Comments on: NetWitness Investigator – Awesome Network Intelligence! http://www.dragoslungu.com/2009/06/24/netwitness/ Security Tools and Tips Fri, 18 Nov 2011 18:51:25 -0600 hourly 1 http://wordpress.org/?v=3.1.3 By: New NetWitness Visualize : Welcome To The Future! | Dragos Lungu Dot Com http://www.dragoslungu.com/2009/06/24/netwitness/comment-page-1/#comment-82212 New NetWitness Visualize : Welcome To The Future! | Dragos Lungu Dot Com Tue, 20 Jul 2010 16:25:14 +0000 http://www.dragoslungu.com/?p=271#comment-82212 [...] have already written about how awesome NetWitness is so I won't repeat what i said in this NetWitness review ; instead I would like to present you the most advanced network traffic visualization system [...] [...] have already written about how awesome NetWitness is so I won't repeat what i said in this NetWitness review ; instead I would like to present you the most advanced network traffic visualization system [...]

]]> By: NetWitness releases NextGen version 9.0 | Dragos Lungu Dot Com http://www.dragoslungu.com/2009/06/24/netwitness/comment-page-1/#comment-81624 NetWitness releases NextGen version 9.0 | Dragos Lungu Dot Com Fri, 06 Nov 2009 13:29:59 +0000 http://www.dragoslungu.com/?p=271#comment-81624 [...] It's been a long time since my last post and If I look back at it, I was writing about NetWitness. [...] [...] It's been a long time since my last post and If I look back at it, I was writing about NetWitness. [...]

]]> By: Tuffer http://www.dragoslungu.com/2009/06/24/netwitness/comment-page-1/#comment-81521 Tuffer Tue, 14 Jul 2009 14:08:23 +0000 http://www.dragoslungu.com/?p=271#comment-81521 Hi Dragos You can send an SNMP trap or Syslog message from NetWitness Informer to ArcSight with alerts details. The SIEM link allows you to view events from ArcSight, an IDS/IPS or other security device in NetWitness Investigator. Basically you are taking a date time group and a source and destination IP and running that as a query in Investigator to show ALL sessions between those hosts over a predefined time period, 10 minutes, 10 hours, 10 days whatever you like depending on how long you are storing sessions for. I have sent you a white paper on SIEM link for your info. Regards Chris Hi Dragos

You can send an SNMP trap or Syslog message from NetWitness Informer to ArcSight with alerts details. The SIEM link allows you to view events from ArcSight, an IDS/IPS or other security device in NetWitness Investigator. Basically you are taking a date time group and a source and destination IP and running that as a query in Investigator to show ALL sessions between those hosts over a predefined time period, 10 minutes, 10 hours, 10 days whatever you like depending on how long you are storing sessions for.
I have sent you a white paper on SIEM link for your info.
Regards

Chris

]]> By: Dragos Lungu http://www.dragoslungu.com/2009/06/24/netwitness/comment-page-1/#comment-81516 Dragos Lungu Fri, 10 Jul 2009 18:15:19 +0000 http://www.dragoslungu.com/?p=271#comment-81516 Hi John, By installing Guidance Software' Information Assurance on top of EnCase Enterprise, I had access to A.I.R.S (Automated Incident Response Solution) to do on demand snapshots on systems running the EnCase servlet. Then I defined a custom data source for AIRS where to look for IPs to be polled and the next thing was to get ArcSight to insert IP addresses in that database. Not very complicated, but it works very well. So now I have a new tool defined in ArcSight Console which sends the highlighted cell (must be an IP) to EnCase for a forensic snapshot. The same can be used in a correlation rule. However, the analyst has to look into AIRS console to see the snapshot details... I couldn't find a way to get data back in ArcSight but I think it's doable . ( my goal was to set up a demo incident response architecture for an event). As for new sources of information to be sent in ArcSight. I'm looking forward to work with NetWitness (i think a SNMP flex connector is needed). Let me know if you want to go any further with the EnCase / ArcSight integration. Hi John,

By installing Guidance Software’ Information Assurance on top of EnCase Enterprise, I had access to A.I.R.S (Automated Incident Response Solution) to do on demand snapshots on systems running the EnCase servlet.

Then I defined a custom data source for AIRS where to look for IPs to be polled and the next thing was to get ArcSight to insert IP addresses in that database. Not very complicated, but it works very well.

So now I have a new tool defined in ArcSight Console which sends the highlighted cell (must be an IP) to EnCase for a forensic snapshot. The same can be used in a correlation rule. However, the analyst has to look into AIRS console to see the snapshot details… I couldn’t find a way to get data back in ArcSight but I think it’s doable . ( my goal was to set up a demo incident response architecture for an event).

As for new sources of information to be sent in ArcSight. I’m looking forward to work with NetWitness (i think a SNMP flex connector is needed).

Let me know if you want to go any further with the EnCase / ArcSight integration.

]]> By: john http://www.dragoslungu.com/2009/06/24/netwitness/comment-page-1/#comment-81504 john Tue, 07 Jul 2009 09:56:32 +0000 http://www.dragoslungu.com/?p=271#comment-81504 Hi, I work both with Arcsight and Encase - could you expand on the integration to managed to achieve using both tools, have you used EE? what kind of automation (if any) were you able to achieve, what other integration regarding IR do you reccomend in arcsight? Hi,
I work both with Arcsight and Encase – could you expand on the integration to managed to achieve using both tools, have you used EE? what kind of automation (if any) were you able to achieve, what other integration regarding IR do you reccomend in arcsight?

]]>