Fortinet Document Library

RSA Netwitness Logs and Packets

Version 1.0.2

About the connector

NetWitness Corporation was a Reston, Virginia-based network security company that provided real-time network forensics and automated threat analysis solutions. Its flagship product was NetWitness NextGen.

This document provides information about the RSA Netwitness Logs and Packets connector, which facilitates automated interactions with a Netwitness server using FortiSOAR™ playbooks. Add the RSA Netwitness Logs and Packets connector as a step in FortiSOAR™ playbooks and perform automated operations, such as automatically retrieving PCAP data and retrieving metadata information for specified IPs or domains.

 

Version information

Connector Version: 1.0.2

FortiSOAR™ Version Tested on: 4.11.0-1161

Netwitness Version Tested on: 10.6.0.0 and later

 

Release Notes for version 1.0.2

The following enhancements have been made to the RSA Netwitness Logs and Packets Connector in version 1.0.2:

  • Changed the name of the connector from Netwitness to RSA Netwitness Logs and Packets.

  • Added tags and descriptions to the playbooks.

  • Changed the following operation names:

    • Make Raw Netwitness Query to Netwitness Search
    • Get Meta to Get Metadata
    • Get PCAP to Get PCAP Data

  • Added the Size parameter to the Get PCAP Data, Get Metadata, Netwitness Search, and Get Session IDs operations so that you can limit the number of results a query returns.

  • Added the Keys parameter to the Get PCAP Data and Get Metadata operations so that you can enter the appropriate key value.

Installing the connector

All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:

yum install cyops-connector-rsa-netwitness-logs-and-packets

For the detailed procedure to install a connector, click here.

 

Prerequisites to configuring the connector

  • You must have the IP address of the Concentrator or Broker for the Netwitness server to which you will connect and perform automated operations, and the credentials to access that server.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Important: Following are the minimal roles that are required to configure the connector for Netwitness: 

Configuring the connector

For the procedure to configure a connector, click here.

 

Configuration parameters

In FortiSOAR™, on the Connectors page, select the Netwitness connector and click Configure to configure the following parameters:

 

Parameter | Description
Address of Concentrator or Broker | IP address of the Concentrator or Broker for the Netwitness server to which you will connect and perform automated operations.
Username | Username used to authenticate to the Concentrator or Broker for the Netwitness server to which you will connect and perform automated operations.
Password | Password used to authenticate to the Concentrator or Broker for the Netwitness server to which you will connect and perform automated operations.
Port | Port for the Concentrator or Broker. The Concentrator listens on port 50105 and the Broker on port 50103.
Protocol | Protocol used to remotely connect to the Netwitness server. Choose between HTTP and HTTPS.
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set to True.

 

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:

 

Function | Description | Annotation and Category
Get PCAP Data | Retrieves the PCAP data between the specified start and end time for a given IP, Domain, or Username, and other input parameters, from the Netwitness server. | get_pcap, Investigation
Get Metadata | Retrieves the Metadata information between the specified start and end time for a given IP, Domain, or Username, and other input parameters, from the Netwitness server. | get_network_meta, Investigation
Netwitness Search | Runs a generalized SQL query on the Netwitness server. A generalized SQL query is one where you write the query you require, for example: "query" : "select * where domain.dst='1e100.net'". | run_query, Investigation
Get Session IDs | Retrieves Session IDs based on a SQL query that you have specified from the Netwitness server. | run_query, Investigation
Get PCAP Data for Session IDs | Retrieves PCAP data for a list of Session IDs that you have specified from the Netwitness server. | get_pcap, Investigation

 

Operation: Get PCAP Data

Input parameters

 

Parameter | Description
Type | Type of object for which you want to retrieve PCAP data from the Netwitness server. You can choose between IP address, Domain, or Username.
Key | Key value of the type for which you want to retrieve PCAP data from the Netwitness server. For example, if you choose IP address, then enter ip.src,ip.dst. If you choose Domain, then enter domain.src,domain.dst. If you choose Username, then enter username.
Value | Value of the IP address, Domain, or Username for which you want to retrieve PCAP data from the Netwitness server.
Start Time (Optional) | Start time from which you want to retrieve PCAP data from the Netwitness server. Start time must be in the string format: YYYY-MM-DD HH:MM:SS.
End Time (Optional) | End time until which you want to retrieve PCAP data from the Netwitness server. End time must be in the string format: YYYY-MM-DD HH:MM:SS.
Size (Optional) | Maximum number of search results this operation should return.

 

Output

The output for this operation is a PCAP file based on the inputs you have specified. The PCAP file is uploaded to the Attachments module in FortiSOAR™.

When you add this function as a step in your custom playbook, or if you run the Get PCAP from IP sample playbook, which contains get_pcap_from_ip as a step, the output of the function is in JSON format and contains the FortiSOAR™ Attachment IRI, as shown in the sample output in the following image:

Sample output of the Get PCAP Data operation with IP as input

Operation: Get Metadata

Input parameters

 

Parameter | Description
Type | Type of object for which you want to retrieve Metadata information from the Netwitness server. You can choose between IP address, Domain, or Username.
Key | Key value of the type for which you want to retrieve Metadata information from the Netwitness server. For example, if you choose IP address, then enter ip.src,ip.dst. If you choose Domain, then enter domain.src,domain.dst. If you choose Username, then enter username.
Value | Value of the IP address, Domain, or Username for which you want to retrieve Metadata information from the Netwitness server.
Start Time | Start time from which you want to retrieve Metadata information. Start time must be in the string format: YYYY-MM-DD HH:MM:SS.
End Time | End time until which you want to retrieve Metadata information. End time must be in the string format: YYYY-MM-DD HH:MM:SS.
Size (Optional) | Maximum number of search results this operation should return.

 

Output

The JSON output contains the metadata information, retrieved from the Netwitness server, for the IP address, Domain, or Username that you have specified.

The following image displays a sample output if you provide an IP address as the input to this operation:

The following image displays a sample output if you provide a domain as the input to this operation:

The following image displays a sample output if you provide a username as the input to this operation:

Operation: Netwitness Search

Input parameters

 

Parameter | Description
SQL Query | Generalized SQL query based on which you want to retrieve data from the Netwitness server.
Size (Optional) | Maximum number of search results this operation should return.
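The Get PCAP Data and Get Metadata operations take a Type, a Key, a Value, a time window, and a Size, while Netwitness Search and Get Session IDs take the query directly. The following added example, which is not part of the Fortinet documentation or the connector's own code, shows how those parameters expand into a query of the kind the page illustrates with "select * where domain.dst='1e100.net'", and how each playbook-supplied value is validated first so that an alert field containing quotes, spaces or operators cannot alter the query the Concentrator or Broker receives. The key mapping and the YYYY-MM-DD HH:MM:SS time format are the ones the page documents; the '||' operator, the single-quoted literal syntax, and the names of the keys in the returned dict are this example's assumptions.

```python
"""Added example: not from the Fortinet documentation or the connector's own
code. Expands the documented Type/Key/Value, Start Time, End Time and Size
parameters into a validated query. Assumed (not stated on the page): the '||'
operator and single-quoted literals in the where clause, and the dict keys.
"""
import ipaddress
import re
from datetime import datetime

# Key mapping exactly as documented for the Key parameter.
TYPE_TO_KEYS = {
    "IP address": ("ip.src", "ip.dst"),
    "Domain": ("domain.src", "domain.dst"),
    "Username": ("username",),
}

# Documented string format for Start Time and End Time.
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed allow-list patterns; tighten them to your own naming conventions.
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
_USERNAME_RE = re.compile(r"^[A-Za-z0-9._@\\-]{1,128}$")


def validate_value(obj_type, value):
    """Return value normalised for obj_type, or raise ValueError.

    Values usually come from alert fields or analyst input, so anything that is
    not a plain IP address, domain name or username (quotes, spaces, operators)
    is rejected rather than interpolated into the query.
    """
    if obj_type == "IP address":
        return str(ipaddress.ip_address(value))  # ValueError on anything else
    if obj_type == "Domain":
        if not _DOMAIN_RE.match(value):
            raise ValueError(f"not a valid domain name: {value!r}")
        return value.lower()
    if obj_type == "Username":
        if not _USERNAME_RE.match(value):
            raise ValueError(f"not a valid username: {value!r}")
        return value
    raise ValueError(f"unknown Type: {obj_type!r}")


def validate_time(label, value):
    """Parse a documented 'YYYY-MM-DD HH:MM:SS' string; None stays None."""
    if value is None:
        return None
    try:
        return datetime.strptime(value, TIME_FORMAT)
    except ValueError:
        raise ValueError(f"{label} must be YYYY-MM-DD HH:MM:SS, got {value!r}") from None


def build_where_clause(obj_type, value):
    """Expand Type/Value into a where clause over the documented key(s)."""
    safe = validate_value(obj_type, value)
    terms = [f"{key}='{safe}'" for key in TYPE_TO_KEYS[obj_type]]
    return terms[0] if len(terms) == 1 else "(" + " || ".join(terms) + ")"


def build_search_params(obj_type, value, start=None, end=None, size=None):
    """Assemble validated parameters for a search step (assumed dict keys)."""
    params = {"query": "select * where " + build_where_clause(obj_type, value)}
    start_dt = validate_time("Start Time", start)
    end_dt = validate_time("End Time", end)
    if start_dt and end_dt and start_dt > end_dt:
        raise ValueError("Start Time is later than End Time")
    if start_dt:
        params["start_time"] = start_dt.strftime(TIME_FORMAT)
    if end_dt:
        params["end_time"] = end_dt.strftime(TIME_FORMAT)
    if size is not None:
        if not isinstance(size, int) or size <= 0:
            raise ValueError(f"Size must be a positive integer, got {size!r}")
        params["size"] = size
    return params


if __name__ == "__main__":
    # Constructed inputs mirroring the documentation's own 1e100.net example.
    print(build_search_params("Domain", "1e100.net",
                              "2019-01-01 00:00:00", "2019-01-02 00:00:00", 100))
```

Running the block prints the expanded query for the documentation's 1e100.net example together with the validated window and size; a domain value such as "x' || ip.dst='1.1.1.1" or a Start Time in the wrong format is rejected with a ValueError before any query is built.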

 

Output

The JSON output contains the search results, retrieved from the Netwitness server, based on the query that you have specified.

The following image displays a sample output:

Sample output of the Netwitness Search operation

Operation: Get Session IDs

Input parameters

 

Parameter | Description
SQL Query | SQL query based on which you want to retrieve Session IDs from the Netwitness server.
Size (Optional) | Maximum number of search results this operation should return.

 

Output

The JSON output contains a list of Session IDs, retrieved from the Netwitness server, based on the SQL query that you have specified.

The following image displays a sample output:

Sample output of the Get Session IDs operation

Operation: Get PCAP for Session IDs

Input parameters

 

Parameter | Description
Session IDs | List of session IDs based on which you want to retrieve PCAP data from the Netwitness server.

 

Output

The output for this operation is a PCAP file that is retrieved based on the Session IDs you have specified. The PCAP file is uploaded to the Attachments module in FortiSOAR™.

When you add this function as a step in your custom playbook, or if you run the Get PCAP for Session Ids sample playbook, which contains get_pcap as a step, the output of the function is in JSON format and contains the FortiSOAR™ Attachment IRI, as shown in the sample output in the following image:

Sample output of the Get PCAP for Session IDs operation
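Both the Get PCAP Data and the Get PCAP for Session IDs operations hand a PCAP file to the Attachments module. The following added example, which is not part of the Fortinet documentation or the connector's own code, is the kind of check a playbook can run on the downloaded bytes before attaching them: it parses the classic libpcap global header and walks every packet record, so a cut-off download, an error page returned in place of a capture, or a file with inconsistent record lengths is caught rather than attached. The capture it runs on is constructed inline; the summary keys it returns are this example's own.

```python
"""Added example: not from the Fortinet documentation or the connector.
Sanity-checks a byte string returned as PCAP data by parsing the classic
libpcap global header and every packet record. Input is a constructed
two-packet capture; the summary dict keys are this example's own choice.
"""
import struct

# Classic pcap magic numbers -> (struct byte order, timestamp resolution).
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", "us"),
    b"\xa1\xb2\xc3\xd4": (">", "us"),
    b"\x4d\x3c\xb2\xa1": ("<", "ns"),
    b"\xa1\xb2\x3c\x4d": (">", "ns"),
}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"  # pcapng Section Header Block type

GLOBAL_HEADER_LEN = 24  # magic, version (2x2), thiszone, sigfigs, snaplen, linktype
RECORD_HEADER_LEN = 16  # ts_sec, ts_frac, incl_len, orig_len


def inspect_pcap(data):
    """Summarise a classic pcap byte string; raise ValueError if malformed."""
    if len(data) < GLOBAL_HEADER_LEN:
        raise ValueError("shorter than a pcap global header")
    magic = data[:4]
    if magic == PCAPNG_MAGIC:
        raise ValueError("pcapng container; this check handles classic pcap only")
    if magic not in PCAP_MAGICS:
        raise ValueError(f"unknown magic {magic.hex()}: not a pcap file")
    order, ts_unit = PCAP_MAGICS[magic]
    major, minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(
        order + "HHiIII", data[4:GLOBAL_HEADER_LEN])
    offset, packets, truncated = GLOBAL_HEADER_LEN, 0, 0
    while offset < len(data):
        if len(data) - offset < RECORD_HEADER_LEN:
            raise ValueError(f"record header cut off at offset {offset}")
        _sec, _frac, incl_len, orig_len = struct.unpack(
            order + "IIII", data[offset:offset + RECORD_HEADER_LEN])
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError(f"inconsistent lengths in record {packets} at offset {offset}")
        offset += RECORD_HEADER_LEN
        if len(data) - offset < incl_len:
            raise ValueError(f"record {packets} body cut off at offset {offset}")
        offset += incl_len
        packets += 1
        if incl_len < orig_len:
            truncated += 1  # fewer bytes captured than were on the wire
    return {
        "version": f"{major}.{minor}",
        "linktype": linktype,
        "snaplen": snaplen,
        "timestamp_unit": ts_unit,
        "packets": packets,
        "truncated_packets": truncated,
    }


def make_sample_pcap():
    """Constructed little-endian LINKTYPE_ETHERNET (1) capture: one complete
    60-byte frame and one 1500-byte frame of which only 96 bytes were kept."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)

    def record(sec, usec, payload, orig_len):
        return struct.pack("<IIII", sec, usec, len(payload), orig_len) + payload

    return (header
            + record(1546300800, 0, b"\x00" * 60, 60)
            + record(1546300801, 500, b"\x11" * 96, 1500))


if __name__ == "__main__":
    print(inspect_pcap(make_sample_pcap()))
```

On the constructed capture the check reports two packets, one of them truncated; chopping bytes off the end of the same capture, or passing an HTML error page instead, raises a ValueError that a playbook step can turn into a failed attachment rather than a misleading one.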

Included playbooks

The Sample - RSA Netwitness Logs and Packets - 1.0.2 playbook collection comes bundled with the RSA Netwitness Logs and Packets connector. This collection contains playbooks with steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the RSA Netwitness Logs and Packets connector.

  • Get Metadata for Domain
  • Get Metadata for IP Address
  • Get Metadata for Username
  • Get PCAP data for Domain
  • Get PCAP data for IP Address
  • Get PCAP data for Session IDs
  • Get PCAP data for Username
  • Get Session IDs
  • Netwitness Search

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.
