NetWitness Corporation was a Reston, Virginia-based network security company that provided real-time network forensics and automated threat analysis solutions. Its flagship product was NetWitness NextGen.
This document provides information about the Netwitness connector, which facilitates automated interactions with a Netwitness server using FortiSOAR™ playbooks. Add the Netwitness connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving PCAP data and metadata information for specified IPs, domains, or usernames.
Connector Version: 1.0.1
Compatibility with FortiSOAR™ Versions: 4.9.0.0-708 and later
Compatibility with Netwitness Versions: 10.6.0.0 and later
The following enhancements have been made to the Netwitness Connector in version 1.0.1:
Masked the text entered in the Password field on the Configuration page.
Added a link to the online help.
Merged the Get PCAP for IP, Get PCAP for Domain, and Get PCAP for Username functions into a single function, named Get PCAP.
Merged the Get Meta for IP, Get Meta for Domain, and Get Meta for Username functions into a single function, named Get Meta.
For the procedure to install a connector, click here.
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, select the Netwitness connector and click Configure to configure the following parameters:
Parameter | Description |
---|---|
IP Address | IP Address of the Concentrator or Broker for the Netwitness server. |
Username | Username to access the Netwitness server. |
Password | Password to access the Netwitness server. |
Port | Port for the Concentrator or Broker. The port of the Concentrator is 50105 and the port of the Broker is 50103. |
Verify SSL | Specifies whether the SSL certificate presented by the Netwitness server is verified when the connector connects to it. Defaults to True. Leave this enabled wherever possible: with verification disabled the connector accepts any certificate, so the Username and Password can be intercepted by anyone able to redirect the connection. |
The following automated operations can be included in playbooks. From FortiSOAR™ release 4.10.0 onwards, you can also use the annotations to access these operations:
Function | Description | Annotation and Category |
---|---|---|
Get PCAP | Gets the PCAP data between the specified start and end time for a given IP, Domain, or Username. | get_pcap Investigation |
Get Meta | Gets metadata information between the specified start and end time for a given IP, Domain, or Username. | get_network_meta Investigation |
Make Raw Netwitness Query | Runs a generalized SQL query, that is, any query you require, for example, "query" : "select * where domain.dst='1e100.net'" . | run_query Investigation |
Get Session Ids from where statement | Gets Session Ids based on a given SQL query. | run_query Investigation |
Get PCAP for Session Ids | Gets PCAP data from a list of specified Session IDs. | get_pcap Investigation |
Get PCAP takes the following input parameters:
Parameter | Description |
---|---|
Type | Type can be an IP address, Domain, or Username. |
Value | Value of the IP address, Domain, or Username for which you want to retrieve PCAP data. |
Start Time | Start time from which you want to retrieve PCAP data. Start time must be in the string format: YYYY-MM-DD HH:MM:SS . |
End Time | End time up to which you want to retrieve PCAP data. End time must be in the string format: YYYY-MM-DD HH:MM:SS . |
The output for this operation is a PCAP file based on the inputs you have specified. The PCAP file is uploaded to the Attachments module in FortiSOAR™.
When you add this function as a step in your custom playbook, or if you run the Get PCAP from IP sample playbook, which contains get_pcap_from_ip as a step, the output of the function is in JSON format and contains the FortiSOAR™ attachment IRI, as shown in the sample outputs in the following images.
The following image displays a sample output if you provide an IP address as the input to this operation:
The following image displays a sample output if you provide a domain as the input to this operation:
The following image displays a sample output if you provide a username as the input to this operation:
Get Meta takes the following input parameters:
Parameter | Description |
---|---|
Type | Type can be an IP address, Domain, or Username. |
Value | Value of the IP address, Domain, or Username for which you want to retrieve metadata. |
Start Time | Start time from which you want to retrieve metadata. Start time must be in the string format: YYYY-MM-DD HH:MM:SS . |
End Time | End time up to which you want to retrieve metadata. End time must be in the string format: YYYY-MM-DD HH:MM:SS . |
The JSON output contains the metadata information for the specified IP, Domain, or Username.
The following image displays a sample output if you provide an IP address as the input to this operation:
The following image displays a sample output if you provide a domain as the input to this operation:
The following image displays a sample output if you provide a username as the input to this operation:
Make Raw Netwitness Query takes the following input parameter:
Parameter | Description |
---|---|
SQL Query | Generalized SQL query based on which you want to retrieve data from the Netwitness server. |
The JSON output contains the query response.
The following image displays a sample output:
Get Session Ids from where statement takes the following input parameter:
Parameter | Description |
---|---|
SQL Query | SQL query based on which you want to retrieve Session IDs from the Netwitness server. |
The JSON output contains the list of Session IDs based on the given SQL query.
Following image displays a sample output:
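The Get PCAP, Get Meta, and Get Session Ids operations all reduce to a Netwitness where clause built from a Type, a Value, and a time window, and the Make Raw Netwitness Query operation accepts such a clause verbatim. Because the Value usually comes straight from an alert (an attacker-controlled indicator), it must be validated before it is interpolated into the query, otherwise a crafted value such as `x' || ip.src=1.2.3.4` can append its own conditions. The following Python is an added example, not the connector's or Netwitness's own code: it builds a validated where clause for each of the three types, and groups a query response into per-session metadata. The meta keys (ip.src, ip.dst, alias.host, username), the `time='start'-'end'` range syntax, and the response layout (results.fields entries carrying type, value, and group, where group is the session ID) are assumptions based on the Netwitness Core query language and REST API; the sample response is constructed.

```python
"""Added example, not the FortiSOAR connector's own code.

Builds the Netwitness where clause behind the Get PCAP / Get Meta / Get Session
Ids inputs (Type, Value, Start Time, End Time) with input validation, and groups
a JSON query response into per-session metadata.  The response layout
(results.fields[] entries carrying type, value and group == session id) is
assumed from the Netwitness Core REST API; the sample response is constructed.
"""
import ipaddress
import re
from datetime import datetime

TIME_FMT = "%Y-%m-%d %H:%M:%S"           # format the connector documents
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$")
USER_RE = re.compile(r"^[A-Za-z0-9._@\\-]{1,256}$")   # allows DOMAIN\user

# Meta keys searched for each selector type (assumed; the connector may use others).
META_KEYS = {
    "ip": ("ip.src", "ip.dst"),
    "domain": ("alias.host",),
    "username": ("username",),
}


def _literal(value: str) -> str:
    # Values reach here only after a whitelist check that excludes quotes, so
    # wrapping in single quotes cannot be broken out of by the input.
    return f"'{value}'"


def parse_time(text: str) -> datetime:
    """Reject anything that is not exactly YYYY-MM-DD HH:MM:SS."""
    return datetime.strptime(text, TIME_FMT)


def build_where(kind: str, value: str, start: str, end: str) -> str:
    """Return a where clause for one indicator inside the [start, end] window.

    Untrusted playbook input is validated before it is interpolated, so a
    value such as "x' || ip.src=1.2.3.4" raises instead of widening the query.
    """
    kind = kind.lower()
    if kind not in META_KEYS:
        raise ValueError(f"unsupported type {kind!r}")
    if kind == "ip":
        term = str(ipaddress.ip_address(value))        # IPs are unquoted
    elif kind == "domain":
        if not DOMAIN_RE.match(value):
            raise ValueError(f"invalid domain {value!r}")
        term = _literal(value.lower())
    else:
        if not USER_RE.match(value):
            raise ValueError(f"invalid username {value!r}")
        term = _literal(value)
    t0, t1 = parse_time(start), parse_time(end)
    if t1 <= t0:
        raise ValueError("End Time must be later than Start Time")
    window = f"time={_literal(t0.strftime(TIME_FMT))}-{_literal(t1.strftime(TIME_FMT))}"
    selector = " || ".join(f"{key}={term}" for key in META_KEYS[kind])
    return f"{window} && ({selector})"


def build_query(where: str, select: str = "*") -> str:
    """The full statement a Make Raw Netwitness Query step would send."""
    return f"select {select} where {where}"


def sessions_from_response(response: dict) -> dict:
    """Group the flat results.fields list by session id (the 'group' field)."""
    sessions: dict = {}
    for field in response.get("results", {}).get("fields", []):
        meta = sessions.setdefault(int(field["group"]), {})
        meta.setdefault(field["type"], []).append(field["value"])
    return sessions


def session_ids(sessions: dict) -> list:
    """Sorted session ID list, the input shape of Get PCAP for Session Ids."""
    return sorted(sessions)


# Constructed sample response: two sessions, one with a domain hit and one without.
SAMPLE_RESPONSE = {"results": {"id1": 0, "id2": 0, "fields": [
    {"type": "sessionid", "value": "1042", "group": 1042},
    {"type": "ip.src", "value": "10.1.2.3", "group": 1042},
    {"type": "alias.host", "value": "1e100.net", "group": 1042},
    {"type": "sessionid", "value": "1043", "group": 1043},
    {"type": "ip.src", "value": "10.1.2.3", "group": 1043},
]}}

if __name__ == "__main__":
    where = build_where("ip", "10.1.2.3", "2019-01-01 00:00:00", "2019-01-01 01:00:00")
    print(build_query(where, "sessionid"))
    print(session_ids(sessions_from_response(SAMPLE_RESPONSE)))
```

The validation is deliberately a whitelist rather than an escaping routine: the page does not document how Netwitness escapes quotes inside a literal, and an IP, hostname, or account name never legitimately contains one, so rejecting such values is both safer and simpler. The same check belongs in front of any playbook variable that feeds the Make Raw Netwitness Query step.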
Parameter | Description |
---|---|
Session Ids | List of session IDs based on which you want to retrieve PCAP data from the Netwitness server. |
The output for this operation is a PCAP file retrieved for the specified Session IDs. The PCAP file is uploaded to the Attachments module in FortiSOAR™.
When you add this function as a step in your custom playbook, or if you run the Get PCAP for Session Ids sample playbook, which contains get_pcap as a step, the output of the function is in JSON format and contains the FortiSOAR™ attachment IRI, as shown in the sample output in the following image:
The Sample - Netwitness - 1.0.1 playbook collection comes bundled with the Netwitness connector. This collection contains playbooks using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Netwitness connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.