NetWitness Cloud SIEM Platform

Introducing NetWitness Cloud SIEM

NetWitness® Cloud SIEM is a cloud-native log management, retention, and analytics solution that provides high-performance SIEM (Security Information and Event Management) capabilities without the need for on-premise deployment and administration.

NetWitness Cloud SIEM provides enterprises with the same rich log management, retention, reporting, and analytics services long utilized by on-premise customers for threat detection and response, but in cloud form. This new deployment option makes it easy for new or existing NetWitness customers to take advantage of Evolved SIEM without the resources associated with planning, sizing, deploying, updating, and administering the solution in the data center.

The NetWitness Platform is a leader in enterprise-grade threat detection and response. Businesses and government agencies around the globe use NetWitness to address their ever more demanding security requirements. Skilled threat hunters choose NetWitness as their go-to solution, due to its ability to rapidly analyze and process large volumes of information from many different sources. Exacting compliance teams the world over have long depended on NetWitness to help meet stringent compliance needs by providing retention of large amounts of data while being able to provide fast, reliable access for compliance activities.

Available Azure Regions

Choose the right Azure region for you from the following list:

  • West US
  • Germany West Central
  • France Central
  • UK West
  • West India
  • Southeast Asia
  • Japan West
  • Australia Central

How To Deploy Log Collection

When deploying a Log Collector, you must configure it to collect log events from various event sources and deliver these events both reliably and securely to the Cloud SIEM Log Decoder. Once at the Log Decoder, the events are parsed and stored for subsequent analysis. Cloud-native log collection can be enabled by using the Log Collectors on the Log Decoder or on VLCs. Based on the type of logs that need to be collected, download the plugins from Live and configure plugin collection.

Product Architecture


For instructions on how to configure your Virtual Log Collector (VLC), see Log Collection: Configure Local and Remote Collectors.

OpenVPN Tunnel Configuration

For secure communication between the on-premise Virtual Log Collector (VLC) and the hosted Log Decoder and NW Server, you must configure a VPN tunnel. During the Cloud SIEM onboarding process, a download link will be provided with instructions on how to set up the communication link between the VLC and the Cloud SIEM infrastructure.


The amount of data the NetWitness Platform can collect daily is determined by your subscription throughput level. A throughput-based subscription meters ingestion against the subscription entitlement and can always be increased to a higher tier to account for any increase in the amount of data being collected. You can see current and past daily data ingestion information on the licensing page of the NetWitness UI. If your licensed throughput is consistently exceeded, contact RSA NetWitness Sales to purchase an appropriate ingest-based subscription plan to handle your volume.

SLA for Cloud SIEM

For any Single Instance Virtual Machine, we guarantee you will have Virtual Machine Connectivity of at least 99.9%. We guarantee that at least 99.9% of the time, we will successfully process Storage requests to read/write data from Locally Redundant Storage (LRS).

© 2020 RSA Security LLC or its affiliates. All Rights Reserved.