Skip to main content

RSANetWitness v11.5

This Integration is part of the RSA NetWitness Pack.#

Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

RSA NetWitness Platform provides systems Logs, Network, and endpoint visibility for real-time collection, detection, and automated response with the XSOAR Enterprise platform.

This integration was integrated and tested with version 12.2 of RSANetWitness.

The integration supports version 11.5 and higher.

Changes compared to V11.1#

Changes in commands#

  • rsa-nw-remove-incident replaces the netwitness-delete-incident command.
  • rsa-nw-incident-list-alerts replaces the netwitness-get-alerts command with an added limit option and new pagination options.
  • rsa-nw-list-incidents replaces the netwitness-get-incident and netwitness-get-incidents commands.
  • rsa-nw-update-incident replaces the netwitness-update-incident command.

New commands#

  • endpoint
  • rsa-nw-endpoint-isolate-from-network
  • rsa-nw-endpoint-isolation-remove
  • rsa-nw-endpoint-update-exclusions
  • rsa-nw-file-alerts-list
  • rsa-nw-file-download
  • rsa-nw-files-list
  • rsa-nw-host-alerts-list
  • rsa-nw-hosts-list
  • rsa-nw-incident-add-journal-entry
  • rsa-nw-incident-list-alerts
  • rsa-nw-mft-download-request
  • rsa-nw-process-dump-download-request
  • rsa-nw-scan-request
  • rsa-nw-scan-stop-request
  • rsa-nw-services-list
  • rsa-nw-snapshot-details-get
  • rsa-nw-snapshots-list-for-host
  • rsa-nw-system-dump-download-request

API Limitations#

Commands that require actions within a hostonly return the status of the request received by our RSA server and not our host. Whether the desired action was preformed successfully within the host is not reported back.

For example, for our rsa-nw-scan-request command a success message returned only confirms the request has been received by RSA NetWitness, but does not indicate the scan has been preformed successfully in the requested host. Commands affected by this limitation are:

  • rsa-nw-endpoint-isolate-from-network
  • rsa-nw-endpoint-isolation-remove
  • rsa-nw-endpoint-update-exclusions
  • rsa-nw-file-download
  • rsa-nw-mft-download-request
  • rsa-nw-process-dump-download-request
  • rsa-nw-scan-request
  • rsa-nw-scan-stop-request
  • rsa-nw-system-dump-download-request

Configure RSA NetWitness in Cortex#

ParameterDescriptionRequired
Server URL (e.g., https://192.168.0.1)True
User nameTrue
PasswordTrue
Service IdThe service ID that is automatically used in every command where service ID is required. Retrieve all service IDs with the rsa-nw-services-list command. To overwrite with another service ID, use the command argument 'service_id'.False
Use system proxy settingsFalse
Trust any certificate (not secure)False
Fetch LimitThe maximum number of incidents to fetchFalse
Fetch TimeFirst fetch timestamp (<number> <time unit>, for example, 12 hours, 7 days)False
Incident typeFalse
Fetch incidentsFalse
On 'Fetch incidents' import all alerts related to the incidentFalse

Configure incident mirroring#

You can enable incident mirroring between Cortex XSOAR incidents and RSA NetWitness incidents (available from Cortex XSOAR version 6.0.0).

To setup the mirroring follow these instructions:

  1. Navigate to Settings > Integrations > Instances.
  2. Search for RSANetWitness v11.5 and select your integration instance.
  3. Enable Fetches incidents.
  4. Under Incident type, select NetWitness Incident.
  5. Under Mapper (incoming), select RSA NetWitness v11.5 - incoming mapper.
  6. In the Incident Mirroring Direction integration parameter, select in which direction the incidents should be mirrored:
    • Incoming - Any changes in RSA NetWitness incidents will be reflected in Cortex XSOAR incidents.
    • Outgoing - Any changes in XSOAR incidents will be reflected in RSA Netwitness incidents (status).
    • Incoming And Outgoing - Changes in Cortex XSOAR incidents and RSA NetWitness incidents will be reflected in both directions.
    • None - Turns off incident mirroring.
  7. Optional: Check the Close Mirrored XSOAR Incident integration parameter to close the Cortex XSOAR incident when the corresponding incident is closed in RSA NetWitness.

Newly fetched incidents will be mirrored in the chosen direction. However, this selection does not affect existing incidents.

Important Notes

  • When mirroring in incidents from RSA NetWitness to Cortex XSOAR, if the Close Mirrored XSOAR Incident integration parameter is enabled, the status field in RSA NetWitness determines whether the incident was closed.
  • Journal entries, tasks, and assignees are currently not mirrored.
  • Because of the implementation of the RSA API (you can get 1 incident by ID or every incident using a time interval), incidents are mirrored for a maximum of 24 days within a limit of 1500 incidents.

Commands#

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

rsa-nw-list-incidents#


Retrieves a single incident by ID or multiple incidents by the date and time they were created using the start time ('since') or end time ('until'). You can limit the results using the limit argument or the page size argument. If no arguments are entered the last 50 results are returned.

Base Command#

rsa-nw-list-incidents

Input#

Argument NameDescriptionRequired
untilA timestamp in the format 2020-01-18T14:00:00.000Z. Retrieve incidents created on and before this timestamp.Optional
sinceA timestamp in the format 2020-01-18T14:00:00.000Z. Retrieve incidents created on and after this timestamp.Optional
page_sizeThe maximum number of items to return in a single page. Cannot be supplied with the limit argument.Optional
page_numberThe requested page number, first page is 0. Cannot be supplied with the limit argument.Optional
limitMaximum number of results to be returned. If not set, the first 50 results are returned. Cannot be supplied with page_size/page_number arguments.Optional
idEnter an incident ID to receive its full details. For example, 'INC-40'.Optional

Context Output#

PathTypeDescription
RSANetWitness115.Incidents.idStringThe unique incident identifier.
RSANetWitness115.Incidents.titleStringThe incident title.
RSANetWitness115.Incidents.summaryStringThe incident summary.
RSANetWitness115.Incidents.priorityStringThe incident priority. Can be Low, Medium, High, or Critical.
RSANetWitness115.Incidents.riskScoreNumberThe incident risk score is calculated based on the associated alert’s risk score. Risk score ranges from 0 (no risk) to 100 (highest risk).
RSANetWitness115.Incidents.statusStringThe current incident status.
RSANetWitness115.Incidents.alertCountNumberThe number of alerts associated with an incident.
RSANetWitness115.Incidents.averageAlertRiskScoreNumberThe average risk score of the alerts associated with the incident. Risk score ranges from 0 (no risk) to 100 (highest risk).
RSANetWitness115.Incidents.sealedBooleanIndicates if additional alerts can be associated with an incident. A sealed incident cannot be associated with additional alerts.
RSANetWitness115.Incidents.totalRemediationTaskCountNumberThe number of total remediation tasks for an incident.
RSANetWitness115.Incidents.openRemediationTaskCountNumberThe number of open remediation tasks for an incident.
RSANetWitness115.Incidents.createdDateThe timestamp when the incident was created.
RSANetWitness115.Incidents.lastUpdatedDateThe timestamp when the incident was last updated.
RSANetWitness115.Incidents.lastUpdatedByStringThe NetWitness user identifier of the user who last updated the incident.
RSANetWitness115.Incidents.assigneeStringThe NetWitness user identifier of the user currently working on the incident.
RSANetWitness115.Incidents.sourcesStringUnique set of sources for all the alerts in an incident.
RSANetWitness115.Incidents.ruleIdStringThe unique identifier of the rule that created the incident.
RSANetWitness115.Incidents.firstAlertTimeStringThe timestamp of the earliest occurring Alert in this incident.
RSANetWitness115.Incidents.categories.idStringThe unique category identifier.
RSANetWitness115.Incidents.categories.parentStringThe parent name of the category.
RSANetWitness115.Incidents.categories.nameStringThe friendly name of the category.
RSANetWitness115.Incidents.journalEntries.idStringThe unique journal entry identifier.
RSANetWitness115.Incidents.journalEntries.authorStringThe author of this entry.
RSANetWitness115.Incidents.journalEntries.notesStringNotes and observations about the incident.
RSANetWitness115.Incidents.journalEntries.createdStringThe timestamp of the journal entry created date.
RSANetWitness115.Incidents.journalEntries.lastUpdatedStringThe timestamp of the journal entry last updated date.
RSANetWitness115.Incidents.journalEntries.milestoneStringIncident milestone classifier.
RSANetWitness115.Incidents.createdByStringThe NetWitness user ID or name of the rule that created the incident.
RSANetWitness115.Incidents.deletedAlertCountNumberThe number of alerts that are deleted from the incident.
RSANetWitness115.Incidents.eventCountNumberThe number of events associated with incident.
RSANetWitness115.Incidents.alertMeta.SourceIpStringThe unique source IP addresses.
RSANetWitness115.Incidents.alertMeta.DestinationIpStringThe unique destination IP addresses.
RSANetWitness115.paging.Incidents.hasNextBooleanIndicates if there is a page containing results after this page.
RSANetWitness115.paging.Incidents.hasPreviousBooleanIndicates if there is a page containing results before this page.
RSANetWitness115.paging.Incidents.pageNumberNumberThe requested page number.
RSANetWitness115.paging.Incidents.pageSizeNumberThe requested number of items to return in a single page.
RSANetWitness115.paging.Incidents.totalPagesNumberThe total number of pages available.
RSANetWitness115.paging.Incidents.totalItemsNumberThe total number of items available.

Command example#

!rsa-nw-list-incidents limit=1

Context Example#

{
"RSANetWitness115": {
"Incidents": {
"alertCount": 1,
"alertMeta": {
"DestinationIp": [
"1.1.1.1"
],
"SourceIp": [
""
]
},
"assignee": null,
"averageAlertRiskScore": 70,
"categories": null,
"created": "2021-11-15T07:30:49.670Z",
"createdBy": "Admin",
"deletedAlertCount": 0,
"eventCount": 1,
"firstAlertTime": null,
"id": "INC-49",
"journalEntries": [
{
"author": "Admin",
"created": "2021-12-26T16:10:21.810Z",
"id": "48",
"lastUpdated": "2021-12-26T16:10:21.810Z",
"milestone": null,
"notes": "great inc for demo"
}
],
"lastUpdated": "2022-01-10T13:50:14.312Z",
"lastUpdatedBy": "Admin",
"openRemediationTaskCount": 0,
"priority": "Low",
"riskScore": 70,
"ruleId": null,
"sealed": false,
"sources": [
"Reporting Engine"
],
"status": "Assigned",
"summary": null,
"title": "Fetch_testing",
"totalRemediationTaskCount": 0
},
"paging": {
"Incidents": {
"hasNext": true,
"hasPrevious": false,
"pageNumber": 0,
"pageSize": 1,
"totalItems": 28,
"totalPages": 28
}
}
}
}

Human Readable Output#

Total Retrieved Incidents : 1#

Page number 0 out of 28 |Id|Title|Summary|Priority|RiskScore|Status|AlertCount|Created|LastUpdated|Assignee|Sources|Categories| |---|---|---|---|---|---|---|---|---|---|---|---| | INC-49 | Fetch_testing | | Low | 70 | Assigned | 1 | 2021-11-15T07:30:49.670Z | 2022-01-10T13:50:14.312Z | | Reporting Engine | |

rsa-nw-update-incident#


Updates incident status and assignee.

Base Command#

rsa-nw-update-incident

Input#

Argument NameDescriptionRequired
idThe incident ID.Required
statusThe new incident status. Can be New, Assigned, InProgress, RemediationRequested, RemediationComplete, Closed, ClosedFalsePositive. Possible values are: New, Assigned, InProgress, RemediationRequested, RemediationComplete, Closed, ClosedFalsePositive.Optional
assigneeThe NetWitness user identifier of the user currently working on the incident. You can find the list of assignees in the RSA Net Witness interface.Optional

Context Output#

PathTypeDescription
RSANetWitness115.Incidents.idStringThe unique incident identifier.
RSANetWitness115.Incidents.titleStringThe incident title.
RSANetWitness115.Incidents.summaryStringThe incident summary.
RSANetWitness115.Incidents.priorityStringThe incident priority. Can be Low, Medium, High, or Critical.
RSANetWitness115.Incidents.riskScoreNumberThe incident risk score is calculated based on the associated alert’s risk score. Risk score ranges from 0 (no risk) to 100 (highest risk).
RSANetWitness115.Incidents.statusStringThe current incident status.
RSANetWitness115.Incidents.alertCountNumberThe number of alerts associated with an incident.
RSANetWitness115.Incidents.averageAlertRiskScoreNumberThe average risk score of the alerts associated with the incident. Risk score ranges from 0 (no risk) to 100 (highest risk).
RSANetWitness115.Incidents.sealedBooleanIndicates if additional alerts can be associated with an incident. A sealed incident cannot be associated with additional alerts.
RSANetWitness115.Incidents.totalRemediationTaskCountNumberThe number of total remediation tasks for an incident.
RSANetWitness115.Incidents.openRemediationTaskCountNumberThe number of open remediation tasks for an incident.
RSANetWitness115.Incidents.createdDateThe timestamp when the incident was created.
RSANetWitness115.Incidents.lastUpdatedDateThe timestamp when the incident was last updated.
RSANetWitness115.Incidents.lastUpdatedByStringThe NetWitness user identifier of the user who last updated the incident.
RSANetWitness115.Incidents.assigneeStringThe NetWitness user identifier of the user currently working on the incident.
RSANetWitness115.Incidents.sourcesStringUnique set of sources for all the alerts in an incident.
RSANetWitness115.Incidents.ruleIdStringThe unique identifier of the rule that created the incident.
RSANetWitness115.Incidents.firstAlertTimeStringThe timestamp of the earliest occurring Alert in this incident.
RSANetWitness115.Incidents.categories.idStringThe unique category identifier.
RSANetWitness115.Incidents.categories.parentStringThe parent name of the category.
RSANetWitness115.Incidents.categories.nameStringThe friendly name of the category.
RSANetWitness115.Incidents.journalEntries.idStringThe unique journal entry identifier.
RSANetWitness115.Incidents.journalEntries.authorStringThe author of this entry.
RSANetWitness115.Incidents.journalEntries.notesStringNotes and observations about the incident.
RSANetWitness115.Incidents.journalEntries.createdStringThe timestamp of the journal entry created date.
RSANetWitness115.Incidents.journalEntries.lastUpdatedStringThe timestamp of the journal entry last updated date.
RSANetWitness115.Incidents.journalEntries.milestoneStringIncident milestone classifier.
RSANetWitness115.Incidents.createdByStringThe NetWitness user ID or name of the rule that created the incident.
RSANetWitness115.Incidents.deletedAlertCountNumberThe number of alerts that are deleted from the incident.
RSANetWitness115.Incidents.eventCountNumberThe number of events associated with incident.
RSANetWitness115.Incidents.alertMeta.SourceIpStringThe unique source IP addresses.
RSANetWitness115.Incidents.alertMeta.DestinationIpStringThe unique destination IP addresses.

Command example#

!rsa-nw-update-incident id=INC-49 status=Assigned

Context Example#

{
"RSANetWitness115": {
"Incidents": {
"alertCount": 1,
"alertMeta": {
"DestinationIp": [
"1.1.1.1"
],
"SourceIp": [
""
]
},
"assignee": null,
"averageAlertRiskScore": 70,
"categories": null,
"created": "2021-11-15T07:30:49.670Z",
"createdBy": "Admin",
"deletedAlertCount": 0,
"eventCount": 1,
"firstAlertTime": null,
"id": "INC-49",
"journalEntries": [
{
"author": "Admin",
"created": "2021-12-26T16:10:21.810Z",
"id": "48",
"lastUpdated": "2021-12-26T16:10:21.810Z",
"milestone": null,
"notes": "great inc for demo"
}
],
"lastUpdated": "2022-01-10T14:12:35.992Z",
"lastUpdatedBy": "Admin",
"openRemediationTaskCount": 0,
"priority": "Low",
"riskScore": 70,
"ruleId": null,
"sealed": false,
"sources": [
"Reporting Engine"
],
"status": "Assigned",
"summary": null,
"title": "Fetch_testing",
"totalRemediationTaskCount": 0
}
}
}

Human Readable Output#

Updated Incident INC-49#

IdTitleSummaryPriorityRiskScoreStatusAlertCountCreatedLastUpdatedAssigneeSourcesCategories
INC-49Fetch_testingLow70Assigned12021-11-15T07:30:49.670Z2022-01-10T14:12:35.992ZReporting Engine

rsa-nw-remove-incident#


Remove a single incident using the incident’s unique identifier.

Base Command#

rsa-nw-remove-incident

Input#

Argument NameDescriptionRequired
idThe unique incident identifier.Required

Context Output#

There is no context output for this command.

rsa-nw-incident-add-journal-entry#


Add a journal entry to an existing incident.

Base Command#

rsa-nw-incident-add-journal-entry

Input#

Argument NameDescriptionRequired
idThe unique incident identifier.Required
authorThe NetWitness user ID of the user creating the journal entry. Can be found in the RSA platform. If no author is provided the command lists the user from the integration configuration as the author.Optional
notesNotes and observations about the incident.Required
milestoneThe incident milestone classifier. Can be Reconnaissance, Delivery, Exploitation, Installation, CommandAndControl, ActionOnObjective, Containment, Eradication, Closure. Possible values are: Reconnaissance, Delivery, Exploitation, Installation, CommandAndControl, ActionOnObjective, Containment, Eradication, Closure.Optional

Context Output#

There is no context output for this command.

Command example#

!rsa-nw-incident-add-journal-entry id=INC-24 notes="adding entry"

Human Readable Output#

Journal entry added successfully for incident INC-24

rsa-nw-incident-list-alerts#


Retrieves all the alerts that are associated with an incident based on the incident ID. you can limit the results using the limit argument or the page size argument.

Base Command#

rsa-nw-incident-list-alerts

Input#

Argument NameDescriptionRequired
idThe unique incident identifier.Required
page_numberThe requested page number, first page is 0. Cannot be supplied with the limit argument.Optional
page_sizeThe maximum number of items to return in a single page. Cannot be supplied with the limit argument.Optional
limitThe maximum number of results to be returned. If not set, the first 50 results are returned. cannot be supplied with page_size/page_number arguments.Optional

Context Output#

PathTypeDescription
RSANetWitness115.IncidentAlerts.idStringThe unique alert identifier.
RSANetWitness115.IncidentAlerts.titleStringThe title or name of the rule that created the alert.
RSANetWitness115.IncidentAlerts.detailStringThe details of the alert. This can be the module name or meta that the module included.
RSANetWitness115.IncidentAlerts.createdDateThe timestamp of the alert created date.
RSANetWitness115.IncidentAlerts.sourceStringThe source of this alert. For example, Event Stream Analysis or Malware Analysis.
RSANetWitness115.IncidentAlerts.riskScoreNumberThe risk score of this alert, usually in the range 0 - 100.
RSANetWitness115.IncidentAlerts.typeStringThe type alert type. For example, Network or Log.
RSANetWitness115.IncidentAlerts.events.source.device.ipAddressStringThe source IP address.
RSANetWitness115.IncidentAlerts.events.source.device.portNumberThe source port.
RSANetWitness115.IncidentAlerts.events.source.device.macAddressStringThe source ethernet MAC address.
RSANetWitness115.IncidentAlerts.events.source.device.dnsHostnameStringThe source DNS resolved hostname.
RSANetWitness115.IncidentAlerts.events.source.device.dnsDomainStringThe source top-level domain from the DNS resolved hostname.
RSANetWitness115.IncidentAlerts.events.source.user.usernameStringThe source unique username.
RSANetWitness115.IncidentAlerts.events.source.user.emailAddressStringThe source email address.
RSANetWitness115.IncidentAlerts.events.source.user.adUsernameStringThe source Active Directory (AD) username.
RSANetWitness115.IncidentAlerts.events.source.user.adDomainStringThe source Active Directory (AD) domain.
RSANetWitness115.IncidentAlerts.events.destination.device.ipAddressStringThe destination IP address.
RSANetWitness115.IncidentAlerts.events.destination.device.portNumberThe destination port.
RSANetWitness115.IncidentAlerts.events.destination.device.macAddressStringThe destination ethernet MAC address.
RSANetWitness115.IncidentAlerts.events.destination.device.dnsHostnameStringThe destination DNS resolved hostname.
RSANetWitness115.IncidentAlerts.events.destination.device.dnsDomainStringThe destination top-level domain from the DNS resolved hostname.
RSANetWitness115.IncidentAlerts.events.destination.user.usernameStringThe destination unique username.
RSANetWitness115.IncidentAlerts.events.destination.user.emailAddressStringThe destination email address.
RSANetWitness115.IncidentAlerts.events.destination.user.adUsernameStringThe destination Active Directory (AD) username.
RSANetWitness115.IncidentAlerts.events.destination.user.adDomainStringAn destination Active Directory (AD) domain.
RSANetWitness115.IncidentAlerts.events.domainStringThe destination top-level domain or Windows domain.
RSANetWitness115.IncidentAlerts.events.eventSourceStringThe source of the event. This may be a fully-qualified hostname with a port, or simple name.
RSANetWitness115.IncidentAlerts.events.eventSourceIdStringThe unique identifier of the event on the source. For Network and Log events, this is the Nextgen Session ID.
RSANetWitness115.paging.IncidentAlerts.pageNumberNumberThe requested page number.
RSANetWitness115.paging.IncidentAlerts.pageSizeNumberThe requested number of items to return in a single page.
RSANetWitness115.paging.IncidentAlerts.totalPagesNumberThe total number of pages available.
RSANetWitness115.paging.IncidentAlerts.totalItemsNumberThe total number of items available.
RSANetWitness115.paging.IncidentAlerts.hasNextBooleanIndicates if there is a page containing results after this page.
RSANetWitness115.paging.IncidentAlerts.hasPreviousBooleanIndicates if there is a page containing results before this page.

Command example#

!rsa-nw-incident-list-alerts id=INC-49

Context Example#

{
"RSANetWitness115": {
"IncidentAlerts": {
"IncidentId": "INC-49",
"created": "2021-03-02T17:46:06Z",
"detail": null,
"events": [
{
"destination": {
"device": {
"dnsDomain": null,
"dnsHostname": null,
"ipAddress": "1.1.1.1",
"macAddress": "111::111:11:111:11",
"port": null
},
"user": {
"adDomain": null,
"adUsername": null,
"emailAddress": null,
"username": null
}
},
"domain": "ADONIS",
"eventSource": "1.1.1.1",
"eventSourceId": "1",
"source": {
"device": {
"dnsDomain": null,
"dnsHostname": null,
"ipAddress": null,
"macAddress": null,
"port": null
},
"user": {
"adDomain": null,
"adUsername": null,
"emailAddress": null,
"username": null
}
}
}
],
"id": "1",
"riskScore": null,
"source": "Reporting Engine",
"title": "Rule",
"type": "Log"
},
"paging": {
"IncidentAlerts": {
"hasNext": false,
"hasPrevious": false,
"pageNumber": 0,
"pageSize": 50,
"totalItems": 1,
"totalPages": 1
}
}
}
}

Human Readable Output#

Total Retrieved Alerts : 1 for incident INC-49#

Page number 0 out of 1 |Id|Title|Created|Source|Type|Events| |---|---|---|---|---|---| | 1 | Rule | 2021-03-02T17:46:06Z | Reporting Engine | Log | {'source': {'device': {'ipAddress': None, 'port': None, 'macAddress': None, 'dnsHostname': None, 'dnsDomain': None}, 'user': {'username': None, 'emailAddress': None, 'adUsername': None, 'adDomain': None}}, 'destination': {'device': {'ipAddress': '1.1.1.1', 'port': None, 'macAddress': '111::111:11:111:11', 'dnsHostname': None, 'dnsDomain': None}, 'user': {'username': None, 'emailAddress': None, 'adUsername': None, 'adDomain': None}}, 'domain': 'ADONIS', 'eventSource': '1.1.1.1', 'eventSourceId': '1'} |

rsa-nw-services-list#


Retrieves a list of all services, or filter by name.

Base Command#

rsa-nw-services-list

Input#

Argument NameDescriptionRequired
nameThe name of the service. For example, endpoint-server.Optional

Context Output#

PathTypeDescription
RSANetWitness115.ServicesList.idStringThe unique identifier of each service installed in the RSA NetWitness suite.
RSANetWitness115.ServicesList.nameStringThe name of the service. For example, endpoint- server.
RSANetWitness115.ServicesList.displayNameStringThe display name of the service.
RSANetWitness115.ServicesList.hostStringThe host details of the service.
RSANetWitness115.ServicesList.versionStringThe version of the service.

Command example#

!rsa-nw-services-list

Context Example#

{
"RSANetWitness115": {
"ServicesList":
{
"displayName": "ELD",
"host": "1.1.1.1",
"id": "1",
"name": "server",
"version": "1"
}
]
}
}

Human Readable Output#

Results#

displayNamehostidnameversion
ELD1.1.1.11server1

rsa-nw-hosts-list#


Lists all host information from a specific endpoint server. Filter the results using the supplied arguments (can be a list) or use the 'filter' argument. You can limit the results using the limit argument or the page size argument.

Base Command#

rsa-nw-hosts-list

Input#

Argument NameDescriptionRequired
service_idThe service ID of the specific endpoint server. View all service IDs using the 'rsa-nw-services-list' command. If none is given, the service ID configured in the integration configuration is used.Optional
page_numberThe requested page number, first page is 0. Cannot be supplied with the limit argument.Optional
page_sizeThe maximum number of items to return in a single page. Cannot be supplied with the limit argument.Optional
limitThe maximum number of results to be returned. If not set, the first 50 results are returned. Cannot be supplied with page_size/page_number arguments.Optional
agent_idA comma-separated list of host agent IDs.Optional
host_nameA comma-separated list of host names.Optional
risk_scoreThe host risk score. Returns all results with risk score greater than or equal to.Optional
ipA comma-separated list of IPV4 in the network interface.Optional
filterCustom filter in JSON format.Optional

Context Output#

PathTypeDescription
RSANetWitness115.HostsList.agentIdStringThe host agent ID.
RSANetWitness115.HostsList.hostNameStringThe host name.
RSANetWitness115.HostsList.riskScoreNumberThe host risk score.
RSANetWitness115.HostsList.networkInterfaces.nameStringThe name of the network interface.
RSANetWitness115.HostsList.networkInterfaces.macAddressStringThe MAC Address of the network interface.
RSANetWitness115.HostsList.networkInterfaces.ipv4StringThe list of IPV4 in the network interface.
RSANetWitness115.HostsList.networkInterfaces.ipv6StringThe list of IPV6 in the network interface.
RSANetWitness115.HostsList.networkInterfaces.networkIdv6StringThe list of network IDV6 in the network interface.
RSANetWitness115.HostsList.networkInterfaces.gatewayStringThe list of gateways in the network interface.
RSANetWitness115.HostsList.networkInterfaces.dnsStringThe list of DNS in the network interface.
RSANetWitness115.HostsList.networkInterfaces.promiscuousBooleanSpecifies if the network interface is in promiscuous mode.
RSANetWitness115.HostsList.lastSeenTimeDateThe agent last seen time.
RSANetWitness115.paging.HostsList.pageNumberNumberThe requested page number.
RSANetWitness115.paging.HostsList.pageSizeNumberThe requested number of items to return in a single page.
RSANetWitness115.paging.HostsList.totalPagesNumberThe total number of pages available.
RSANetWitness115.paging.HostsList.totalItemsNumberThe total number of items available.
RSANetWitness115.paging.HostsList.hasNextBooleanIndicates if there is a page containing results after this page.
RSANetWitness115.paging.HostsList.hasPreviousBooleanIndicates if there is a page containing results before this page.

Command example#

!rsa-nw-hosts-list limit=1

Context Example#

{
"RSANetWitness115": {
"HostsList": {
"agentId": "1",
"hostName": "hostName",
"lastSeenTime": "2022-01-10T14:12:30.197Z",
"networkInterfaces": [
{
"dns": [
"1.1.1.1"
],
"gateway": [
"1.1.1.1"
],
"ipv4": [
"1.1.1.1"
],
"ipv6": [
"111::111:11:111:11"
],
"macAddress": "111::111:11:111:11",
"name": "AWS PV Network Device #0",
"networkIdv6": [
"1"
],
"promiscuous": false
}
],
"riskScore": 0
},
"paging": {
"HostsList": {
"hasNext": false,
"hasPrevious": false,
"pageNumber": 0,
"pageSize": 1,
"totalItems": 1,
"totalPages": 1
}
}
}
}

Human Readable Output#

Total Retrieved Hosts : 1#

Page number 0 out of 1 |agentId|hostName|riskScore|networkInterfaces|lastSeenTime| |---|---|---|---|---| | 1 | hostName | 0 | {'name': 'AWS PV Network Device #0', 'macAddress': '111::111:11:111:11', 'ipv4': ['1.1.1.10'], 'ipv6': ['111::111:11:111:11'], 'networkIdv6': ['1'], 'gateway': ['1.1.1.1'], 'dns': ['1.1.1.1'], 'promiscuous': False} | 2022-01-10T14:12:30.197Z |

endpoint#


Retrieves host information for a specific endpoint. To use this command, service ID must be set in the integration configuration.

Base Command#

endpoint

Input#

Argument NameDescriptionRequired
idThe endpoint ID.Optional
ipThe endpoint IP.Optional
hostnameThe endpoint hostname.Optional

Context Output#

PathTypeDescription
Endpoint.HostnameStringThe endpoint hostname.
Endpoint.Relationships.EntityAstringThe relationship source.
Endpoint.Relationships.EntityBstringThe relationship destination.
Endpoint.Relationships.RelationshipstringThe relationship name.
Endpoint.Relationships.EntityATypestringThe relationship source type.
Endpoint.Relationships.EntityBTypestringThe relationship destination type.
Endpoint.OSStringThe endpoint operation system.
Endpoint.IPAddressStringThe endpoint IP address.
Endpoint.IDStringThe endpoint ID.
Endpoint.StatusStringThe endpoint status.
Endpoint.IsIsolatedStringThe endpoint isolation status.
Endpoint.MACAddressStringThe endpoint MAC address.
Endpoint.VendorStringThe integration name of the endpoint vendor.
Endpoint.DomainStringThe endpoint domain.
Endpoint.DHCPServerStringThe endpoint DHCP server.
Endpoint.OSVersionStringThe endpoint operation system version.
Endpoint.BIOSVersionStringThe endpoint BIOS version.
Endpoint.ModelStringThe model of the machine or device.
Endpoint.MemoryIntThe memory on this endpoint.
Endpoint.ProcessorsIntThe number of processors.
Endpoint.ProcessorStringThe processor model.

Command example#

!endpoint

Context Example#

{
"Endpoint": {
"Hostname": "hostName",
"ID": "1",
"IPAddress": [
[
"1.1.1.1"
]
],
"MACAddress": [
"111::111:11:111:11"
],
"Vendor": "RSA NetWitness 11.5 Response"
}
}

Human Readable Output#

RSA NetWitness - Endpoint: 1#

HostnameIDIPAddressMACAddressVendor
hostName1['1.1.1.1']111::111:11:111:11RSA NetWitness 11.5 Response

rsa-nw-snapshots-list-for-host#


Retrieve a list os snapshot IDs for a given host.

Base Command#

rsa-nw-snapshots-list-for-host

Input#

Argument NameDescriptionRequired
agent_idThe host agent ID.Required
service_idThe service ID of the specific endpoint server. View all service IDs using the 'rsa-nw-services-list' command. If none is given, the service ID configured in the integration configuration is used.Optional

Context Output#

PathTypeDescription
RSANetWitness115.SnapshotsListForHostDateThe list of snapshot timestamps.

Command example#

!rsa-nw-snapshots-list-for-host agent_id=1

Context Example#

{
"RSANetWitness115": {
"SnapshotsListForHost": [
"2022-01-09T16:42:45.661Z",
"2022-01-09T16:12:41.840Z",
"2022-01-09T15:51:44.870Z",
"2022-01-02T13:21:24.655Z",
"2021-12-30T09:32:48.740Z",
"2021-12-16T14:23:38.357Z"
]
}
}

Human Readable Output#

Snapshot list for agent id 1-#

Snapshot Id
2022-01-09T16:42:45.661Z
2022-01-09T16:12:41.840Z
2022-01-09T15:51:44.870Z
2022-01-02T13:21:24.655Z
2021-12-30T09:32:48.740Z
2021-12-16T14:23:38.357Z

rsa-nw-snapshot-details-get#


Provides snapshot details of the given host for the specified snapshot time. It is recommended to use categories to filter the results since this command returns a large amount of data.

Base Command#

rsa-nw-snapshot-details-get

Input#

Argument NameDescriptionRequired
agent_idThe host agent ID.Required
snapshot_timestampThe start time of the scan snapshot. Can be retrieved using the 'rsa-nw-snapshots-list-for-host' command.Required
service_idThe service ID of the specific endpoint server. View all service IDs using the 'rsa-nw-services-list' command. If none is given, the service ID configured in the integration configuration is used.Optional
categoriesA comma-separated list of categories to filter the results. For example, PROCESSES,SERVICES. Possible values are: PROCESSES, LOADED_LIBRARIES, SERVICES, AUTORUNS, TASKS, DRIVERS, THREADS, IMAGE_HOOKS, KERNEL_HOOKS..Optional
limitThe maximum number of results returned by the command. Default is 50.Optional
offsetThe offset to receive results from. For example, offset=3 returns results from the 3rd result onward.Optional

Context Output#

PathTypeDescription
RSANetWitness115.SnapshotDetailsGet.machineOsTypeStringThe operating system type (Windows, Mac, Linux).
RSANetWitness115.SnapshotDetailsGet.hostNameStringThe host name.
RSANetWitness115.SnapshotDetailsGet.agentIdStringThe host agent ID.
RSANetWitness115.SnapshotDetailsGet.agentVersionStringThe agent version.
RSANetWitness115.SnapshotDetailsGet.scanStartTimeDateThe start time of the scan snapshot.
RSANetWitness115.SnapshotDetailsGet.directoryStringThe file directory.
RSANetWitness115.SnapshotDetailsGet.fileNameStringThe file name.
RSANetWitness115.SnapshotDetailsGet.owner.usernameStringThe user name of the file owner.
RSANetWitness115.SnapshotDetailsGet.owner.groupnameStringThe group name of the file owner.
RSANetWitness115.SnapshotDetailsGet.owner.uidStringThe UID of the user name.
RSANetWitness115.SnapshotDetailsGet.owner.gidStringThe GID of the user name.
RSANetWitness115.SnapshotDetailsGet.timeCreatedDateThe timestamp when the file was created.
RSANetWitness115.SnapshotDetailsGet.timeModifiedDateThe timestamp when the file was modified.
RSANetWitness115.SnapshotDetailsGet.timeAccessedDateThe timestamp when the file was last accessed.
RSANetWitness115.SnapshotDetailsGet.attributesStringThe list of file attributes.
RSANetWitness115.SnapshotDetailsGet.accessModeNumberThe file access mode.
RSANetWitness115.SnapshotDetailsGet.sameDirectoryFileCounts.nonExeNumberThe number of non-exe files in the same directory as the file.
RSANetWitness115.SnapshotDetailsGet.sameDirectoryFileCounts.exeNumberThe number of exe files in the same directory as the file.
RSANetWitness115.SnapshotDetailsGet.sameDirectoryFileCounts.subFolderNumberThe number of sub-folders in the same directory as the file.
RSANetWitness115.SnapshotDetailsGet.sameDirectoryFileCounts.exeSameCompanyNumberThe number of executables with the same company name in the same directory as the file.
RSANetWitness115.SnapshotDetailsGet.sameDirectoryFileCounts.hiddenFilesNumberThe count of hidden files in the same directory as the file.
RSANetWitness115.SnapshotDetailsGet.fileContextStringThe list of file context.
RSANetWitness115.SnapshotDetailsGet.directoryContextStringThe list of directory context.
RSANetWitness115.SnapshotDetailsGet.autorunContextUnknownThe list of autorun context.
RSANetWitness115.SnapshotDetailsGet.networkContextUnknownThe list of network context.
RSANetWitness115.SnapshotDetailsGet.kernelModeContextUnknownThe list of kernel mode context.
RSANetWitness115.SnapshotDetailsGet.userModeContextUnknownThe list of user mode context.
RSANetWitness115.SnapshotDetailsGet.processContextUnknownThe list of process context.
RSANetWitness115.SnapshotDetailsGet.rpm.packageNameStringThe RPM package name to which the file belongs.
RSANetWitness115.SnapshotDetailsGet.rpm.categoryStringThe category to which the RPM package belongs.
RSANetWitness115.SnapshotDetailsGet.windows.processes.pidNumberThe process ID.
RSANetWitness115.SnapshotDetailsGet.windows.processes.parentPidNumberThe parent process ID.
RSANetWitness115.SnapshotDetailsGet.windows.processes.imageBaseNumberThe process image base address.
RSANetWitness115.SnapshotDetailsGet.windows.processes.createUtcTimeStringThe process creation time.
RSANetWitness115.SnapshotDetailsGet.windows.processes.ownerStringThe user name.
RSANetWitness115.SnapshotDetailsGet.windows.processes.launchArgumentsStringThe process launch arguments.
RSANetWitness115.SnapshotDetailsGet.windows.processes.threadCountNumberThe number of threads running in the process.
RSANetWitness115.SnapshotDetailsGet.windows.processes.eprocessStringThe process identifier.
RSANetWitness115.SnapshotDetailsGet.windows.processes.sessionIdNumberThe process session ID.
RSANetWitness115.SnapshotDetailsGet.windows.processes.parentPathStringThe parent process directory.
RSANetWitness115.SnapshotDetailsGet.windows.processes.imageSizeNumberThe process image size.
RSANetWitness115.SnapshotDetailsGet.windows.processes.integrityLevelNumberThe process integrity level.
RSANetWitness115.SnapshotDetailsGet.windows.processes.contextStringThe list of process context.
RSANetWitness115.SnapshotDetailsGet.windows.dlls.createTimeDateThe process creation timestamp.
RSANetWitness115.SnapshotDetailsGet.windows.dlls.eprocessStringThe process identity.
RSANetWitness115.SnapshotDetailsGet.windows.dlls.imageSizeNumberThe size of the DLL image in memory.
RSANetWitness115.SnapshotDetailsGet.windows.threads.processNameStringThe process name.
RSANetWitness115.SnapshotDetailsGet.windows.threads.processTimeDateThe process creation timestamp.
RSANetWitness115.SnapshotDetailsGet.windows.threads.eprocessStringThe process identifier.
RSANetWitness115.SnapshotDetailsGet.windows.threads.pidNumberThe process ID.
RSANetWitness115.SnapshotDetailsGet.windows.threads.ethreadStringThe thread identifier.
RSANetWitness115.SnapshotDetailsGet.windows.threads.tidNumberThe thread ID.
RSANetWitness115.SnapshotDetailsGet.windows.threads.tebStringThe address of the thread environment block.
RSANetWitness115.SnapshotDetailsGet.windows.threads.startAddressStringThe start address of the thread in memory.
RSANetWitness115.SnapshotDetailsGet.windows.threads.stateUnknownThe thread state.
RSANetWitness115.SnapshotDetailsGet.windows.threads.behaviorKeyStringThe floating behavior resolution of the thread.
RSANetWitness115.SnapshotDetailsGet.windows.drivers.imageBaseNumberThe driver image base address.
RSANetWitness115.SnapshotDetailsGet.windows.drivers.imageSizeNumberThe driver image size.
RSANetWitness115.SnapshotDetailsGet.windows.services.serviceNameStringThe service name as identified by the system.
RSANetWitness115.SnapshotDetailsGet.windows.services.displayNameStringThe service display name.
RSANetWitness115.SnapshotDetailsGet.windows.services.descriptionStringThe service description.
RSANetWitness115.SnapshotDetailsGet.windows.services.accountStringThe name of the user the service executes as.
RSANetWitness115.SnapshotDetailsGet.windows.services.launchArgumentsStringThe launch arguments of the service.
RSANetWitness115.SnapshotDetailsGet.windows.services.serviceMainStringThe service main.
RSANetWitness115.SnapshotDetailsGet.windows.services.hostingPidNumberThe service hosting process ID.
RSANetWitness115.SnapshotDetailsGet.windows.services.stateStringThe service current state.
RSANetWitness115.SnapshotDetailsGet.windows.services.win32ErrorCodeNumberThe last Windows 32 error code from registry.
RSANetWitness115.SnapshotDetailsGet.windows.services.contextUnknownThe list of service context.
RSANetWitness115.SnapshotDetailsGet.windows.tasks.nameStringThe task name.
RSANetWitness115.SnapshotDetailsGet.windows.tasks.executeUserStringThe name of the user the task executes as.
RSANetWitness115.SnapshotDetailsGet.windows.tasks.creatorUserStringThe name of the user who created the task.
RSANetWitness115.SnapshotDetailsGet.windows.tasks.launchArgumentsStringThe launch arguments of the task.
RSANetWitness115.SnapshotDetailsGet.windows.tasks.statusUnknownThe task status.
RSANetWitness115.SnapshotDetailsGet.windows.tasks.lastRunTimeStringThe time the task was last run.
RSANetWitness115.SnapshotDetailsGet.windows.tasks.nextRunTimeStringThe next scheduled time of the task.
RSANetWitness115.SnapshotDetailsGet.windows.tasks.triggerStringStringThe textual trigger string of the task.
RSANetWitness115.SnapshotDetailsGet.windows.autoruns.typeStringThe autorun type.
RSANetWitness115.SnapshotDetailsGet.windows.autoruns.registryPathStringThe registry path where the autorun is located.
RSANetWitness115.SnapshotDetailsGet.windows.autoruns.launchArgumentsStringthe autorun launch argument.
RSANetWitness115.SnapshotDetailsGet.windows.imageHooks.process.pidStringThe PID of the process in which the hook was detected.
RSANetWitness115.SnapshotDetailsGet.windows.imageHooks.process.fileNameStringThe filename of the process in which the hook was detected.
RSANetWitness115.SnapshotDetailsGet.windows.imageHooks.process.createUtcTimeStringThe creation time of the process in which the hook was detected.
RSANetWitness115.SnapshotDetailsGet.windows.imageHooks.hookLocation.sectionStringThe name of the image section that was modified by the hook.
RSANetWitness115.SnapshotDetailsGet.windows.imageHooks.hookLocation.sectionBaseStringThe base of the image section that was modified by the hook.
RSANetWitness115.SnapshotDetailsGet.windows.imageHooks.hookLocation.symbolStringThe closest symbol name to the memory location that was modified.
RSANetWitness115.SnapshotDetailsGet.windows.imageHooks.hookLocation.symbolOffsetNumberThe closest symbol +/- offset to the hook location when relevant.
RSANetWitness115.SnapshotDetailsGet.windows.imageHooks.inlinePatch.originalBytesStringThe hexadecimal bytes which were replaced.
RSANetWitness115.SnapshotDetailsGet.windows.imageHooks.inlinePatch.originalAsmUnknownThe array of decoded ASM instructions that were replaced.
RSANetWitness115.SnapshotDetailsGet.windows.imageHooks.inlinePatch.currentBytesStringThe hexadecimal bytes that overwrote the original code.
RSANetWitness115.SnapshotDetailsGet.windows.imageHooks.inlinePatch.currentAsmUnknownThe array of decoded ASM instructions that overwrote the original code.
RSANetWitness115.SnapshotDetailsGet.windows.kernelHooks.hookLocation.objectNameStringName of the object that was hooked in kernel.
RSANetWitness115.SnapshotDetailsGet.windows.kernelHooks.hookLocation.objectFunctionStringThe name of the object function that was hooked in the kernel.
RSANetWitness115.SnapshotDetailsGet.mac.processes.priorityNumberThe process priority.
RSANetWitness115.SnapshotDetailsGet.mac.processes.flagsNumberThe process flags.
RSANetWitness115.SnapshotDetailsGet.mac.processes.niceNumberThe nice value of the process.
RSANetWitness115.SnapshotDetailsGet.mac.processes.openFilesCountNumberThe number of open files by process at scan time.
RSANetWitness115.SnapshotDetailsGet.mac.processes.contextUnknownThe process context.
RSANetWitness115.SnapshotDetailsGet.mac.processes.pidNumberThe process ID.
RSANetWitness115.SnapshotDetailsGet.mac.processes.parentPidNumberThe parent process ID.
RSANetWitness115.SnapshotDetailsGet.mac.processes.imageBaseNumberThe process image base address.
RSANetWitness115.SnapshotDetailsGet.mac.processes.createUtcTimeStringThe process UTC creation time.
RSANetWitness115.SnapshotDetailsGet.mac.processes.ownerStringThe user name.
RSANetWitness115.SnapshotDetailsGet.mac.processes.launchArgumentsStringThe process launch arguments.
RSANetWitness115.SnapshotDetailsGet.mac.processes.threadCountNumberThe number of threads running in the process.
RSANetWitness115.SnapshotDetailsGet.mac.dylibs.pidNumberThe process ID in dylibs which is loaded.
RSANetWitness115.SnapshotDetailsGet.mac.dylibs.processNameStringThe process name in dylibs.
RSANetWitness115.SnapshotDetailsGet.mac.dylibs.imageBaseStringThe process image base address in dylibs.
RSANetWitness115.SnapshotDetailsGet.mac.drivers.preLinkedBooleanTrue if the kext bundle is prelinked.
RSANetWitness115.SnapshotDetailsGet.mac.drivers.numberOfReferencesNumberThe number of references.
RSANetWitness115.SnapshotDetailsGet.mac.drivers.dependenciesUnknownThe list of kexts (name) the driver is linked against.
RSANetWitness115.SnapshotDetailsGet.mac.drivers.imageBaseStringThe driver image base address.
RSANetWitness115.SnapshotDetailsGet.mac.drivers.imageSizeStringThe driver image size.
RSANetWitness115.SnapshotDetailsGet.mac.daemons.nameStringThe daemon label.
RSANetWitness115.SnapshotDetailsGet.mac.daemons.sessionNameStringThe name of the session in which the daemon runs.
RSANetWitness115.SnapshotDetailsGet.mac.daemons.userStringThe name of the user under which the daemon runs.
RSANetWitness115.SnapshotDetailsGet.mac.daemons.pidNumberThe daemon PID.
RSANetWitness115.SnapshotDetailsGet.mac.daemons.onDemandBooleanTrue if the daemon is configured to run on demand.
RSANetWitness115.SnapshotDetailsGet.mac.daemons.lastExitCodeNumberThe daemon last exit code.
RSANetWitness115.SnapshotDetailsGet.mac.daemons.timeoutNumberThe daemon timeout value.
RSANetWitness115.SnapshotDetailsGet.mac.daemons.daemons.launchArgumentsStringThe daemon launch argument.
RSANetWitness115.SnapshotDetailsGet.mac.daemons.daemons.configStringThe full path of the configuration file used to configure the daemon.
RSANetWitness115.SnapshotDetailsGet.mac.tasks.nameStringThe task name.
RSANetWitness115.SnapshotDetailsGet.mac.tasks.cronJobBooleanTrue if the task is a cron job, else launchd.
RSANetWitness115.SnapshotDetailsGet.mac.tasks.launchArgumentsStringThe task launch argument.
RSANetWitness115.SnapshotDetailsGet.mac.tasks.userStringThe name of the user under which the task runs.
RSANetWitness115.SnapshotDetailsGet.mac.tasks.triggerStringStringThe task trigger string.
RSANetWitness115.SnapshotDetailsGet.mac.tasks.configFileStringThe full path of the configuration file used to configure the task.
RSANetWitness115.SnapshotDetailsGet.mac.autoruns.typeStringThe autorun type.
RSANetWitness115.SnapshotDetailsGet.mac.autoruns.userStringThe name of the user under which the autorun is run.
RSANetWitness115.SnapshotDetailsGet.mac.autoruns.nameStringThe autorun label.
RSANetWitness115.SnapshotDetailsGet.mac.autoruns.detailStringThe autorun details.
RSANetWitness115.SnapshotDetailsGet.linux.processes.priorityNumberThe process priority.
RSANetWitness115.SnapshotDetailsGet.linux.processes.uidNumberThe user UID.
RSANetWitness115.SnapshotDetailsGet.linux.processes.environmentStringThe process environment variables.
RSANetWitness115.SnapshotDetailsGet.linux.processes.niceNumberThe process nice value.
RSANetWitness115.SnapshotDetailsGet.linux.processes.securityContextStringThe process security context.
RSANetWitness115.SnapshotDetailsGet.linux.processes.pidNumberThe process ID.
RSANetWitness115.SnapshotDetailsGet.linux.processes.parentPidNumberThe parent process ID.
RSANetWitness115.SnapshotDetailsGet.linux.processes.imageBaseNumberThe process base address.
RSANetWitness115.SnapshotDetailsGet.linux.processes.createUtcTimeStringThe process UTC creation time.
RSANetWitness115.SnapshotDetailsGet.linux.processes.ownerStringThe user name.
RSANetWitness115.SnapshotDetailsGet.linux.processes.launchArgumentsStringThe process launch arguments.
RSANetWitness115.SnapshotDetailsGet.linux.processes.threadCountNumberThe number of threads running in the process.
RSANetWitness115.SnapshotDetailsGet.linux.loadedLibraries.pidStringThe process ID in the loaded library.
RSANetWitness115.SnapshotDetailsGet.linux.loadedLibraries.processNameStringThe process name in the loaded library.
RSANetWitness115.SnapshotDetailsGet.linux.loadedLibraries.imageBaseStringThe process image base address in the loaded library.
RSANetWitness115.SnapshotDetailsGet.linux.drivers.numberOfInstancesNumberThe number of instances loaded in memory.
RSANetWitness115.SnapshotDetailsGet.linux.drivers.loadStateStringThe driver load state.
RSANetWitness115.SnapshotDetailsGet.linux.drivers.dependenciesUnknownThe dependent driver names.
RSANetWitness115.SnapshotDetailsGet.linux.drivers.authorStringThe driver author name.
RSANetWitness115.SnapshotDetailsGet.linux.drivers.descriptionStringThe driver description.
RSANetWitness115.SnapshotDetailsGet.linux.drivers.sourceVersionStringThe driver source version.
RSANetWitness115.SnapshotDetailsGet.linux.drivers.versionMagicStringThe driver version magic.
RSANetWitness115.SnapshotDetailsGet.linux.initds.initdHashSha256StringThe hash of the init-d script file.
RSANetWitness115.SnapshotDetailsGet.linux.initds.initdPathsStringThe path of the init-d script file.
RSANetWitness115.SnapshotDetailsGet.linux.initds.pidNumberThe process ID of the init-d script file.
RSANetWitness115.SnapshotDetailsGet.linux.initds.descriptionStringThe init-d script file description.
RSANetWitness115.SnapshotDetailsGet.linux.initds.statusStringThe init-d script file status.
RSANetWitness115.SnapshotDetailsGet.linux.initds.runLevelsUnknownThe list of run levels in which the init-d script file is enabled.
RSANetWitness115.SnapshotDetailsGet.linux.systemds.systemdHashSha256StringThe systemd script file hash value.
RSANetWitness115.SnapshotDetailsGet.linux.systemds.systemdPathsStringThe systemd script file path value.
RSANetWitness115.SnapshotDetailsGet.linux.systemds.nameStringThe systemd script file name.
RSANetWitness115.SnapshotDetailsGet.linux.systemds.descriptionStringThe systemd script file description.
RSANetWitness115.SnapshotDetailsGet.linux.systemds.stateStringThe systemd script file state.
RSANetWitness115.SnapshotDetailsGet.linux.systemds.launchArgumentsStringThe systemd script file launch argument.
RSANetWitness115.SnapshotDetailsGet.linux.systemds.pidNumberThe process ID.
RSANetWitness115.SnapshotDetailsGet.linux.systemds.triggeredByUnknownThe systemd script file triggered by list.
RSANetWitness115.SnapshotDetailsGet.linux.systemds.triggerStringsUnknownThe systemd script file trigger strings.
RSANetWitness115.SnapshotDetailsGet.linux.autoruns.typeStringThe autorun type.
RSANetWitness115.SnapshotDetailsGet.linux.autoruns.labelStringThe autorun label.
RSANetWitness115.SnapshotDetailsGet.linux.autoruns.commentsStringThe autorun comments.
RSANetWitness115.SnapshotDetailsGet.linux.crons.userStringThe user account under which cron job was created.
RSANetWitness115.SnapshotDetailsGet.linux.crons.triggerStringStringThe trigger string that launches the cron job.
RSANetWitness115.SnapshotDetailsGet.linux.crons.launchArgumentsStringThe cron job launch arguments.
RSANetWitness115.SnapshotDetailsGet.fileProperties.firstFileNameStringThe first name of the file sent by the agent.
RSANetWitness115.SnapshotDetailsGet.fileProperties.reputationStatusStringThe reputation status of the file.
RSANetWitness115.SnapshotDetailsGet.fileProperties.globalRiskScoreStringThe global risk score.
RSANetWitness115.SnapshotDetailsGet.fileProperties.firstSeenTimeStringThe time the file was first seen by the endpoint server.
RSANetWitness115.SnapshotDetailsGet.machineOsTypeStringThe operating system type (Windows, Mac, Linux).
RSANetWitness115.SnapshotDetailsGet.fileProperties.signatureObjectThe file signatory information.
RSANetWitness115.SnapshotDetailsGet.fileProperties.signature.timeStampStringThe signature timestamp.
RSANetWitness115.SnapshotDetailsGet.fileProperties.signature.thumbprintStringThe certificate thumbprint.
RSANetWitness115.SnapshotDetailsGet.fileProperties.signature.contextUnknownThe certificate context information.
RSANetWitness115.SnapshotDetailsGet.fileProperties.signature.signerStringThe certificate signer information.
RSANetWitness115.SnapshotDetailsGet.fileProperties.sizeStringThe file size.
RSANetWitness115.SnapshotDetailsGet.fileProperties.checksumMd5StringThe file MD5.
RSANetWitness115.SnapshotDetailsGet.fileProperties.checksumSha1StringThe file SHA1.
RSANetWitness115.SnapshotDetailsGet.fileProperties.checksumSha256StringThe file SHA256.
RSANetWitness115.SnapshotDetailsGet.fileProperties.peObjectThe file PE information. This is applicable for Windows files.
RSANetWitness115.SnapshotDetailsGet.fileProperties.pe.timeStampStringThe PE file timestamp.
RSANetWitness115.SnapshotDetailsGet.fileProperties.pe.imageSizeStringThe PE file image size.
RSANetWitness115.SnapshotDetailsGet.fileProperties.pe.numberOfExportedFunctionsStringThe number of exported functions in the PE file.
RSANetWitness115.SnapshotDetailsGet.fileProperties.pe.numberOfNamesExportedStringThe number of names exported in the PE file.
RSANetWitness115.SnapshotDetailsGet.fileProperties.pe.numberOfExecuteWriteSectionsStringThe number of execute write sections in the PE file.
RSANetWitness115.SnapshotDetailsGet.fileProperties.pe.contextUnknownThe PE file context information.
RSANetWitness115.SnapshotDetailsGet.fileProperties.pe.resourcesObjectThe PE file resources.
RSANetWitness115.SnapshotDetailsGet.fileProperties.pe.resources.originalFileNameStringThe original filename as per PE information.
RSANetWitness115.SnapshotDetailsGet.fileProperties.pe.resources.companyStringThe company name as per PE information.
RSANetWitness115.SnapshotDetailsGet.fileProperties.pe.resources.descriptionStringThe description of the file as per PE information.
RSANetWitness115.SnapshotDetailsGet.fileProperties.pe.resources.versionStringThe version of the file as per PE information.
RSANetWitness115.SnapshotDetailsGet.fileProperties.pe.sectionNamesUnknownThe list of section names in the PE file.
RSANetWitness115.SnapshotDetailsGet.fileProperties.pe.importedLibrariesUnknownThe list of imported libraries in the PE file.
RSANetWitness115.SnapshotDetailsGet.fileProperties.elfObjectThe ELF information of the file. This is applicable for Linux files.
RSANetWitness115.SnapshotDetailsGet.elf.classTypeStringThe ELF file class type.
RSANetWitness115.SnapshotDetailsGet.elf.dataStringThe ELF file data.
RSANetWitness115.SnapshotDetailsGet.elf.entryPointStringThe ELF file entry point.
RSANetWitness115.SnapshotDetailsGet.elf.contextUnknownThe ELF file context information.
RSANetWitness115.SnapshotDetailsGet.elf.typeStringThe ELF file type.
RSANetWitness115.SnapshotDetailsGet.elf.sectionNamesUnknownThe list of section names in the ELF file.
RSANetWitness115.SnapshotDetailsGet.elf.importedLibrariesUnknownThe list of imported libraries in the ELF file.
RSANetWitness115.SnapshotDetailsGet.fileProperties.machoObjectThe Macho file information. This is applicable for Mac files.
RSANetWitness115.SnapshotDetailsGet.macho.uuidStringThe Macho file UUID.
RSANetWitness115.SnapshotDetailsGet.macho.identifierStringThe Macho file identifier.
RSANetWitness115.SnapshotDetailsGet.macho.minOsxVersionStringThe minimum OSx version for the Macho file.
RSANetWitness115.SnapshotDetailsGet.macho.contextUnknownThe Macho file context information.
RSANetWitness115.SnapshotDetailsGet.macho.flagsStringThe Macho file flags.
RSANetWitness115.SnapshotDetailsGet.macho.numberOfLoadCommandsStringThe number of Macho file load commands.
RSANetWitness115.SnapshotDetailsGet.macho.versionStringThe Macho file version.
RSANetWitness115.SnapshotDetailsGet.macho.sectionNamesUnknownThe Macho file section names.
RSANetWitness115.SnapshotDetailsGet.macho.importedLibrariesUnknownThe Macho file imported libraries list.
RSANetWitness115.SnapshotDetailsGet.fileProperties.entropyStringThe file entropy.
RSANetWitness115.SnapshotDetailsGet.fileProperties.formatStringThe file format.
RSANetWitness115.SnapshotDetailsGet.fileProperties.fileStatusStringThe file status as assigned by the analyst. Can be Whitelist, Blacklist, Neutral, or Graylist.
RSANetWitness115.SnapshotDetailsGet.fileProperties.remediationActionStringThe remediation action as assigned by the analyst. For example, Blocked.
RSANetWitness115.SnapshotDetailsGet.localRiskScoreNumberThe file score based on alerts triggered in the given agent.

Command example#

!rsa-nw-snapshot-details-get agent_id=1 snapshot_timestamp=2022-01-09T16:42:45.661Z categories=AUTORUNS

Context Example#

{
"RSANetWitness115": {
"SnapshotDetailsGet": [
{
"accessMode": 0,
"agentId": "1",
"agentVersion": "1",
"attributes": [
"file.attribute.archive"
],
"autorunContext": null,
"directory": "C:\\Windows\\System32\\",
"directoryContext": [
"windows",
"windowsSystem32"
],
"fileContext": [
"file.autorun",
"file.found",
"file.protected"
],
"fileName": "cmd.exe",
"fileProperties": {
"checksumMd5": "1",
"checksumSha1": "1",
"checksumSha256": "1",
"elf": null,
"entropy": 1,
"fileStatus": "Neutral",
"firstFileName": "cmd.exe",
"firstSeenTime": "2021-07-27T07:18:36.416Z",
"format": "pe",
"globalRiskScore": 0,
"machineOsType": "windows",
"macho": null,
"pe": {
"context": [
"file.exe
],
"imageSize": 413696,
"importedLibraries": [
"msvcrt.dll"
],
"numberOfExecuteWriteSections": 0,
"numberOfExportedFunctions": 0,
"numberOfNamesExported": 0,
"resources": {
"company": "Microsoft Corporation",
"description": "Windows Command Processor",
"originalFileName": "Cmd.Exe",
"version": null
},
"sectionNames": [
".text",
".rdata",
".data",
".pdata",
".didat",
".rsrc",
".reloc"
],
"timeStamp": "2008-05-30T00:32:37.000Z"
},
"remediationAction": "Unblock",
"reputationStatus": null,
"signature": {
"context": [
"microsoft",
"signed",
"valid",
"catalog"
],
"signer": "Microsoft Windows",
"thumbprint": "1",
"timeStamp": "2021-07-04T12:36:11.241Z"
},
"size": 278528
},
"hostName": "hostName",
"kernelModeContext": null,
"linux": null,
"localRiskScore": 0,
"mac": null,
"machineOsType": "windows",
"networkContext": null,
"owner": null,
"processContext": null,
"rpm": null,
"sameDirectoryFileCounts": {
"exe": 3280,
"exeSameCompany": 3248,
"hiddenFiles": 0,
"nonExe": 563,
"subFolder": 121
},
"scanStartTime": "2022-01-09T16:42:45.661Z",
"timeAccessed": "2021-01-13T21:15:45.606Z",
"timeCreated": "2021-01-13T21:15:45.574Z",
"timeModified": "2021-01-13T21:15:45.606Z",
"userModeContext": null,
"windows": {
"autoruns": [
{
"launchArguments": "",
"registryPath": "",
"type": "logon"
}
],
"dlls": [],
"drivers": [],
"imageHooks": [],
"kernelHooks": [],
"processes": [],
"services": [],
"tasks": [
{
"creatorUser": "",
"executeUser": "Author",
"lastRunTime": "2021-07-15T12:04:04.000+0000",
"launchArguments": "/C C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoProfile -NonInteractive -NoLogo -ExecutionPolicy Unrestricted -File \"C:\\ProgramData\\Amazon\\EC2-Windows\\Launch\\Scripts\\InitializeInstance.ps1\"",
"name": "\\Amazon Ec2 Launch - Instance Initialization",
"nextRunTime": "1899-12-30T00:00:00.000+0000",
"status": [
"disabled",
"startOnDemand",
"dontStartOnBatteries"
],
"triggerString": "Starts the task when the task is registered."
},
{
"creatorUser": "",
"executeUser": "LocalSystem",
"lastRunTime": "1999-11-30T00:00:00.000+0000",
"launchArguments": "/d /c %systemroot%\\system32\\silcollector.cmd publish",
"name": "\\Microsoft\\Windows\\Software Inventory Logging\\Collection",
"nextRunTime": "2022-01-09T17:04:38.000+0000",
"status": [
"disabled",
"dontStartOnBatteries",
"hidden"
],
"triggerString": "Triggers the task at a specific time of day."
},
{
"creatorUser": "",
"executeUser": "LocalSystem",
"lastRunTime": "2021-07-27T07:16:33.000+0000",
"launchArguments": "/d /c %systemroot%\\system32\\silcollector.cmd configure",
"name": "\\Microsoft\\Windows\\Software Inventory Logging\\Configuration",
"nextRunTime": "1899-12-30T00:00:00.000+0000",
"status": [
"ready",
"dontStartOnBatteries",
"hidden"
],
"triggerString": "Starts the task when the task is registered."
}
],
"threads": []
}
}
]
}
}

Human Readable Output#

Snapshot details for agent id 1-#

showing 2 results out of 2 |hostName|agentId|scanStartTime|directory|fileName| |---|---|---|---|---| | hostName | 1 | 2022-01-09T16:42:45.661Z | C:\Windows\System32\ | cmd.exe |

rsa-nw-files-list#


Lists all related file information from a specific endpoint server. You can limit the results using the limit argument or the page size argument.

Base Command#

rsa-nw-files-list

Input#

Argument NameDescriptionRequired
service_idThe service ID of the specific endpoint Server. View all service IDs using the 'rsa-nw-services-list' command. If none is given, the service ID configured in the integration configuration is used.Optional
page_numberThe requested page number, first page is number 0. Cannot be supplied with the limit argument.Optional
page_sizeThe maximum number of items to return in a single page. Cannot be supplied with the limit argument.Optional
limitThe maximum number of results to be returned. If not set, the first 10 results are returned. Cannot be supplied with page_size/page_number arguments.Optional

Context Output#

PathTypeDescription
RSANetWitness115.FilesList.windows.autoruns.typeStringThe autorun type.
RSANetWitness115.FilesList.windows.autoruns.registryPathStringThe registry path where autorun is located.
RSANetWitness115.FilesList.windows.autoruns.launchArgumentsStringThe autorun launch argument.
RSANetWitness115.FilesList.windows.imageHooks.process.pidStringThe PID of the process the hook was detected in.
RSANetWitness115.FilesList.windows.imageHooks.process.fileNameStringThe file name of the process the hook was detected in.
RSANetWitness115.FilesList.windows.imageHooks.process.createUtcTimeStringThe creation time of the process the hook was detected in.
RSANetWitness115.FilesList.windows.imageHooks.hookLocation.sectionStringThe name of the image section modified by the hook.
RSANetWitness115.FilesList.windows.imageHooks.hookLocation.sectionBaseStringThe image section base modified by the hook.
RSANetWitness115.FilesList.windows.imageHooks.hookLocation.symbolStringThe closest symbol name to the memory location that was modified.
RSANetWitness115.FilesList.windows.imageHooks.hookLocation.symbolOffsetNumberThe closest symbol +/- offset to the hook location when relevant.
RSANetWitness115.FilesList.windows.imageHooks.inlinePatch.originalBytesStringThe hexadecimal bytes that were replaced.
RSANetWitness115.FilesList.windows.imageHooks.inlinePatch.originalAsmUnknownThe array of decoded ASM instructions that were replaced.
RSANetWitness115.FilesList.windows.imageHooks.inlinePatch.currentBytesStringThe hexadecimal bytes that overwrote the original code.
RSANetWitness115.FilesList.windows.imageHooks.inlinePatch.currentAsmUnknownThe array of decoded ASM instructions that overwrote the original code.
RSANetWitness115.FilesList.windows.kernelHooks.hookLocation.objectNameStringThe name of the object that was hooked in the kernel.
RSANetWitness115.FilesList.windows.kernelHooks.hookLocation.objectFunctionStringThe name of the object function that was hooked in the kernel.
RSANetWitness115.FilesList.mac.processes.priorityNumberThe process priority.
RSANetWitness115.FilesList.mac.processes.flagsNumberThe process flags.
RSANetWitness115.FilesList.mac.processes.niceNumberThe process nice value.
RSANetWitness115.FilesList.mac.processes.openFilesCountNumberThe number of open files by the process at scan time.
RSANetWitness115.FilesList.mac.processes.contextUnknownThe process context.
RSANetWitness115.FilesList.mac.processes.pidNumberThe process ID.
RSANetWitness115.FilesList.mac.processes.parentPidNumberThe parent process ID.
RSANetWitness115.FilesList.mac.processes.imageBaseNumberThe process image base address.
RSANetWitness115.FilesList.mac.processes.createUtcTimeStringThe process UTC creation time.
RSANetWitness115.FilesList.mac.processes.ownerStringThe user name.
RSANetWitness115.FilesList.mac.processes.launchArgumentsStringThe process launch arguments.
RSANetWitness115.FilesList.mac.processes.threadCountNumberThe number of threads running in the process.
RSANetWitness115.FilesList.mac.dylibs.pidNumberThe process ID in dylibs which is loaded.
RSANetWitness115.FilesList.mac.dylibs.processNameStringThe process name in dylibs.
RSANetWitness115.FilesList.mac.dylibs.imageBaseStringThe process image base address in dylibs.
RSANetWitness115.FilesList.mac.drivers.preLinkedBooleanTrue if the kext bundle is prelinked.
RSANetWitness115.FilesList.mac.drivers.numberOfReferencesNumberThe number of references.
RSANetWitness115.FilesList.mac.drivers.dependenciesUnknownThe list of kexts(name) the driver is linked against.
RSANetWitness115.FilesList.mac.drivers.imageBaseStringThe driver image base address.
RSANetWitness115.FilesList.mac.drivers.imageSizeStringThe driver image size.
RSANetWitness115.FilesList.mac.daemons.nameStringThe daemon label.
RSANetWitness115.FilesList.mac.daemons.sessionNameStringThe name of the session in which daemon runs.
RSANetWitness115.FilesList.mac.daemons.userStringThe name of the user under which the daemon runs.
RSANetWitness115.FilesList.mac.daemons.pidNumberThe daemon ID.
RSANetWitness115.FilesList.mac.daemons.onDemandBooleanTrue if the daemon is configured to run on demand.
RSANetWitness115.FilesList.mac.daemons.lastExitCodeNumberThe daemon last exit code.
RSANetWitness115.FilesList.mac.daemons.timeoutNumberThe daemon timeout value.
RSANetWitness115.FilesList.mac.daemons.daemons.launchArgumentsStringThe daemon launch argument.
RSANetWitness115.FilesList.mac.daemons.daemons.configStringThe full path of the configuration file used to configure the daemon.
RSANetWitness115.FilesList.mac.tasks.nameStringThe task name.
RSANetWitness115.FilesList.mac.tasks.cronJobBooleanTrue if the task is a cron job, else launchd.
RSANetWitness115.FilesList.mac.tasks.launchArgumentsStringThe task launch argument.
RSANetWitness115.FilesList.mac.tasks.userStringThe name of the user under which this task will run.
RSANetWitness115.FilesList.mac.tasks.triggerStringStringThe task trigger string.
RSANetWitness115.FilesList.mac.tasks.configFileStringThe full path of the configuration file used to configure the task.
RSANetWitness115.FilesList.mac.autoruns.typeStringThe autorun type.
RSANetWitness115.FilesList.mac.autoruns.userStringThe name of the user under which the autorun is run.
RSANetWitness115.FilesList.mac.autoruns.nameStringThe autorun label.
RSANetWitness115.FilesList.mac.autoruns.detailStringThe autorun details.
RSANetWitness115.FilesList.linux.processes.priorityNumberThe process priority.
RSANetWitness115.FilesList.linux.processes.uidNumberThe user UID.
RSANetWitness115.FilesList.linux.processes.environmentStringThe environment variables.
RSANetWitness115.FilesList.linux.processes.niceNumberThe process nice value.
RSANetWitness115.FilesList.linux.processes.securityContextStringThe process security context.
RSANetWitness115.FilesList.linux.processes.pidNumberThe process ID.
RSANetWitness115.FilesList.linux.processes.parentPidNumberThe parent process ID.
RSANetWitness115.FilesList.linux.processes.imageBaseNumberThe process base address.
RSANetWitness115.FilesList.linux.processes.createUtcTimeStringThe process UTC creation time.
RSANetWitness115.FilesList.linux.processes.ownerStringThe user name.
RSANetWitness115.FilesList.linux.processes.launchArgumentsStringThe process launch arguments.
RSANetWitness115.FilesList.linux.processes.threadCountNumberThe number of threads running in the process.
RSANetWitness115.FilesList.linux.loadedLibraries.pidStringThe process ID in the loaded library.
RSANetWitness115.FilesList.linux.loadedLibraries.processNameStringThe process name in the loaded library.
RSANetWitness115.FilesList.linux.loadedLibraries.imageBaseStringThe process image base address in the loaded library.
RSANetWitness115.FilesList.linux.drivers.numberOfInstancesNumberThe number of instances loaded in memory.
RSANetWitness115.FilesList.linux.drivers.loadStateStringThe driver load state.
RSANetWitness115.FilesList.linux.drivers.dependenciesUnknownThe dependent driver names.
RSANetWitness115.FilesList.linux.drivers.authorStringThe driver author name.
RSANetWitness115.FilesList.linux.drivers.descriptionStringThe driver description.
RSANetWitness115.FilesList.linux.drivers.sourceVersionStringThe driver source version.
RSANetWitness115.FilesList.linux.drivers.versionMagicStringThe driver version magic.
RSANetWitness115.FilesList.linux.initds.initdHashSha256StringThe init-d script file hash.
RSANetWitness115.FilesList.linux.initds.initdPathsStringThe init-d script file path.
RSANetWitness115.FilesList.linux.initds.pidNumberThe init-d script file process ID.
RSANetWitness115.FilesList.linux.initds.descriptionStringThe init-d script file description.
RSANetWitness115.FilesList.linux.initds.statusStringThe init-d script file status.
RSANetWitness115.FilesList.linux.initds.runLevelsUnknownThe ist of run levels in which the init-d script file is enabled.
RSANetWitness115.FilesList.linux.systemds.systemdHashSha256StringThe systemd script file hash value.
RSANetWitness115.FilesList.linux.systemds.systemdPathsStringThe systemd script file path value.
RSANetWitness115.FilesList.linux.systemds.nameStringThe systemd script file name.
RSANetWitness115.FilesList.linux.systemds.descriptionStringThe systemd script file description.
RSANetWitness115.FilesList.linux.systemds.stateStringThe systemd script file state.
RSANetWitness115.FilesList.linux.systemds.launchArgumentsStringThe systemd script file launch argument.
RSANetWitness115.FilesList.linux.systemds.pidNumberThe systemd script file process ID.
RSANetWitness115.FilesList.linux.systemds.triggeredByUnknownThe systemd script file triggered by list.
RSANetWitness115.FilesList.linux.systemds.triggerStringsUnknownThe systemd script file trigger strings.
RSANetWitness115.FilesList.linux.autoruns.typeStringThe autorun type.
RSANetWitness115.FilesList.linux.autoruns.labelStringThe autorun label.
RSANetWitness115.FilesList.linux.autoruns.commentsStringThe autorun comments.
RSANetWitness115.FilesList.linux.crons.userStringThe user account under which cron job was created.
RSANetWitness115.FilesList.linux.crons.triggerStringStringThe trigger string that launches the cron job.
RSANetWitness115.FilesList.linux.crons.launchArgumentsStringThe cron job launch arguments.
RSANetWitness115.FilesList.firstFileNameStringThe first name of the file sent by the agent.
RSANetWitness115.FilesList.reputationStatusStringThe file reputation status.
RSANetWitness115.FilesList.globalRiskScoreStringThe global risk score.
RSANetWitness115.FilesList.firstSeenTimeStringThe time the file was first seen by the endpoint server.
RSANetWitness115.FilesList.fileProperties.machineOsTypeStringThe operating system type (Windows, Mac, Linux).
RSANetWitness115.FilesList.signatureObjectThe file signatory information.
RSANetWitness115.FilesList.signature.timeStampStringThe signature timestamp.
RSANetWitness115.FilesList.signature.thumbprintStringThe certificate thumbprint.
RSANetWitness115.FilesList.signature.contextUnknownThe certificate context information.
RSANetWitness115.FilesList.signature.signerStringThe certificate signer information.
RSANetWitness115.FilesList.sizeStringThe file size.
RSANetWitness115.FilesList.checksumMd5StringThe file MD5.
RSANetWitness115.FilesList.checksumSha1StringThe file SHA1.
RSANetWitness115.FilesList.checksumSha256StringThe file SHA256.
RSANetWitness115.FilesList.peObjectThe file PE information. This is applicable for Windows files.
RSANetWitness115.FilesList.pe.timeStampStringThe PE file timestamp.
RSANetWitness115.FilesList.pe.imageSizeStringThe PE file image size.
RSANetWitness115.FilesList.pe.numberOfExportedFunctionsStringThe number of exported functions in the PE file.
RSANetWitness115.FilesList.pe.numberOfNamesExportedStringThe number of names exported in the PE file.
RSANetWitness115.FilesList.pe.numberOfExecuteWriteSectionsStringThe number of execute write sections in the PE file.
RSANetWitness115.FilesList.pe.contextUnknownThe PE file context information.
RSANetWitness115.FilesList.pe.resourcesObjectThe PE file resources.
RSANetWitness115.FilesList.pe.resources.originalFileNameStringThe original filename as per PE information.
RSANetWitness115.FilesList.pe.resources.companyStringThe company name as per PE information.
RSANetWitness115.FilesList.pe.resources.descriptionStringThe file description as per PE information.
RSANetWitness115.FilesList.pe.resources.versionStringThe file version as per PE information.
RSANetWitness115.FilesList.pe.sectionNamesUnknownThe list of section names in the PE file.
RSANetWitness115.FilesList.pe.importedLibrariesUnknownThe list of imported libraries in the PE file.
RSANetWitness115.FilesList.elfObjectThe file ELF information. This is applicable for Linux files.
RSANetWitness115.FilesList.elf.classTypeStringThe ELF file Class type.
RSANetWitness115.FilesList.elf.dataStringThe ELF file data.
RSANetWitness115.FilesList.elf.entryPointStringThe ELF file entry point.
RSANetWitness115.FilesList.elf.contextUnknownThe ELF file context information.
RSANetWitness115.FilesList.elf.typeStringThe ELF file type.
RSANetWitness115.FilesList.elf.sectionNamesUnknownThe list of section names in the ELF file.
RSANetWitness115.FilesList.elf.importedLibrariesUnknownThe list of imported libraries in the ELF file.
RSANetWitness115.FilesList.machoObjectThe file Macho information. This is applicable for Mac files.
RSANetWitness115.FilesList.macho.uuidStringThe Macho file UUID.
RSANetWitness115.FilesList.macho.identifierStringThe Macho file identifier.
RSANetWitness115.FilesList.macho.minOsxVersionStringThe minimum OSx version for the Macho file.
RSANetWitness115.FilesList.macho.contextUnknownThe Macho file context information.
RSANetWitness115.FilesList.macho.flagsStringThe Macho file flags.
RSANetWitness115.FilesList.macho.numberOfLoadCommandsStringThe number of load commands for the Macho file.
RSANetWitness115.FilesList.macho.versionStringThe Macho file version.
RSANetWitness115.FilesList.macho.sectionNamesUnknownThe Macho file section names.
RSANetWitness115.FilesList.macho.importedLibrariesUnknownThe Macho file imported libraries list.
RSANetWitness115.FilesList.entropyStringThe file entropy.
RSANetWitness115.FilesList.formatStringThe file format.
RSANetWitness115.FilesList.fileStatusStringThe file status as assigned by the analyst. Can be Whitelist, Blacklist, Neutral, or Graylist.
RSANetWitness115.FilesList.remediationActionStringThe remediation action as assigned by the analyst. For example, Blocked.
RSANetWitness115.FilesList.localRiskScoreNumberThe file score based on alerts triggered in the given agent.

Command example#

!rsa-nw-files-list limit=1

Context Example#

{
"RSANetWitness115": {
"FilesList": {
"checksumMd5": "1",
"checksumSha1": "1",
"checksumSha256": "1",
"elf": null,
"entropy": 7.940328994398384,
"fileStatus": "Neutral",
"firstFileName": "AM_Delta_Patch_1.355.1597.0.exe",
"firstSeenTime": "2022-01-09T08:31:01.525Z",
"format": "pe",
"globalRiskScore": 0,
"machineOsType": "windows",
"macho": null,
"pe": {
"context": [
"file.exe",
"file.arch64",
"file.versionInfoPresent",
"file.resourceDirectoryPresent",
"file.relocationDirectoryPresent",
"file.debugDirectoryPresent",
"file.tlsDirectoryPresent",
"file.richSignaturePresent",
"file.companyNameContainsText",
"file.descriptionContainsText",
"file.versionContainsText",
"file.internalNameContainsText",
"file.legalCopyrightContainsText",
"file.originalFilenameContainsText",
"file.productNameContainsText",
"file.productVersionContainsText",
"file.standardVersionMetaPresent"
],
"imageSize": 2617344,
"importedLibraries": [
"ADVAPI32.dll",
"KERNEL32.dll",
"RPCRT4.dll",
"ntdll.dll"
],
"numberOfExecuteWriteSections": 0,
"numberOfExportedFunctions": 0,
"numberOfNamesExported": 0,
"resources": {
"company": "Microsoft Corporation",
"description": "Microsoft Antimalware WU Stub",
"originalFileName": "AM_Delta_Patch_1.355.1597.0.exe",
"version": null
},
"sectionNames": [
".text",
".rdata",
".data",
".pdata",
".rsrc",
".reloc"
],
"timeStamp": "2022-01-09T03:25:21.000Z"
},
"remediationAction": "Unblock",
"reputationStatus": null,
"signature": {
"context": [
"microsoft",
"signed",
"valid"
],
"signer": "Microsoft Corporation",
"thumbprint": "1",
"timeStamp": "2022-01-09T03:30:35.633Z"
},
"size": 2618848
},
"paging": {
"FilesList": {
"hasNext": true,
"hasPrevious": false,
"pageNumber": 0,
"pageSize": 1,
"totalItems": 1449,
"totalPages": 1449
}
}
}
}

Human Readable Output#

Total Retrieved Files : 1#

Page number 0 out of 1449 |File Name|Risk Score|First Seen Time|Size|Signature|PE Resources|File Status|Remediation| |---|---|---|---|---|---|---|---| | AM_Delta_Patch_1.355.1597.0.exe | 0 | 2022-01-09T08:31:01.525Z | 2618848 | timeStamp: 2022-01-09T03:30:35.633Z
thumbprint: 1
context: microsoft,
signed,
valid
signer: Microsoft Corporation | originalFileName: AM_Delta_Patch_1.355.1597.0.exe
company: Microsoft Corporation
description: Microsoft Antimalware WU Stub
version: null | Neutral | Unblock |

rsa-nw-scan-request#


Starts a scan for the host with the specified agent ID. Each scan produces a snapshot, the full details can be seen using the 'rsa-nw-snapshot-details-get' command.

Base Command#

rsa-nw-scan-request

Input#

Argument NameDescriptionRequired
agent_idThe host agent ID.Required
service_idThe service ID of the specific endpoint server. View all service IDs using the 'rsa-nw-services-list' command. If none is given, the service ID configured in the integration configuration is used.Optional
cpu_maxYou can use cpuMax to specify the amount of CPU the agent can use to run the scan. You can choose a value from 5 to 100. If you do not specify a value, the agent uses the default 25% CPU for the scan.Optional

Context Output#

There is no context output for this command.

Command example#

!rsa-nw-scan-request agent_id=1

Human Readable Output#

Scan request for host 1 Sent Successfully

rsa-nw-scan-stop-request#


Stop a scan for the host with the specified agent ID.

Base Command#

rsa-nw-scan-stop-request

Input#

Argument NameDescriptionRequired
agent_idUnique identifier of the host.Required
service_idThe service ID of the specific endpoint server. View all service IDs using the 'rsa-nw-services-list' command. If none is given, the service ID configured in the integration configuration is used.Optional

Context Output#

There is no context output for this command.

Command example#

!rsa-nw-scan-stop-request agent_id=1

Human Readable Output#

Scan cancellation request for host 1, sent successfully

rsa-nw-host-alerts-list#


Gets all alerts triggered for a given host.

Base Command#

rsa-nw-host-alerts-list

Input#

Argument NameDescriptionRequired
agent_idUnique host identifier.Required
service_idThe service ID of the specific endpoint server. View all service IDs using the 'rsa-nw-services-list' command. If none is given, the service ID configured in the integration configuration is used.Optional
alert_categoryFilter alerts based on the category. Can be Critical, High, Medium, or Low. Possible values are: Critical, High, Medium, Low.Optional

Context Output#

PathTypeDescription
RSANetWitness115.HostAlerts.idStringThe entity ID for which the score needs to be queried. Use agent ID for hosts and checksum for files.
RSANetWitness115.HostAlerts.distinctAlertCount.criticalNumberThe number of critical alerts.
RSANetWitness115.HostAlerts.distinctAlertCount.highNumberThe number of high alerts.
RSANetWitness115.HostAlerts.distinctAlertCount.mediumNumberThe number of medium alerts.
RSANetWitness115.HostAlerts.distinctAlertCount.lowNumberThe number of low alerts.
RSANetWitness115.HostAlerts.categorizedAlertsStringThe alert and event count for a file/host, categorized by severity.

Command example#

!rsa-nw-host-alerts-list agent_id=1

Context Example#

{
"RSANetWitness115": {
"HostAlerts": {
"categorizedAlerts": {},
"distinctAlertCount": {
"critical": 0,
"high": 0,
"low": 0,
"medium": 0
},
"id": "1"
}
}
}

Human Readable Output#

Results#

categorizedAlertsdistinctAlertCountid
critical: 0
high: 0
medium: 0
low: 0
1

rsa-nw-file-alerts-list#


Gets all alerts triggered for a given file.

Base Command#

rsa-nw-file-alerts-list

Input#

Argument NameDescriptionRequired
check_sumThe file hash, either md5 or sha256. Possible values are: .Required
service_idThe service ID of the specific endpoint server. View all service IDs using the 'rsa-nw-services-list' command. If none is given, the service ID configured in the integration configuration is used.Optional
alert_categoryFilter alerts based on the category. Can be Critical, High, Medium, or Low. Possible values are: Critical, High, Medium, Low.Optional

Context Output#

PathTypeDescription
RSANetWitness115.FileAlerts.idStringThe entity ID for which score needs to be queried. Use agent ID for hosts and checksum for files.
RSANetWitness115.FileAlerts.distinctAlertCount.criticalNumberThe number of critical alerts.
RSANetWitness115.FileAlerts.distinctAlertCount.highNumberThe number of high alerts.
RSANetWitness115.FileAlerts.distinctAlertCount.mediumNumberThe number of medium alerts.
RSANetWitness115.FileAlerts.distinctAlertCount.lowNumberThe number of low alerts.
RSANetWitness115.FileAlerts.categorizedAlertsStringThe alert and event count for a file/host, categorized by severity.

Command example#

!rsa-nw-file-alerts-list check_sum=5dad5b58ad14d95b29ef7fc2e685fa3270e9c3a347d4183c84b1cbbf29ab2510

Context Example#

{
"RSANetWitness115": {
"FileAlerts": {
"categorizedAlerts": {},
"distinctAlertCount": {
"critical": 0,
"high": 0,
"low": 0,
"medium": 0
},
"id": "1"
}
}
}

Human Readable Output#

Results#

categorizedAlertsdistinctAlertCountid
critical: 0
high: 0
medium: 0
low: 0
1

rsa-nw-file-download#


Initiate file download for a single file or multiple files to the endpoint server.

Base Command#

rsa-nw-file-download

Input#

Argument NameDescriptionRequired
agent_idThe host agent ID.Required
service_idThe service ID of the specific endpoint server. View all service IDs using the 'rsa-nw-services-list' command. If none is given, the service ID configured in the integration configuration is used.Optional
pathThe path where the files may be present, either specify a single file path or use a wild card. for example - "C:\Users\sample*" . To see scanned files paths use the command 'rsa-nw-snapshot-details-get'.Required
count_filesThe maximum number of files returned by the host matching the wild card path. Default is 10.Optional
max_file_sizeThe maximum size of each file (in MB) when using a wild card path. Default is 100.Optional

Context Output#

There is no context output for this command.

Command example#

!rsa-nw-file-download agent_id=1 path=path/to/file

Human Readable Output#

Request for download path/to/file sent successfully

rsa-nw-mft-download-request#


Initiates the MFT download to the endpoint server.

Base Command#

rsa-nw-mft-download-request

Input#

Argument NameDescriptionRequired
agent_idThe host agent ID.Required
service_idThe service ID of the endpoint server to be connected.Optional
pathDrive or NTFS mount path for which MFT is requested.Optional

Context Output#

There is no context output for this command.

rsa-nw-system-dump-download-request#


Initiates the download of the system dump to the endpoint server.

Base Command#

rsa-nw-system-dump-download-request

Input#

Argument NameDescriptionRequired
agent_idThe host agent ID.Required
service_idThe service ID of the endpoint server to be connected.Optional

Context Output#

There is no context output for this command.

rsa-nw-process-dump-download-request#


Initiates the download of the process dump to the endpoint server. You can find the process details by using the 'rsa-nw-snapshot-details-get' and filter by category=PROCESSES, or use the RSA NW UI.

Base Command#

rsa-nw-process-dump-download-request

Input#

Argument NameDescriptionRequired
agent_idThe host agent ID.Required
service_idThe service ID of the endpoint server to be connected.Optional
process_idThe process ID.Required
eprocessThe process identifier in Windows.Required
file_namethe file name.Required
pathThe file path.Optional
hashThe hash (sha256 or md5) of the file. Can be found in the 'rsa-nw-snapshot-details-get' command response under field fileProperties.checksumSha256 or fileProperties.checksumMd5.Required
process_create_utctimeThe process UTC created time. Can be found in the 'rsa-nw-snapshot-details-get' response under field windows.processes.createUtcTime.Required

Context Output#

There is no context output for this command.

rsa-nw-endpoint-isolate-from-network#


Isolates the host with the specified agent ID from the network.

Base Command#

rsa-nw-endpoint-isolate-from-network

Input#

Argument NameDescriptionRequired
agent_idThe unique host identifier.Required
service_idThe service ID of the endpoint server to be connected.Optional
allow_dns_only_by_systemAllow DNS communication. Possible values are: True, False.Optional
exclusion_listA comma-separated list of IPv4 or IPv6 addresses to excluded from isolation. For example, 1.2.3.4,11:22:33:44.Optional
commentAdditional information.Required

Context Output#

There is no context output for this command.

rsa-nw-endpoint-update-exclusions#


Updates the network isolation exclusion list for the host with the specified agent ID.

Base Command#

rsa-nw-endpoint-update-exclusions

Input#

Argument NameDescriptionRequired
agent_idThe unique host identifier.Required
service_idThe service ID of the endpoint server to be connected.Optional
allow_dns_only_by_systemAllows DNS communication.Optional
exclusion_listA comma-separated list of IPv4 or IPv6 addresses to excluded from isolation. For example, 1.2.3.4,11:22:33:44.Required
commentAdditional information.Required

Context Output#

There is no context output for this command.

rsa-nw-endpoint-isolation-remove#


Restores the network connection and removes IP addresses added to the exclusion list for the host with the specified agent ID.

Base Command#

rsa-nw-endpoint-isolation-remove

Input#

Argument NameDescriptionRequired
agent_idThe unique host identifier.Required
service_idThe service ID of the endpoint server to be connected.Optional
allow_dns_only_by_systemAllows DNS communication.Optional
commentAdditional information.Required

Context Output#

There is no context output for this command.

Create a filter for hosts-list command#

You can create a custom filter for the ras-nw-hosts-list command, here is a short explanation. The basic filter that can be used is of this format -

'{
"criteria": {
"criteriaList": [
{
"expressionList": [{ "propertyName": "agentId", "restrictionType":
"EQUAL","propertyValues": [{"value": "2F53FC2C-A737-B34B-6813-12E48379C15D"}]}]
} ]
}'

The following are the supported 'restrictionType'

• Operators that require no value: IS_NULL, IS_NOT_NULL.

• Operators that require one value: LIKE, NOT_LIKE, EQUAL, NOT_EQUAL, LESS_THAN,LESS_THAN_OR_EQUAL_TO, GREATER_THAN, GREATER_THAN_OR_EQUAL_TO.

• Operators that require two value: BETWEEN, NOT_BETWEEN.

• Operators that uses multiple value: IN, NOT_IN.

The following are the supported 'predicateType' - AND, OR, NOT.

a more complex example -

{
"criteria": {
"criteriaList": [
{
"criteriaList": [],
"expressionList": [
{
"propertyName": "hostName",
"restrictionType": "LIKE",
"propertyValues": [
{
"value": "WIN-854PACLCQ07-VC",
"relative": false
}
]
}
],
"predicateType": "AND"
},
{
"criteriaList": [],
"expressionList": [
{
"propertyName": "riskScore",
"restrictionType": "BETWEEN",
"propertyValues": [
{
"value": 0,
"relative": false
},
{
"value": 100,
"relative": false
}
]
}
],
"predicateType": "OR"
}
],
"expressionList": [],
"predicateType": "AND"
},
"sort": {
"keys": [
"riskScore"
],
"descending": true
}
}