
RSA NetWitness Security Analytics

This Integration is part of the RSA NetWitness Security Analytics Pack.#

RSA Security Analytics is a distributed and modular system that enables highly flexible deployment architectures that scale with the needs of the organization. Security Analytics allows administrators to collect two types of data from the network infrastructure: packet data and log data. This integration works with RSA NetWitness versions older than v11. For v11 and above, use the RSA NetWitness v11.1 integration instead.

Configure RSA NetWitness Security Analytics in Cortex#

| **Parameter** | **Description** | **Required** |
| --- | --- | --- |
| url | Server URL (for example, 192.168.56.101) | True |
| username | Username | True |
| password | Password | True |
| isFetch | Fetch incidents | False |
| incidentType | Incident type | False |
| proxy | Use system proxy settings | False |

Commands#

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

nw-login#


Logs in to the system and returns a valid session ID.

Base Command#

nw-login

Input#

There are no input arguments for this command.

Context Output#

There is no context output for this command.

fetch-incidents#


Simulates fetching incidents. Returns an array of incidents from NetWitness.

Base Command#

fetch-incidents

Input#

There are no input arguments for this command.

Context Output#

There is no context output for this command.

netwitness-im-list-incidents#


Fetches incidents matching a filter.

Base Command#

netwitness-im-list-incidents

Input#

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| query | If query is provided, all other arguments are ignored. The query should contain page, limit, start, sort and filter, joined by &. For example: page=1&start=0&limit=100&sort=[{"property":"created","direction":"DESC"}]&filter=[{"property":"created","value":[851171984031,1482323984031]}] | Optional |
| page | The page number of incidents. The default is 1. | Optional |
| start | The start index of the incident within the page. The default is 0. | Optional |
| limit | Limits the number of incidents per page. The default is 100. | Optional |
| sort | By default sorts by the "created" field in "DESC" order. Example: "[{\"property\":\"created\",\"direction\":\"DESC\"}]" | Optional |
| filter | By default filters by "created" from 1996 to the current date. Example: "[{\"property\":\"id\", \"value\":\"INC-21\"}]" | Optional |
| incidentManagementId | [optional number] The ID of the NetWitness INCIDENT_MANAGEMENT device/component. It can be obtained by running the netwitness-im-get-components command. If this argument is not passed, the command automatically uses the first device of type INCIDENT_MANAGEMENT found on the SA server. | Optional |
| loadAlerts | [optional boolean] By default, the alerts and events related to an incident are not loaded. If loadAlerts is true, the command loads all alerts and their events from SA. Note that this has a performance impact: a separate request is sent to SA for each alert. | Optional |
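Because the integration ignores page, start, limit, sort and filter as soon as query is passed, the query string has to carry the whole request in the documented layout. The following Python helper is an added example, not the integration's own code: it assembles that string and converts a time range to the epoch-millisecond values the "created" filter expects. The millisecond unit is inferred from the documented example values (851171984031 and 1482323984031 are 21 December 1996 and 21 December 2016, 12:39:44 UTC); the function and argument names are the example's own.

```python
"""Build the query argument for netwitness-im-list-incidents.

Added example (not the integration's own code). When query is passed the
integration ignores page, start, limit, sort and filter, so the whole
request is encoded in this single string. Timestamps inside the "created"
filter are epoch milliseconds (inferred from the documented example values).
"""
import json
from datetime import datetime
from typing import List, Optional, Union

EpochMs = Union[int, str, datetime]


def to_epoch_ms(value: EpochMs) -> int:
    """Normalise an int (already ms), ISO 8601 string or aware datetime to epoch ms."""
    if isinstance(value, bool):
        raise TypeError("bool is not a timestamp")
    if isinstance(value, int):
        return value
    if isinstance(value, str):
        value = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if value.tzinfo is None:
        # A naive datetime is interpreted in the local zone of whatever host
        # runs this, which silently shifts the filter window; refuse it.
        raise ValueError("datetime must be timezone-aware")
    return round(value.timestamp() * 1000)


def build_incident_query(
    page: int = 1,
    start: int = 0,
    limit: int = 100,
    sort_property: str = "created",
    direction: str = "DESC",
    created_from: Optional[EpochMs] = None,
    created_to: Optional[EpochMs] = None,
    extra_filters: Optional[List[dict]] = None,
) -> str:
    """Return page=..&start=..&limit=..&sort=[..]&filter=[..] as the command expects."""
    if direction not in ("ASC", "DESC"):
        raise ValueError("direction must be ASC or DESC")
    if page < 1 or start < 0 or limit < 1:
        raise ValueError("page >= 1, start >= 0 and limit >= 1 are required")
    if (created_from is None) != (created_to is None):
        raise ValueError("created_from and created_to must be given together")

    filters: List[dict] = []
    if created_from is not None:
        lo, hi = to_epoch_ms(created_from), to_epoch_ms(created_to)
        if lo > hi:
            raise ValueError("created_from is after created_to")
        filters.append({"property": "created", "value": [lo, hi]})
    filters.extend(extra_filters or [])

    sort = [{"property": sort_property, "direction": direction}]
    # Compact separators reproduce the documented layout. The JSON is left
    # unencoded inside the query string, exactly as in the documented example.
    compact = {"separators": (",", ":")}
    return "&".join([
        f"page={page}",
        f"start={start}",
        f"limit={limit}",
        "sort=" + json.dumps(sort, **compact),
        "filter=" + json.dumps(filters, **compact),
    ])


if __name__ == "__main__":
    # Reproduces the query string shown in the argument table.
    print(build_incident_query(created_from=851171984031, created_to=1482323984031))
    # Incidents created on the last day of 2016, oldest first, 50 per page.
    print(build_incident_query(limit=50, direction="ASC",
                               created_from="2016-12-31T00:00:00+00:00",
                               created_to="2016-12-31T23:59:59+00:00"))
```

Pass the returned string as the query argument and leave the other arguments unset; if you also set a narrower filter through the page's own filter argument it will be ignored, which is an easy way to pull far more incidents than intended.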

Context Output#

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| Netwitness.Incident.Id | unknown | NetWitness incident ID |
| Netwitness.Incident.Name | unknown | NetWitness incident name |
| Netwitness.Incident.Priority | unknown | NetWitness incident priority |
| Netwitness.Incident.CreatedBy | unknown | User who created the NetWitness incident |
| Netwitness.Incident.Summary | unknown | NetWitness incident summary |
| Netwitness.Incident.Assignee | unknown | User assigned to the incident |
| Netwitness.Incident.Created | unknown | Time of incident creation |
| Netwitness.Incident.FirstAlertTime | unknown | Time of the first alert in the incident |
| Netwitness.Incident.LastUpdatedByUserName | unknown | User who last updated the incident |
| Netwitness.Incident.RiskScore | unknown | NetWitness incident risk score |
| Netwitness.Incident.AverageAlertRiskScore | unknown | Average risk score of the incident's alerts |
| Netwitness.Incident.Categories | unknown | NetWitness incident categories |
| Netwitness.Incident.AlertCount | unknown | Number of alerts in the NetWitness incident |

netwitness-im-login#


Logs in to the system and returns a valid session ID.

Base Command#

netwitness-im-login

Input#

There are no input arguments for this command.

Context Output#

There is no context output for this command.

netwitness-im-get-components#


Returns all the components in the system

Base Command#

netwitness-im-get-components

Input#

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| query | [optional string] Query string; it must contain page, start and limit | Optional |

Context Output#

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| Netwitness.Component.Id | unknown | NetWitness component ID |
| Netwitness.Component.DisplayName | unknown | NetWitness component display name |
| Netwitness.Component.DeviceVersion | unknown | NetWitness component device version |
| Netwitness.Component.DisplayType | unknown | NetWitness component device type |
| Netwitness.Component.Host | unknown | NetWitness component device host |
| Netwitness.Component.Port | unknown | NetWitness component device port |
| Netwitness.Component.Validated | unknown | Whether the NetWitness component passed validation |
| Netwitness.Component.Licensed | unknown | Whether the NetWitness component is licensed |
| Netwitness.Component.Username | unknown | NetWitness component user name |
| Netwitness.Component.EnableSSL | unknown | Whether SSL is enabled for the NetWitness component |

netwitness-im-get-events#


Returns all the events in a defined time range.

Base Command#

netwitness-im-get-events

Input#

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| timeRangeType | Filter of the time range in which the events occurred | Required |
| deviceId | [number] ID of the device where the events are stored/occurred. To get the list of available devices/components, run the netwitness-im-get-components command | Required |
| collectionName | [optional] | Optional |
| predicateIds | [optional] | Optional |
| startDate | [optional datetime] If timeRangeType is CUSTOM, set this argument | Optional |
| endDate | [optional datetime] If timeRangeType is CUSTOM, set this argument | Optional |
| lastCollectionTime | [optional datetime] Last collection time | Optional |
| mid1 | The unique meta ID for this field. If nw-get-events was called, this is your starting ID for this distinct value | Optional |
| mid2 | The unique meta ID for this field. If nw-get-events was called, this is your ending ID for this distinct value | Optional |
| investigationToken | [optional guid] Investigation ID token | Optional |
| page | [optional number] The page number. The default is 1 | Optional |
| start | [optional number] The starting index of the event within the page. The default is 0 | Optional |
| limit | [optional number] Limits the number of events per page. The default is 25 | Optional |
| sort | By default sorts by the "id" field in "ASC" order. Example: "[{\"property\":\"id\",\"direction\":\"ASC\"}]" | Optional |
| filter | [string] Key-value pairs of field name and value, separated by commas. Example: "ip.src=1.1.1.1,meta.device.type=\"crowdstrike\"" | Optional |
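The argument table above carries two constraints that are easy to get wrong from a playbook: timeRangeType=CUSTOM is only meaningful with both startDate and endDate, and the filter is a single comma-separated string of key=value pairs rather than a JSON list. The following Python helper is an added example, not the integration's own code. It builds the complete argument set for netwitness-im-get-events, rejecting a CUSTOM range without both dates and rendering the filter in the documented shape. The quoting rule it applies (bare for IP addresses and numbers, double quotes for other text) is inferred from the documented example only; the startDate/endDate string format is passed through untouched, and treating startDate/endDate outside CUSTOM as an error is this example's own strictness, not something the page states.

```python
"""Assemble the arguments for netwitness-im-get-events.

Added example, not the integration's own code. Enforces the documented rule
that timeRangeType=CUSTOM needs startDate and endDate, renders sort as the
documented JSON, and builds the comma-separated filter string. Quoting of
filter values is inferred from the documented example (assumption).
"""
import json
import re
from typing import Dict, Optional, Union

# Values that stay unquoted in the filter: IPv4 addresses and plain numbers.
_BARE_VALUE = re.compile(r"[0-9.]+")


def build_event_filter(pairs: Dict[str, Union[str, int]]) -> str:
    """Render {"ip.src": "1.1.1.1", "meta.device.type": "crowdstrike"} as
    ip.src=1.1.1.1,meta.device.type="crowdstrike" (the documented layout)."""
    parts = []
    for key, value in pairs.items():
        if not key or re.search(r"[,=\s]", key):
            raise ValueError(f"invalid meta key: {key!r}")
        if isinstance(value, bool) or not isinstance(value, (str, int)):
            raise TypeError(f"unsupported value for {key}: {value!r}")
        text = str(value)
        # The string is split on commas and delimited by double quotes; a value
        # containing either cannot be expressed safely, so refuse it instead of
        # emitting a filter that matches something other than what was asked.
        if "," in text or '"' in text:
            raise ValueError(f"value for {key} contains ',' or '\"'")
        if isinstance(value, str) and not _BARE_VALUE.fullmatch(text):
            text = f'"{text}"'
        parts.append(f"{key}={text}")
    return ",".join(parts)


def build_get_events_args(
    device_id: int,
    time_range_type: str,
    start_date: Optional[str] = None,
    end_date: Optional[str] = None,
    filters: Optional[Dict[str, Union[str, int]]] = None,
    page: int = 1,
    start: int = 0,
    limit: int = 25,
    sort_property: str = "id",
    direction: str = "ASC",
) -> Dict[str, str]:
    """Return the argument dict for netwitness-im-get-events (all values as strings)."""
    if time_range_type == "CUSTOM":
        if not (start_date and end_date):
            raise ValueError("timeRangeType=CUSTOM requires both startDate and endDate")
    elif start_date or end_date:
        # Example's own strictness: dates without CUSTOM are almost certainly a mistake.
        raise ValueError("startDate/endDate are only used with timeRangeType=CUSTOM")
    if direction not in ("ASC", "DESC"):
        raise ValueError("direction must be ASC or DESC")
    if page < 1 or start < 0 or limit < 1:
        raise ValueError("page >= 1, start >= 0 and limit >= 1 are required")

    args = {
        "deviceId": str(int(device_id)),
        "timeRangeType": time_range_type,
        "page": str(page),
        "start": str(start),
        "limit": str(limit),
        "sort": json.dumps([{"property": sort_property, "direction": direction}],
                           separators=(",", ":")),
    }
    if time_range_type == "CUSTOM":
        args["startDate"] = start_date
        args["endDate"] = end_date
    if filters:
        args["filter"] = build_event_filter(filters)
    return args


if __name__ == "__main__":
    # Device ID 7 and the date strings are constructed sample input.
    print(build_get_events_args(7, "CUSTOM", "2016-12-21T00:00:00Z", "2016-12-22T00:00:00Z",
                                {"ip.src": "1.1.1.1", "meta.device.type": "crowdstrike"}))
```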

Context Output#

There is no context output for this command.

netwitness-im-get-available-assignees#


Returns the available users to be assigned to incidents

Base Command#

netwitness-im-get-available-assignees

Input#

There are no input arguments for this command.

Context Output#

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| Netwitness.Account.Id | unknown | NetWitness account ID |
| Netwitness.Account.Name | unknown | NetWitness account name |
| Netwitness.Account.Login | unknown | NetWitness account login name |
| Netwitness.Account.EmailAddress | unknown | NetWitness account email address |

netwitness-im-create-incident#


Creates a new incident.

Base Command#

netwitness-im-create-incident

Input#

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| alertSummary | [string] Short summary of the alert that will be attached to the incident | Required |
| severity | [optional string] The default is "50". | Optional |
| name | [string] The name of the incident. | Required |
| assigned | [optional string] Login name of the assignee. You can run netwitness-im-get-available-assignees to get the list of users. Example: demisto123 | Optional |
| eventList | List of event IDs separated by commas [,], with no spaces. To get the list of events, use netwitness-im-get-events | Required |
| deviceId | The ID of the device/component (Concentrator, Log Decoder, Packet Decoder, etc.) the events come from. You can view the list of devices by running the netwitness-im-get-components command | Required |
| priority | Priority of the incident | Required |
| summary | Summary of the incident | Optional |
| incidentManagementId | [optional number] The ID of the NetWitness INCIDENT_MANAGEMENT device/component. It can be obtained by running the netwitness-im-get-components command. If this argument is not passed, the command automatically uses the first device of type INCIDENT_MANAGEMENT found on the SA server. | Optional |

Context Output#

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| Netwitness.Incident.Id | unknown | NetWitness incident ID |
| Netwitness.Incident.Name | unknown | NetWitness incident name |
| Netwitness.Incident.Priority | unknown | NetWitness incident priority |
| Netwitness.Incident.CreatedBy | unknown | User who created the NetWitness incident |
| Netwitness.Incident.AlertIDList | unknown | IDs of the alerts raised for the incident |

netwitness-im-add-events-to-incident#


Adds new events to an existing incident.

Base Command#

netwitness-im-add-events-to-incident

Input#

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| incidentId | [string] ID of an existing incident. | Required |
| eventList | [array of strings] List of event IDs separated by commas [,], with no spaces. To get the list of events, use netwitness-im-get-events. Example: "23,12,3" | Required |
| alertSummary | [string] Short summary of the alert that will be attached to the incident | Required |
| severity | [number] Severity of the incident. Example: 50 | Required |
| deviceId | [number] The ID of the device/component (Concentrator, Log Decoder, Packet Decoder, etc.) the events come from. You can view the list of devices by running the netwitness-im-get-components command | Required |
| incidentManagementId | [optional number] The ID of the NetWitness INCIDENT_MANAGEMENT device/component. It can be obtained by running the netwitness-im-get-components command. If this argument is not passed, the command automatically uses the first device of type INCIDENT_MANAGEMENT found on the SA server. | Optional |

Context Output#

There is no context output for this command.

netwitness-im-update-incident#


Updates one or more incidents.

Base Command#

netwitness-im-update-incident

Input#

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| idList | List of IDs of the incidents to update, separated by commas [,], with no spaces. Example: "INC-13,INC-15,INC-23" | Required |
| name | [optional string] Set if the incident name has changed | Optional |
| summary | [optional string] Updated incident summary | Optional |
| assignee | [optional string] Login name of the new assignee, if the assignee has changed. You can run netwitness-im-get-available-assignees to get the list of users. Example: demisto123 | Optional |
| comment | [optional string] Add a journal entry describing your changes | Optional |
| status | [optional status] Set if the status has changed | Optional |
| priority | [optional priority] Set if the incident priority has changed | Optional |
| categories | List of categories. | Optional |
| incidentManagementId | [optional number] The ID of the NetWitness INCIDENT_MANAGEMENT device/component. It can be obtained by running the netwitness-im-get-components command. If this argument is not passed, the command automatically uses the first device of type INCIDENT_MANAGEMENT found on the SA server. | Optional |
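Three of the commands on this page (netwitness-im-create-incident and netwitness-im-add-events-to-incident through eventList, netwitness-im-update-incident through idList) take a comma-separated ID list that must not contain spaces, which is exactly what a playbook tends to produce when it joins context values. The following Python helper is an added example, not the integration's own code: it normalises a list or a loosely formatted string into the required form, validates each item, and drops duplicates while keeping order. The ID shapes it checks (plain numbers for event IDs, INC-<number> for incident IDs) are inferred from the documented examples and are an assumption; the function names are the example's own.

```python
"""Normalise the comma-separated ID lists expected by netwitness-im-create-incident
and netwitness-im-add-events-to-incident (eventList) and by
netwitness-im-update-incident (idList).

Added example, not the integration's own code. The documented constraint is
"separated by commas, with no spaces"; the ID shapes (numeric event IDs,
INC-<number> incident IDs) are inferred from the documented examples.
"""
import re
from typing import Iterable, Union

EVENT_ID = re.compile(r"\d+")          # e.g. "23" (assumption from the examples)
INCIDENT_ID = re.compile(r"INC-\d+")   # e.g. "INC-13" (assumption from the examples)

IdInput = Union[str, Iterable[Union[str, int]]]


def normalize_id_list(ids: IdInput, pattern: "re.Pattern[str]", arg_name: str) -> str:
    """Return "a,b,c" with no whitespace; every item validated against pattern,
    duplicates dropped with the first occurrence kept."""
    if isinstance(ids, str):
        # Accept "23, 12 ,3" or newline-separated input and re-split it cleanly.
        items = re.split(r"[,\s]+", ids.strip())
    else:
        items = [str(item) for item in ids]

    seen = []
    for item in items:
        if not item:
            continue
        if not pattern.fullmatch(item):
            # Fail here rather than let the server reject (or silently skip) the entry.
            raise ValueError(f"{arg_name}: malformed ID {item!r}")
        if item not in seen:
            seen.append(item)
    if not seen:
        raise ValueError(f"{arg_name}: no IDs given")
    return ",".join(seen)


def event_list_arg(ids: IdInput) -> str:
    """eventList value for create-incident / add-events-to-incident."""
    return normalize_id_list(ids, EVENT_ID, "eventList")


def incident_id_list_arg(ids: IdInput) -> str:
    """idList value for update-incident."""
    return normalize_id_list(ids, INCIDENT_ID, "idList")


if __name__ == "__main__":
    # Constructed sample input mirroring the documented examples.
    print(event_list_arg("23, 12 ,3"))                       # 23,12,3
    print(incident_id_list_arg(["INC-13", "INC-15", "INC-23"]))  # INC-13,INC-15,INC-23
```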

Context Output#

There is no context output for this command.

netwitness-im-get-alerts#


Returns all alerts matching the filter.

Base Command#

netwitness-im-get-alerts

Input#

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| page | The page number of alerts. The default is 1. | Optional |
| start | The start index of the alert within the page. The default is 0. | Optional |
| limit | Limits the number of alerts per page. The default is 100. | Optional |
| sort | By default sorts by the "alert.timestamp" field in "DESC" order. Example: "[{\"property\":\"alert.timestamp\",\"direction\":\"DESC\"}]" | Optional |
| filter | By default filters by "alert.timestamp" from 1996 to the current date. Example: "[{\"property\":\"incidentId\", \"value\":\"INC-21\"}]" | Optional |

Context Output#

There is no context output for this command.

netwitness-im-get-alert-details#


Returns a single alert by ID.

Base Command#

netwitness-im-get-alert-details

Input#

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| alertId | Alert ID | Required |

Context Output#

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| Netwitness.Alert.Id | unknown | NetWitness alert ID |
| Netwitness.Alert.Name | unknown | NetWitness alert name |
| Netwitness.Alert.IncidentId | unknown | ID of the incident the alert belongs to |
| Netwitness.Alert.Timestamp | unknown | Time of the alert |
| Netwitness.Alert.HostSummary | unknown | NetWitness alert host summary |
| Netwitness.Alert.SignatureId | unknown | Signature ID of the alert |
| Netwitness.Alert.Source | unknown | Source of the alert |
| Netwitness.Alert.Type | unknown | Type of the alert |
| Netwitness.Alert.RiskScore | unknown | Risk score of the alert |
| Netwitness.Alert.SourceCountry | unknown | NetWitness alert source country |
| Netwitness.Alert.DestinationCountry | unknown | NetWitness alert destination country |
| Netwitness.Alert.NumEvents | unknown | Number of events in the NetWitness alert |
| Netwitness.Alert.SourceIp | unknown | NetWitness alert source IP |
| Netwitness.Alert.DestonationIp | unknown | NetWitness alert destination IP (the context path uses this spelling) |
| Netwitness.Alert.DestonationPort | unknown | NetWitness alert destination port (the context path uses this spelling) |

netwitness-im-get-event-details#


Returns two entries. One is event details json and the second is

Base Command#

netwitness-im-get-event-details

Input#

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| deviceId | [number] ID of the device where the events are stored/occurred. To get the list of available devices/components, run the netwitness-im-get-components command | Required |
| eventId | [number] ID of the event | Required |

Context Output#

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| Netwitness.Event.EventId | unknown | NetWitness event ID |
| Netwitness.Event.DeviceId | unknown | NetWitness event device ID |
| Netwitness.Event.ReconstructedContentType | unknown | Content type of the reconstructed NetWitness event |
| Netwitness.Event.PacketsTotal | unknown | Total number of packets in the NetWitness event |
| Netwitness.Event.PacketsProcessed | unknown | Number of packets processed in the current event |

netwitness-im-get-incident-details#


Returns the incident JSON by ID.

Base Command#

netwitness-im-get-incident-details

Input#

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| incidentId | [string] ID of the incident. Example: "INC-12" | Required |

Context Output#

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| Netwitness.Incident.Id | unknown | NetWitness incident ID |
| Netwitness.Incident.Name | unknown | NetWitness incident name |
| Netwitness.Incident.Priority | unknown | NetWitness incident priority |
| Netwitness.Incident.CreatedBy | unknown | User who created the NetWitness incident |
| Netwitness.Incident.Summary | unknown | NetWitness incident summary |
| Netwitness.Incident.Assignee | unknown | User assigned to the incident |
| Netwitness.Incident.Created | unknown | Time of incident creation |
| Netwitness.Incident.FirstAlertTime | unknown | Time of the first alert in the incident |
| Netwitness.Incident.LastUpdatedByUserName | unknown | User who last updated the incident |
| Netwitness.Incident.RiskScore | unknown | NetWitness incident risk score |
| Netwitness.Incident.AverageAlertRiskScore | unknown | Average risk score of the incident's alerts |
| Netwitness.Incident.Categories | unknown | NetWitness incident categories |
| Netwitness.Incident.AlertCount | unknown | Number of alerts in the NetWitness incident |

netwitness-im-get-alert-original#


Returns the original events contained in the alert.

Base Command#

netwitness-im-get-alert-original

Input#

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| alertId | ID of the alert | Required |