RSA NetWitness Platform
App Vendor: RSA NetWitness Platform
App Category: Network Security
Connector Version: 2.0.0
API Version: 1.0.0
About App
RSA NetWitness Platform applies the most advanced technology to detect, prioritize, and investigate threats in a fraction of the time of other security products.
The RSA NetWitness Platform app is configured with Orchestrate to perform the following actions:
Action Name | Description |
---|---|
Add Journal Entry | This action adds a journal entry or a note to an existing incident. |
Delete Incident | This action deletes an incident using the incident’s unique identifier. |
Fetch Alert | This action fetches alerts based on the criteria. |
Fetch Incident | This action fetches an incident based on the criteria. |
Generic Action | This action makes a request to any RSA NetWitness Platform endpoint, covering endpoints not served by the other actions. |
Get Alerts for File | This action gets all alerts triggered for a given file. |
Get Alerts for Host | This action gets all alerts triggered for a given host. |
Get File | This action gets information about a particular file and can be used for incident investigation. This information is specific to the unique file and does not include any host information. |
Get Host | This action gets the list of all hosts and their information from a particular endpoint server. |
Get Incident | This action gets details of an incident using an incident's unique identifier. |
Get Incident Alerts | This action gets all alerts that are associated with an incident using the incident’s unique identifier. |
Get Incident by Date Range | This action retrieves incidents by the date and time they were created. |
Get Service IDs of all Services | This action lists all services with their service IDs. |
List snapshots for Host | This action gets a list of snapshots, which are IDs to fetch the snapshot details of the host. |
Multiple Files Download to Server | This action downloads multiple files and can be used for incident investigation. |
Process Dump Download | This action initiates the download of the process dump to the endpoint server. |
Release From Network Isolation | This action restores the network connection and removes IP addresses added to the exclusion list for the host with the specified agent ID. |
Request File Download to Server | This action downloads a particular file and can be used for incident investigation. |
Request Network Isolation | This action isolates the host with the specified agent ID from the network. |
Request Scan | This action starts a scan on the host with the specified agent ID. |
Snapshot details for Host | This action gets the snapshot details of the given host for the provided snapshot time. |
System Dump Download | This action initiates the download of the system dump to the endpoint server. |
Update Incident | This action updates an incident's status and assignee details using the incident’s endpoint. |
Configuration Parameters
The following configuration parameters are required for the RSA NetWitness Platform app to communicate with the RSA NetWitness Platform enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Base URL | Enter the base URL to connect with the RSA NetWitness Platform. | Text | Required | |
Username | Enter the username for the RSA NetWitness Platform. | Text | Required | |
Password | Enter the password for the RSA NetWitness Platform. | Password | Required | |
SSL/TLS verification | Choose your preference to verify SSL or TLS while making requests. | Boolean | Optional | Default value: false |
Timeout | Enter the connection timeout value in seconds to connect to the RSA NetWitness Platform. | Integer | Optional | Default value: 15 |
Action: Add Journal Entry
This action adds a journal entry or a note to an existing incident.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Incident ID | The unique identifier of the incident. Example: INC-100 | Text | Required | |
Author | The NetWitness user ID of the user creating the journal entry. | Text | Required | |
Milestone | The incident milestone classifier. Example: Containment, Delivery, Exploitation, Installation, Action on objective, Eradication, Closure, Command and Control | Text | Required | |
Notes | Notes and observations about the incident. | Text | Required | |
Action: Delete Incident
This action deletes an incident using the incident ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Incident ID | Incident’s unique identifier. Example: INC-100 | Text | Required | |
Action: Fetch Alert
This action fetches alerts based on the specified request parameters.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Meta Name | Enter the alert field on which the query is made. Example: alert.source | Text | Required | |
Meta Value | Enter the value of that alert field to match. Example: event stream analysis | Text | Required | |
Number of Records | Enter the number of records to be fetched. Example: 20 | Integer | Optional | Default value: 50 |
Include Fields | Enter the fields to be included in the response for the specified meta name from the alert. | Text | Optional | Default value: null |
Action: Fetch Incident
This action fetches incidents based on the specified request parameters.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Meta Name | Enter the incident field on which the query is made. Example: priority | Text | Required | |
Meta Value | Enter the value of that incident field to match. Example: medium | Text | Required | |
Number of Records | Enter the number of records to be fetched. Example: 20 | Integer | Optional | Default value: 50 |
Action: Generic Action
This action makes a request to any RSA NetWitness Platform endpoint, covering endpoints not served by the other actions.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Method | Enter the HTTP method for the request. Example: GET | Text | Required | |
Endpoint | Enter the endpoint to make the request to. Example: /samples | Text | Required | |
Query Params | Enter the query parameters to pass to the API. | Key Value | Optional | |
Payload | Enter the payload to pass to the API. | Any | Optional | |
Extra Fields | Enter any additional fields applicable. | Key Value | Optional | |
Action: Get Alerts for File
This action gets all alerts triggered for a given file.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Check Sum | The supported checksums are SHA-256 and MD5. Example: d1c79a36593f0d5f7d07502b963d97acc851dc0291f4556ce8f110a58a48fda4 | Text | Required | |
Service ID | Service ID of the endpoint server to be connected. Example: ae87eeff-ce95-46b3-ab51-e938431f3867 | Text | Required | |
Alert Category | Enter the alert category. | Text | Optional | Allowed values: not listed. Default value: none |
Action: Get Alerts for Host
This action gets all alerts triggered for a given host.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Agent ID | Unique identifier of the host. | Text | Required | |
Service ID | Service ID of the endpoint server to be connected. Example: ae87eeff-ce95-46b3-ab51-e938431f3867 | Text | Required | |
Alert Category | Enter the alert category. | Text | Optional | Allowed values: not listed. Default value: None |
Action: Get File
This action gets information about a particular file that can be used for incident investigation. This information is specific to the unique file and does not include any host-related information.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Service ID | Service ID of the endpoint server to be connected. Example: ae87eeff-ce95-46b3-ab51-e938431f3867 | Text | Required | |
Page number | Enter the page number for the response. | Integer | Optional | Default value: 0 |
Page size | Enter the number of records in a page. | Integer | Optional | Default value: 90 |
Action: Get Host
The action gets the list of all hosts and related information from a particular endpoint server.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Service ID | Service ID of the endpoint server to be connected. Example: ae87eeff-ce95-46b3-ab51-e938431f3867 | Text | Required | |
Filters | Enter filters in the required dictionary format. | Any | Optional | |
Page number | Enter the page number for the response. | Integer | Optional | Default value: 0 |
Page size | Number of records to be returned in a single page. | Integer | Optional | Default value: 100 |
Action: Get Incident
This action gets the details of an incident using the incident's unique identifier.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Incident ID | The unique identifier of the incident. Example: INC-100 | Text | Required | |
Action: Get Incident Alerts
This action gets all alerts that are associated with an incident using the incident’s unique identifier.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Incident ID | Incident’s unique identifier. Example: INC-100 | Text | Required | |
Page Number | Enter the page number | Integer | Optional | Default value: 0 |
Page size | The maximum number of records to be returned in a single page. | Integer | Optional | Default value: 10 |
Action: Get Incident by Date Range
This action retrieves incidents by the date and time they were created.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Since Date and Time | Retrieve incidents created on and after this timestamp. Enter the timestamp in ISO 8601 format. Example: 1018-01-01t14:00:00.000z | Text | Required | |
Until Date and Time | Retrieve incidents created on and before this timestamp. Enter the timestamp in ISO 8601 format. Example: 1018-01-01t14:00:00.000z | Text | Required | |
Page Number | The requested page number. | Integer | Optional | Default value: 0 |
Page Size | The maximum number of items to be returned in a single page. | Integer | Optional | Default value: 100 |
Action: Get Service IDs of all Services
This action lists all services with their service IDs.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Service Name | Name of the service. Example: endpoint-server | Text | Optional | |
Action: List snapshots for Host
This action gets a list of snapshots, which are IDs to fetch the snapshot details of the host.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Host Agent ID | Agent ID of the host. | Text | Required | |
Service ID | Service ID of the endpoint server to be connected. Example: ae87eeff-ce95-46b3-ab51-e938431f3867 | Text | Required | |
Action: Multiple Files Download to Server
This action downloads multiple files that can be used for incident investigation.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Agent ID | Unique identifier of the host. | Text | Required | |
File Path | Enter the path of the file. Example: c:\\\\users\\\\sample\\\\test.exe | Text | Required | |
Service ID | Enter the service ID of the endpoint server to be connected. Example: ae87eeff-ce95-46b3-ab51-e938431f3867 | Text | Required | |
Count Files | Enter the maximum number of files returned by the host matching the wildcard path. | Integer | Optional | Default value: 10 |
Max File Size | Maximum size of each file (in MB). | Integer | Optional | Default value: 100 |
Action: Process Dump Download
This action can be used to initiate the download of the process dump to the endpoint server.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Agent ID | Enter the unique identifier of the host. | Text | Required | |
Service ID | Enter the service ID of the endpoint server to be connected. Example: ae87eeff-ce95-46b3-ab51-e938431f3867 | Text | Required | |
Process ID | Enter the process ID. Example: 5744 | Text | Required | |
E Process | Example: 0xffffe10dc62c6440 | Text | Required | |
File Name | Enter the file name. Example: sample.txt | Text | Required | |
Path | Enter the path of the file. Example: e\\\\windows\\\\reportserver\\\\policydefinitions | Text | Required | |
Hash | Enter the hash value of the system script file. Example: 687685b7531648c39fbb24fa81312b7fd2e3ece1bf1347b386f8725783767e5c | Text | Required | |
Create UTC Time | Enter the creation time as an epoch timestamp. Example: 1595496025034 | Text | Optional | |
Action: Release From Network Isolation
This action restores the network connection and removes IP addresses added to the exclusion list for the host with the specified agent ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Agent ID | Unique identifier of the host. | Text | Required | |
Service ID | Service ID of the endpoint server to be connected. Example: ae87eeff-ce95-46b3-ab51-e938431f3867 | Text | Required | |
Allow Dns Only by System | Set allow DNS only by system to true or false. | Boolean | Required | |
Exclusions | Enter the networks to exclude. | Any | Optional | Default value: None |
Comment | Enter any comments. | Text | Optional | Default value: release from isolation |
Action: Request File Download to Server
This action downloads a particular file and can be used for incident investigation.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Agent ID | Unique identifier of the host. | Text | Required | |
File Path | Enter the path of the file. Example: c:\\\\users\\\\sample\\\\test.exe | Text | Required | |
Service ID | Service ID of the endpoint server to be connected. Example: ae87eeff-ce95-46b3-ab51-e938431f3867 | Text | Required | |
Action: Request Network Isolation
This action isolates the host with the specified agent ID from the network.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Agent ID | Unique identifier of the host. | Text | Required | |
Service ID | Service ID of the endpoint server to be connected. Example: ae87eeff-ce95-46b3-ab51-e938431f3867 | Text | Required | |
Allow Dns Only By System | Set allow DNS only by system to true or false. | Boolean | Required | |
Comment | Enter the comment to add. Example: found malicious | Text | Required | |
Exclusions | Enter the list of IP networks to exclude. Example: [{"ip":"10.125.0.1","v4":true}] | Any | Optional | |
Action: Request Scan
This action can be used to start a scan for the host with the specified agent ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Agent ID | Unique identifier of the host. | Text | Required | |
Service ID | Service ID of the endpoint server to be connected. Example: ae87eeff-ce95-46b3-ab51-e938431f3867 | Text | Required | |
Scan Type | Type of scan command. Example: quick_scan | Text | Required | |
Cpu Max | Specifies the amount of CPU the agent can use to run the scan. Choose a value from 5 to 100. If you do not specify a value, the agent uses the default of 25% CPU for the scan. | Integer | Optional | Default value: 25 |
Action: Snapshot details for Host
This action gets snapshot details of the given host for the provided snapshot time.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Host agent ID | Agent ID of the host. | Text | Required | |
Service ID | Service ID of the endpoint server to be connected. Example: ae87eeff-ce95-46b3-ab51-e938431f3867 | Text | Required | |
Snapshot Time | Enter the snapshot time in ISO 8601 format. Example: 2017-12-22t14:34:05.985z | Text | Required | |
Action: System Dump Download
This action can be used to initiate the download of the system dump to the endpoint server.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Agent ID | Unique identifier of the host. | Text | Required | |
Service ID | Service ID of the endpoint server to be connected. Example: ae87eeff-ce95-46b3-ab51-e938431f3867 | Text | Required | |
Action: Update Incident
This action can be used to update the status and assignee details of an incident using the incident’s endpoint.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Incident ID | Incident’s unique identifier. Example: INC-100 | Text | Required | |
Assignee | The NetWitness user identifier of the user currently working on the incident. | Text | Optional | |
Status | Update the status of the incident. | Text | Optional | Allowed values: new, assigned, inprogress, remediationrequested, remediationcomplete, closed, closedfalsepositive. |