This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject

NetWitness Community

  • Home
  • Products
    • NetWitness Platform
      • Advisories
      • Documentation
        • Platform Documentation
        • Known Issues
        • Security Fixes
        • Hardware Documentation
        • Threat Content
        • Unified Data Model
        • Videos
      • Downloads
      • Integrations
      • Knowledge Base
    • NetWitness Cloud SIEM
      • Advisories
      • Documentation
      • Knowledge Base
    • NetWitness Detect AI
      • Advisories
      • Documentation
      • Knowledge Base
    • NetWitness Investigator
    • NetWitness Orchestrator
      • Advisories
      • Documentation
      • Knowledge Base
      • Legacy NetWitness Orchestrator
        • Advisories
        • Documentation
  • Community
    • Blog
    • Discussions
    • Events
    • Idea Exchange
  • Support
    • Case Portal
      • Create New Case
      • View My Cases
      • View My Team's Cases
    • Community Support
      • Getting Started
      • News & Announcements
      • Community Support Forum
      • Community Support Articles
    • Product Life Cycle
    • Support Information
    • General Security Advisories
  • Training
    • Blog
    • Certification Program
    • Course Catalog
    • New Product Readiness
    • On-Demand Subscriptions
    • Student Resources
    • Upcoming Events
  • Technology Partners
  • Trust Center
Sign InRegister Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
  • NetWitness Community
  • Blog
  • Let's deliver some more value by customizing Security Analytics

Let's deliver some more value by customizing Security Analytics

DavideVeneziano
DavideVeneziano Beginner
Beginner
Options
  • Subscribe to RSS Feed
  • Mark as New
  • Mark as Read
  • Bookmark
  • Subscribe
  • Email to a Friend
  • Printer Friendly Page
  • Report Inappropriate Content
‎2014-09-11 01:00 PM

When working in a Security Operation Center, it is not uncommon to continuously adapt the people, the processes and the technologies to objectives that evolve over the time because both the business requirements are dynamic and the threat landscape out there is never the same. Every single environment is somehow unique and each organization has peculiar needs which are eventually reflected in the way the SOC operates and achieve its goals.

 

While adapting to new situations is inherent to the human nature, each piece of technology has instead embedded a logic that is not always easy to subvert. This is why relying on products which would allow a high degree of customization could become a key element in an organization's SOC strategy, leading to easier integrations with the enterprise environment, increased quality of the service and eventually a better Return on Investment.

 

Flexibility has always been a central element in Security Analytics and easily adapting the platform to handle custom use cases is a key factor. But you would say, let’s prove it then!

 

During the last few weeks, I have posted a few articles here about customizing the platform, intended to demonstrate how to get more value out of it or to achieve complex use cases.

 

In my first post (available at https://community.emc.com/thread/198366) I shared some simple rules intended to promote a standard naming convention and approach to "tag" inbound/outbound connections as well as to name our networks.

Understanding which connection is going in or out our network is key to better focus our investigation, running our reports, configuring our alerts. Tagging our network is on the other hand relevant to better determine which service is impacted, evaluate the risk and prioritize our follow-up actions accordingly.

 

In my second article (available at https://community.emc.com/thread/198832) I focused on how to enhance the log parsing mechanism by leveraging parsers commonly used to analyze a network stream, which are more flexible and powerful. I demonstrated a specific use case by providing a sample parser which is generating a hash of the entire log message and storing it in a meta key. This is for example a common scenario when a compliance requirement mandates to achieve a per-event integrity check.

 

In my third post (available at https://community.emc.com/thread/198976) I discussed a simple but interesting scenario. The Event Stream Analysis module, responsible in Security Analytics to correlate logs and packets meta to identify potentially malicious or anomalous activities, is often then the last link of the chain, transferring the elaboration outside the platform (to the analyst, to a ticketing system, etc.). There are however many relevant use cases that can be accomplished by feeding this information back into Security Analytics to, just to name a few, provide additional context during an investigating making available all the alerts triggered by a specific user/endpoint or implement a sort of multi-step correlation scenario. Sample parsers have been provided also in this case.

 

In my last post (available at https://community.emc.com/thread/199143) I wanted to recall a capability already mentioned a few times in the discussions here but never emphasized enough that is leveraging parsers to post-process the meta values created by a log parser with the purpose of generating new piece of meta. A typical example is to split a URL identified by all the parsers in domain, TLD, directory, page and extension. Applying the logic in all the log parsers generating URLs may be possible but does not scale very well. A single parser can instead do the job easily and effectively.

 

All of those examples are intended to prove how a technology, when designed to be flexible, can easily adapt to specific situations so supporting the achievement of complex use cases or ad-hoc requirements.

  • customize
  • flex
  • Lua
  • NetWitness
  • NW
  • NWP
  • Parser
  • RSA NetWitness
  • RSA NetWitness Platform
3 Likes
Share

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

  • Comment
Latest Articles
  • Agent Tesla: The Information Stealer
  • Threat Analysis: Detecting “Follina” (CVE-2022-30190) RCE Vulnerability with Netwitness Endpoint
  • Introducing NetWitness Vision XDR
  • Introducing NetWitness Platform XDR v12.0
  • Atlassian Confluence Zero-day Vulnerability (0-Zero) CVE-2022-26134: What You Need To Know
  • ‘Follina’ CVE-2022-30190 0-Day: What You Need To Know
  • CVE-2022-1388: BIG-IP iControl REST RCE Vulnerability
  • Ragnar Locker Ransomware: The Rampage Continues…
  • Ransomware Email Attacks: Beware of BazarLoader
  • Detecting Impacket with Netwitness Endpoint
Labels
  • Announcements 54
  • Events 2
  • Features 9
  • Integrations 6
  • Resources 57
  • Tutorials 21
  • Use Cases 21
  • Videos 116
Powered by Khoros
  • Blog
  • Events
  • Discussions
  • Idea Exchange
  • Knowledge Base
  • Case Portal
  • Community Support
  • Product Life Cycle
  • Support Information
  • About the Community
  • Terms & Conditions
  • Privacy Statement
  • Acceptable Use Policy
  • Employee Login
© 2022 RSA Security LLC or its affiliates. All rights reserved.