Introduction to NetWitness CloudSIEM

NetWitness® Cloud SIEM is a cloud-delivered log management, retention, and analytics solution that provides high-performance SIEM (Security Information and Event Management) capabilities without the need for customer managed deployment and platform administration.

NetWitness Cloud SIEM provides enterprises with the same rich log management, retention, reporting, and analytics services long utilized by NetWitness customers for threat detection and response, but in a cloud-delivered form. This new deployment option makes it easy for new or existing NetWitness customers to take advantage of Evolved SIEM without the resources associated with planning, sizing, deploying, updating, and administering the platform in a traditional data center or self-managed cloud format.

The NetWitness Platform is a leader in enterprise-grade threat detection and response. Businesses and government agencies around the globe use NetWitness to address their demanding security requirements. Skilled threat hunters choose NetWitness as their go-to solution, due to its ability to rapidly analyze and process large volumes of information from many different sources.

Security compliance teams have long depended on NetWitness to help meet stringent compliance needs by providing retention of large amounts of data while being able to provide fast, reliable access for compliance activities.

How is NetWitness Cloud SIEM different than NetWitness Logs?

NetWitness Cloud SIEM provides the same software and technical capabilities as a customer-managed instance of NetWitness Logs. NetWitness Cloud SIEM is a SaaS, cloud-hosted offering of NetWitness Logs, running the latest version of NetWitness Platform software in Microsoft Azure.

NetWitness Cloud SIEM provides defined retention periods for log data (subject to data limits), based on the offering Tier selected by a Customer. Cloud SIEM is also fully managed, administered, and updated by NetWitness, which is a key difference from a customer-managed NetWitness Logs deployment.

Because Cloud SIEM is a cloud service, certain administrative controls and limitations are in place in the product to ensure availability and service level agreements for Customers. Specific limitations are outlined in this document, and additional details are available upon request.

Available Regions

NetWitness Cloud SIEM is generally available for data residency in the following Microsoft Azure regions:

  • West US
  • Germany West Central
  • France Central
  • UK West
  • West India
  • Southeast Asia
  • Japan West
  • Australia Central

Support for additional Azure regions may be added as new regions are made available.

Log Data Collection

NetWitness Cloud SIEM enables seamless and secure methods for collecting log data from hundreds of event sources, extensively outlined in product documentation. Customers are responsible for configuring Cloud SIEM event sources after their tenant is provisioned. Many event sources are easily configured, including on-premises, virtual, hybrid, IaaS, PaaS, SaaS, and non-traditional sources, as outlined in the documentation.

NetWitness Professional Services is also available to assist Customers with event source onboarding on a paid basis.

Log Collection Deployment

Log collection by NetWitness Cloud SIEM requires deployment of a Log Collector / Virtual Log Collector. When deploying a Log Collector, you must configure it to collect log events from various event sources and deliver these events both reliably and securely to the Cloud SIEM Log Decoder. Events are parsed and stored for subsequent analysis by the Log Decoder. Please note that each Cloud SIEM environment is self-contained within a single instance.


Details on Log Collection Methods

Log Collector services are deployed across multiple locations to collect log data from varying sets of event sources. An on-premises Log Collector collects the logs locally and then transfers them to the NetWitness Cloud instance over an encrypted and compressed transport. All current NetWitness collection methods are supported in the NetWitness Cloud instance.

For additional information regarding configuration and management of data sources, please refer to:

  • The Log Collection configuration guide for additional details on Log and event source configuration.
  • The Event Source Management guide for additional details on monitoring and managing event sources.
  • The Integrations Catalog for a complete list of supported event sources.
  • The Live Services Management Guide for configuring access to content enabling collection of the most current event source types.

Data Compression

Communication between the on-premises local collector and the NetWitness Cloud instance uses data compression to minimize the bandwidth required for data transmission to the NetWitness Cloud instance. In addition to data compression, the data is transmitted over an encrypted channel.

OpenVPN Tunnel Configuration

For secure communication between the on-premises Virtual Log Collector (VLC) and the cloud Log Decoder and NetWitness Server, you must configure a VPN tunnel. During the Cloud SIEM onboarding process, a download link will be provided with instructions on how to set up the communication link between the VLC and the Cloud SIEM infrastructure.

Data Ingestion

The NetWitness Cloud SIEM offering is licensed based on the amount of log data ingested daily, measured in gigabytes (GB) per day of collected data. Data ingestion is monitored against the customer's subscription entitlement (in GB/day) and can be increased to a higher level of ingestion to account for any increase in the amount of data being collected. You can view current and past data ingestion information on the licensing page in the NetWitness UI.

NetWitness Cloud SIEM customers may experience performance degradation and reduced data retention periods when log data throughput exceeds the contracted subscription capacity. NetWitness will monitor customers' storage capacity and will inform them if additional ingestion or storage capacity is required. Customers are encouraged to contact NetWitness Sales to purchase an appropriate subscription plan to handle the required capacity.
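The following is an added example, not NetWitness code, showing how a customer might track their own daily ingestion against a GB/day entitlement and estimate the collector-to-cloud link rate the compressed transport needs. The entitlement value, the daily figures, the decimal-GB convention and the compression ratio are all assumptions constructed for the example; the real numbers come from the licensing page in the NetWitness UI.

```python
"""Track daily log ingestion against a Cloud SIEM entitlement expressed in
GB/day, and size the on-premises collector's link to the cloud instance.

Constructed example: the entitlement, the sample daily figures, the
decimal-GB convention and the compression ratio are assumptions, not
NetWitness-published values.
"""
from dataclasses import dataclass
from statistics import mean

GB = 10**9  # assumption: entitlement is counted in decimal gigabytes


@dataclass
class DailyIngest:
    day: str            # ISO date of the collection day
    bytes_ingested: int  # uncompressed bytes delivered to the Log Decoder


def utilization(records, entitlement_gb_per_day):
    """Return (day, fraction_of_entitlement, over_capacity) per record."""
    cap = entitlement_gb_per_day * GB
    return [(r.day, r.bytes_ingested / cap, r.bytes_ingested > cap)
            for r in records]


def days_over_capacity(records, entitlement_gb_per_day):
    """Days whose ingestion exceeded the contracted GB/day."""
    return [day for day, _, over in utilization(records, entitlement_gb_per_day)
            if over]


def average_gb_per_day(records):
    """Mean daily ingestion in GB, useful when choosing a subscription tier."""
    return mean(r.bytes_ingested for r in records) / GB


def required_bandwidth_mbps(gb_per_day, compression_ratio=1.0, peak_factor=1.0):
    """Sustained link rate in Mbit/s needed to move gb_per_day of log data
    across the collector-to-cloud transport within 24 hours.

    compression_ratio is uncompressed:compressed size (assumed; the page
    states compression is used but not its ratio). peak_factor scales the
    result for bursty hours rather than an even 24-hour spread.
    """
    bytes_on_wire = gb_per_day * GB / compression_ratio
    return bytes_on_wire * 8 / 86400 / 1e6 * peak_factor


# Constructed sample figures for a four-day window.
SAMPLE = [
    DailyIngest("2024-03-01", 42 * GB),
    DailyIngest("2024-03-02", 48 * GB),
    DailyIngest("2024-03-03", 57 * GB),  # exceeds the assumed entitlement
    DailyIngest("2024-03-04", 39 * GB),
]
ENTITLEMENT_GB_PER_DAY = 50  # assumed subscription tier


if __name__ == "__main__":
    for day, ratio, over in utilization(SAMPLE, ENTITLEMENT_GB_PER_DAY):
        print(f"{day}: {ratio:6.1%} of entitlement [{'OVER' if over else 'ok'}]")
    avg = average_gb_per_day(SAMPLE)
    print(f"average {avg:.1f} GB/day; over capacity on "
          f"{days_over_capacity(SAMPLE, ENTITLEMENT_GB_PER_DAY)}")
    print(f"{required_bandwidth_mbps(avg, compression_ratio=4):.2f} Mbit/s "
          f"sustained at an assumed 4:1 compression ratio")
```

Running this over the constructed sample flags the one day that overshoots the tier, which is the condition the page says can lead to degraded performance and shorter retention; feeding it a longer export of the licensing page's history gives an early signal that a higher tier is needed before NetWitness has to raise it.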

See also

Understand CloudSIEM Maintenance and Administration