Fortinet Document Library

RSA Netwitness SIEM

1.0.0
About the connector

The RSA NetWitness Platform is an evolved SIEM and threat detection and response solution that allows security teams to rapidly detect and respond to any threat, anywhere. 

This document provides information about the RSA Netwitness SIEM connector, which facilitates automated interactions with an RSA Netwitness SIEM server using FortiSOAR™ playbooks. Add the RSA Netwitness SIEM connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving incidents from RSA Netwitness SIEM and retrieving alerts associated with incidents from RSA Netwitness SIEM.

Version information

Connector Version: 1.0.0

Authored By: Fortinet

Certified: No

Installing the connector

From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:

yum install cyops-connector-rsa-netwitness-siem

Prerequisites to configuring the connector

  • You must have the URL of the RSA Netwitness SIEM server to which you will connect and perform automated operations, and credentials (username-password pair) to access that server.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance. 

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the RSA Netwitness SIEM connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details: 

Parameter | Description
Server URL | URL of the RSA Netwitness SIEM server to which you will connect and perform the automated operations.
Username | Username of the RSA Netwitness SIEM server to which you will connect and perform the automated operations.
Password | Password of the RSA Netwitness SIEM server to which you will connect and perform the automated operations.
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:

Function | Description | Annotation and Category
Get Incident | Retrieves a single incident from RSA Netwitness SIEM based on the incident’s unique identifier. | get_incident (Investigation)
Get Incidents by Date Range | Retrieves all incidents from RSA Netwitness SIEM based on the date and time they were created in RSA Netwitness SIEM. | get_incident_by_date_range (Investigation)
Get Incident Related Alerts | Retrieves all alerts that are associated with an incident from RSA Netwitness SIEM based on the incident’s unique identifier. | get_incidents_alerts (Investigation)

operation: Get Incident

Input parameters

Parameter | Description
Incident ID | Unique identifier of the incident based on which you want to retrieve the incident from RSA Netwitness SIEM.

Output

The output contains the following populated JSON schema:

{
     "eventCount": "", 
     "riskScore": "", 
     "summary": "", 
     "journalEntries": [ 
         { 
             "milestone": "", 
             "id": "", 
             "author": "", 
             "lastUpdated": "", 
             "created": "", 
             "notes": "" 
         } 
     ], 
     "createdBy": "", 
     "priority": "", 
     "sources": [], 
     "lastUpdatedBy": "", 
     "status": "", 
     "totalRemediationTaskCount": "", 
     "alertCount": "", 
     "firstAlertTime": "", 
     "sealed": "", 
     "id": "", 
     "averageAlertRiskScore": "", 
     "title": "", 
     "assignee": "", 
     "ruleId": "", 
     "lastUpdated": "", 
     "created": "", 
     "alertMeta": { 
         "SourceIp": [], 
         "DestinationIp": [] 
     }, 
     "deletedAlertCount": "", 
     "openRemediationTaskCount": "", 
     "categories": [ 
         { 
             "parent": "", 
             "id": "", 
             "name": "" 
         } 
     ] 
}

operation: Get Incidents by Date Range

Input parameters

Parameter | Description
Start Time | Timestamp based on which incidents will be retrieved from RSA Netwitness SIEM. Incidents that are created on or after this timestamp will be retrieved from RSA Netwitness SIEM.
End Time | Timestamp based on which incidents will be retrieved from RSA Netwitness SIEM. Incidents that are created on or before this timestamp will be retrieved from RSA Netwitness SIEM.
Page Number (Optional) | Page number from which you want to request data.
Page Size (Optional) | Maximum number of records that you want to return in a single page.

Output

The output contains the following populated JSON schema:

{
     "items": [ 
         { 
             "eventCount": "", 
             "riskScore": "", 
             "summary": "", 
             "journalEntries": [ 
                 { 
                     "milestone": "", 
                     "id": "", 
                     "author": "", 
                     "lastUpdated": "", 
                     "created": "", 
                     "notes": "" 
                 } 
             ], 
             "createdBy": "", 
             "priority": "", 
             "sources": [], 
             "lastUpdatedBy": "", 
             "status": "", 
             "totalRemediationTaskCount": "", 
             "alertCount": "", 
             "firstAlertTime": "", 
             "sealed": "", 
             "id": "", 
             "averageAlertRiskScore": "", 
             "title": "", 
             "assignee": "", 
             "ruleId": "", 
             "lastUpdated": "", 
             "created": "", 
             "alertMeta": { 
                 "SourceIp": [], 
                 "DestinationIp": [] 
             }, 
             "deletedAlertCount": "", 
             "openRemediationTaskCount": "", 
             "categories": [ 
                 { 
                     "parent": "", 
                     "id": "", 
                     "name": "" 
                 } 
             ] 
         } 
     ], 
     "pageNumber": "", 
     "totalPages": "", 
     "hasPrevious": "", 
     "totalItems": "", 
     "hasNext": "", 
     "pageSize": "" 
}

operation: Get Incident Related Alerts

Input parameters

Parameter | Description
Incident ID | Unique identifier of the incident whose associated alerts you want to retrieve from RSA Netwitness SIEM.
Page Number (Optional) | Page number from which you want to request data.
Page Size (Optional) | Maximum number of records that you want to return in a single page.

Output

The output contains the following populated JSON schema:

{
     "items": [ 
         { 
             "riskScore": "", 
             "events": [ 
                 { 
                     "eventSource": "", 
                     "destination": { 
                         "device": { 
                             "dnsDomain": "", 
                             "port": "", 
                             "dnsHostname": "", 
                             "macAddress": "", 
                             "ipAddress": "" 
                         }, 
                         "user": { 
                             "adUsername": "", 
                             "emailAddress": "", 
                             "username": "", 
                             "adDomain": "" 
                         } 
                     }, 
                     "source": { 
                         "device": { 
                             "dnsDomain": "", 
                             "port": "", 
                             "dnsHostname": "", 
                             "macAddress": "", 
                             "ipAddress": "" 
                         }, 
                         "user": { 
                             "adUsername": "", 
                             "emailAddress": "", 
                             "username": "", 
                             "adDomain": "" 
                         } 
                     }, 
                     "domain": "", 
                     "eventSourceId": "" 
                 } 
             ], 
             "id": "", 
             "detail": "", 
             "title": "", 
             "source": "", 
             "type": "", 
             "created": "" 
         } 
     ], 
     "pageNumber": "", 
     "totalPages": "", 
     "hasPrevious": "", 
     "totalItems": "", 
     "hasNext": "", 
     "pageSize": "" 
}
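Both Get Incidents by Date Range and Get Incident Related Alerts return the same page envelope (items, pageNumber, totalPages, hasPrevious, totalItems, hasNext, pageSize), so a playbook or script that wants every record has to walk the pages itself. The following is an added example, not code from the connector or from Fortinet: it walks an envelope of the documented shape page by page, flattens incidents into the fields an analyst triages first (riskScore, status, and the SourceIp/DestinationIp lists in alertMeta), and pulls source/destination IP and user triples out of the events inside each alert. The fetch_page callables, the MAX_PAGES cap, and every sample response are assumptions constructed for the example; in a playbook, the equivalent of fetch_page is the connector step invoked with Page Number set to the page being requested.

```python
"""Added example (not the connector's or Fortinet's code): consume the paginated
output of Get Incidents by Date Range and Get Incident Related Alerts and turn the
documented schema into triage data. All sample responses below are constructed."""
from typing import Callable, Iterator, List, Set, Tuple

MAX_PAGES = 1000  # assumed safety cap: a server that never clears hasNext cannot loop us forever


def iterate_pages(fetch_page: Callable[[int], dict]) -> Iterator[dict]:
    """Yield every item of a paginated envelope of the documented shape
    ({"items": [...], "pageNumber": n, "hasNext": bool, ...}), starting at page 1.
    fetch_page(n) stands in for the connector operation run with Page Number = n."""
    page_number = 1
    for _ in range(MAX_PAGES):
        page = fetch_page(page_number)
        for item in page.get("items") or []:
            yield item
        if not page.get("hasNext"):
            return
        # Follow the page counter the server echoes back, but always move forward.
        echoed = page.get("pageNumber")
        next_from_server = int(echoed) + 1 if echoed not in ("", None) else 0
        page_number = max(page_number + 1, next_from_server)
    raise RuntimeError("pagination did not terminate within MAX_PAGES pages")


def incidents_by_date_range(fetch_page: Callable[[int], dict], min_risk_score: int = 0) -> List[dict]:
    """Flatten each incident into the fields an analyst looks at first and drop
    incidents whose riskScore is below min_risk_score. The schema shows riskScore
    as a string, so it is converted defensively."""
    incidents = []
    for inc in iterate_pages(fetch_page):
        score = int(inc.get("riskScore") or 0)
        if score < min_risk_score:
            continue
        meta = inc.get("alertMeta") or {}
        incidents.append({
            "id": inc.get("id"),
            "riskScore": score,
            "status": inc.get("status"),
            "title": inc.get("title"),
            "sourceIps": sorted(set(meta.get("SourceIp") or [])),
            "destinationIps": sorted(set(meta.get("DestinationIp") or [])),
        })
    return incidents


def indicators_from_alerts(fetch_page: Callable[[int], dict]) -> Set[Tuple[str, str, str]]:
    """Collect (source IP, destination IP, source username) triples from the events
    of every alert page; fields the schema leaves blank stay empty strings."""
    triples = set()
    for alert in iterate_pages(fetch_page):
        for event in alert.get("events") or []:
            src = event.get("source") or {}
            dst = event.get("destination") or {}
            triples.add((
                (src.get("device") or {}).get("ipAddress") or "",
                (dst.get("device") or {}).get("ipAddress") or "",
                (src.get("user") or {}).get("username") or "",
            ))
    return triples


# Constructed sample responses in the documented shape (all values are made up).
SAMPLE_INCIDENT_PAGES = {
    1: {"items": [
            {"id": "INC-1", "riskScore": "90", "status": "New", "title": "Suspected lateral movement",
             "alertMeta": {"SourceIp": ["10.0.0.5"], "DestinationIp": ["10.0.0.9", "10.0.0.9"]}},
            {"id": "INC-2", "riskScore": "40", "status": "Assigned", "title": "Policy violation",
             "alertMeta": {"SourceIp": ["10.0.0.7"], "DestinationIp": []}}],
        "pageNumber": 1, "totalPages": 2, "hasPrevious": False, "totalItems": 3, "hasNext": True, "pageSize": 2},
    2: {"items": [
            {"id": "INC-3", "riskScore": "75", "status": "New", "title": "Beaconing to external host",
             "alertMeta": {"SourceIp": ["10.0.0.5"], "DestinationIp": ["203.0.113.10"]}}],
        "pageNumber": 2, "totalPages": 2, "hasPrevious": True, "totalItems": 3, "hasNext": False, "pageSize": 2},
}
SAMPLE_ALERT_PAGES = {
    1: {"items": [
            {"id": "ALT-1", "riskScore": "90", "title": "Admin share access", "type": "Network", "events": [
                {"eventSource": "endpoint", "eventSourceId": "e1", "domain": "",
                 "source": {"device": {"ipAddress": "10.0.0.5", "dnsHostname": "ws01"}, "user": {"username": "jdoe"}},
                 "destination": {"device": {"ipAddress": "10.0.0.9", "port": "445"}, "user": {}}},
                {"eventSource": "firewall", "eventSourceId": "e2", "domain": "",
                 "source": {"device": {"ipAddress": "10.0.0.5"}, "user": {}},
                 "destination": {"device": {"ipAddress": "203.0.113.10", "port": "443"}, "user": {}}}]}],
        "pageNumber": 1, "totalPages": 1, "hasPrevious": False, "totalItems": 1, "hasNext": False, "pageSize": 20},
}


def sample_incident_fetcher(page_number: int) -> dict:
    """Stand-in for the Get Incidents by Date Range step run with Page Number = page_number."""
    return SAMPLE_INCIDENT_PAGES[page_number]


def sample_alert_fetcher(page_number: int) -> dict:
    """Stand-in for the Get Incident Related Alerts step run with Page Number = page_number."""
    return SAMPLE_ALERT_PAGES[page_number]


if __name__ == "__main__":
    for inc in incidents_by_date_range(sample_incident_fetcher, min_risk_score=70):
        print(inc)
    print(sorted(indicators_from_alerts(sample_alert_fetcher)))
```

The loop stops on hasNext rather than on totalPages so it also behaves when the server reports totalPages as an empty string, and the MAX_PAGES cap plus the forward-only page counter guard against an envelope that keeps returning hasNext without advancing pageNumber, which would otherwise turn a collection step into an unbounded series of requests against the SIEM.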

Included playbooks

The Sample - RSA Netwitness SIEM - 1.0.0 playbook collection comes bundled with the RSA Netwitness SIEM connector. These playbooks contain steps you can use to perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in CyOPs™ after importing the RSA Netwitness SIEM connector.

  • Get Incident
  • Get Incident Related Alerts
  • Get Incidents by Date Range

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.
