Kensington Technology Associates presents this version 0.2 update to our addWindowsSources tool.  addWindowsSources solves the problem whereby Administrators of Security Analytics (SA) are unable to automatically onboard Windows Log Event Sources into an SA Log Collector after those hosts have been added to a Windows domain.  Even though SA does provide the ability, out-of-the-box, to bulk add Windows event sources from a CSV file, it must be done manually by an Administrator, from the web UI.  This tool now scripts that manual process, and it can be easily scheduled to run automatically by an Administrator (e.g. by using 'cron'), thus automatically adding to SA any new hosts which have been added to your Windows domain.


Changes

  • Added the command line option --delete, which removes existing event sources within the selected Event Category that are not contained in the CSV, effectively treating the CSV as authoritative for that Event Category.
  • The tool no longer attempts to re-add event sources which are already defined in the selected Event Category.  This should dramatically speed up subsequent runs of the script in synchronous mode for AD domains with a large number of computers.
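The two changes above amount to a reconciliation step: compare the hosts listed in the CSV with the event sources already defined in the Event Category, add only the missing ones, and (when --delete is given) remove the ones the CSV no longer lists. The following is an added illustration of that logic written for this post; it is not code from the addWindowsSources tool. The CSV layout (a header row with a 'host' column), the list of already-defined sources and the host names are constructed sample data, and the script targets Python 3 rather than the 2.6/2.7 runtime the tool itself supports.

```python
"""Reconcile a CSV of Windows hosts against the event sources already
defined in one Log Collector Event Category.

Illustrative example only (not the addWindowsSources tool's code). The
CSV columns, sample host names and existing-source list are constructed.
"""
import csv
import io

# Constructed sample: sources the Event Category already contains.
EXISTING_SOURCES = [
    "ws001.corp.example",
    "ws002.corp.example",
    "srv-old.corp.example",   # left the domain; absent from the CSV below
]

# Constructed sample CSV, as it might be dumped from the domain. Note the
# duplicate of ws003 in a different case, which must not be added twice.
SAMPLE_CSV = """host,collector
ws001.corp.example,lc1
ws002.corp.example,lc1
ws003.corp.example,lc1
WS003.corp.example,lc1
"""


def parse_hosts(csv_text, host_column="host"):
    """Return the de-duplicated, case-folded set of host names in the CSV.

    Blank or missing host cells are skipped so a trailing empty row in the
    dump does not produce an empty event source name.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    hosts = set()
    for row in reader:
        name = (row.get(host_column) or "").strip().lower()
        if name:
            hosts.add(name)
    return hosts


def plan_sync(existing, wanted, delete=False):
    """Compute the changes needed to make `existing` match `wanted`.

    Returns (to_add, to_delete). Hosts in the CSV that are not yet defined
    are added; hosts already present are skipped rather than re-added.
    With delete=True, defined sources absent from the CSV are scheduled
    for removal, i.e. the CSV is treated as authoritative for the category.
    Both lists are sorted so repeated runs produce stable, diffable output.
    """
    existing_set = set(h.strip().lower() for h in existing)
    to_add = sorted(wanted - existing_set)
    to_delete = sorted(existing_set - wanted) if delete else []
    return to_add, to_delete


def main():
    wanted = parse_hosts(SAMPLE_CSV)
    for delete in (False, True):
        to_add, to_delete = plan_sync(EXISTING_SOURCES, wanted, delete=delete)
        print("delete=%s  add=%s  remove=%s" % (delete, to_add, to_delete))


if __name__ == "__main__":
    main()
```

Running the script with the sample data prints one plan without --delete semantics (only ws003 is added, srv-old is left alone) and one with them (srv-old is additionally scheduled for removal); in either case ws001 and ws002 are skipped because they are already defined.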


Highlights

  • It can pull your CSV from an HTTP/HTTPS URL, so you can dump your CSV to a secure web server
  • Removes event sources from your Log Collector which have been removed from your domain (with --delete)
  • Easy to run on a schedule
  • Runs on any SA 10.6 or 10.5 host (in synchronous mode)
  • Runs on any non-SA host running Python 2.6 or 2.7

NetWitness ESA customers all over the globe are leveraging the power of multi-event correlation in order to streamline the processing of alerts from their NetWitness environment.  Up until now, they have faced a major challenge, namely the lack of flexibility in the subject lines of these alerts.  The ability to configure subject lines is typically how massive numbers of these alerts are sorted and acted upon in order of severity.  Kensington Tech is pleased to share this version 0.2 update to our ESA Alert Tool.


What's New

The original 0.1 release required the prepending of the string 'vars.' to some variable names in the FreeMarker email template, due to a bug in the third-party FMPP software used by the solution.  We've taken it upon ourselves to fix this bug in FMPP and are now bundling our own patched version of FMPP with the ESA Alert Tool package.

This was developed using Security Analytics 10.5, but it should work equally well with 10.6.  Do let us know if there are any issues!


Highlights

  • No longer a need to prepend template variables with 'vars.'
  • Use a FreeMarker template to customize your subject line
  • No need to hard code the subject in a custom script
  • The ESA rule name has been added to the body of our alert email
  • TLS and SSL support for SMTP

Kensington Technology Associates is very pleased to present this bolt-on tool to all users of RSA Security Analytics for Logs.  addWindowsSources.py solves the problem whereby Administrators of Security Analytics (SA) are unable to automatically onboard Windows Log Event Sources into an SA Log Collector after those hosts have been added to a Windows domain.  Even though SA does provide the ability, out-of-the-box, to bulk add Windows event sources from a CSV file, it must be done manually by an Administrator, from the web UI.  This tool now scripts that UI action, and it can be easily scheduled to run automatically by an Administrator (e.g. by using 'cron'), thus automatically adding to SA any new hosts which have been added to your Windows domain.


Highlights

  • It can pull your CSV from an HTTP/HTTPS URL, so you can dump your CSV to a secure web server
  • Easy to run on a schedule
  • Runs on any SA 10.6 or 10.5 host (in synchronous mode)
  • Runs on any non-SA host running Python 2.6 or 2.7