RSA NetWitness v11.1 (Deprecated)
This integration is part of the RSA NetWitness Pack.
Use the RSA NetWitness integration for log, network, and endpoint visibility with real-time collection, detection, and automated response on Cortex XSOAR.
With full session analysis, customers can extract critical data and run automated security operations playbooks effectively.
Use Cases
- Monitor NetWitness incidents.
- Update existing incident.
- Query incidents in a specific time frame.
Prerequisites
You need the server URL and a valid NetWitness account before configuring a new instance.
Required Permissions
The following permission is required for all commands.
- integration-server.api.access
Configure RSA Netwitness on Cortex XSOAR
- Navigate to Settings > Integrations > Servers & Services.
- Search for RSA NetWitness.
- Click Add instance to create and configure a new integration instance.
- Name : A textual name for the integration instance.
- Server URL : The NetWitness server URL (see Prerequisites).
- Credentials : Your personal account username.
- Password : Your personal account password.
- Fetched incidents data : The integration imports each NetWitness incident, and all alerts related to it, as a Cortex XSOAR incident. All incidents created from 24 hours prior to the configuration of ‘Fetch-incidents’ up to the current time will be imported.
- On Fetch incidents, import all alerts related to the incident.
- Fetch time: First fetch timestamp.
- Click Test to validate the URLs and token.
Fetched Incidents Data
To use Fetch incidents, select the Fetch Incidents checkbox when configuring a new integration instance.
By default, the integration will import NetWitness incidents data as Cortex XSOAR incidents.
To import related alerts data in addition to the incidents data, select the relevant checkbox in the instance settings.
All incidents created 24 hours prior to the configuration of Fetch Incidents and up to current time will be imported.
- Note: Due to API limitations, the first few attempts to fetch incidents may fail. If the fetch fails, either change the "First fetch timestamp" parameter so that fewer incidents are fetched, or set a higher timeout for the integration's fetch incidents command.
Commands
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook.
After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Get details for a specific incident: netwitness-get-incident
- Get a list of incidents: netwitness-get-incidents
- Update an incident: netwitness-update-incident
- Delete an incident: netwitness-delete-incident
- Get all alerts for an incident: netwitness-get-alerts
1. Get details for a specific incident
Get details of a specific incident, including all alerts related to the incident.
Base Command
netwitness-get-incident
Input
Argument Name | Description | Required |
---|---|---|
incidentId | The incident ID | Required |
Context Output
Path | Description |
---|---|
NetWitness.Incidents.id | The unique identifier of the incident. |
NetWitness.Incidents.title | Title of the incident. |
NetWitness.Incidents.summary | Summary of the incident. |
NetWitness.Incidents.priority | The incident priority. |
NetWitness.Incidents.riskScore | Incident risk score calculated based on associated alert’s risk score. Risk score ranges from 0 (no risk) to 100 (highest risk). |
NetWitness.Incidents.status | The current status. |
NetWitness.Incidents.alertCount | Number of alerts associated with the Incident. |
NetWitness.Incidents.averageAlertRiskScore | Average risk score of the alerts associated with the incident. |
NetWitness.Incidents.sealed | Indicates if additional alerts can be associated with an incident. |
NetWitness.Incidents.totalRemediationTaskCount | The number of total remediation tasks for the incident. |
NetWitness.Incidents.openRemediationTaskCount | The number of open remediation tasks for the incident. |
NetWitness.Incidents.created | The timestamp of when the incident is created. |
NetWitness.Incidents.lastUpdated | The timestamp of when the incident was last updated. |
NetWitness.Incidents.lastUpdatedBy | The NetWitness user identifier of the user who last updated the incident. |
NetWitness.Incidents.assignee | The NetWitness user identifier of the user currently working on the incident. |
NetWitness.Incidents.sources | Unique set of sources for all of the Alerts in the incident. |
NetWitness.Incidents.ruleId | The unique identifier of the rule that created the incident. |
NetWitness.Incidents.firstAlertTime | The timestamp of the earliest occurring Alert in this incident. |
NetWitness.Incidents.categories.id | The unique category identifier. |
NetWitness.Incidents.categories.parent | Parent name of the category. |
NetWitness.Incidents.categories.name | Friendly name of the category. |
NetWitness.Incidents.journalEntries.id | The unique journal entry identifier. |
NetWitness.Incidents.journalEntries.author | The author of this entry. |
NetWitness.Incidents.journalEntries.notes | Notes and observations about the incident. |
NetWitness.Incidents.journalEntries.created | The timestamp of the journal entry created date. |
NetWitness.Incidents.journalEntries.lastUpdated | The timestamp of the journal entry last updated date. |
NetWitness.Incidents.journalEntries.milestone | Incident milestone classifier. |
NetWitness.Incidents.createdBy | The NetWitness user id or name of the rule that created the incident. |
NetWitness.Incidents.deletedAlertCount | The number of alerts that are deleted from the incident. |
NetWitness.Incidents.eventCount | Number of events associated with incident. |
NetWitness.Incidents.alertMeta.SourceIp | Unique source IP addresses. |
NetWitness.Incidents.alertMeta.DestinationIp | Unique destination IP addresses. |
NetWitness.Alerts.id | The unique alert identifier. |
NetWitness.Alerts.incidentId | The incident id associated with the alert. |
NetWitness.Alerts.title | The title or name of the rule that created the alert. |
NetWitness.Alerts.detail | The details of the alert. This can be the module name or meta that the module included. |
NetWitness.Alerts.created | The timestamp of the alert created date. |
NetWitness.Alerts.source | The source of this alert. For example, "Event Stream Analysis", "Malware Analysis", etc. |
NetWitness.Alerts.riskScore | The risk score of this alert, usually in the range 0 - 100. |
NetWitness.Alerts.type | Type of alert, "Network", "Log", etc. |
NetWitness.Alerts.events.source.device.ipAddress | The IP address. |
NetWitness.Alerts.events.source.device.port | The port. |
NetWitness.Alerts.events.source.device.macAddress | The ethernet MAC address. |
NetWitness.Alerts.events.source.device.dnsHostname | The DNS resolved hostname. |
NetWitness.Alerts.events.source.device.dnsDomain | The top-level domain from the DNS resolved hostname. |
NetWitness.Alerts.events.source.user.username | The unique username. |
NetWitness.Alerts.events.source.user.emailAddress | An email address. |
NetWitness.Alerts.events.source.user.adUsername | An Active Directory (AD) username. |
NetWitness.Alerts.events.source.user.adDomain | An Active Directory (AD) domain. |
NetWitness.Alerts.events.destination.device.ipAddress | The IP address. |
NetWitness.Alerts.events.destination.device.port | The port. |
NetWitness.Alerts.events.destination.device.macAddress | The ethernet MAC address. |
NetWitness.Alerts.events.destination.device.dnsHostname | The DNS resolved hostname. |
NetWitness.Alerts.events.destination.device.dnsDomain | The top-level domain from the DNS resolved hostname. |
NetWitness.Alerts.events.destination.user.username | The unique username. |
NetWitness.Alerts.events.destination.user.emailAddress | An email address. |
NetWitness.Alerts.events.destination.user.adUsername | An Active Directory (AD) username. |
NetWitness.Alerts.events.destination.user.adDomain | An Active Directory (AD) domain. |
Command Example
!netwitness-get-incident incidentId="INC-12"
Context Example
{
  "NetWitness": {
    "Alerts": {
      "created": "2018-03-15T16:39:18.777Z",
      "detail": null,
      "events": [
        {
          "destination": {
            "device": {
              "dnsDomain": null,
              "dnsHostname": null,
              "ipAddress": "192.168.5.###",
              "macAddress": "00:0C:29:62:29:##",
              "port": 23
            },
            "user": {
              "adDomain": null,
              "adUsername": null,
              "emailAddress": null,
              "username": "administrator"
            }
          },
          "domain": null,
          "eventSource": null,
          "eventSourceId": "7",
          "source": {
            "device": {
              "dnsDomain": null,
              "dnsHostname": null,
              "ipAddress": "192.168.5.###",
              "macAddress": "00:0C:29:D1:39:##",
              "port": 1045
            },
            "user": {
              "adDomain": null,
              "adUsername": null,
              "emailAddress": null,
              "username": "administrator"
            }
          }
        }
      ],
      "id": "5aaaa1b69a95133336911c93",
      "incidentId": "INC-12",
      "riskScore": 50,
      "source": "NetWitness Investigate",
      "title": "Network Alert1",
      "type": "Network"
    },
    "Incidents": {
      "alertCount": 1,
      "alertMeta": {
        "DestinationIp": [
          "192.168.5.###"
        ],
        "SourceIp": [
          "192.168.5.###"
        ]
      },
      "assignee": null,
      "averageAlertRiskScore": 50,
      "categories": [],
      "created": "2018-03-15T16:39:18.802Z",
      "createdBy": "admin",
      "deletedAlertCount": 0,
      "eventCount": 1,
      "firstAlertTime": null,
      "id": "INC-12",
      "journalEntries": null,
      "lastUpdated": "2018-03-16T05:51:03.233Z",
      "lastUpdatedBy": "admin",
      "openRemediationTaskCount": 0,
      "priority": "Medium",
      "riskScore": 50,
      "ruleId": null,
      "sealed": false,
      "sources": [
        "NetWitness Investigate"
      ],
      "status": "New",
      "summary": "",
      "title": "Network Alert1",
      "totalRemediationTaskCount": 0
    }
  }
}
Human Readable Output
Incident INC-12 Alerts
Alert Details
ID | Title | Detail | Created | Source | Risk score | Type | Total events |
---|---|---|---|---|---|---|---|
5aaaa1b69a95133336911c93 | Network Alert1 | | 2018-03-15T16:39:18.777Z | NetWitness Investigate | 50 | Network | 1 |
Event Details
Domain: None
Source: None
ID: 7
Source
Device IP | Device Port | Device MAC | User UserName |
---|---|---|---|
192.168.5.189 | 1045 | 00:0C:29:D1:39:5D | administrator |
Destination
Device IP | Device Port | Device MAC | User UserName |
---|---|---|---|
192.168.5.172 | 23 | 00:0C:29:62:29:43 | administrator |
2. Get a list of incidents
Get a list of incidents in a specific time frame. All arguments are optional, but you need to specify at least one argument for the command to execute successfully.
Base Command
netwitness-get-incidents
Input
Argument Name | Description | Required |
---|---|---|
since | Timestamp in ISO 8601 format (2018-01-01T14:00:00.000Z). Use to retrieve incidents created on and after this timestamp. | Optional |
until | Timestamp in ISO 8601 format (2018-01-01T14:00:00.000Z). Use to retrieve incidents created on and before this timestamp. | Optional |
limit | Maximum number of incidents to retrieve. Default is 200. | Optional |
lastDays | Use this to retrieve incidents from the previous number of days. | Optional |
Context Output
Path | Description |
---|---|
NetWitness.Incidents.id | Unique identifier of the incident |
NetWitness.Incidents.title | Title of the incident |
NetWitness.Incidents.summary | Summary of the incident |
NetWitness.Incidents.priority | The incident priority |
NetWitness.Incidents.riskScore | Incident risk score calculated based on associated alert’s risk score. Risk score ranges from 0 (no risk) to 100 (highest risk). |
NetWitness.Incidents.status | The current status of the incident |
NetWitness.Incidents.alertCount | Number of alerts associated with the incident |
NetWitness.Incidents.averageAlertRiskScore | Average risk score of the alerts associated with the incident |
NetWitness.Incidents.sealed | Indicates if additional alerts can be associated with an incident |
NetWitness.Incidents.totalRemediationTaskCount | The number of total remediation tasks for the incident |
NetWitness.Incidents.openRemediationTaskCount | The number of open remediation tasks for the incident |
NetWitness.Incidents.created | The timestamp of when the incident is created |
NetWitness.Incidents.lastUpdated | The timestamp of when the incident was last updated |
NetWitness.Incidents.lastUpdatedBy | The NetWitness user identifier of the user who last updated the incident |
NetWitness.Incidents.assignee | The NetWitness user identifier of the user currently working on the incident |
NetWitness.Incidents.sources | Unique set of sources for all alerts in the incident |
NetWitness.Incidents.ruleId | The unique identifier of the rule that created the incident |
NetWitness.Incidents.firstAlertTime | The timestamp of the earliest occurring alert in this incident |
NetWitness.Incidents.categories.id | The unique category identifier |
NetWitness.Incidents.categories.parent | Parent name of the category |
NetWitness.Incidents.categories.name | Friendly name of the category |
NetWitness.Incidents.journalEntries.id | The unique journal entry identifier |
NetWitness.Incidents.journalEntries.author | The author of this entry |
NetWitness.Incidents.journalEntries.notes | Notes and observations about the incident |
NetWitness.Incidents.journalEntries.created | The timestamp of the journal entry created date |
NetWitness.Incidents.journalEntries.lastUpdated | The timestamp of the journal entry last updated date |
NetWitness.Incidents.journalEntries.milestone | Incident milestone classifier |
NetWitness.Incidents.createdBy | The NetWitness user ID or username of the rule that created the incident |
NetWitness.Incidents.deletedAlertCount | The number of alerts that are deleted from the incident |
NetWitness.Incidents.eventCount | Number of events associated with incident |
NetWitness.Incidents.alertMeta.SourceIp | Unique source IP addresses |
NetWitness.Incidents.alertMeta.DestinationIp | Unique destination IP addresses |
Command Examples
!netwitness-get-incidents since=2018-01-01T14:00:00.000Z limit=200
!netwitness-get-incidents lastDays=4
Context Example
{
  "NetWitness": {
    "Incidents": [
      {
        "alertCount": 1,
        "alertMeta": {
          "DestinationIp": [
            ""
          ],
          "SourceIp": [
            ""
          ]
        },
        "assignee": null,
        "averageAlertRiskScore": 50,
        "categories": [],
        "created": "2018-03-29T13:55:55.644Z",
        "createdBy": "admin",
        "deletedAlertCount": 0,
        "eventCount": 2,
        "firstAlertTime": null,
        "id": "INC-23",
        "journalEntries": null,
        "lastUpdated": "2018-03-29T13:55:55.644Z",
        "lastUpdatedBy": "admin",
        "openRemediationTaskCount": 0,
        "priority": "Critical",
        "riskScore": 50,
        "ruleId": null,
        "sealed": false,
        "sources": [
          "NetWitness Investigate"
        ],
        "status": "New",
        "summary": "summary test ",
        "title": "test incident",
        "totalRemediationTaskCount": 0
      },
      {
        "alertCount": 1,
        "alertMeta": {
          "DestinationIp": [
            "75.98.175.###"
          ],
          "SourceIp": [
            "192.168.11.###"
          ]
        },
        "assignee": null,
        "averageAlertRiskScore": 50,
        "categories": [],
        "created": "2018-03-27T16:07:19.521Z",
        "createdBy": "admin",
        "deletedAlertCount": 0,
        "eventCount": 1,
        "firstAlertTime": null,
        "id": "INC-14",
        "journalEntries": null,
        "lastUpdated": "2018-03-27T16:07:19.521Z",
        "lastUpdatedBy": "admin",
        "openRemediationTaskCount": 0,
        "priority": "Critical",
        "riskScore": 50,
        "ruleId": null,
        "sealed": false,
        "sources": [
          "NetWitness Investigate"
        ],
        "status": "New",
        "summary": "",
        "title": "log",
        "totalRemediationTaskCount": 0
      }
    ]
  }
}
Human Readable Output
NetWitness Get Incidents
Incident Details
ID | Title | Summary | Risk score | Status | Alert count | Created | Last updated | Assignee | Sources | Categories |
---|---|---|---|---|---|---|---|---|---|---|
INC-23 | test incident | summary test | 50 | New | 1 | 2018-03-29T13:55:55.644Z | 2018-03-29T13:55:55.644Z | | NetWitness Investigate | |
INC-22 | test | blob | 60 | Assigned | 1 | 2018-03-29T13:41:00.965Z | 2018-07-12T13:54:47.194Z | admin | NetWitness Investigate | Physical:Connection |
INC-21 | User Behavior for test_user | | 30 | New | 1 | 2018-03-28T19:27:48.521Z | 2018-03-28T19:27:48.521Z | | Event Stream Analysis | |
INC-20 | ttyyy | | 50 | New | 1 | 2018-03-27T16:16:01.899Z | 2018-03-27T16:16:01.899Z | | NetWitness Investigate | |
INC-19 | test | | 50 | New | 1 | 2018-03-27T16:15:50.027Z | 2018-03-27T16:15:50.027Z | | NetWitness Investigate | |
INC-18 | log3 | | 50 | New | 1 | 2018-03-27T16:08:10.565Z | 2018-03-27T16:08:10.565Z | | NetWitness Investigate | |
INC-17 | log4 | | 50 | New | 1 | 2018-03-27T16:07:55.403Z | 2018-03-27T16:07:55.403Z | | NetWitness Investigate | |
INC-16 | log2 | | 50 | New | 1 | 2018-03-27T16:07:43.418Z | 2018-03-27T16:07:43.418Z | | NetWitness Investigate | |
3. Update an incident
Update a specific incident. Currently, only an incident’s status and assignee may be modified.
Base Command
netwitness-update-incident
Input
Argument Name | Description | Required |
---|---|---|
incidentId | The incident ID | Required |
status | The incident's current status | Optional |
assignee | The NetWitness user identifier of the user currently working on the incident | Optional |
Context Output
Path | Description |
---|---|
NetWitness.Incidents.id | The unique identifier of the incident. |
NetWitness.Incidents.title | Title of the incident |
NetWitness.Incidents.summary | Summary of the incident |
NetWitness.Incidents.priority | The incident priority |
NetWitness.Incidents.riskScore | Incident risk score calculated based on associated alert’s risk score. Risk score ranges from 0 (no risk) to 100 (highest risk). |
NetWitness.Incidents.status | The current status of the incident |
NetWitness.Incidents.alertCount | Number of alerts associated with the incident |
NetWitness.Incidents.averageAlertRiskScore | Average risk score of the alerts associated with the incident |
NetWitness.Incidents.sealed | Indicates if additional alerts can be associated with an incident |
NetWitness.Incidents.totalRemediationTaskCount | The number of total remediation tasks for the incident |
NetWitness.Incidents.openRemediationTaskCount | The number of open remediation tasks for the incident |
NetWitness.Incidents.created | The timestamp of when the incident is created |
NetWitness.Incidents.lastUpdated | The timestamp of when the incident was last updated |
NetWitness.Incidents.lastUpdatedBy | The NetWitness user identifier of the user who last updated the incident |
NetWitness.Incidents.assignee | The NetWitness user identifier of the user currently working on the incident |
NetWitness.Incidents.sources | Unique set of sources for all alerts in the incident |
NetWitness.Incidents.ruleId | The unique identifier of the rule that created the incident |
NetWitness.Incidents.firstAlertTime | The timestamp of the earliest occurring alert in this incident |
NetWitness.Incidents.categories.id | The unique category identifier |
NetWitness.Incidents.categories.parent | Parent name of the category |
NetWitness.Incidents.categories.name | Friendly name of the category |
NetWitness.Incidents.journalEntries.id | The unique journal entry identifier |
NetWitness.Incidents.journalEntries.author | The author of this entry |
NetWitness.Incidents.journalEntries.notes | Notes and observations about the incident |
NetWitness.Incidents.journalEntries.created | The timestamp of the journal entry created date |
NetWitness.Incidents.journalEntries.lastUpdated | The timestamp of the journal entry last updated date |
NetWitness.Incidents.journalEntries.milestone | Incident milestone classifier |
NetWitness.Incidents.createdBy | The NetWitness user ID or username of the rule that created the incident |
NetWitness.Incidents.deletedAlertCount | The number of alerts that are deleted from the incident |
NetWitness.Incidents.eventCount | Number of events associated with incident |
NetWitness.Incidents.alertMeta.SourceIp | Unique source IP addresses |
NetWitness.Incidents.alertMeta.DestinationIp | Unique destination IP addresses |
Command Example
!netwitness-update-incident incidentId=INC-12 status=InProgress
Context Example
{
  "NetWitness": {
    "Incidents": {
      "alertCount": 1,
      "alertMeta": {
        "DestinationIp": [
          "192.168.5.172"
        ],
        "SourceIp": [
          "192.168.5.189"
        ]
      },
      "assignee": null,
      "averageAlertRiskScore": 50,
      "categories": [],
      "created": "2018-03-15T16:39:18.802Z",
      "createdBy": "admin",
      "deletedAlertCount": 0,
      "eventCount": 1,
      "firstAlertTime": null,
      "id": "INC-12",
      "journalEntries": null,
      "lastUpdated": "2018-08-28T16:18:20.858Z",
      "lastUpdatedBy": "admin",
      "openRemediationTaskCount": 0,
      "priority": "Medium",
      "riskScore": 50,
      "ruleId": null,
      "sealed": true,
      "sources": [
        "NetWitness Investigate"
      ],
      "status": "InProgress",
      "summary": "",
      "title": "Network Alert1",
      "totalRemediationTaskCount": 0
    }
  }
}
Human Readable Output
NetWitness Update Incident
Incident Details
ID | Title | Summary | Risk score | Status | Alert count | Created | Last updated | Assignee | Sources | Categories |
---|---|---|---|---|---|---|---|---|---|---|
INC-12 | Network Alert1 | | 50 | InProgress | 1 | 2018-03-15T16:39:18.802Z | 2018-08-28T16:18:20.858Z | | NetWitness Investigate | |
4. Delete an incident
Delete a specific incident by its incident ID.
Base Command
netwitness-delete-incident
Input
Argument Name | Description | Required |
---|---|---|
incidentId | The incident ID | Required |
Context Output
There is no context output for this command.
Command Example
!netwitness-delete-incident incidentId=INC-12
5. Get all alerts for an incident
Get all the alerts related to a specific incident.
Base Command
netwitness-get-alerts
Input
Argument Name | Description | Required |
---|---|---|
incidentId | The incident ID | Required |
Context Output
Path | Description |
---|---|
NetWitness.Alerts.id | The unique alert identifier |
NetWitness.Alerts.incidentId | The incident ID associated with the alert |
NetWitness.Alerts.title | The title or name of the rule that created the alert |
NetWitness.Alerts.detail | The details of the alert. This can be the module name or meta that the module included. |
NetWitness.Alerts.created | The timestamp of the alert created date |
NetWitness.Alerts.source | The source of this alert. For example, "Event Stream Analysis", "Malware Analysis", and so on. |
NetWitness.Alerts.riskScore | The risk score of this alert, usually in the range 0 - 100. |
NetWitness.Alerts.type | Type of alert (Network, Log, and so on) |
NetWitness.Alerts.events.source.device.ipAddress | The source IP address |
NetWitness.Alerts.events.source.device.port | The source port |
NetWitness.Alerts.events.source.device.macAddress | The source Ethernet MAC address |
NetWitness.Alerts.events.source.device.dnsHostname | The source DNS resolved hostname |
NetWitness.Alerts.events.source.device.dnsDomain | The top-level domain from the DNS resolved hostname (source) |
NetWitness.Alerts.events.source.user.username | The unique username (source) |
NetWitness.Alerts.events.source.user.emailAddress | An email address (source) |
NetWitness.Alerts.events.source.user.adUsername | An Active Directory (AD) username (source) |
NetWitness.Alerts.events.source.user.adDomain | An Active Directory (AD) domain (source) |
NetWitness.Alerts.events.destination.device.ipAddress | The destination IP address |
NetWitness.Alerts.events.destination.device.port | The destination port |
NetWitness.Alerts.events.destination.device.macAddress | The destination Ethernet MAC address |
NetWitness.Alerts.events.destination.device.dnsHostname | The destination DNS resolved hostname |
NetWitness.Alerts.events.destination.device.dnsDomain | The top-level domain from the DNS resolved hostname (destination) |
NetWitness.Alerts.events.destination.user.username | The unique username (destination) |
NetWitness.Alerts.events.destination.user.emailAddress | An email address (destination) |
NetWitness.Alerts.events.destination.user.adUsername | An Active Directory (AD) username (destination) |
NetWitness.Alerts.events.destination.user.adDomain | An Active Directory (AD) domain (destination) |
Command Example
!netwitness-get-alerts incidentId="INC-12"
Context Example
{
  "NetWitness": {
    "Alerts": {
      "created": "2018-03-15T16:39:18.777Z",
      "detail": null,
      "events": [
        {
          "destination": {
            "device": {
              "dnsDomain": null,
              "dnsHostname": null,
              "ipAddress": "192.168.5.172",
              "macAddress": "00:0C:29:62:29:43",
              "port": 23
            },
            "user": {
              "adDomain": null,
              "adUsername": null,
              "emailAddress": null,
              "username": "administrator"
            }
          },
          "domain": null,
          "eventSource": null,
          "eventSourceId": "7",
          "source": {
            "device": {
              "dnsDomain": null,
              "dnsHostname": null,
              "ipAddress": "192.168.5.189",
              "macAddress": "00:0C:29:D1:39:5D",
              "port": 1045
            },
            "user": {
              "adDomain": null,
              "adUsername": null,
              "emailAddress": null,
              "username": "administrator"
            }
          }
        }
      ],
      "id": "5aaaa1b69a95133336911c93",
      "incidentId": "INC-12",
      "riskScore": 50,
      "source": "NetWitness Investigate",
      "title": "Network Alert1",
      "type": "Network"
    }
  }
}
Human Readable Output
Incident INC-12 Alerts
Alert Details
ID | Title | Detail | Created | Source | Risk score | Type | Total events |
---|---|---|---|---|---|---|---|
5aaaa1b69a95133336911c93 | Network Alert1 | | 2018-03-15T16:39:18.777Z | NetWitness Investigate | 50 | Network | 1 |
Event Details
Domain: None
Source: None
ID: 7
Source
Device IP | Device Port | Device MAC | User UserName |
---|---|---|---|
192.168.5.189 | 1045 | 00:0C:29:D1:39:5D | administrator |
Destination
Device IP | Device Port | Device MAC | User UserName |
---|---|---|---|
192.168.5.172 | 23 | 00:0C:29:62:29:43 | administrator |
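As an added example that is not part of the integration's own code, the Python below walks the NetWitness.Alerts context documented in sections 1 and 5 (events[].source/destination.device and .user), derives the alertMeta-style unique SourceIp/DestinationIp sets, the per-event Source/Destination rows of the Human Readable Output, and the incident roll-up fields (alertCount, eventCount, averageAlertRiskScore), while tolerating null device or user blocks. The sample alerts are constructed (documentation-range IPs), and the roll-up formula is an assumption inferred from the field descriptions above.

```python
"""Walk the NetWitness.Alerts context and derive incident-level summaries.

Added example, not the RSA NetWitness integration's own code. Field names
follow the context paths documented on this page; the sample alerts are
constructed and the roll-up formula (averageAlertRiskScore = mean of the
alerts' riskScore) is assumed from the field descriptions.
"""
from typing import Any, Dict, List

# Constructed sample shaped like the page's context example (made-up IPs).
SAMPLE_ALERTS: List[Dict[str, Any]] = [
    {
        "id": "5aaaa1b69a95133336911c93", "incidentId": "INC-12",
        "title": "Network Alert1", "riskScore": 50, "type": "Network",
        "source": "NetWitness Investigate", "detail": None,
        "created": "2018-03-15T16:39:18.777Z",
        "events": [{
            "eventSourceId": "7",
            "source": {"device": {"ipAddress": "192.0.2.10", "port": 1045,
                                  "macAddress": "00:0C:29:D1:39:5D",
                                  "dnsHostname": None, "dnsDomain": None},
                       "user": {"username": "administrator"}},
            "destination": {"device": {"ipAddress": "192.0.2.20", "port": 23,
                                       "macAddress": "00:0C:29:62:29:43"},
                            "user": {"username": "administrator"}},
        }],
    },
    {   # a log alert whose event carries no device block and no destination
        "id": "5aaaa1b69a95133336911c94", "incidentId": "INC-12",
        "title": "Log Alert1", "riskScore": 70, "type": "Log",
        "source": "Event Stream Analysis", "detail": "module-x",
        "created": "2018-03-15T16:40:00.000Z",
        "events": [{"eventSourceId": "8",
                    "source": {"device": None, "user": {"username": "svc"}},
                    "destination": None}],
    },
]


def _endpoint(event: Dict[str, Any], side: str) -> Dict[str, Any]:
    """Flatten event[side].device/user into one Source/Destination table row.

    Missing or null blocks yield None in every column instead of a KeyError,
    which the null-heavy context example on this page requires.
    """
    side_obj = event.get(side) or {}
    device = side_obj.get("device") or {}
    user = side_obj.get("user") or {}
    return {"Device IP": device.get("ipAddress"),
            "Device Port": device.get("port"),
            "Device MAC": device.get("macAddress"),
            "User UserName": user.get("username")}


def event_rows(alerts: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """One row per event, keyed by alert id and eventSourceId."""
    rows = []
    for alert in alerts:
        for event in alert.get("events") or []:
            rows.append({"alertId": alert.get("id"),
                         "eventSourceId": event.get("eventSourceId"),
                         "source": _endpoint(event, "source"),
                         "destination": _endpoint(event, "destination")})
    return rows


def alert_meta(alerts: List[Dict[str, Any]]) -> Dict[str, List[str]]:
    """Unique source/destination IPs, as in NetWitness.Incidents.alertMeta."""
    src, dst = set(), set()
    for row in event_rows(alerts):
        if row["source"]["Device IP"]:
            src.add(row["source"]["Device IP"])
        if row["destination"]["Device IP"]:
            dst.add(row["destination"]["Device IP"])
    return {"SourceIp": sorted(src), "DestinationIp": sorted(dst)}


def incident_rollup(alerts: List[Dict[str, Any]]) -> Dict[str, Any]:
    """alertCount, eventCount and averageAlertRiskScore for one incident."""
    scores = [a.get("riskScore") or 0 for a in alerts]
    return {"alertCount": len(alerts),
            "eventCount": sum(len(a.get("events") or []) for a in alerts),
            "averageAlertRiskScore": sum(scores) / len(scores) if scores else 0}
```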
Additional Information
Incidents query with time frame restriction
The time frame can be restricted on only one end, specifying since or until arguments, or restricted on both ends, specifying both arguments.
Both arguments should be passed in ISO 8601 format:
!netwitness-get-incidents since=2018-01-01T14:00:00.000Z until=2018-01-01T16:30:00.000Z
In this example, all incidents created between 2:00 PM on January 1, 2018 and 2:30 PM the same day will be fetched.
Another option is to specify the number of days prior as a time frame:
!netwitness-get-incidents lastDays=10
In this example, all incidents created in the 10 days prior to the current date will be fetched.
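As an added example (not the integration's own code), the following Python helper applies this page's time-frame rules for netwitness-get-incidents and for the fetch-incidents first-fetch window: at least one of since/until/lastDays must be given, timestamps use the ISO 8601 form shown above, limit defaults to 200, and lastDays is converted into a since timestamp relative to now. Converting lastDays client-side, rejecting lastDays combined with since/until, and validating timestamps locally (so a malformed value never reaches the server and produces the 400 error described under Troubleshooting) are this helper's own assumptions; the page does not describe the integration's internal handling.

```python
"""Build and validate time-frame arguments for netwitness-get-incidents.

Added example, not the RSA NetWitness integration's own code. It encodes
the rules stated on this page (at least one of since/until/lastDays, ISO
8601 timestamps like 2018-01-01T14:00:00.000Z, default limit 200) plus
two assumptions of its own: lastDays is turned into a `since` value
client-side, and lastDays may not be combined with since/until.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

ISO_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"  # the exact timestamp form shown on the page
DEFAULT_LIMIT = 200


def parse_iso8601(value: str) -> datetime:
    """Parse the page's timestamp form into an aware UTC datetime.

    Rejecting a malformed value here avoids a round trip that NetWitness
    would answer with 'Request failed with status: 400'.
    """
    try:
        return datetime.strptime(value, ISO_FMT).replace(tzinfo=timezone.utc)
    except ValueError as exc:
        raise ValueError(f"invalid ISO 8601 timestamp: {value!r}") from exc


def format_iso8601(moment: datetime) -> str:
    """Render an aware datetime as 2018-01-01T14:00:00.000Z (millisecond precision)."""
    moment = moment.astimezone(timezone.utc)
    return moment.strftime("%Y-%m-%dT%H:%M:%S.") + f"{moment.microsecond // 1000:03d}Z"


def build_incident_query(since: Optional[str] = None,
                         until: Optional[str] = None,
                         last_days: Optional[int] = None,
                         limit: Optional[int] = None,
                         now: Optional[datetime] = None) -> Dict[str, object]:
    """Return the query arguments for a get-incidents call, or raise ValueError."""
    if since is None and until is None and last_days is None:
        raise ValueError("specify at least one of since, until, lastDays")
    if last_days is not None and (since is not None or until is not None):
        raise ValueError("lastDays cannot be combined with since/until")  # assumption
    now = now or datetime.now(timezone.utc)

    if last_days is not None:
        if last_days <= 0:
            raise ValueError("lastDays must be a positive integer")
        since_dt = now - timedelta(days=last_days)   # "N days prior to now"
        until_dt = None
    else:
        since_dt = parse_iso8601(since) if since else None
        until_dt = parse_iso8601(until) if until else None
        if since_dt and until_dt and since_dt > until_dt:
            raise ValueError("since must not be later than until")

    query: Dict[str, object] = {"limit": limit if limit is not None else DEFAULT_LIMIT}
    if since_dt:
        query["since"] = format_iso8601(since_dt)
    if until_dt:
        query["until"] = format_iso8601(until_dt)
    return query


def first_fetch_window(first_fetch: Optional[str],
                       now: Optional[datetime] = None) -> Dict[str, object]:
    """Fetch-incidents time frame: the configured first-fetch timestamp, else 24 hours back."""
    now = now or datetime.now(timezone.utc)
    if first_fetch:
        return build_incident_query(since=first_fetch, now=now)
    return build_incident_query(since=format_iso8601(now - timedelta(hours=24)), now=now)
```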
Known Limitations
- Only an incident’s status and assignee fields can be modified.
- The incidents query can only be filtered by time frame.
Troubleshooting
- ‘Request failed with status: 400..’ error when running a NetWitness command
If this error is raised, it indicates that one of the arguments passed is not a valid value. For example:
  - Passing a non-existing incident ID to ‘get-incident’ will cause this type of error.
  - Passing an invalid timestamp to ‘netwitness-get-incidents’ will cause this type of error.
The error message provides a short description of the problem.
- ‘Login failed with status: 401..’ when testing instance configuration
This error indicates that bad credentials are configured in the instance settings. Make sure the correct username and password are configured in the instance settings.
- ‘…CERTIFICATE_VERIFY_FAILED...’ error when testing instance configuration
This error may indicate that the server certificate is missing or cannot be validated. It is possible to bypass certificate validation by checking ‘Do not validate server certificate’ in the instance settings; doing so disables TLS server authentication for this instance, so the preferred fix is to install a server certificate that the Cortex XSOAR host trusts.