RSA NetWitness

This document applies to Classic/Legacy Integrations. You may continue to use these integration configurations. While no active development is happening for these integrations, we continue to provide Classic/Legacy Integrations in the product. You do not have to move to MSI Integrations. If your support engineer or TSC recommends or you choose to move to MSI Integrations, you can take advantage of the latest features and functionality. For more information, see the MSI Integration documentation in the Integrations Overview.

This integration is remote capable.

Update the Validation Platform

Prerequisites

Information to gather before you start:

  1. IP address used to access the RSA NetWitness concentrator.
  2. Port for the concentrator communication (default is 50105).
  3. Identify whether the protocol is HTTP or HTTPS for connections to the RSA NetWitness concentrator port.
  4. Identify or create the credentials to access RSA NetWitness's concentrator.

  5. Identify the field name mappings for the following:

    There could be multiple of each, depending on log sources and configuration.
    1. Source IP
    2. Destination IP
    3. Source Port
    4. Destination Port
    5. Event Start Time (timestamp)
    6. Event Unique ID
    7. Event Signature ID
    8. Event Description
    9. Event Source Host

Configuration

To add the RSA NetWitness integration

  1. Go to Settings > Integrations.

  2. Click Add Integration > RSA NetWitness.

    RSA NetWitness Integration

  3. Enter information for the Host, Port, Protocol, Username and Password or API Token.

  4. (Optional) Enter information in the Query dialog box to query for base events. Click Show default query to see the default query information.

  5. Expand Advanced options.

    RSA NetWitness Integration (Advanced Options)

  6. (Optional) Update the User Agent.

  7. To enable a query for ESA alerts, check the Enable query for Alerts check box.

  8. (Optional) Enter information in the Alert Query dialog box to query for ESA alerts.

    The default time for an alert can be up to 30 minutes off from when the event fired. If this is the case you must add another field to your alerts with the proper time and add that time to the start_time field map for correlations to work properly.

  9. Review the field name mappings; update as necessary.

    1. Inputs are enclosed by square brackets [].
    2. Inputs are columns that could contain the info (["time"]).
    3. If there could be multiple commas, enclosed in one set of brackets, encompassed in quotes, and separated by commas (["msg.id","reference.id", "rid"]).

  10. (Optional) Assign a Name.

  11. (Optional) Choose Yes to save suspicious events.

  12. Click Submit.

Verify Connectivity

To verify connectivity to RSA NetWitness

Click Test to verify that:

  • The Director can communicate with NetWitness on the port and protocol specified.
  • Credentials are valid and working.
© Copyright Mandiant. All rights reserved
  • First Published: June 3, 2022
  • Last updated: October 20, 2023
In This Article
Related Articles
  • None
Copyright © 2020 – 2021 Your Company, LLC. All rights reserved.