RSA NetWitness Platform
App Vendor: RSA Security
Connector Category: Network Security
Connector Version: 1.0.0
API Version: 1.0.0
About App
The RSA NetWitness Platform accelerates threat detection and response by collecting and analyzing data across an array of capture points (logs, packets, netflow, and endpoint) and computing platforms (physical, virtual, and cloud). The platform can also enrich this data with threat intelligence and business context. It allows security analysts to prioritize, investigate, and respond to threats in their environment quickly and precisely.
The RSA NetWitness app is configured with the Orchestrate application to perform the following actions:
Action Name | Description |
---|---|
Release from network isolation | This action restores the network connection and removes IP addresses added to the exclusion list for the host with the specified agent ID. |
Request Network Isolation | This action isolates the host with the specified agent ID from the network. |
Request process dump download | This action initiates the download of the process dump to the endpoint server. |
Request system dump download | This action can be used to initiate the download of the system dump to the Endpoint Server. |
Request multiple files download to server | This action downloads multiple files and can be used for incident investigation. |
Request file download to server | This action downloads a particular file and can be used for incident investigation. |
Get alerts for File | This action retrieves all alerts triggered for a given file. |
Get alerts for Host | This action retrieves all alerts triggered for a given host. |
Request Scan | This action starts a scan for the host with the specified agent ID. |
Get File Information | This action retrieves information about a particular file and can be used for incident investigation. This information is specific to the unique file and does not include any host info. |
Snapshot details for Host | This action retrieves snapshot details of the given host for the provided snapshot time. |
List snapshots for Host | This action retrieves a list of snapshots, which are IDs to fetch the snapshot details of the host. |
Get Host | This action retrieves the list of all hosts' information from a particular Endpoint Server. |
Get Incident Alerts | This action retrieves all alerts that are associated with an incident using the incident’s unique identifier. |
Add Journal Entry | This action adds a Journal entry or a note to an existing incident. |
Delete Incident | This action deletes an incident using the incident’s unique identifier. |
Update Incident | This action updates the status and assignee details of an incident using the incident’s endpoint. |
Get Incident by Date Range | This action retrieves incidents by the date and time they were created. |
Get Incident | This action retrieves details of an incident using an incident's unique identifier. |
Get Service IDs of all Services | This action retrieves the list of all service IDs of all services. |
Configuration Parameters
The following configuration parameters are required for the RSA NetWitness app to communicate with the RSA NetWitness enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Base URL | Enter the base URL for your RSA NetWitness platform. Example: https://rsa.domain.corp | Text | Required | |
Username | Enter the username to access the RSA NetWitness Platform. Example: "exampleusername" | Text | Required | |
Password | Enter the password to access the RSA NetWitness Platform. Example: "examplePassword" | Password | Required | |
Action: Release from network isolation
This action restores the network connection and removes IP addresses added to the exclusion list for the host with the specified agent ID.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Agent ID | Specify the unique ID for the host. Example: "FFXXXXX8-266C-5871-6BAA-CACDXXXXX942" | Text | Required | |
Service ID | Specify the unique service ID for the host. Example: "axxxxxff-ce95-4xx3-ab51-e93xxxxx67" | Text | Required | |
Allow Dns Only By System | Specify whether to allow DNS only by the system. Example: "True" | Boolean | Required | Allowed values: |
Exclusions | Enter any networks that you want to exclude from this task. Example: "Null" | Any | Optional | Default value: |
Comment | Enter the comment to add to the network isolation. Example: "ExampleComment" | Text | Optional | |
[ { "agentId": "FFXXXXX8-266C-5871-6BAA-CACDXXXXXX942", "serviceId": "21xx75-691e-4df1-8d4f-52xxx0f5d", "allowDnsOnlyBySystem": true } ]
Action: Request Network Isolation
This action isolates the host with the specified agent ID from the network.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Agent ID | Specify the unique ID for the host. Example: "FFXXXXX8-266C-5871-6BAA-CACDXXXXX942" | Text | Required | |
Service ID | Specify the unique service ID for the host. Example: "axxxxxff-ce95-4xx3-ab51-e93xxxxx67" | Text | Required | |
Allow Dns Only By System | Specify whether to allow DNS only by the system. Example: "True" | Boolean | Required | Allowed values: |
Exclusions | Enter any networks that you want to exclude from this task. Example: "Null" | Any | Optional | |
Comment | Enter the comment to add to the network isolation. Example: "ExampleComment" | Text | Optional | |
[ { "agentId": "FFXXXXX8-266C-5871-6BAA-CACDXXXXXX942", "serviceId": "21xx75-691e-4df1-8d4f-52xxx0f5d", "allowDnsOnlyBySystem": true } ]
Action: Request process dump download
This action initiates the download of the process dump to the endpoint server.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Agent ID | Specify the unique ID for the host. Example: "FFXXXXX8-266C-5871-6BAA-CACDXXXXX942" | Text | Required | |
Service ID | Specify the unique service ID for the host. Example: "axxxxxff-ce95-4xx3-ab51-e93xxxxx67" | Text | Required | |
Process ID | Specify the unique process ID for the host. Example: "5756" | Text | Required | |
E Process | Specify the E Process value of the process. Example: "0xFFFFE10DC62C6440" | Text | Required | |
File Name | Specify the file name for the dump download. Example: "example.txt" | Text | Required | |
Path | Enter the file path of the dump file location. Example: "C:\Windows\ReportServer\PolicyDefinitions" | Text | Required | |
Hash | Enter the hash value of the file. Example: "687685b7531648c39fbb24fa81312b7fd2e3ece1bf1347b386f8725783767e5c" | Text | Required | |
Process Create Utc Time | Enter the UTC time for the process creation. Example: "1595496025034" | Text | Optional | |
[ { "hash": "5f9axx928f7xxxxxf84fd2c8xxxxca0", "path": "C:\\Windows\\ReportServer\\PolicyDefinitions", "agentId": "FFxx08-2xxC-5xx1-6BAA-CACDCxxxx942", "fileName": "amazon-ssm-agent.exe", "e_process": "0xFFFF800718FC0080", "processId": "444", "serviceId": "21xxxe75-691e-4df1-8d4f-52axxxxx0f5d" } ]
Action: Request system dump download
This action can be used to initiate the download of the system dump to the Endpoint Server.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Agent ID | Specify the unique ID for the host. Example: "FFXXXXX8-266C-5871-6BAA-CACDXXXXX942" | Text | Required | |
Service ID | Specify the unique service ID for the host. Example: "axxxxxff-ce95-4xx3-ab51-e93xxxxx67" | Text | Required | |
[ { "agentId": "FFxx08-2xxC-5xx1-6BAA-CACDCxxxx942", "serviceId": "21xxxe75-691e-4df1-8d4f-52axxxxx0f5d" } ]
Action: Request multiple files download to server
This action downloads multiple files and can be used for incident investigation.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Agent ID | Specify the unique ID for the host. Example: "FFXXXXX8-266C-5871-6BAA-CACDXXXXX942" | Text | Required | |
Path | Enter the file path of the dump file location. Example: "C:\Windows\ReportServer\PolicyDefinitions" | Text | Required | |
Service ID | Specify the unique service ID for the host. Example: "axxxxxff-ce95-4xx3-ab51-e93xxxxx67" | Text | Required | |
Count Files | Specify the maximum number of files returned by the host matching the wildcard path. Example: "8" | Integer | Optional | |
Max File Size | Specify the maximum size of every file for download. Example: "50" | Integer | Optional | |
[ { "path": "C:\\Windows\\ReportServer\\PolicyDefinitions", "agentId": "FXXXXX08-2XXC-5XX1-6XXA-CACDXXX65942", "serviceId": "2xxxxx75-691e-4df1-8d4f-52aefxxxxd" } ]
Action: Request file download to server
This action downloads a particular file and can be used for incident investigation.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Agent ID | Specify the unique ID for the host. Example: "FFXXXXX8-266C-5871-6BAA-CACDXXXXX942" | Text | Required | |
Service ID | Specify the unique service ID for the host. Example: "axxxxxff-ce95-4xx3-ab51-e93xxxxx67" | Text | Required | |
Path | Enter the file path of the dump file location. Example: "C:\Windows\ReportServer\PolicyDefinitions" | Text | Required | |
[ { "path": "C:\\Windows\\ReportServer\\PolicyDefinitions", "agentId": "FFCB8C08-266C-5871-6BAA-CACDCB765942", "serviceId": "213b6e75-691e-4df1-8d4f-52aef2970f5d" } ]
Action: Get alerts for File
This action retrieves all alerts triggered for a given file.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Check Sum | Enter the checksum of the file. The file hash can be SHA256 or MD5. Example: "d1c79a36593f0d5f7d07502b963c0291f4556ce8f110a58a48fda4" | Text | Required | |
Service ID | Enter the service ID endpoint server to be connected. Example: "aexxxff-ce95-46b3-ab51-e9xxxx7" | Text | Required | |
Alert Category | Specify the alert category to retrieve alerts. Example: "Critical" | Text | Optional | Allowed values: |
[ { "checksum": "b30xxxxc92a989a6557c6xxx8d2", "serviceId": "21xxx75-691e-4df1-8d4f-52aexxx5d" } ]
Action: Get alerts for Host
This action retrieves all alerts triggered for a given host.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Agent ID | Specify the unique ID for the host. Example: "FFXXXXX8-266C-5871-6BAA-CACDXXXXX942" | Text | Required | |
Service ID | Specify the unique service ID for the host. Example: "axxxxxff-ce95-4xx3-ab51-e93xxxxx67" | Text | Required | |
Alert Category | Specify the alert category for the alerts. Example: "Critical" | Text | Optional | Allowed values: |
[ { "agentId": "FXXXX8-266C-5871-6BAA-CAXXXX42", "serviceId": "21xx75-691e-4df1-8d4f-52xxxxx5d" } ]
Action: Request Scan
This action starts a scan for the host with the specified agent ID.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Agent ID | Specify the unique ID for the host. Example: "FFXXXXX8-266C-5871-6BAA-CACDXXXXX942" | Text | Required | |
Service ID | Specify the unique service ID for the host. Example: "axxxxxff-ce95-4xx3-ab51-e93xxxxx67" | Text | Required | |
Scan Type | Specify the scan type for the request. Example: "QUICK_SCAN" | Text | Required | Allowed values: |
CPU Max | Specify the amount of CPU the agent can use to run the scan. You can choose a value from 5 to 100. If you do not specify a value, the agent uses the default value. | Integer | Optional | Default value: |
[ { "agentId": "Fxxxx8-266C-5871-6BAA-CAxxxxxx42", "scanType": "QUICK_SCAN", "serviceId": "21xxx5-691e-4df1-8d4f-52axxxxd" } ]
Action: Get File Information
This action retrieves information about a particular file and can be used for incident investigation. This information is specific to the unique file and does not include any host info.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Service ID | Specify the unique service ID for the host. Example: "axxxxxff-ce95-4xx3-ab51-e93xxxxx67" | Text | Required | |
Page Number | Specify the page number to get the file. Example: "6" | Integer | Optional | |
Page Size | Specify the page size to retrieve the file results. Example: "40" | Integer | Optional | |
[ { "serviceId": "213b6e75-691e-4df1-8d4f-52aef2970f5d" } ]
Action: Snapshot details for Host
This action retrieves snapshot details of the given host for the provided snapshot time.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Host Agent ID | Enter the host ID to get the snapshot details. Example: "FXXXX8-266C-5871-6BAA-CAXXXX2" | Text | Required | |
Service ID | Enter the service ID of the endpoint server to be connected. Example: "axxxxxff-ce95-4xx3-ab51-e93xxxxx67" | Text | Required | |
Snapshot Time | Enter the snapshot time to get the details. Example: "2020-12-22T14:34:05.985Z" | Text | Required | |
[ { "serviceId": "213b6e75-691e-4df1-8d4f-52aef2970f5d", "host_agent_id": "FFCB8C08-266C-5871-6BAA-CACDCB765942", "snapshot_time": "2020-12-22T14:34:05.985Z" } ]
Action: List snapshots for Host
This action retrieves a list of snapshots, which are IDs to fetch the snapshot details of the host.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Host Agent ID | Enter the unique agent ID for the host. Example: "FFXXX8-266C-5871-6BAA-CXXX942" | Text | Required | |
Service ID | Specify the unique service ID for the host. Example: "axxxxxff-ce95-4xx3-ab51-e93xxxxx67" | Text | Required | |
[ { "serviceId": "213b6e75-691e-4df1-8d4f-52aef2970f5d", "host_agent_id": "FFCB8C08-266C-5871-6BAA-CACDCB765942" } ]
Action: Get Host
The action retrieves the list of all hosts' information from a particular Endpoint Server.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Service ID | Specify the unique service ID for the host. Example: "axxxxxff-ce95-4xx3-ab51-e93xxxxx67" | Text | Required | |
Filters | Enter filters in the required JSON format. | Any | Optional | |
Page Number | Enter the page number to get the host. Example: "3" | Integer | Optional | |
Page Size | Enter the number of items to return on a single page. Example: "80" | Integer | Optional | |
[ { "serviceId":"213b6e75-691e-4df1-8d4f-52aef2970f5d" }, { "criteria":{ "criteriaList":[ { "criteriaList":[ ], "expressionList":[ { "propertyName":"hostName", "restrictionType":"LIKE", "propertyValues":[ { "value":"WIN-854PACLCQ07-VC", "relative":false } ] } ], "predicateType":"AND" }, { "criteriaList":[ ], "expressionList":[ { "propertyName":"riskScore", "restrictionType":"BETWEEN", "propertyValues":[ { "value":0, "relative":false }, { "value":100, "relative":false } ] } ], "predicateType":"OR" } ], "expressionList":[ ], "predicateType":"AND" }, "sort":{ "keys":[ "riskScore" ], "descending":true } } ]
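As an added example (not the connector's or RSA's own code), the following Python builds a Filters body for the Get Host action in the criteriaList/expressionList/predicateType shape shown above and checks a Filters value for structural mistakes before it is submitted; the 0 to 100 risk-score bounds and the set of accepted predicate names are assumptions drawn from that example.

```python
import json
from typing import Any, Optional

# Added example, not the connector's own code: builds and checks the "criteria"
# body of the Get Host action in the criteriaList / expressionList / predicateType
# shape shown above. Only the names in that example are assumed to exist.

def expression(property_name: str, restriction: str, *values: Any) -> dict:
    """One expression: a host property, a restriction type and its values."""
    return {"propertyName": property_name, "restrictionType": restriction,
            "propertyValues": [{"value": v, "relative": False} for v in values]}

def criteria(expressions: list, predicate: str = "AND",
             children: Optional[list] = None) -> dict:
    """A criteria node: child nodes plus expressions joined by a predicate."""
    return {"criteriaList": children or [], "expressionList": expressions,
            "predicateType": predicate}

def host_filter(host_name: str, min_risk: int = 0, max_risk: int = 100) -> dict:
    """Reproduce the page's filter: a hostName LIKE child and a riskScore BETWEEN
    child under a top-level AND, sorted by riskScore descending."""
    if not 0 <= min_risk <= max_risk <= 100:  # assumption: scores span 0..100
        raise ValueError("risk score range must satisfy 0 <= min <= max <= 100")
    return {
        "criteria": criteria([], "AND", children=[
            criteria([expression("hostName", "LIKE", host_name)], "AND"),
            criteria([expression("riskScore", "BETWEEN", min_risk, max_risk)], "OR"),
        ]),
        "sort": {"keys": ["riskScore"], "descending": True},
    }

def filter_problems(node: dict, path: str = "criteria") -> list:
    """Walk a criteria tree; return structural problems (empty list = well formed)."""
    problems = []
    for key in ("criteriaList", "expressionList", "predicateType"):
        if key not in node:
            problems.append(f"{path}: missing {key}")
    if node.get("predicateType") not in ("AND", "OR"):
        problems.append(f"{path}: predicateType must be AND or OR")
    for i, expr in enumerate(node.get("expressionList", [])):
        count = len(expr.get("propertyValues", []))
        if expr.get("restrictionType") == "BETWEEN" and count != 2:
            problems.append(f"{path}.expressionList[{i}]: BETWEEN needs two values")
    for i, child in enumerate(node.get("criteriaList", [])):
        problems += filter_problems(child, f"{path}.criteriaList[{i}]")
    return problems

def parse_filter(text: str) -> dict:
    """Parse a Filters value and reject a malformed tree before it is sent."""
    body = json.loads(text)
    problems = filter_problems(body["criteria"])
    if problems:
        raise ValueError("; ".join(problems))
    return body
```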
Action: Get Incident Alerts
This action retrieves all alerts that are associated with an incident using the incident’s unique identifier.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Incident ID | Enter the unique ID for the incident. Example: "INC-100" | Text | Required | |
Page Number | Enter the page number to get the incident alerts. Example: "3" | Integer | Optional | |
Page Size | Enter the page size to get the maximum number of items on a page. Example: "8" | Integer | Optional | |
[ { "incident_id": "INC-34" } ]
Action: Add Journal Entry
This action adds a journal entry or a note to an existing incident.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Incident ID | Enter the unique ID for the incident to add a journal entry. Example: "INC-100" | Text | Required | |
Author | Enter the NetWitness user ID of the user creating the journal entry. Example: "exampleuser" | Text | Required | |
Notes | Enter the notes and observations about the incident. Example: "sampletext" | Text | Required | |
Milestone | Enter the incident milestone classification. Example: "Containment" | Text | Required | Allowed values: |
[ { "notes": "sampletext", "author": "exampleuser", "milestone": "Containment", "incident_id": "INC-100" } ]
Action: Delete Incident
This action deletes an incident using the incident’s unique identifier.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Incident ID | Enter the unique ID for the incident. Example: "INC-100" | Text | Required | |
[ { "incident_id": "INC-28" } ]
Action: Update Incident
This action updates the status and assignee details of an incident using the incident’s endpoint.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Incident ID | Enter the unique ID for the incident. Example: "INC-28" | Text | Required | |
Status | Specify the status of the incident to update. Example: "New" | Text | Optional | Allowed values: |
Assignee | Specify the user/assignee working on the incident. Example: "exampleuser" | Text | Optional | |
[ { "status": "Assigned", "incident_id": "INC-28" } ]
Action: Get Incident by Date Range
This action retrieves incidents by the date and time they were created.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Page No | Enter the page number to get the incident details. Example: "2" | Integer | Optional | |
Page Size | Enter the maximum number of items to return on a single page. Example: "10" | Integer | Optional | |
Since Date and Time | Enter the start time after which you want to retrieve the incidents. The timestamp should be in ISO 8601 format. Example: "1018-01-01T14:00:00.000Z" | Text | Required | |
Until Date and Time | Enter the end time up to which you want to retrieve the incidents. The timestamp should be in ISO 8601 format. Example: "1019-01-01T14:00:00.000Z" | Text | Required | |
[ { "since": "2021-01-01T00:00:00.000Z", "until": "2021-07-09T05:35:45.578Z" } ]
Action: Get Incident
This action retrieves details of an incident using an incident's unique identifier.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Incident ID | Enter the unique ID of the incident to retrieve the details. Example: "INC-100" | Text | Required | |
[ { "incident_id": "INC-28" } ]
Action: Get Service IDs of all Services
This action retrieves the list of all service IDs of all services.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Service Name | Enter the service name to retrieve the ID. Example: "endpoint-server" | Text | Optional | |
[ { "service_name": "endpoint-server" } ]