This topic describes how to deploy the Broadcom ETM Integration for users of Policy-based Centralized Content Management (CCM).

You must perform the following tasks to deploy the Broadcom ETM Integration on NetWitness Platform.

Task 1. Map Network Adapter in Decoder for Broadcom ETM Integration

You must select the pcap_stream,Pcap File Streamer network adapter and enable the Capture Autostart option so that the Decoder captures packets and processes the data.

To Map the Network Adapter in Decoder for Broadcom ETM Integration

  1. Log in to the NetWitness Platform.

  2. Go to Admin > Services.

  3. Select the Packet Decoder service and click the actions button > View > Config.

    The Configure view for the Decoder service is displayed with the General tab open.

  4. Under the Decoder Configuration section, do the following:

    1. Set the Capture Interface Selected to pcap_stream,Pcap File Streamer network adapter.

    2. Enable the Capture Autostart option.

  5. Click Apply to save the changes.

  6. To restart the Decoder service, go to the Services view, select the Decoder service, and click the actions button > Restart.

  7. A confirmation dialog is displayed. To restart the service, click Yes.

  8. (Optional) Navigate to the System view of the Decoder service and check if the Decoder is capturing the data.

    This check confirms that the Decoder has already started capturing packets.

Task 2. Create and Publish Policy for Broadcom ETM Integration

You must create a policy with the Broadcom ETM Integration plugin type, assign it to one or more groups that contain a Decoder service, and publish the policy.

Prerequisites

  • Ensure that the Broadcom ETM Integration plugin is available on the SASE Integration Plugin tab.

  • Ensure that the group with one or more decoder services is created.

Supported Hosts

  • Packet Decoder

  • Packet Hybrid

To create and publish policy for Broadcom ETM Integration

  1. Go to Configure > Policies.

  2. In the policies panel, click Content.

  3. Click Policies.

    The available policies are displayed.

  4. Click + Create New to add a new policy.

  5. In the New Policy panel, do the following:

    1. Enter a unique policy name.

    2. (Optional) Enter a description for the policy.

  6. Click Next.

  7. In the Available Content, select the plugin and click + to add the Broadcom ETM Integration plugin to the policy. To add all content based on the resource type, click the add all icon.

  8. Enable the subscription (if required) by clicking the subscribed toggle. Once the content is subscribed to, the updates are pushed automatically.

  9. Click Next.

  10. If there are no unassigned groups available, click the create new group icon to save the policy and go to the Create New Group screen.

  11. In the New Group panel, do the following:

    • Enter the name of the group.

    • (Optional) Enter the description for the group.

  12. Click Next.

  13. In the Define Group, click + to assign services to the group.

    Note:
    - A service is disabled if it is assigned to another group.
    - A service is disabled if it is not managed by Policy-based Centralized Content Management.

  14. Click Next.

  15. In the Assign Policies, click + to assign policies to a group. You can assign only one policy to any particular group.

  16. Click Save and Publish to save and publish the settings.

IMPORTANT: Ensure that you always publish the policy after adding the Broadcom ETM Integration plugin to deploy the plugin to the Decoder service.

Note: You can also publish a policy from the Policy Details screen. For more information on publishing a policy from the Policy Details screen, refer to the View a Policy topic.

For more information on Policies, see Manage Policies.

For more information on Groups, see Manage Groups.

Next, go to the policy details view and configure the Broadcom ETM Integration settings. For more information, see Task 3. Configure Broadcom ETM Integration from Policy Details View.

Task 3. Configure Broadcom ETM Integration from Policy Details View

Administrators can configure the Broadcom ETM Integration type to capture the network data from the decoder service within a policy, which sends the data to NetWitness. The data is then processed by NetWitness so that it can provide a comprehensive view of network traffic and malicious activity. Analysts can use this data to monitor network traffic, identify threats, and investigate any malicious behavior.

Prerequisites

Before you begin configuring the Broadcom ETM Integration, ensure that the following prerequisites are met:

  • A policy is created with the Broadcom ETM Integration plugin type, the policy is associated with the group that has a Decoder service configured, and the policy is published.

  • You have the Request URL and Auth Token from Broadcom for configuration.

To Configure Broadcom ETM Integration

  1. Go to Configure > Policies.

  2. In the policies panel, click Content.

  3. In the left panel, click Policies.

  4. Do one of the following:

    1. Click the policy name containing the Broadcom ETM plugin type to view the policy details.

    2. Click a row to view details about the selected policy and click View Details.

  5. Click the SASE Integration Plugin tab.

    IMPORTANT: The Configuration button will be disabled when the policy status is Unpublished, Failed, or N/A. For more information, see Filter Policies.

  6. Select the Broadcom ETM Integration type and click Configuration.

    The Configuration dialog is displayed.

  7. Enter the request URL in the Request URL field.

  8. Enter the auth token in the Auth Token field.

    Note:
    • Broadcom provides you with a unique request URL and Auth token for your account.
    • Keep your auth (bearer) token and request URL secure. Do not share them with other users or applications.

  9. Click Test Connection to determine if NetWitness connects to the Broadcom service and ensure the connection is successful.

  10. Click Next to continue.

    The screen to configure the targets is displayed.

  11. To configure the available targets, do the following:

    • Select the available bootstrap servers from the drop-down list.

    • Select a decoder service from the drop-down list to map it to the target.

    The Bootstrap server in a Kafka cluster consists of a Kafka host and a Kafka port. The decoder connects to the target (topic) using this Kafka host and Kafka port and fetches the data from the Kafka topic.

    Note:
    • A target (Kafka topic or tool name) can only have one decoder configured.
    • You can assign the target to an undefined value if no decoders are available.

  12. (Optional) To return to the previous screen, click Back.

  13. Review the target configuration details and click Save And Publish.

    To verify if the configuration was completed successfully, ensure that the Config Status column displays Configured for the Broadcom ETM Integration.

Task 4. Verify Broadcom ETM Events Received at Decoder

You can analyze the Broadcom ETM events that have been received by the Decoder and verify their accuracy.

To verify the Broadcom ETM Events Received at Decoder

  1. Log in to the NetWitness Platform.

  2. Go to Admin > Services.

  3. Select the Packet Decoder service and click the actions button > View > Stats.

  4. Under the Key Stats section, check the values for Capture Rate, Max Capture Rate, and Total Captured packets for the decoder service.

Task 5. Verify Events Meta from Broadcom ETM in Investigate View

To verify Broadcom ETM events, you must first aggregate the Decoder service into the Concentrator and then go to the Investigate > Events page to view the Broadcom ETM events.

Add the Decoder Service in the Concentrator

  1. Log in to the NetWitness Platform.

  2. Go to Admin > Services.

  3. In the Services list, select the Concentrator service.

  4. Click the actions button > View > Config.

    The Services Config View of the Concentrator is displayed.

  5. Select the Sources tab.

  6. Click the add icon and select Available Services.

    The Available Services dialog is displayed.

  7. Select the Decoder service and click OK.

    The service authentication dialog box is displayed.

    Note: The services with the Trust Model enabled must be added individually. You are prompted to provide a username and password for the selected service.

  8. Enter the Username and Password for the service.

  9. Click OK.

  10. Click Apply.

Verify from the Investigate > Events View

  1. Go to Investigate > Events.

  2. Select the Concentrator Service from the Services selection drop-down list.

  3. Click the query icon to load the Broadcom ETM events in the Events table.
