
About the connector

NetWitness Corporation was a network security company based in Reston, Virginia, that provided real-time network forensics and automated threat analysis solutions. Its flagship product was NetWitness NextGen.

This document provides information about the Netwitness connector, which facilitates automated interactions with a Netwitness server using FortiSOAR™ playbooks. Add the Netwitness connector as a step in FortiSOAR™ playbooks to perform automated operations, such as retrieving PCAP data and retrieving metadata for specified IPs or domains.

 

Version information

Connector Version: 1.0.1

Compatibility with FortiSOAR™ Versions: 4.9.0.0-708 and later

Compatibility with Netwitness Versions: 10.6.0.0 and later

 

Release Notes for version 1.0.1

The following enhancements have been made to the Netwitness Connector in version 1.0.1:

  • Masked the text entered in the Password field on the Configuration page.

  • Added a link to the online help.

  • Merged the Get PCAP for IP, Get PCAP for Domain, and Get PCAP for Username functions into a single function, named Get PCAP.

  • Merged the Get Meta for IP, Get Meta for Domain, and Get Meta for Username functions into a single function, named Get Meta.

 

Installing the connector

For the procedure to install a connector, click here.

 

Prerequisites to configuring the connector

  • You must have the URL of the Netwitness server to which you will connect and perform the automated operations, and the credentials to access that server.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Configuring the connector

For the procedure to configure a connector, click here.

 

Configuration parameters

In FortiSOAR™, on the Connectors page, select the Netwitness connector and click Configure to configure the following parameters:

 

  • IP Address: IP address of the Concentrator or Broker for the Netwitness server.
  • Username: Username to access the Netwitness server.
  • Password: Password to access the Netwitness server.
  • Port: Port for the Concentrator or Broker. The port of the Concentrator is 50105 and the port of the Broker is 50103.
  • Verify SSL: Specifies whether an SSL certificate will be required for the connection between the Netwitness connector and the Netwitness server. Defaults to True.
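The Verify SSL parameter decides whether the connector validates the certificate presented by the Concentrator or Broker. The following added example (not the connector's own code; the dataclass field names, the port-to-role mapping and the address 192.0.2.10 are this example's assumptions) shows what the True and False settings mean at the TLS layer, next to a validation of the other configuration parameters from the table above:

```python
import http.client
import logging
import ssl
from dataclasses import dataclass

log = logging.getLogger("netwitness_connector_example")

# Ports documented for the connector's Port parameter: Concentrator 50105, Broker 50103.
SERVICE_PORTS = {"concentrator": 50105, "broker": 50103}


@dataclass(frozen=True)
class ConnectorConfig:
    """Mirrors the connector's configuration parameters (field names are this example's own)."""
    ip_address: str
    username: str
    password: str
    port: int
    verify_ssl: bool = True  # the documented default


def validate_config(cfg: ConnectorConfig) -> None:
    """Reject configurations that cannot work, and make a weakened one visible in the logs."""
    if not (cfg.ip_address and cfg.username and cfg.password):
        raise ValueError("IP Address, Username and Password are all required")
    if cfg.port not in SERVICE_PORTS.values():
        raise ValueError(
            f"Port must be one of {sorted(SERVICE_PORTS.values())} (Concentrator or Broker)"
        )
    if not cfg.verify_ssl:
        # Allowed by the connector, but it should never pass unnoticed.
        log.warning("Verify SSL is False: the certificate of %s will not be checked", cfg.ip_address)


def service_role(port: int) -> str:
    """Map a configured port back to the NetWitness service it belongs to."""
    for role, service_port in SERVICE_PORTS.items():
        if service_port == port:
            return role
    raise ValueError(f"unknown NetWitness service port {port}")


def make_ssl_context(verify_ssl: bool) -> ssl.SSLContext:
    """Translate the Verify SSL flag into a TLS context.

    verify_ssl=True  -> certificate chain validated and hostname checked (CERT_REQUIRED).
    verify_ssl=False -> the weak setting: any certificate is accepted (CERT_NONE).
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True, system trust store
    if not verify_ssl:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def open_connection(cfg: ConnectorConfig) -> http.client.HTTPSConnection:
    """Build (but do not yet open) an HTTPS connection to the Concentrator or Broker."""
    validate_config(cfg)
    return http.client.HTTPSConnection(
        cfg.ip_address, cfg.port, context=make_ssl_context(cfg.verify_ssl), timeout=30
    )


if __name__ == "__main__":
    # Constructed sample configuration; 192.0.2.10 is a documentation address, not a real server.
    sample = ConnectorConfig("192.0.2.10", "analyst", "example-password", SERVICE_PORTS["concentrator"])
    conn = open_connection(sample)
    print(service_role(conn.port), conn.host, conn.port, make_ssl_context(sample.verify_ssl).verify_mode.name)
```

Leaving Verify SSL at its default of True is what makes the Username and Password in the table above safe to send: with CERT_NONE the connector would hand them to whatever host answers on port 50105 or 50103.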

 

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:

 

  • Get PCAP: Gets the PCAP data between the specified start and end time for a given IP, Domain, or Username. Annotation: get_pcap. Category: Investigation.
  • Get Meta: Gets metadata information between the specified start and end time for a given IP, Domain, or Username. Annotation: get_network_meta. Category: Investigation.
  • Make Raw Netwitness Query: Runs a Generalized SQL query. A generalized SQL query is one where you can write a query you require, for example, "query" : "select * where domain.dst='1e100.net'". Annotation: run_query. Category: Investigation.
  • Get Session Ids from where statement: Gets Session Ids based on a given SQL query. Annotation: run_query. Category: Investigation.
  • Get PCAP for Session Ids: Gets PCAP data from a list of specified Session IDs. Annotation: get_pcap. Category: Investigation.

 

 

operation: Get PCAP

Input parameters

 

  • Type: Type can be an IP address, Domain, or Username.
  • Value: Value of the IP address, Domain, or Username for which you want to retrieve PCAP data.
  • Start Time: Start time from which you want to retrieve PCAP data. Start time must be in the string format: YYYY-MM-DD HH:MM:SS.
  • End Time: End time until which you want to retrieve PCAP data. End time must be in the string format: YYYY-MM-DD HH:MM:SS.

 

Output

The output for this operation is a PCAP file based on the inputs you have specified. The PCAP file is uploaded to the Attachments module in FortiSOAR™.

When you add this function as a step in your custom playbook, or when you run the Get PCAP from IP sample playbook, which contains get_pcap_from_ip as a step, the output of the function is in JSON format and contains the FortiSOAR™ attachment IRI, as shown in the sample output in the following image.

The following image displays a sample output if you provide an IP address as the input to this operation:

 

Sample output of the Get PCAP operation with IP as input

 

The following image displays a sample output if you provide a domain as the input to this operation:

 

Sample output of the Get PCAP operation with Domain as input

 

The following image displays a sample output if you provide a username as the input to this operation:

 

Sample output of the Get PCAP operation with Username as input

 

operation: Get Meta

Input parameters

 

  • Type: Type can be an IP address, Domain, or Username.
  • Value: Value of the IP address, Domain, or Username for which you want to retrieve metadata.
  • Start Time: Start time from which you want to retrieve metadata. Start time must be in the string format: YYYY-MM-DD HH:MM:SS.
  • End Time: End time until which you want to retrieve metadata. End time must be in the string format: YYYY-MM-DD HH:MM:SS.

 

Output

The JSON output contains the metadata information for the specified IP, Domain, or Username.

The following image displays a sample output if you provide an IP address as the input to this operation:

 

Sample output of the Get Meta operation with IP as input

 

The following image displays a sample output if you provide a domain as the input to this operation:

 

Sample output of the Get Meta operation with Domain as input

 

The following image displays a sample output if you provide a username as the input to this operation:

 

Sample output of the Get Meta operation with Username as input

 

operation: Make Raw Netwitness Query

Input parameters

 

  • SQL Query: Generalized SQL query based on which you want to retrieve data from the Netwitness server.

 

Output

The JSON output contains the query response.

The following image displays a sample output:

Sample output of the Make Raw Netwitness Query operation

 

operation: Get Session Ids from where statement

Input parameters

 

  • SQL Query: SQL query based on which you want to retrieve Session IDs from the Netwitness server.

 

Output

The JSON output contains the list of Session IDs based on the given SQL query.
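The Type, Value, Start Time and End Time inputs of Get PCAP and Get Meta, and the free-form query of Make Raw Netwitness Query and Get Session Ids from where statement, usually arrive from an alert or a playbook variable rather than from an analyst typing them. The following added example (not the connector's own code) validates those inputs by allow-list before they are turned into query text, so a stray quote or operator in an indicator can never change the meaning of the where statement. The meta keys ip.src, ip.dst, alias.host and username, the `||`/`&&` operators and the `time='...'-'...'` range form are this example's assumptions about the NetWitness query language; only domain.dst and the `select * where ...` shape come from the page.

```python
import ipaddress
import re
from datetime import datetime

# Assumed meta keys to match for each input Type (not taken from the connector page).
META_KEYS = {
    "IP address": ("ip.src", "ip.dst"),
    "Domain": ("alias.host", "domain.dst"),
    "Username": ("username",),
}
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"  # the page's "YYYY-MM-DD HH:MM:SS"

# Conservative allow-lists: anything outside them is rejected rather than escaped.
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)
_USERNAME_RE = re.compile(r"^[A-Za-z0-9._@\\-]{1,128}$")  # allows DOMAIN\user and user@realm
# Assumed shape of a raw query, matching the page's example "select * where domain.dst='1e100.net'".
_RAW_QUERY_RE = re.compile(r"^select\s+.+?\s+where\s+.+$", re.I)


def validate_value(type_: str, value: str) -> str:
    """Return the value in canonical form, or raise ValueError if it is not a clean indicator."""
    value = value.strip()
    if type_ == "IP address":
        return str(ipaddress.ip_address(value))  # raises ValueError on anything that is not an IP
    if type_ == "Domain":
        if not _DOMAIN_RE.match(value):
            raise ValueError(f"not a valid domain name: {value!r}")
        return value.lower()
    if type_ == "Username":
        if not _USERNAME_RE.match(value):
            raise ValueError(f"username contains characters outside the allowed set: {value!r}")
        return value
    raise ValueError(f"Type must be IP address, Domain, or Username, not {type_!r}")


def validate_time_range(start: str, end: str):
    """Parse both timestamps in the documented format and require a non-empty window."""
    s = datetime.strptime(start, TIME_FORMAT)
    e = datetime.strptime(end, TIME_FORMAT)
    if e <= s:
        raise ValueError("End Time must be after Start Time")
    return s, e


def build_where(type_: str, value: str, start: str, end: str) -> str:
    """Build the where statement for a Get PCAP / Get Meta style lookup from validated inputs."""
    v = validate_value(type_, value)
    s, e = validate_time_range(start, end)
    match = " || ".join(f"{key}='{v}'" for key in META_KEYS[type_])
    window = f"time='{s.strftime(TIME_FORMAT)}'-'{e.strftime(TIME_FORMAT)}'"
    return f"({match}) && {window}"


def check_raw_query(query: str) -> str:
    """Gate a free-form query before it reaches Make Raw Netwitness Query or Get Session Ids.

    Accepts exactly one single-line "select ... where ..." statement; rejects control
    characters and ';' so that pasted or templated text cannot smuggle in a second statement.
    """
    q = query.strip()
    if ";" in q or any(ord(c) < 32 for c in q):
        raise ValueError("raw query must be a single line without ';' or control characters")
    if not _RAW_QUERY_RE.match(q):
        raise ValueError("raw query must have the form: select <fields> where <condition>")
    return q


if __name__ == "__main__":
    # Constructed sample inputs, as a playbook might pass them.
    print(build_where("IP address", " 10.0.0.5 ", "2020-01-01 00:00:00", "2020-01-01 01:00:00"))
    print(check_raw_query("select * where domain.dst='1e100.net'"))
```

Rejecting rather than escaping keeps the example independent of the server's quoting rules: a Domain value such as `1e100.net' || ip.src='0.0.0.0` fails the domain allow-list before any query text is assembled, and a raw query carrying a second statement is refused before the run_query step is reached.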

The following image displays a sample output:

 

Sample output of the Get Session Ids from where statement operation

 

operation: Get PCAP for Session Ids

Input parameters

 

  • Session Ids: List of session IDs based on which you want to retrieve PCAP data from the Netwitness server.

 

Output

The output for this operation is a PCAP file that is retrieved based on the specified Session IDs. The PCAP file is uploaded to the Attachments module in FortiSOAR™.

When you add this function as a step in your custom playbook, or when you run the Get PCAP for Session Ids sample playbook, which contains get_pcap as a step, the output of the function is in JSON format and contains the FortiSOAR™ attachment IRI, as shown in the sample output in the following image:

 

Sample output of the Get PCAP for Session Ids operation

 

Included playbooks

The Sample - Netwitness - 1.0.1 playbook collection comes bundled with the Netwitness connector. These playbooks contain steps with which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Whois RDAP connector.

  • Get PCAP from IP
  • Get PCAP from Domain
  • Get PCAP from Username
  • Get Meta from IP
  • Get Meta from Domain
  • Get Meta from Username
  • Run Raw Netwitness Query
  • Get Session IDs from where statement
  • Get PCAP for Session Ids

Note: If you plan to use any of the sample playbooks in your environment, clone those playbooks and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.

 
