NetWitness Corporation was a Reston, Virginia-based network security company that provided real-time network forensics and automated threat analysis solutions. Its flagship product was NetWitness NextGen.
This document provides information about the RSA Netwitness Logs and Packets connector, which facilitates automated interactions with a Netwitness server using FortiSOAR™ playbooks. Add the RSA Netwitness Logs and Packets connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving PCAP data and metadata for specified IP addresses, domains, or usernames.
Connector Version: 1.0.2
FortiSOAR™ Version Tested on: 4.11.0-1161
Netwitness Version Tested on: 10.6.0.0 and later
Following enhancements have been made to the RSA Netwitness Logs and Packets Connector in version 1.0.2:
Changed the name of the connector from Netwitness to RSA Netwitness Logs and Packets.
Added tags and descriptions to the playbooks
Changed the following operation names:
Added the Size parameter to the Get PCAP Data, Get Metadata, Netwitness Search, and Get Session IDs operations so that you can limit the number of results a query returns.
Added the Key parameter to the Get PCAP Data and Get Metadata operations so that you can enter the meta keys to match for the selected type.
All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:
yum install cyops-connector-rsa-netwitness-logs-and-packets
For the detailed procedure to install a connector, click here.
Important: Following are the minimal roles that are required to configure the connector for Netwitness:
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, select the RSA Netwitness Logs and Packets connector and click Configure to configure the following parameters:
Parameter | Description |
---|---|
Address of Concentrator or Broker | IP address of the Concentrator or Broker for the Netwitness server to which you will connect and perform automated operations. |
Username | Username of the Concentrator or Broker for the Netwitness server to which you will connect and perform automated operations. |
Password | Password of the Concentrator or Broker for the Netwitness server to which you will connect and perform automated operations. |
Port | Port for the Concentrator or Broker. The Concentrator listens on port 50105 and the Broker on port 50103. |
Protocol | Protocol used to remotely connect to the Netwitness server. Choose between HTTP or HTTPS. Use HTTPS wherever the appliance supports it; over HTTP the credentials, queries, and returned metadata cross the network in the clear. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified. By default, this option is set as True. Leave it enabled in production: with verification off, anyone who can intercept the connection can impersonate the Concentrator or Broker and read the credentials and query results. |
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
Function | Description | Annotation and Category |
---|---|---|
Get PCAP Data | Retrieves the PCAP data between the specified start and end time for a given IP, Domain, or Username, and other input parameters from the Netwitness server. | get_pcap Investigation |
Get Metadata | Retrieves the Metadata information between the specified start and end time for a given IP, Domain, or Username, and other input parameters from the Netwitness server. | get_network_meta Investigation |
Netwitness Search | Runs a generalized SQL query on the Netwitness server. A generalized SQL query is one where you write the query you require, for example, "query" : "select * where domain.dst='1e100.net'" . | run_query Investigation |
Get Session IDs | Retrieves Session Ids based on a SQL query that you have specified from the Netwitness server. | run_query Investigation |
Get PCAP Data for Session IDs | Retrieves PCAP data for a list of Session IDs that you have specified from the Netwitness server. | get_pcap Investigation |
Input parameters for the Get PCAP Data operation:
Parameter | Description |
---|---|
Type | Type of object for which you want to retrieve PCAP data from the Netwitness server. You can choose between IP address, Domain, or Username. |
Key | Key value of the type for which you want to retrieve PCAP data from the Netwitness server. For example, If you choose IP address, then enter ip.src,ip.dst . If you choose Domain, then enter domain.src,domain.dst . If you choose Username, then enter username . |
Value | Value of the IP address, Domain, or Username for which you want to retrieve PCAP data from the Netwitness server. |
Start Time | (Optional) Start time from which you want to retrieve PCAP data from the Netwitness server. Start time must be in the string format: YYYY-MM-DD HH:MM:SS . |
End Time | (Optional) End time till when you want to retrieve PCAP data from the Netwitness server. End time must be in the string format: YYYY-MM-DD HH:MM:SS . |
Size | (Optional) Maximum number of search results this operation should return. |
The output for this operation is a PCAP file based on the inputs you have specified. The PCAP file is uploaded to the Attachments module in FortiSOAR™.
When you add this function as a step in your custom playbook, or if you run the Get PCAP from IP sample playbook, which contains get_pcap_from_ip as a step, the output of the function is in JSON format and contains the FortiSOAR™ Attachment IRI, as shown in the following sample output image:
Input parameters for the Get Metadata operation:
Parameter | Description |
---|---|
Type | Type of object for which you want to retrieve Metadata information from the Netwitness server. You can choose between IP address, Domain, or Username. |
Key | Key value of the type for which you want to retrieve Metadata information from the Netwitness server. For example, If you choose IP address, then enter ip.src,ip.dst . If you choose Domain, then enter domain.src,domain.dst . If you choose Username, then enter username . |
Value | Value of the IP address, Domain, or Username for which you want to retrieve Metadata information from the Netwitness server. |
Start Time | Start time from which you want to retrieve Metadata information. Start time must be in the string format: YYYY-MM-DD HH:MM:SS . |
End Time | End time till when you want to retrieve Metadata information. End time must be in the string format: YYYY-MM-DD HH:MM:SS . |
Size | (Optional) Maximum number of search results this operation should return. |
The JSON output contains the metadata information for the IP address, Domain, or Username that you specified, retrieved from the Netwitness server.
The following image displays a sample output if you provide an IP address as the input to this operation:
The following image displays a sample output if you provide a domain as the input to this operation:
The following image displays a sample output if you provide a username as the input to this operation:
Input parameters for the Netwitness Search operation:
Parameter | Description |
---|---|
SQL Query | Generalized SQL query based on which you want to retrieve data from the Netwitness server. |
Size | (Optional) Maximum number of search results this operation should return. |
The JSON output contains the search results for the query you specified, retrieved from the Netwitness server.
The following image displays a sample output:
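The Get PCAP Data, Get Metadata and Netwitness Search operations all reduce to one NetWitness query that the connector assembles from the Type, Key, Value, Start Time, End Time and Size inputs. The Python below is an added example, not code from the connector or from RSA, of how to build that query safely when the Value arrives from an alert or an enrichment step rather than from an analyst: keys and values are allow-listed instead of escaped, so an indicator such as `x' || ip.src=10.0.0.1` cannot extend or rewrite the where clause. The `||`/`&&` operators and the `time='start'-'end'` range form are my reading of the NetWitness query language, not something this page shows, and `sdk_params` (the `msg=query` parameters for the Concentrator/Broker `/sdk` endpoint) and the `MAX_SIZE` cap are assumptions about the REST SDK; confirm both against the SDK reference for your NetWitness version.

```python
"""Build the NetWitness query behind Get PCAP Data / Get Metadata / Netwitness Search.

Added example for this page, not the connector's own code. The input names (Type, Key,
Value, Start Time, End Time, Size) and the default keys per Type come from the
documentation; the query operators and the /sdk parameters are assumptions noted inline.
"""
import ipaddress
import re
from datetime import datetime

# Default keys per Type, as listed for the Key parameter in the documentation.
DEFAULT_KEYS = {
    "IP address": ["ip.src", "ip.dst"],
    "Domain": ["domain.src", "domain.dst"],
    "Username": ["username"],
}
TIME_FMT = "%Y-%m-%d %H:%M:%S"   # Start Time / End Time string format from the docs
MAX_SIZE = 10000                 # hypothetical cap on Size; tune to your Concentrator

# Allow-lists. Anything outside them (quotes, spaces, ||, &&, =) is rejected, so a
# Value taken from an alert cannot extend or rewrite the where clause.
KEY_RE = re.compile(r"[a-z][a-z0-9]*(?:\.[a-z0-9]+)*")
DOMAIN_RE = re.compile(r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")
USER_RE = re.compile(r"[A-Za-z0-9._@\\-]{1,128}")


def parse_keys(type_, keys):
    """Split the comma-separated Key parameter, or fall back to the defaults for the
    Type. Every key must match KEY_RE, so 'domain.dst || ip.src' is refused."""
    names = [k.strip() for k in keys.split(",")] if keys else DEFAULT_KEYS[type_]
    for k in names:
        if not KEY_RE.fullmatch(k):
            raise ValueError(f"invalid meta key: {k!r}")
    return names


def render_value(type_, value):
    """Validate the Value for its Type and render it as a query literal. IPs are
    normalized by the ipaddress module and emitted bare; domains and usernames are
    checked against an allow-list and single-quoted. Nothing is escaped: out-of-list
    input is an error, which does not depend on knowing NetWitness's escaping rules."""
    if type_ == "IP address":
        return str(ipaddress.ip_address(value.strip()))   # ValueError on anything else
    if type_ == "Domain":
        v = value.strip().lower()
        if not DOMAIN_RE.fullmatch(v):
            raise ValueError(f"invalid domain: {value!r}")
        return f"'{v}'"
    if type_ == "Username":
        if not USER_RE.fullmatch(value):
            raise ValueError(f"invalid username: {value!r}")
        return f"'{value}'"
    raise ValueError(f"unknown type: {type_!r}")


def time_clause(start, end):
    """Both bounds or neither; both must parse with TIME_FMT and start must precede end."""
    if start is None and end is None:
        return None
    if start is None or end is None:
        raise ValueError("Start Time and End Time must be given together")
    s, e = datetime.strptime(start, TIME_FMT), datetime.strptime(end, TIME_FMT)
    if s >= e:
        raise ValueError("Start Time must be before End Time")
    # Assumption: NetWitness expresses a time window as time='start'-'end'.
    return f"time='{s.strftime(TIME_FMT)}'-'{e.strftime(TIME_FMT)}'"


def build_query(type_, value, keys=None, start=None, end=None):
    """Return the 'select * where ...' query the operation would send. Assumption:
    NetWitness joins alternatives with || and conjunctions with &&."""
    literal = render_value(type_, value)
    terms = [f"{k}={literal}" for k in parse_keys(type_, keys)]
    where = terms[0] if len(terms) == 1 else "(" + " || ".join(terms) + ")"
    tc = time_clause(start, end)
    if tc:
        where = f"{where} && {tc}"
    return f"select * where {where}"


def sdk_params(query, size=100):
    """Query-string parameters for the Concentrator/Broker /sdk endpoint. Assumption:
    msg=query with size and force-content-type is how the REST SDK is driven."""
    if not isinstance(size, int) or not 0 < size <= MAX_SIZE:
        raise ValueError(f"Size must be an integer in 1..{MAX_SIZE}")
    return {"msg": "query", "query": query, "size": str(size),
            "force-content-type": "application/json"}


if __name__ == "__main__":
    q = build_query("IP address", "10.0.0.5", None,
                    "2019-01-01 00:00:00", "2019-01-01 01:00:00")
    print(q)
    print(sdk_params(q, size=50))
    try:
        build_query("Domain", "x' || ip.src=10.0.0.1 || domain.dst='y")
    except ValueError as exc:
        print("rejected:", exc)
```

Rejecting rather than escaping is deliberate: valid IP addresses, domains and account names never contain quotes or query operators, so an allow-list costs nothing and does not depend on getting NetWitness's escaping rules right. The same validation belongs in front of the Netwitness Search and Get Session IDs operations whenever the SQL Query input is assembled from untrusted record fields rather than typed by an analyst, and the Size cap keeps a broad query from pulling an entire day of sessions into the playbook.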
Input parameters for the Get Session IDs operation:
Parameter | Description |
---|---|
SQL Query | SQL query based on which you want to retrieve Session IDs from the Netwitness server. |
Size | (Optional) Maximum number of search results this operation should return. |
The JSON output contains a list of Session IDs for the SQL query you specified, retrieved from the Netwitness server.
The following image displays a sample output:
Input parameters for the Get PCAP Data for Session IDs operation:
Parameter | Description |
---|---|
Session IDs | List of session IDs based on which you want to retrieve PCAP data from the Netwitness server. |
The output for this operation is a PCAP file retrieved for the Session IDs you have specified. The PCAP file is uploaded to the Attachments module in FortiSOAR™.
When you add this function as a step in your custom playbook, or if you run the Get PCAP for Session Ids sample playbook, which contains get_pcap as a step, the output of the function is in JSON format and contains the FortiSOAR™ Attachment IRI, as shown in the following sample output image:
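Both PCAP operations hand the analyst a file that the playbook attaches without inspection. The Python below is an added example, not connector code, of a sanity check to run on the downloaded bytes before they go into the Attachments module: it parses the classic libpcap global header and walks every record, rejecting data that is not PCAP, pcapng containers, and files truncated mid-record, which is what a download cut short by the Concentrator or a proxy looks like. The sample file is constructed inline from two made-up Ethernet frames and is not NetWitness output.

```python
"""Sanity-check a PCAP returned by Get PCAP Data / Get PCAP Data for Session IDs.

Added example for this page, not connector code. Parses the classic libpcap (v2.4)
container and refuses anything that is not one, or that is cut off mid-record.
"""
import struct

# libpcap magic numbers as read little-endian from the first four bytes, mapped to
# the struct byte-order prefix needed to decode the rest of the file.
MAGICS = {
    0xa1b2c3d4: "<",  # microsecond timestamps, file written little-endian
    0xd4c3b2a1: ">",  # microsecond timestamps, file written big-endian
    0xa1b23c4d: "<",  # nanosecond timestamps, little-endian
    0x4d3cb2a1: ">",  # nanosecond timestamps, big-endian
}
PCAPNG_MAGIC = 0x0a0d0d0a   # Section Header Block type that opens a pcapng file
MAX_SNAPLEN = 262144        # largest snaplen libpcap itself accepts
GLOBAL_HDR = "IHHiIII"      # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "IIII"         # ts_sec, ts_frac, incl_len, orig_len


def inspect_pcap(data):
    """Validate a libpcap byte string and return a summary dict, or raise ValueError."""
    if len(data) >= 4 and struct.unpack("<I", data[:4])[0] == PCAPNG_MAGIC:
        raise ValueError("pcapng container; this check only handles classic libpcap")
    if len(data) < 24:
        raise ValueError("shorter than a libpcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    bo = MAGICS.get(magic)
    if bo is None:
        raise ValueError(f"not a libpcap file (magic 0x{magic:08x})")
    _, major, minor, _tz, _sig, snaplen, linktype = struct.unpack(bo + GLOBAL_HDR, data[:24])
    if (major, minor) != (2, 4):
        raise ValueError(f"unexpected libpcap version {major}.{minor}")
    if not 0 < snaplen <= MAX_SNAPLEN:
        raise ValueError(f"implausible snaplen {snaplen}")
    packets = payload = 0
    off = 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError(f"truncated record header at offset {off}")
        _ts, _frac, incl, orig = struct.unpack(bo + RECORD_HDR, data[off:off + 16])
        if incl > snaplen or incl > orig:
            raise ValueError(f"record {packets}: incl_len {incl} exceeds snaplen or orig_len")
        if off + 16 + incl > len(data):
            raise ValueError(f"record {packets}: packet data truncated")
        packets += 1
        payload += incl
        off += 16 + incl
    return {"endian": "little" if bo == "<" else "big", "link_type": linktype,
            "packets": packets, "payload_bytes": payload}


def make_pcap(frames, bo="<", linktype=1, snaplen=65535):
    """Constructed fixture: wrap raw frames in a libpcap v2.4 file (not NetWitness output)."""
    out = struct.pack(bo + GLOBAL_HDR, 0xa1b2c3d4, 2, 4, 0, 0, snaplen, linktype)
    for i, frame in enumerate(frames):
        out += struct.pack(bo + RECORD_HDR, 1546300800 + i, 0, len(frame), len(frame)) + frame
    return out


# Two made-up Ethernet frames: a broadcast ARP request, then a minimal IPv4 header.
SAMPLE_FRAMES = [
    bytes.fromhex("ffffffffffff0011223344550806"
                  "0001080006040001001122334455c0a80001000000000000c0a80002"),
    bytes.fromhex("001122334455665544332211080045000014000100004001"
                  "0000c0a80001c0a80002"),
]
SAMPLE_PCAP = make_pcap(SAMPLE_FRAMES)


if __name__ == "__main__":
    print(inspect_pcap(SAMPLE_PCAP))
    try:
        inspect_pcap(SAMPLE_PCAP[:-5])
    except ValueError as exc:
        print("rejected truncated file:", exc)
```

A playbook step would call `inspect_pcap` on the response body and fail the step, rather than attach a corrupt file, when it raises; the returned packet count is also worth writing to the record so an analyst can see at a glance whether the query matched the sessions they expected before opening the attachment.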
The Sample - RSA Netwitness Logs and Packets - 1.0.2 playbook collection comes bundled with the RSA Netwitness Logs and Packets connector. This collection contains playbooks with steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the RSA Netwitness Logs and Packets connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.