RSA NetWitness Endpoint
This integration is part of the RSA NetWitness Endpoint Pack.
Overview
RSA NetWitness Endpoint provides deep visibility beyond basic endpoint security solutions by monitoring and collecting activity across all of your endpoints—on and off your network.
Use this integration to access information about endpoints, modules, and indicators of compromise (IOCs), and to add IP addresses and domains to the block list.
This integration was integrated and tested with RSA NetWitness Endpoint v4.0.
Configure RSA NetWitness Endpoint on Cortex XSOAR
- Navigate to Settings > Integrations > Servers & Services.
- Search for RSA NetWitness Endpoint.
- Click Add instance to create and configure a new integration instance.
- Name: a textual name for the integration instance.
- Server URL (e.g. https://192.168.0.1:30022)
- Credentials: the user name and password used to authenticate to the NetWitness Endpoint server.
- Trust any certificate (not secure): disables TLS certificate verification for this instance, so the credentials can be intercepted by anyone who can stand between XSOAR and the server. Leave it unchecked and trust the server's CA certificate instead; use it only as a temporary workaround.
- Use system proxy settings
- Click Test to validate the URL and credentials.
Commands
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook.
After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Get GUIDs for multiple machines: netwitness-get-machines
- Get information for a single machine: netwitness-get-machine
- List IOCs for a specific machine: netwitness-get-machine-iocs
- Get information for machine modules: netwitness-get-machine-modules
- Get information for a single machine module: netwitness-get-machine-module
- Add IP addresses to the block list: netwitness-blacklist-ips
- Add domains to the block list: netwitness-blacklist-domains
1. Get GUIDs for multiple machines
Get machine GUIDs. Filter by machine name, IOC score range, IP address, or MAC address. The GUID is the key for the per-machine commands below.
Base Command
netwitness-get-machines
Input
| Argument Name | Description | Required |
|---|---|---|
| machineName | Hostname to filter results by. Not case sensitive. | Optional |
| iocScoreGreaterThan | Filter all machines whose IOC score is greater than or equal to this value. Default = 0. | Optional |
| iocScoreLessThan | Filter all machines whose IOC score is less than or equal to this value. Default = 1024. Cannot be zero. | Optional |
| ipAdress | Filter all machines based on IP address. | Optional |
| macAddress | Filter all machines based on MAC address. | Optional |
| limit | Limit the number of results. Default = 100. | Optional |
| includeMachineData | Include full machine data | Optional |
| includeMachineIOCs | Include machine IOCs | Optional |
| includeMachineModules | Include machine modules | Optional |
Context Output
| Path | Description |
|---|---|
| NetWitness.Machines.MachineGUID | Machine GUID |
| NetWitness.Machines.AgentID | Agent ID |
| NetWitness.Machines.MachineName | Machine name |
| NetWitness.Machines.LocalIP | Local IP |
| NetWitness.Machines.RemoteIP | Remote IP |
| NetWitness.Machines.MAC | MAC |
| NetWitness.Machines.MachineStatus | Machine status |
| NetWitness.Machines.IIOCScore | IIOC score |
| NetWitness.Machines.IIOCLevel0 | IIOC Level 0 |
| NetWitness.Machines.IIOCLevel1 | IIOC Level 1 |
| NetWitness.Machines.IIOCLevel2 | IIOC Level 2 |
| NetWitness.Machine.IIOCLevel3 | IIOC Level 3 |
| NetWitness.Machines.AntiVirusDisabled | Anti-virus disabled |
| NetWitness.Machines.Comment | Comment |
| NetWitness.Machines.ContainmentStatus | Containment status |
| NetWitness.Machines.ContainmentSupported | Containment supported |
| NetWitness.Machines.Country | Country |
| NetWitness.Machines.DNS | DNS |
| NetWitness.Machines.DomainName | Domain name |
| NetWitness.Machines.FirewallDisabled | Firewall disabled |
| NetWitness.Machines.Gateway | Gateway |
| NetWitness.Machines.Group | Group |
| NetWitness.Machines.Idle | Idle |
| NetWitness.Machines.InstallTime | Install time |
| NetWitness.Machines.InstallationFailed | Installation failed |
| NetWitness.Machines.LastScan | Last scan |
| NetWitness.Machines.LastSeen | Last seen |
| NetWitness.Machines.NetworkSegment | Network segment |
| NetWitness.Machines.OperatingSystem | Operating system |
| NetWitness.Machines.OrganizationUnit | Organization unit |
| NetWitness.Machines.Platform | Platform |
| NetWitness.Machines.Scanning | Scanning |
| NetWitness.Machines.UserName | User name |
| NetWitness.Machine.VersionInfo | Version information |
| NetWitness.IOCs.Description | Description |
| NetWitness.IOCs.Type | Type |
| NetWitness.IOCs.MachineCount | Machine count |
| NetWitness.IOCs.ModuleCount | Module count |
| NetWitness.IOCs.IOCLevel | IOC level |
| NetWitness.IOCs.Priority | Priority |
| NetWitness.IOCs.Active | Active |
| NetWitness.IOCs.LastExecuted | Last executed |
| NetWitness.IOCs.Alertable | Alertable |
| NetWitness.IOCs.IOCTriggeredOnMachine | IOC Triggered On Machine |
| NetWitness.Machines.MachineGUID | Machine GUID |
| NetWitness.Modules.ModuleName | Module name |
| NetWitness.Modules.ModuleID | Module ID |
| NetWitness.Modules.Description | Description |
| NetWitness.Modules.IOCScore | IOC score |
| NetWitness.Modules.AnalyticsScore | Analytics score |
| NetWitness.Modules.GlobalMachineCount | Global machine count |
| NetWitness.Modules.MD5 | MD5 |
| NetWitness.Modules.SHA256 | SHA-256 |
Command Example
!netwitness-get-machines limit="100" includeMachineData="no" includeMachineIOCs="no" includeMachineModules="no"
Context Example
{
"NetWitness": {
"Machines": {
"IOCScore": {
"FilterValue": 71,
"FullScore": 8016,
"Level": 3,
"Level0": 0,
"Level1": 0,
"Level2": 8,
"Level3": 16,
"Score": 71,
"__type": "Tools.IOCScore, Tools"
},
"LastScan": "2018-09-12T15:59:48Z",
"LocalIp": "xxx.xxx.xxx.xxx",
"MacAddress": "xx:xx:xx:xx:xx:xx",
"MachineGUID": "xxxxxx",
"MachineName": "NWE",
"Online": true,
"OperatingSystem": "Microsoft Windows Server 2012 R2 Datacenter"
}
}
}
Human Readable Output
NetWitness Endpoint - Get Machines
| MachineName | MachineGUID | Online | OperatingSystem | LastScan | IOCScore | MacAddress | LocalIp |
|---|---|---|---|---|---|---|---|
| NWE | xxxxxxxx | true | Microsoft Windows Server 2012 R2 Datacenter | 2018-09-12T15:59:48Z | FilterValue: 71; Level: 3; Score: 71; Level0: 0; Level1: 0; Level2: 8; Level3: 16; __type: Tools.IOCScore, Tools; FullScore: 8016 | xx:xx:xx:xx:xx:xx | xxx.xxx.xxx.xxx |
2. Get information for a single machine
Get full information on a specific machine, identified by the GUID returned by netwitness-get-machines.
Base Command
netwitness-get-machine
Input
| Argument Name | Description | Required |
|---|---|---|
| machineGUID | GUID of the machine | Required |
Context Output
| Path | Description |
|---|---|
| NetWitness.Machines.AgentID | Agent ID |
| NetWitness.Machines.MachineName | Machine name |
| NetWitness.Machines.LocalIP | Local IP |
| NetWitness.Machines.RemoteIP | Remote IP |
| NetWitness.Machines.MAC | MAC |
| NetWitness.Machines.MachineStatus | Machine status |
| NetWitness.Machines.IIOCScore | IIOC score |
| NetWitness.Machines.IIOCLevel0 | IIOC Level 0 |
| NetWitness.Machines.IIOCLevel1 | IIOC Level 1 |
| NetWitness.Machines.IIOCLevel2 | IIOC Level 2 |
| NetWitness.Machine.IIOCLevel3 | IIOC Level 3 |
| NetWitness.Machines.AntiVirusDisabled | Anti-virus disabled |
| NetWitness.Machines.Comment | Comment |
| NetWitness.Machines.ContainmentStatus | Containment status |
| NetWitness.Machines.ContainmentSupported | Containment supported |
| NetWitness.Machines.Country | Country |
| NetWitness.Machines.DNS | DNS |
| NetWitness.Machines.DomainName | Domain name |
| NetWitness.Machines.FirewallDisabled | Firewall disabled |
| NetWitness.Machines.Gateway | Gateway |
| NetWitness.Machines.Group | Group |
| NetWitness.Machines.Idle | Idle |
| NetWitness.Machines.InstallTime | Installation time |
| NetWitness.Machines.InstallationFailed | Installation failed |
| NetWitness.Machines.LastScan | Last scan |
| NetWitness.Machines.LastSeen | Last seen |
| NetWitness.Machines.NetworkSegment | Network segment |
| NetWitness.Machines.OperatingSystem | Operating system |
| NetWitness.Machines.OrganizationUnit | Organization unit |
| NetWitness.Machines.Platform | Platform |
| NetWitness.Machines.Scanning | Scanning |
| NetWitness.Machines.UserName | User name |
| NetWitness.Machine.VersionInfo | Version information |
Command Example
!netwitness-get-machine machineGUID=abc123def456
Context Example
{
"NetWitness": {
"Machine": {
"AgentID": "xxxxxx",
"AntiVirusDisabled": "False",
"Comment": "",
"ContainmentStatus": "Not Contained",
"ContainmentSupported": "True",
"Country": "USA",
"DNS": "8.8.8.8",
"DomainName": "WORKGROUP",
"FirewallDisabled": "False",
"Gateway": "xxx.xxx.xxx.xxx",
"Group": "Default",
"IIOCLevel0": "0",
"IIOCLevel1": "0",
"IIOCLevel2": "8",
"IIOCLevel3": "16",
"IIOCScore": "71",
"Idle": "True",
"InstallTime": "9/3/2018 4:01:03 PM",
"InstallationFailed": "False",
"LastScan": "9/12/2018 3:59:48 PM",
"LastSeen": "9/25/2018 1:27:01 PM",
"LocalIP": "xxx.xxx.xxx.xxx",
"MAC": "xx:xx:xx:xx:xx:xx",
"MachineName": "NWE",
"MachineStatus": "Online",
"NetworkSegment": "xxx.xxx.xxx.xxx",
"OperatingSystem": "Microsoft Windows Server 2012 R2 Datacenter",
"OrganizationUnit": "",
"Platform": "64-bit (x64)",
"RemoteIP": "xxx.xxx.xxx.xxx",
"Scanning": "False",
"UserName": "",
"VersionInfo": "4.4.0.6"
}
}
}
Human Readable Output
NetWitness Endpoint - Machine NWE Full Data
| AgentID | MachineName | LocalIP | RemoteIP | MAC | MachineStatus | IIOCScore | IIOCLevel0 | IIOCLevel1 | IIOCLevel2 | IIOCLevel3 | AntiVirusDisabled | Comment | ContainmentStatus | ContainmentSupported | Country | DNS | DomainName | FirewallDisabled | Gateway | Group | Idle | InstallTime | InstallationFailed | LastScan | LastSeen | NetworkSegment | OperatingSystem | OrganizationUnit | Platform | Scanning | UserName | VersionInfo |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| xxxxxx | NWE | xxx.xxx.xxx.xxx | xxx.xxx.xxx.xxx | xx:xx:xx:xx:xx:xx | Online | 71 | 0 | 0 | 8 | 16 | False |  | Not Contained | True | USA | 8.8.8.8 | WORKGROUP | False | xxx.xxx.xxx.xxx | Default | True | 9/3/2018 4:01:03 PM | False | 9/12/2018 3:59:48 PM | 9/25/2018 1:27:01 PM | xxx.xxx.xxx.xxx | Microsoft Windows Server 2012 R2 Datacenter |  | 64-bit (x64) | False |  | 4.4.0.6 |
3. List IOCs for a specific machine
List IOCs for a specific machine.
Base Command
netwitness-get-machine-iocs
Input
| Argument Name | Description | Required |
|---|---|---|
| machineGUID | The machine GUID | Required |
| limit | Limit the number of results. Default = 100. | Optional |
Context Output
| Path | Description |
|---|---|
| NetWitness.Machines.MachineGUID | Machine GUID |
| NetWitness.IOCs.Description | Description |
| NetWitness.IOCs.Type | Type |
| NetWitness.IOCs.MachineCount | Machine count |
| NetWitness.IOCs.ModuleCount | Module count |
| NetWitness.IOCs.IOCLevel | IOC level |
| NetWitness.IOCs.Priority | Priority |
| NetWitness.IOCs.Active | Active |
| NetWitness.IOCs.LastExecuted | Last executed |
| NetWitness.IOCs.Alertable | Alertable |
| NetWitness.IOCs.IOCTriggeredOnMachine | IOC Triggered On Machine |
Command Example
Context Example
Human Readable Output
4. Get information for machine modules
Get the names and IDs of the modules on a machine. Filter by module name or IOC score range.
Base Command
netwitness-get-machine-modules
Input
| Argument Name | Description | Required |
|---|---|---|
| machineGUID | The machine GUID | Required |
| moduleName | Module name to filter results by (not case sensitive). The filter is a substring match: moduleName=".exe" matches every module whose name contains ".exe". | Optional |
| iocScoreGreaterThan | Filter all modules whose IOC score is greater than or equal to this value. Default = 0. | Optional |
| iocScoreLessThan | Filter all modules whose IOC score is less than or equal to this value. Default = 1024. Cannot be zero. | Optional |
| limit | Limit the number of results. Default 50. | Optional |
Context Output
| Path | Description |
|---|---|
| NetWitness.Machines.MachineGUID | Machine GUID |
| NetWitness.Modules.ModuleName | Module name |
| NetWitness.Modules.ModuleID | Module ID |
| NetWitness.Modules.Description | Description |
| NetWitness.Modules.IOCScore | IOC score |
| NetWitness.Modules.AnalyticsScore | Analytics score |
| NetWitness.Modules.GlobalMachineCount | Global machine count |
| NetWitness.Modules.MD5 | MD5 |
| NetWitness.Modules.SHA256 | SHA-256 |
Command Example
!netwitness-get-machine-modules machineGUID= iocScoreGreaterThan="20" limit="50"
Context Example
{
"File": {
"MD5": "XX",
"Name": "AdobeARMHelper.exe"
},
"NetWitness": {
"Modules": {
"AnalyticsScore": "1",
"Description": "Adobe Reader and Acrobat Manager Helper",
"GlobalMachineCount": 1,
"IOCScore": {
"FilterValue": 25,
"FullScore": 3001,
"Level": 3,
"Level0": 0,
"Level1": 0,
"Level2": 3,
"Level3": 1,
"Score": 25,
"__type": "Tools.IOCScore, Tools"
},
"MD5": "XX",
"MachineGUID": "XX",
"ModuleID": 685,
"ModuleName": "AdobeARMHelper.exe",
"SHA256": "XX"
}
}
}
Human Readable Output
NetWitness Endpoint - Get Modules
| ModuleName | ModuleID | Description | IOCScore | AnalyticsScore | GlobalMachineCount | MD5 | SHA256 |
|---|---|---|---|---|---|---|---|
| AdobeARMHelper.exe | 685 | Adobe Reader and Acrobat Manager Helper | FilterValue: 25; Level: 3; Score: 25; Level0: 0; Level1: 0; Level2: 3; Level3: 1; __type: Tools.IOCScore, Tools; FullScore: 3001 | 1 | 1 | XX | XX |
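The commands in sections 1 and 4 are typically chained: pull the hosts at or above an IOC-score threshold with netwitness-get-machines, then pull the suspicious modules on each of them with netwitness-get-machine-modules and collect their hashes for blocking or hunting. The script below is an added example written for this page, not code from the integration or from RSA. It assumes a hypothetical `run(command, args)` callable that returns each command's context in the shape of the Context Examples in sections 1 and 4 (in an XSOAR automation that callable would wrap `demisto.executeCommand` and unpack its entries), and it uses constructed sample data so it runs offline. It enforces the documented argument constraints (both score bounds are inclusive, iocScoreLessThan cannot be zero) and handles the single-result case, where the context holds one object rather than a list.

```python
"""Added example: chain netwitness-get-machines and netwitness-get-machine-modules.
`run`, `hunt_modules` and the sample data are this example's own, not the integration's."""
from typing import Any, Callable, Dict, List

Context = Dict[str, Any]
Runner = Callable[[str, Dict[str, str]], Context]


def score_args(greater_than: int = 0, less_than: int = 1024) -> Dict[str, str]:
    """Inclusive IOC-score filter arguments with the documented constraints."""
    if less_than == 0:
        raise ValueError("iocScoreLessThan cannot be zero")
    if greater_than > less_than:
        raise ValueError("iocScoreGreaterThan exceeds iocScoreLessThan")
    return {"iocScoreGreaterThan": str(greater_than), "iocScoreLessThan": str(less_than)}


def as_list(value: Any) -> List[Context]:
    """Context holds a bare object for a single result and a list for several."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def ioc_score(item: Context) -> int:
    """Nested IOCScore.Score in get-machines/get-machine-modules output;
    flattened to the string IIOCScore in get-machine output."""
    nested = item.get("IOCScore")
    if isinstance(nested, dict):
        return int(nested.get("Score", 0))
    return int(item.get("IIOCScore", nested or 0))


def hunt_modules(run: Runner, machine_min_score: int = 20,
                 module_min_score: int = 20) -> List[Context]:
    """One record per module at or above module_min_score on each machine
    at or above machine_min_score, highest-scoring machine first."""
    machines_ctx = run("netwitness-get-machines", {
        **score_args(machine_min_score), "limit": "100", "includeMachineData": "no",
        "includeMachineIOCs": "no", "includeMachineModules": "no"})
    findings = []
    machines = as_list(machines_ctx.get("NetWitness", {}).get("Machines"))
    for machine in sorted(machines, key=ioc_score, reverse=True):
        modules_ctx = run("netwitness-get-machine-modules", {
            "machineGUID": machine["MachineGUID"], **score_args(module_min_score),
            "limit": "50"})
        for module in as_list(modules_ctx.get("NetWitness", {}).get("Modules")):
            findings.append({
                "MachineName": machine["MachineName"], "MachineGUID": machine["MachineGUID"],
                "MachineScore": ioc_score(machine), "ModuleName": module["ModuleName"],
                "ModuleID": module["ModuleID"], "ModuleScore": ioc_score(module),
                "MD5": module.get("MD5"), "SHA256": module.get("SHA256")})
    return findings


# Constructed sample data modelled on the Context Examples on this page.
SAMPLE_MACHINES = [
    {"MachineGUID": "guid-nwe", "MachineName": "NWE", "Online": True,
     "IOCScore": {"Score": 71, "Level": 3}},
    {"MachineGUID": "guid-ws01", "MachineName": "WS01", "Online": True,
     "IOCScore": {"Score": 8, "Level": 1}},
]
SAMPLE_MODULES = {
    "guid-nwe": [
        {"ModuleID": 685, "ModuleName": "AdobeARMHelper.exe", "MD5": "XX", "SHA256": "XX",
         "IOCScore": {"Score": 25, "Level": 3}},
        {"ModuleID": 12, "ModuleName": "notepad.exe", "MD5": "YY", "SHA256": "YY",
         "IOCScore": {"Score": 3, "Level": 1}},
    ],
    "guid-ws01": [],
}


def fake_run(command: str, args: Dict[str, str]) -> Context:
    """Offline stand-in for the real command runner: applies the inclusive
    server-side score filter and returns a single hit as a bare object."""
    lo, hi = int(args["iocScoreGreaterThan"]), int(args["iocScoreLessThan"])
    if command == "netwitness-get-machines":
        hits = [m for m in SAMPLE_MACHINES if lo <= ioc_score(m) <= hi][: int(args["limit"])]
        return {"NetWitness": {"Machines": hits[0] if len(hits) == 1 else hits}}
    if command == "netwitness-get-machine-modules":
        hits = [m for m in SAMPLE_MODULES.get(args["machineGUID"], [])
                if lo <= ioc_score(m) <= hi][: int(args["limit"])]
        return {"NetWitness": {"Modules": hits[0] if len(hits) == 1 else hits}}
    raise ValueError(f"unknown command {command}")


if __name__ == "__main__":
    for row in hunt_modules(fake_run):
        print(row)
```

With the default thresholds only NWE (score 71) and its AdobeARMHelper.exe module (score 25) are returned; lowering both thresholds to 0 also returns the low-scoring module, and WS01 contributes nothing because it has no modules in the sample. The `as_list` step matters in real playbooks: a query that matches exactly one machine or module yields an object, not a one-element list, and iterating over it directly would walk its keys.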
5. Get information for a single machine module
Get information for a specific machine module.
Base Command
netwitness-get-machine-module
Input
| Argument Name | Description | Required |
|---|---|---|
| machineGUID | The machine GUID | Required |
| moduleID | The module ID | Required |
Context Output
| Path | Description |
|---|---|
| NetWitness.Modules.MachineGUID | Machine GUID |
| NetWitness.Modules.ModuleID | Module ID |
| NetWitness.Modules.FileName | File name |
| NetWitness.Modules.FullPath | Full path |
| NetWitness.Modules.MD5 | MD5 |
| NetWitness.Modules.RiskScore | Risk score |
| NetWitness.Modules.SHA1 | SHA-1 |
| NetWitness.Modules.SHA256 | SHA-256 |
| NetWitness.Modules.IIOCScore | IIOC score |
| NetWitness.Modules.Blacklisted | Blacklisted |
| NetWitness.Modules.Graylisted | Graylisted |
| NetWitness.Modules.Whitelisted | Whitelisted |
| NetWitness.Modules.MachineCount | Machine count |
| NetWitness.Modules.IIOCLevel0 | IIOC Level 0 |
| NetWitness.Modules.IIOCLevel1 | IIOC Level 1 |
| NetWitness.Modules.IIOCLevel2 | IIOC Level 2 |
| NetWitness.Modules.IIOCLevel3 | IIOC Level 3 |
| NetWitness.Modules.FirstSeenName | First seen name |
| NetWitness.Modules.FirstSeenDate | First seen date |
| File.Name | The file name |
| File.MD5 | File MD5 |
| File.SHA1 | File SHA-1 |
| File.Path | File full path |
Command Example
!netwitness-get-machine-module machineGUID= moduleID=
Context Example
{
"File": {
"MD5": null,
"Name": null,
"Path": "C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\Temp\\242902160\\AdobeARMHelper.exe",
"SHA1": "7AFB5FDF4FAC3C682877B22B90F3D9C3737271D2"
},
"NetWitness": {
"Module": {
"Blacklisted": "None",
"FileName": "AdobeARMHelper.exe",
"FirstSeenDate": "9/18/2018 8:13:02 PM",
"FirstSeenName": "AdobeARMHelper.exe",
"FullPath": "C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\Temp\\242902160\\AdobeARMHelper.exe",
"Graylisted": "None",
"IIOCLevel0": "0",
"IIOCLevel1": "0",
"IIOCLevel2": "3",
"IIOCLevel3": "1",
"IIOCScore": "25",
"MD5": "7182705213142EE4DCF722AA247DD55C",
"MachineCount": "1",
"MachineGUID": "ea946082-0563-c15e-8128-c5b6e8b2fea9",
"RiskScore": "1",
"SHA1": "7AFB5FDF4FAC3C682877B22B90F3D9C3737271D2",
"SHA256": "F9B595F657589A25F6F247B4CDD0DE7F2BA0319B015D33F000728BFC11D0A1C2",
"Whitelisted": "None"
}
}
}
Human Readable Output
NetWitness Endpoint - Get Module
| ModuleID | ModuleName | FullPath | FirstSeenName | FirstSeenDate | MD5 | SHA1 | SHA256 | IIOCLevel0 | IIOCLevel1 | IIOCLevel2 | IIOCLevel3 | IIOCScore | Blacklisted | Graylisted | Whitelisted | MachineCount | RiskScore | AVDefinitionHash | AVDescription | AVFirstThreat | AVScanResult | AccessNetwork | AnalysisTime | AppDataLocal | AppDataRoaming | AutoStartCategory | Autorun | BlacklistCategory | BlockingStatus | Desktop | Downloaded | DownloadedTime | FakeStartAddress | FileAccessDenied | FileAccessTime | FileCreationTime | FileEncrypted | FileHiddenAttributes | FileModificationTime | FileName | FileOccurrences | Floating | HashLookup | Hooking | ImportedDLLCount | ImportedDLLs | LiveConnectRiskEnum | LiveConnectRiskReason | Loaded | OriginalFileName | Packed | Platform | RelativeFileName | RelativePath | RemoteFileName | RemotePath | Signature | SignatureTimeStamp | SizeInBytes | Status | YaraDefinitionHash | YaraScanDescription | YaraScanFirstThreat | YaraScanresult | Windows | WritetoExecutable | SysWOW64 | System32 | Temporary | TooManyConnections | User | SignatureValid | SignedbyMicrosoft | SignatureExpired | SignaturePresent | RenametoExecutable | ReservedName | ProcessAccessDenied | ProgramData | ProgramFiles | ReadDocument | MD5Collision | InstallerDirectory | LikelyPacked | Listen | ImageHidden | ImageMismatch | FirewallAuthorized | AutorunScheduledTask | Beacon |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| AdobeARMHelper.exe | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\Temp\242902160\AdobeARMHelper.exe | AdobeARMHelper.exe | 9/18/2018 8:13:02 PM | XX | XX | XX | 0 | 0 | 3 | 1 | 25 | None | None | None | 1 | 1 | 0 | Unknown | False | 1/1/0001 12:00:00 AM | False | False | None | False | Generic Malware | Unknown | False | False | 1/1/0001 12:00:00 AM | False | False | 9/18/2018 8:11:45 PM | 9/18/2018 8:11:45 PM | False | False | 3/21/2018 7:21:48 AM | AdobeARMHelper.exe | 10343 | False | Good | False | 16 | PSAPI.DLL; msi.dll; USERENV.dll; KERNEL32.dll; USER32.dll; ADVAPI32.dll; SHELL32.dll; ole32.dll; SHLWAPI.dll; CRYPT32.dll; WINTRUST.dll; OLEACC.dll; GDI32.dll; WINSPOOL.DRV; COMDLG32.dll; OLEAUT32.dll | Unknown | None | True | False | I386 | Valid: Adobe Systems, Incorporated | 3/21/2018 9:19:15 AM | 413.5 kB | Neutral | 0 | Unknown | False | True | False | False | True | False | False | True | False | False | True | False | False | False | False | True | False | False | True | False | False | False | False | False | False | False |
6. Block list IP addresses
Add a list of IP addresses to the block list.
Base Command
netwitness-blacklist-ips
Input
| Argument Name | Description | Required |
|---|---|---|
| ips | Comma separated list of IP addresses | Required |
Context Output
| Path | Description |
|---|---|
| NetWitness.Blacklist.IPs | IP addresses that were added to the block list |
Command Example
!netwitness-blacklist-ips ips="1.2.3.4"
Context Example
{
"NetWitness": {
"Blacklist": {
"IPs": [
"1.2.3.4"
]
}
}
}
Human Readable Output
IPs Successfully Block listed
| IP |
|---|
| 1.2.3.4 |
7. Block list domains
Add a list of domains to the block list.
Base Command
netwitness-blacklist-domains
Input
| Argument Name | Description | Required |
|---|---|---|
| domains | Comma separated list of domains | Required |
Context Output
| Path | Description |
|---|---|
| NetWitness.Blacklist.Domains | Domains that were added to the block list |
Command Example
!netwitness-blacklist-domains domains="www.example.com"
Context Example
{
"NetWitness": {
"Blacklist": {
"Domains": [
"www.example.com"
]
}
}
}
Human Readable Output
Domains Successfully Block listed
| Domain |
|---|
| www.example.com |
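Both block-list commands take a comma-separated list, and what analysts paste into a playbook is rarely that clean: full URLs instead of hostnames, host:port pairs, duplicates, and the occasional loopback or link-local address that should never reach an endpoint block list. The helper below is an added example written for this page, not code from the integration or from RSA; its function names are its own. It reduces each token to a bare host, classifies it as an IP address or a domain, drops duplicates, and refuses to build the command arguments if anything was rejected, so a playbook blocks the whole list or nothing rather than a silent subset.

```python
"""Added example: normalise a pasted indicator list for netwitness-blacklist-ips
and netwitness-blacklist-domains. All names here are this example's own."""
import ipaddress
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# One DNS label: 1-63 chars of a-z, 0-9 and '-', not starting or ending with '-'.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
# Address classes that must never be pushed to an endpoint block list.
_UNBLOCKABLE = ("is_loopback", "is_link_local", "is_multicast", "is_unspecified")


def to_hostname(raw: str) -> str:
    """Reduce a URL, host:port or host/path to the bare host, lower-cased."""
    raw = raw.strip().lower()
    if "://" in raw:                       # full URL: let the parser find the host
        return (urlsplit(raw).hostname or "").rstrip(".")
    raw = raw.split("/", 1)[0]             # drop a path pasted after a bare host
    if raw.startswith("["):                # bracketed IPv6 literal, maybe with port
        return raw[1:raw.index("]")] if "]" in raw else raw
    if raw.count(":") == 1:                # host:port (an IPv6 literal has more colons)
        raw = raw.split(":", 1)[0]
    return raw.rstrip(".")


def is_domain(name: str) -> bool:
    labels = name.split(".")
    return (0 < len(name) <= 253 and len(labels) >= 2
            and not labels[-1].isdigit()   # a top-level label is never all digits
            and all(_LABEL.match(label) for label in labels))


def split_indicators(text: str) -> Tuple[List[str], List[str], List[Tuple[str, str]]]:
    """Return (ips, domains, rejected), deduplicated with input order kept;
    rejected holds (original token, reason) so the operator can fix the list."""
    ips, domains, rejected, seen = [], [], [], set()
    for token in text.split(","):
        host = to_hostname(token)
        if not host or host in seen:
            continue
        seen.add(host)
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            ip = None
        if ip is not None:
            bad = [flag for flag in _UNBLOCKABLE if getattr(ip, flag)]
            if bad:
                rejected.append((token.strip(), bad[0][3:]))
            else:
                ips.append(str(ip))
        elif is_domain(host):
            domains.append(host)
        else:
            rejected.append((token.strip(), "not an IP address or domain"))
    return ips, domains, rejected


def build_args(text: str) -> Dict[str, str]:
    """Argument values for the two block-list commands; raises if anything was
    rejected so a playbook blocks all of the indicators or none of them."""
    ips, domains, rejected = split_indicators(text)
    if rejected:
        raise ValueError(f"rejected indicators: {rejected}")
    args = {}
    if ips:
        args["ips"] = ",".join(ips)
    if domains:
        args["domains"] = ",".join(domains)
    return args


if __name__ == "__main__":
    # Constructed input mixing URLs, ports, duplicates and unusable entries.
    print(split_indicators("https://www.example.com/login, www.example.com, 1.2.3.4, "
                           "1.2.3.4:443, 127.0.0.1, not a domain, fe80::1, evil.test."))
```

On the constructed input the helper keeps one IP (1.2.3.4, with the host:port duplicate folded in) and two domains (www.example.com and evil.test), and rejects the loopback address, the link-local IPv6 address and the free-text token. Private RFC 1918 addresses are deliberately allowed, since blocking an internal pivot host on the endpoint is a legitimate containment step; tighten `_UNBLOCKABLE` if your deployment's NetWitness server or proxies sit in ranges you must never block.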