NETWITNESS - CEF Certified Configuration Guide
- Pavan Raja

- Apr 8, 2025
Summary:
The "Common Event Format Configuration Guide" for NetWitness NextGen version 9.0 with Informer v1.6 is designed to guide users through the process of configuring NetWitness to send events in Common Event Format (CEF) to ArcSight for analysis. This document provides a step-by-step guide on how to integrate NetWitness with ArcSight, including:
1. Configuring the Syslog server IP in Informer by logging into Informer, navigating to System Settings, and entering the IP address of the ArcSight Syslog Connector. Restarting the Informer service is required after this configuration.
2. Building rules that use the ALERT meta key in the where clause within Informer to identify specific traffic behaviors (e.g., searching for alerts containing 'Passwords').
3. Creating an Alert based on these rules, selecting syslog as the action and configuring it with CEF syntax.
The document also addresses a known issue regarding time adjustment and provides information on passing NetWitness alerts into ArcSight using generic event structures and CEF format. It emphasizes customization through META fields and includes a table of recommended CEF format for alert representation, mapping device events to ArcSight data fields, and assigning severity and categorization based on vendor-specific event definitions.
Details:
The "Common Event Format Configuration Guide" for NetWitness NextGen version 9.0 with Informer v1.6 provides a guide on how to configure NetWitness to send events in Common Event Format (CEF) to ArcSight for analysis. This document outlines the steps necessary to integrate NetWitness with ArcSight, detailing the configuration process and the creation of rules within Informer to identify specific traffic behaviors.
The integration involves configuring the Syslog server in Informer, creating a rule that matches on the ALERT meta key, and then setting up an Alert based on that rule to send syslog events in CEF format. Key steps include:
1. Configuring the Syslog server IP in Informer by logging into Informer, navigating to System Settings, and entering the IP address of the ArcSight Syslog Connector. Restarting the Informer service completes this step.
2. Building rules that use the ALERT meta key in the where clause within Informer to identify the desired traffic behavior (e.g., searching for alerts containing 'Passwords').
3. Creating an Alert based on these rules, selecting syslog as the action and configuring it with CEF syntax.
This configuration allows NetWitness NextGen to interoperate effectively with ArcSight, leveraging deep context and content knowledge within network sessions to address complex security challenges not met by traditional monitoring solutions.
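As an added example that is not part of the guide, the Python below builds a CEF:0 syslog line of the kind Informer's syslog action would emit for a 'Passwords' rule hit and parses it back the way a receiving connector must, applying the escaping that stops a rule name or message containing '|' or '=' from shifting fields. The vendor/product/version values and the extension keys (src, dst, msg) are constructed assumptions; the guide's own recommended mapping table is not reproduced here.

```python
import re

# Added example: build and parse CEF:0 lines like those Informer sends to the
# ArcSight Syslog Connector. Header layout and escaping are the standard CEF:0
# rules; the sample alert values and extension keys are constructed assumptions.
HEADER_FIELDS = ("vendor", "product", "version", "signature_id", "name", "severity")

def _esc_header(value):
    # Header fields: backslash and pipe must be escaped, or the columns shift.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")

def _esc_ext(value):
    # Extension values: backslash, '=' and line breaks must be escaped; pipes are fine.
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))

def build_cef(header, extension):
    """Render one CEF:0 event line from a header dict and an extension dict."""
    head = "|".join(_esc_header(header[f]) for f in HEADER_FIELDS)
    ext = " ".join(f"{k}={_esc_ext(v)}" for k, v in extension.items())
    return f"CEF:0|{head}|{ext}"

def _split_header(line):
    # Walk the line honouring escapes; stop after the seven pipe-terminated fields.
    parts, cur, i = [], [], 0
    while i < len(line) and len(parts) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur.append(line[i + 1]); i += 2
        elif ch == "|":
            parts.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    return parts, line[i:]

_EXT_RE = re.compile(r"(\w+)=((?:\\.|[^\\])*?)(?=\s+\w+=|$)")
_UNESC = {"n": "\n", "r": "\r"}

def parse_cef(line):
    """Parse a CEF:0 line into (header dict, extension dict); raise if malformed."""
    parts, ext_text = _split_header(line)
    if len(parts) != 7 or parts[0] != "CEF:0":
        raise ValueError("not a well-formed CEF:0 line")
    header = dict(zip(HEADER_FIELDS, parts[1:]))
    ext = {k: re.sub(r"\\(.)", lambda m: _UNESC.get(m[1], m[1]), v)
           for k, v in _EXT_RE.findall(ext_text)}
    return header, ext

# Constructed sample: an Informer 'Passwords' rule hit rendered as a CEF event.
SAMPLE = build_cef(
    {"vendor": "NetWitness", "product": "Informer", "version": "1.6",
     "signature_id": "Passwords", "name": "Alert|Passwords", "severity": 5},
    {"src": "10.0.0.5", "dst": "192.0.2.10", "msg": "user=alice proto=pop3"})
```

Feeding a line with an unescaped pipe in the rule name through parse_cef shows the field shift a connector would see, which is why the escaping belongs in the Alert's CEF syntax rather than being left to chance.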
This document also outlines the integration of Informer with ArcSight, detailing how to configure Informer to send alerts and syslog results to the ArcSight Connector, and addresses a known issue regarding time adjustment. It further explains how NetWitness alerts are passed into ArcSight using generic event structures and CEF format, emphasizing customization through META fields. The document includes a table of the recommended CEF format for alert representation, mapping device events to ArcSight data fields and assigning severity and categorization based on vendor-specific event definitions.