Step 1. Configure Alert Sources to Display Alerts in the Respond ViewStep 1. Configure Alert Sources to Display Alerts in the Respond View
This procedure is required so that alerts from the alert sources are displayed in NetWitness Respond. You have an option to enable or disable the alerts being populated in the Respond view. By default this option is disabled for Detect AI, Reporting Engine, Malware Analysis, and NetWitness Endpoint and enabled only for Event Stream Analysis. So when you install the Respond Server service you need to enable this option in the Reporting Engine, Malware Analysis, and NetWitness Endpoint to populate the corresponding alerts in the Respond view.
PrerequisitesPrerequisites
Ensure that:
- The Respond Server service is installed and running on NetWitness.
- NetWitness Endpoint is installed and running. This is necessary only if you want to configure NetWitness Endpoint as an alert source in the Respond view.
Configure Reporting Engine to Display Reporting Engine Alerts in the Respond ViewConfigure Reporting Engine to Display Reporting Engine Alerts in the Respond View
The Reporting Engine alerts are by default disabled from being displayed in Respond view. To display and view the Reporting Engine alerts, you have to enable the NetWitness Respond alerts in the Services Config view > General tab for the Reporting Engine.
- Go to (Admin) > Services, select a Reporting Engine service, and then select > View > Config.
The Services Config view is displayed with the Reporting Engine General tab open. - Select System Configuration.
- Select the checkbox for Forward Alerts to Respond.
- Click Apply.
The Reporting Engine now forwards the alerts to NetWitness Respond.
For details on parameters in the General tab, see the "Reporting Engine General Tab" topic in the Reporting Engine Configuration Guide. Go to the NetWitness All Versions Documents page and find NetWitness Platform guides to troubleshoot issues.
Configure Malware Analysis to Display Malware Analysis Alerts in the Respond ViewConfigure Malware Analysis to Display Malware Analysis Alerts in the Respond View
Viewing NetWitness Respond alerts is a function of auditing in Malware Analysis. The procedure for enabling NetWitness Respond alerts is described in the "(Optional) Configure Auditing on Malware Analysis Host" topic in the Malware Analysis Configuration Guide. Go to the NetWitness All Versions Documents page and find NetWitness Platform guides to troubleshoot issues.
Configure NetWitness Endpoint to Display NetWitness Endpoint Alerts in the Respond ViewConfigure NetWitness Endpoint to Display NetWitness Endpoint Alerts in the Respond View
This procedure is required to integrate NetWitness Endpoint with NetWitness so that the NetWitness Endpoint alerts are picked up by the NetWitness Respond component of NetWitness and displayed in the Respond > Alerts view.
Note: NetWitness supports NetWitness Endpoint versions 4.3.0.4, 4.3.0.5, 4.4, 4.4.0.2, or later for NetWitness Respond integration. For more detailed information, see "NetWitness Endpoint Integration" in the NetWitness Endpoint User Guide. Go to the NetWitness All Versions Documents page and find NetWitness Platform guides to troubleshoot issues.
The diagram below represents the flow of NetWitness Endpoint alerts to the NetWitness Respond Server service and its display in the Respond > Alerts view.
To configure NetWitness Endpoint to display NetWitness Endpoint alerts in the NetWitness user interface:
-
In the NetWitness Endpoint user interface, click Configure > Monitoring and External Components.
The External Components Configuration dialog is displayed.
- From the components listed, select Incident Message Broker and click + to add a new IM Broker.
-
Enter the following fields:
- Instance Name: Enter a unique name to identify the IM broker.
- Server Hostname/IP address: Enter the Host DNS or IP address of the IM Broker (NetWitness Server).
- Port number: The default port is 5671.
- Click Save.
- Navigate to the ConsoleServer.exe.Config file in C:\Program Files\RSA\ECAT\Server.
-
Modify the virtual host configurations in the file as follows:
<add key="IMVirtualHost" value="/rsa/system" /> -
Restart the API Server and Console Server.
-
To set up SSL for Respond Alerts, perform the following steps on the NetWitness Endpoint primary console server to set the SSL communications:
- Export the NetWitness Endpoint CA certificate to .CER format (Base-64 encoded X.509) from the personal certificate store of the local computer (without selecting the private key).
-
Generate a client certificate for NetWitness Endpoint using the NetWitness Endpoint CA certificate. (You MUST set the CN name to ecat.)
makecert -pe -n "CN=ecat" -len 2048 -ss my -sr LocalMachine -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.2 -in "NWECA" -is MY -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -cy end -sy 12 client.cer
Note: In the above code sample, if you upgraded to Endpoint version 4.3 from a previous version and did not generate new certificates, you should substitute EcatCA for NWECA.
-
Make a note of the thumbprint of the client certificate generated in step b. Enter the thumbprint value of the client certificate in the IMBrokerClientCertificateThumbprint section of the ConsoleServer.Exe.Config file as shown.
<add key="IMBrokerClientCertificateThumbprint" value="896df0efacf0c976d955d5300ba0073383c83abc"/>
-
On the NetWitness Server, copy the NetWitness Endpoint CA certificate file in .CER format into the import folder:
/etc/pki/nw/trust/import -
Issue the following command to initiate the necessary Chef run:
orchestration-cli-client --update-admin-node
This appends all of those certificates into the truststore. -
Restart the RabbitMQ server:
systemctl restart rabbitmq-server
The NetWitness Endpoint account should automatically be available on RabbitMQ. - Import the /etc/pki/nw/ca/nwca-cert.pem and /etc/pki/nw/ca/ssca-cert.pem files from the NetWitness Server and add them to the Trusted Root Certification stores in the Endpoint Server.
Note: In NetWitness 11.0 and later, the virtual host is “/rsa/system”. For version 10.6.x and below, the virtual host is “/rsa/sa”.