About the connector
NetWitness Corporation was earlier Reston, a Virginia-based network security company, that provided real-time network forensics and automated threat analysis solutions. Its flagship product was NetWitness NextGen.
This document provides information about the RSA Netwitness Logs and Packets connector, which facilitates automated interactions, with a Netwitness server using FortiSOAR™ playbooks. Add the RSA Netwitness Logs and Packets connector as a step in FortiSOAR™ playbooks and perform automated operations, such as automatically getting information about PCAP data, and getting metadata information for specified IPs or domains.
Version information
Connector Version: 1.0.2
FortiSOAR™ Version Tested on: 4.11.0-1161
Netwitness Version Tested on: 10.6.0.0 and later
Release Notes for version 1.0.2
Following enhancements have been made to the RSA Netwitness Logs and Packets Connector in version 1.0.2:
-
Changed the name of the connector from Netwitness to RSA Netwitness Logs and Packets.
-
Added tags and descriptions to the playbooks
-
Changed the the following operation names:
- Make Raw Netwitness Query to Netwitness Search
- Get Meta to Get Metadata
- Get Get PCAP to Get PCAP Data
-
Added the Size parameter to the Get PCAP Data, Get Metadata, Netwitness Search, and Get Session IDs operations so that you can limit the result of query.
-
Added the Keys parameter to the Get PCAP Data and Get Metadata operations so that enter the appropriate key value.
Installing the connector
All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:
yum install cyops-connector-rsa-netwitness-logs-and-packets
For the detailed procedure to install a connector, click here.
Prerequisites to configuring the connector
- You must have the IP address of the Concentrator or Broker for the Netwitness server to which you will connect and perform automated operations and credentials to access that server.
- To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.
Important: Following are the minimal roles that are required to configure the connector for Netwitness:
Configuring the connector
For the procedure to configure a connector, click here.
Configuration parameters
In FortiSOAR™, on the Connectors page, select the Netwitness connector and click Configure to configure the following parameters:
| Parameter |
Description |
| Address of Concentrator or Broker: |
IP address of the Concentrator or Broker for the Netwitness server to which you will connect and perform automated operations. |
| Username |
Username of the Concentrator or Broker for the Netwitness server to which you will connect and perform automated operations. |
| Password |
Password of the Concentrator or Broker for the Netwitness server to which you will connect and perform automated operations. |
| Port |
Port for the Concentrator or Broker. The port of the Concentrator is 50105 and the port of the Broker is 50103. |
| Protocol |
Protocol used to remotely connect to the Netwitness server. Choose between HTTP or HTTPS. |
| Verify SSL |
Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True. |
Actions supported by the connector
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
| Function |
Description |
Annotation and Category |
| Get PCAP Data |
Retrieves the PCAP data between the specified start and end time for a given IP, Domain, or Username, and other input parameters from the Netwitness server |
get_pcap
Investigation |
| Get Metadata |
Retrieves the Metadata information between the specified start and end time for a given IP, Domain, or Username, and other input parameters from the Netwitness server. |
get_network_meta
Investigation |
| Netwitness Search |
Runs a Generalized SQL query on the Netwitness server.
A generalized SQL query is one where you can write a query you require, for example, "query" : "select * where domain.dst='1e100.net'". |
run_query
Investigation |
| Get Session IDs |
Retrieves Session Ids based on a SQL query that you have specified from the Netwitness server. |
run_query
Investigation |
| Get PCAP Data for Session IDs |
Retrieves PCAP data for a list of Session IDs that you have specified from the Netwitness server. |
get_pcap
Investigation |
operation: Get PCAP Data
Input parameters
| Parameter |
Description |
| Type |
Type of object for which you want to retrieve PCAP data from the Netwitness server. You can choose between IP address, Domain, or Username. |
| Key |
Key value of the type for which you want to retrieve PCAP data from the Netwitness server.
For example, If you choose IP address, then enter ip.src,ip.dst. If you choose Domain, then enter domain.src,domain.dst. If you choose Username, then enter username. |
| Value |
Value of the IP address, Domain, or Username for which you want to retrieve PCAP data from the Netwitness server. |
| Start Time |
(Optional) Start time from which you want to retrieve PCAP data from the Netwitness server. Start time must be in the string format: YYYY-MM-DD HH:MM:SS. |
| End Time |
(Optional) End time till when you want to retrieve PCAP data from the Netwitness server. End time must be in the string format: YYYY-MM-DD HH:MM:SS. |
| Size |
(Optional) Maximum number of search results this operation should return. |
Output
The output for this operation is a PCAP file based on the inputs you have specified. The PCAP file is uploaded to theAttachments module in FortiSOAR™.
When you add this function as a step in your custom playbook or if you run the Get PCAP from IP sample playbook, which contains get_pcap_from_ip as a step, then the output of the function is in the JSON format and it contains the FortiSOAR™ Attachment IRI as shown as a sample output in the following image:
operation: Get Metadata
Input parameters
| Parameter |
Description |
| Type |
Type of object for which you want to retrieve Metadata information from the Netwitness server. You can choose between IP address, Domain, or Username. |
| Key |
Key value of the type for which you want to retrieve Metadata information from the Netwitness server.
For example, If you choose IP address, then enter ip.src,ip.dst. If you choose Domain, then enter domain.src,domain.dst. If you choose Username, then enter username. |
| Value |
Value of the IP address, Domain, or Username for which you want to retrieve Metadata information from the Netwitness server. |
| Start Time |
Start time from which you want to retrieve Metadata information. Start time must be in the string format: YYYY-MM-DD HH:MM:SS. |
| End Time |
End time till when you want to retrieve Metadata information. Start time must be in the string format: YYYY-MM-DD HH:MM:SS. |
| Size |
(Optional) Maximum number of search results this operation should return. |
Output
The JSON output contains the metadata information for the IP address, Domain, or Username that you have specified retrieved from the Netwitness server.
Following image displays a sample output, if you provide an IP address as the input to this operation:
Following image displays a sample output, if you provide a domain as the input to this operation:
Following image displays a sample output, if you provide a username as the input to this operation:
operation: Netwitness Search
Input parameters
| Parameter |
Description |
| SQL Query |
Generalized SQL query based on which you want to retrieve data from the Netwitness server. |
| Size |
(Optional) Maximum number of search results this operation should return. |
Output
The JSON output contains the search results based on the query that you have specified, retrieved from the Netwitness server.
Following image displays a sample output:
operation: Get Session IDs
Input parameters
| Parameter |
Description |
| SQL Query |
SQL query based on which you want to retrieve Session IDs from the Netwitness server. |
| Size |
(Optional) Maximum number of search results this operation should return. |
Output
The JSON output contains a list of Session IDs based on the SQL query that you had specified, retrieved from the Netwitness server.
Following image displays a sample output:
operation: Get PCAP for Session IDs
Input parameters
| Parameter |
Description |
| Session IDs |
List of session IDs based on which you want to retrieve PCAP data from the Netwitness server. |
Output
The output for this operation is a PCAP file that is retrieved based on the Session IDs you have specified. The PCAP file is uploaded to the Attachments module in FortiSOAR™.
When you add this function as a step in your custom playbook or if you run the Get PCAP for Session Ids sample playbook, which contains get_pcap as a step, then the output of the function is in the JSON format and it contains the FortiSOAR™ Attachment IRI as shown as a sample output in the following image:
Included playbooks
The Sample - RSA Netwitness Logs and Packages - 1.0.2 playbook collection comes bundled with the RSA Netwitness Logs and Packages connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the RSA Netwitness Logs and Packages connector.
- Get Metadata for Domain
- Get Metadata for IP Address
- Get Metadata for Username
- Get PCAP data for Domain
- Get PCAP data for IP Address
- Get PCAP data for Session IDs
- Get PCAP data for Username
- Get Session IDs
- Netwitness Search
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.
