dn" valueMax="250000" defaultAction="Open"/>
<key description="Risk Number" format="Float64" level="IndexValues" name="risk.num" valueMax="250000" defaultAction="Open"/>
<key description="ReputationResult" format="Text" level="IndexValues" name="cs.represult" valueMax="250000" defaultAction="Open"/>
<key description="Module Score" format="Text" level="IndexValues" name="cs.modulescore" valueMax="250000" defaultAction="Open"/>
<key description="Module Sign" format="Text" level="IndexValues" name="cs.modulesign" valueMax="250000" defaultAction="Open"/>
<key description="opswat result" format="Text" level="IndexValues" name="cs.opswatresult" valueMax="250000" defaultAction="Open"/>
<key description="source module" format="Text" level="IndexValues" name="cs.sourcemodule" valueMax="250000" defaultAction="Open"/>
<key description="Target Module" format="Text" level="IndexValues" name="cs.targetmodule" valueMax="250000" defaultAction="Open"/>
<key description="yara result" format="Text" level="IndexValues" name="cs.yararesult" valueMax="250000" defaultAction="Open"/>
<key description="Protocol" format="Text" level="IndexValues" name="protocol" valueMax="250000" defaultAction="Open"/>
<key description="Event Time" format="TimeT" level="IndexValues" name="event.time" valueMax="250000" defaultAction="Open"/>
<key description="Source Host" format="Text" level="IndexValues" name="host.src" valueMax="250000" defaultAction="Open"/>
<key description="Start Time" format="TimeT" level="IndexValues" name="starttime" valueMax="250000" defaultAction="Open"/>
<key description="Timezone" format="Text" level="IndexValues" name="timezone" valueMax="250000" defaultAction="Open"/>
<key description="Received Bytes" format="UInt64" level="IndexValues" name="rbytes" valueMax="250000" defaultAction="Open"/>
<key description="Agent User" format="Text" level="IndexValues" name="user.agent" valueMax="250000" defaultAction="Open"/>
<key description="Source Bytes" format="UInt64" level="IndexValues" name="bytes.src" valueMax="250000" defaultAction="Open"/>
<key description="Strans Address" format="Text" level="IndexValues" name="stransaddr" valueMax="250000" defaultAction="Open"/>
</language>
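This added Python check (not from the product documentation) cross-checks a table-map-custom.xml fragment against an index-concentrator-custom.xml fragment: every mapping with flags="None" should have a Concentrator key with level="IndexValues" and the same format, which the entries above do not satisfy for cs.modulescore (Int32 in the mapping, Text in the index). Both fragments are constructed from the entries shown above; a <mappings> root is assumed for table-map-custom.xml, a mapping without a format attribute is assumed to be Text, and one mapping is deliberately left Transient and one has no index entry so that the check has something to report.

```python
import xml.etree.ElementTree as ET

# Constructed fragments modelled on the entries shown above; the real files carry more content.
# A <mappings> root is assumed for table-map-custom.xml. cs.yararesult is deliberately left
# Transient and cs.opswatresult deliberately has no index entry, so the check reports them.
TABLE_MAP_CUSTOM = """<mappings>
<mapping envisionName="cs_represult" nwName="cs.represult" flags="None" envisionDisplayName="ReputationResult"/>
<mapping envisionName="cs_modulescore" nwName="cs.modulescore" format="Int32" flags="None" envisionDisplayName="ModuleScore"/>
<mapping envisionName="cs_yararesult" nwName="cs.yararesult" flags="Transient" envisionDisplayName="YaraResult"/>
<mapping envisionName="cs_opswatresult" nwName="cs.opswatresult" flags="None" envisionDisplayName="OpswatResult"/>
</mappings>"""
INDEX_CONCENTRATOR_CUSTOM = """<language>
<key description="ReputationResult" format="Text" level="IndexValues" name="cs.represult" valueMax="250000" defaultAction="Open"/>
<key description="Module Score" format="Text" level="IndexValues" name="cs.modulescore" valueMax="250000" defaultAction="Open"/>
<key description="yara result" format="Text" level="IndexValues" name="cs.yararesult" valueMax="250000" defaultAction="Open"/>
</language>"""

def check_meta_consistency(table_map_xml, index_xml):
    """Cross-check each table-map-custom.xml mapping against index-concentrator-custom.xml.
    Returns a sorted list of (meta key, problem) pairs; an empty list means nothing to fix."""
    indexed = {k.get("name"): k for k in ET.fromstring(index_xml).iter("key")}
    findings = []
    for m in ET.fromstring(table_map_xml).iter("mapping"):
        name = m.get("nwName")
        if m.get("flags") != "None":
            findings.append((name, "flags is not None: meta stays Transient and will not show in Investigation"))
            continue
        key = indexed.get(name)
        if key is None:
            findings.append((name, "mapped on the Log Decoder but not indexed on the Concentrator"))
            continue
        fmt = m.get("format", "Text")               # a mapping without format is assumed to be Text
        if key.get("format") != fmt:
            findings.append((name, f"format mismatch: table-map {fmt} vs index {key.get('format')}"))
        if key.get("level") != "IndexValues":
            findings.append((name, "indexed without level=IndexValues: values are not searchable"))
    return sorted(findings)

if __name__ == "__main__":
    for name, problem in check_meta_consistency(TABLE_MAP_CUSTOM, INDEX_CONCENTRATOR_CUSTOM):
        print(f"{name}: {problem}")
```

Run it against your real files before restarting the Log Decoder and Concentrator; a key that passes all three checks is written as meta, indexed, and searchable in Investigation.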

Result

Analysts can:

  • Create NetWitness alerts based on NetWitness Endpoint events by configuring NetWitness Endpoint events as an enrichment source.
  • Create ESA rules using NetWitness Endpoint meta as described in the "Add Rules to the Rules Library" topic in the Alerting Using ESA Guide.
  • Report on NetWitness Endpoint events using NetWitness Endpoint meta as described in the "Configure a Rule" topic in the Reporting Guide.
  • View NetWitness Endpoint alerts in NetWitness Respond as described in the "View Alerts" topic in NetWitness Respond User Guide.
  • View NetWitness Endpoint meta keys in Investigation along with standard NetWitness core meta keys as described in the "Conduct an Investigation" topic in Investigation and Malware Analysis User Guide.