RSA NetWitness Platform

Integration version: 11.0

Configure RSA NetWitness Platform integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

Parameter Display Name Type Default Value Is Mandatory Description
Instance Name String N/A No Name of the Instance you intend to configure integration for.
Description String N/A No Description of the Instance.
Broker API Root String http://x.x.x.x:50103 No API Root of the Broker API.
Broker API Username String N/A No Username for the Broker API.
Broker API Password Password N/A No Password for the Broker API.
Concentrator API Root String http://x.x.x.x:50105 No API Root of the Concentrator API.
Concentrator API Username String N/A No Username for the Concentrator API.
Concentrator API Password Password N/A No Password for the Concentrator API.
Web API Root String https://{ip}/rest/api/ No API Root of the Netwitness Platform Instance.
Web Username String N/A No Username for the Netwitness Platform Instance.
Web Password Password N/A No Password for the Netwitness Platform Instance.
Verify SSL Checkbox Unchecked No If enabled, verifies that the SSL certificate for the connection to the RSA Netwitness Platform server is valid.
Run Remotely Checkbox Unchecked No Check the field in order to run the configured integration remotely. Once checked, the option appears to select the remote user (agent).

Actions

Ping

Description

Test connectivity to RSA Netwitness Platform.

Parameters

N/A

Use cases

N/A

Run On

This action is doesn't run on entities, nor has mandatory input parameters.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False

Enrich Endpoint

Description

Fetch endpoint's system information by its hostname or IP address. Requires RSA Netwitness Respond license, endpoint server service running in the background, configured Web Username and Web Password in the integration configuration.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Risk Score Threshold Integer 50 False Specify risk threshold for the endpoint. If the endpoint exceeds the threshold, the related entity will be marked as suspicious. If nothing is specified, action won't check the risk score.

Run On

This action runs on the following entities:

  • IP Address
  • Host

Action Results

Entity Enrichment
Enrichment Field Name Source (JSON Key) Logic - When to apply
RSA_NTW_agentId agentId When available in JSON
RSA_NTW_hostName hostName When available in JSON
RSA_NTW_riskScore riskScore When available in JSON
RSA_NTW_networkInterfaces_{id}_name networkInterfaces/name When available in JSON
RSA_NTW_networkInterfaces_{id}_macAddress networkInterfaces/macAddress When available in JSON
RSA_NTW_networkInterfaces_{id}_ipv4 Space separated list networkInterfaces/ipv4 When available in JSON
RSA_NTW_networkInterfaces_{id}_ipv6 Space separated list networkInterfaces/ipv6 When available in JSON
RSA_NTW_networkInterfaces_{id}_networkIdv6 Space separated list networkInterfaces/networkIdv6 When available in JSON
RSA_NTW_networkInterfaces_{id}_gateway Space separated list networkInterfaces/gateway When available in JSON
RSA_NTW_networkInterfaces_{id}_dns Space separated list networkInterfaces/dns When available in JSON
RSA_NTW_networkInterfaces_{id}_promiscuous networkInterfaces/promiscuous When available in JSON
RSA_NTW_lastSeenTime lastSeenTime When available in JSON
Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
{
    "items": [
        {
            "agentId": "575EDC44-BDF9-6D00-FFCD-D354FB641E27",
            "hostName": "RSA-HOST-1",
            "riskScore": 100,
            "networkInterfaces": [
                {
                    "name": "Intel(R) 82574L Gigabit Network Connection",
                    "macAddress": "00:50:56:A2:30:03",
                    "ipv4": [
                        "172.30.203.145"
                    ],
                    "ipv6": [
                        "fe80::dce6:5825:454a:968d"
                    ],
                    "networkIdv6": [
                        "fe80::"
                    ],
                    "gateway": [
                        "172.30.203.1"
                    ],
                    "dns": [
                        "8.8.8.8"
                    ],
                    "promiscuous": false
                }
            ],
            "lastSeenTime": "2020-08-23T12:32:33.107Z"
        }
    ],
    "pageNumber": 0,
    "pageSize": 100,
    "totalPages": 1,
    "totalItems": 1,
    "hasNext": false,
    "hasPrevious": false
}
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successful and at least one of the provided entities were enriched (is_success = true):

Print "Successfully enriched the following endpoints from RSA Netwitness: \n {0}".format(entity.identifier list)

If fail to enrich specific entities(is_success = true):

Print "Action was not able to enrich the following endpoints from RSA Netwitness \n: {0}".format([entity.identifier])

If fail to enrich for all entities (is_success = false):

Print: "No entities were enriched."

The action should fail and stop a playbook execution:
If fatal error, like wrong credentials, no connection to server, other:

Print "Error executing action "Enrich Endpoint". Reason: {0}''.format(error.Stacktrace)

If endpoint service was not found:

Print "Error executing action "Enrich Endpoint". Reason: Endpoint server wasn't found."

General

Enrich File

Description

Fetch information about the file using hashes or file names. Only MD5 and SHA256 are supported. Requires RSA Netwitness Respond license, endpoint server service running in the background, configured Web Username and Web Password in the integration configuration.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Risk Score Threshold Integer 50 No Specify risk threshold for the file. If the file exceeds the threshold, the related entity will be marked as suspicious. If nothing is specified, action won't check the risk score.

Run On

This action runs on all entities.

Action Results

Entity Enrichment
Enrichment Field Name Source (JSON Key) Logic - When to apply
RSA_NTW_filename firstFileName When available in JSON
RSA_NTW_reputationStatus reputationStatus When available in JSON
RSA_NTW_globalRiskScore globalRiskScore When available in JSON
RSA_NTW_machineOsType machineOsType When available in JSON
RSA_NTW_size size When available in JSON
RSA_NTW_checksumMd5 checksumMd5 When available in JSON
RSA_NTW_checksumSha1 checksumSha1 When available in JSON
RSA_NTW_checksumSha256 checksumSha256 When available in JSON
RSA_NTW_entropy entropy When available in JSON
RSA_NTW_format pe When available in JSON
RSA_NTW_fileStatus Neutral When available in JSON
RSA_NTW_remediationAction Unblock When available in JSON
Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
{
    "items": [
        {
            "firstFileName": "AM_Delta_Patch_1.321.1947.0.exe",
            "reputationStatus": "Known Good",
            "globalRiskScore": 0,
            "firstSeenTime": "2020-08-23T00:46:25.288Z",
            "machineOsType": "windows",
            "signature": {
                "timeStamp": "2020-08-22T21:01:55.552Z",
                "thumbprint": "c6573d9ba5efc55b1ad1c59b9cafc33d232b13cc",
                "context": [
                    "microsoft",
                    "signed",
                    "valid"
                ],
                "signer": "Microsoft Corporation"
            },
            "size": 441280,
            "checksumMd5": "40d93a5ed9d2d55e35857c1f1de162db",
            "checksumSha1": "3096e9e4ac4cc46dcfa11a053583c2d3e14b14b8",
            "checksumSha256": "34261adf58ac3c8e38724d5fbfba21037d868a2c0b6291e2a61e5a023b55c3f9",
            "pe": {
                "timeStamp": "2020-08-22T20:57:28.000Z",
                "imageSize": 454656,
                "numberOfExportedFunctions": 0,
                "numberOfNamesExported": 0,
                "numberOfExecuteWriteSections": 0,
                "context": [
                    "file.exe",
                    "file.arch64",
                    "file.versionInfoPresent",
                    "file.resourceDirectoryPresent",
                    "file.relocationDirectoryPresent",
                    "file.debugDirectoryPresent",
                    "file.tlsDirectoryPresent",
                    "file.richSignaturePresent",
                    "file.companyNameContainsText",
                    "file.descriptionContainsText",
                    "file.versionContainsText",
                    "file.internalNameContainsText",
                    "file.legalCopyrightContainsText",
                    "file.originalFilenameContainsText",
                    "file.productNameContainsText",
                    "file.productVersionContainsText",
                    "file.standardVersionMetaPresent"
                ],
                "resources": {
                    "originalFileName": "AM_Delta_Patch_1.321.1947.0.exe",
                    "company": "Microsoft Corporation",
                    "description": "Microsoft Antimalware WU Stub",
                    "version": null
                },
                "sectionNames": [
                    ".text",
                    ".rdata",
                    ".data",
                    ".pdata",
                    ".rsrc",
                    ".reloc"
                ],
                "importedLibraries": [
                    "ADVAPI32.dll",
                    "KERNEL32.dll",
                    "RPCRT4.dll",
                    "ntdll.dll"
                ]
            },
            "elf": null,
            "macho": null,
            "entropy": 7.378079119412321,
            "format": "pe",
            "fileStatus": "Neutral",
            "remediationAction": "Unblock"
        }
    ],
    "pageNumber": 0,
    "pageSize": 100,
    "totalPages": 1,
    "totalItems": 1,
    "hasNext": false,
    "hasPrevious": false
}
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:
If successful and at least one of the provided entities were enriched (is_success = true):
Print "Successfully enriched the following files from RSA Netwitness: \n {0}".format(entity.identifier list)

If fail to enrich specific entities(is_success = true):
Print "Action was not able to enrich the following files from RSA Netwitness \n: {0}".format([entity.identifier])

If fail to enrich for all entities (is_success = false):
Print: "No entities were enriched."

The action should fail and stop a playbook execution:

If fatal error, like wrong credentials, no connection to server, other:

Print "Error executing action "Enrich File". Reason: {0}''.format(error.Stacktrace)


If fatal error, like wrong credentials, no connection to server, other:

Print "Error executing action "Enrich File". Reason: Endpoint server wasn't found."

General

Isolate Endpoint

Description

Request endpoint isolation in RSA Netwitness. Requires RSA Netwitness Respond license, endpoint server service running in the background, configured Web Username and Web Password in the integration configuration.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Comment String N/A Yes Add comment, which describes the reason behind the isolation request.

Run On

This action runs on the following entities:

  • IP Address
  • Host

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:
If successful for all of the provided entities(is_success = true):
Print "Successfully requested isolation for the following endpoints from RSA Netwitness: \n {0}".format(entity.identifier list)

If fail to isolate at least one of the provided entities(is_success = false):
Print "Action was not able to request isolation for the following endpoints from RSA Netwitness \n: {0}".format([entity.identifier])

The action should fail and stop a playbook execution:

If fatal error, like wrong credentials, no connection to server, other:

Print "Error executing action "Isolate Endpoint". Reason: {0}''.format(error.Stacktrace)

If endpoint service was not found:

Print "Error executing action "Isolate Endpoint". Reason: Endpoint server wasn't found."

General

Unisolate Endpoint

Description

Request endpoint unisolation in RSA Netwitness. Requires RSA Netwitness Respond license, endpoint server service running in the background, configured Web Username and Web Password in the integration configuration.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Comment String N/A Yes Add comment, which describes the reason behind the isolation request.

Run On

This action runs on the following entities:

  • IP Address
  • Host

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:
If successful for all of the provided entities(is_success = true):
Print "Successfully requested unisolation for the following endpoints from RSA Netwitness: \n {0}".format(entity.identifier list)

If fail to isolate at least one of the provided entities(is_success = false):
Print "Action was not able to request unisolation for the following endpoints from RSA Netwitness \n: {0}".format([entity.identifier])

The action should fail and stop a playbook execution:

If fatal error, like wrong credentials, no connection to server, other:

Print "Error executing action "Unisolate Endpoint". Reason: {0}''.format(error.Stacktrace)

If endpoint service was not found:

Print "Error executing action "Unisolate Endpoint". Reason: Endpoint server wasn't found."

General

Update Incident

Description

Update Incident in RSA Netwitness. Requires RSA Netwitness Respond license, configured Web Username and Web Password in the integration configuration.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Incident ID String N/A Yes Specify ID of the incident that needs to be updated.
Status DDL N/A No Specify new status for the incident.
Assignee String N/A No Specify new assignee for the incident.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
{
    "id": "INC-128",
    "title": "High Risk Alerts: NetWitness Endpoint for RSA-HOST-1",
    "summary": "",
    "priority": "High",
    "riskScore": 72,
    "status": "RemediationRequested",
    "alertCount": 136,
    "averageAlertRiskScore": 72,
    "sealed": true,
    "totalRemediationTaskCount": 0,
    "openRemediationTaskCount": 0,
    "created": "2020-08-26T12:56:57.867Z",
    "lastUpdated": "2020-08-26T15:31:27.953Z",
    "lastUpdatedBy": null,
    "assignee": "admin",
    "sources": [
        "ECAT"
    ],
    "ruleId": "5ef1b33614c0552a2884c590",
    "firstAlertTime": "2020-08-26T12:56:56.097Z",
    "categories": [],
    "journalEntries": null,
    "createdBy": "High Risk Alerts: NetWitness Endpoint",
    "deletedAlertCount": 0,
    "eventCount": 136,
    "alertMeta": {
        "SourceIp": [
            ""
        ],
        "DestinationIp": [
            ""
        ]
    }
}
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If status code == 200 (is_success = true):

Print "Successfully updated incident with ID {0} in RSA Netwitness".format(incident_id).

If status code 400 (is_success=false):

Print "Action wasn't able to update incident with ID {0} in RSA Netwitness. Reason: {1}".format(incident_id, errors/message).

The action should fail and stop a playbook execution:

If fatal error, like wrong credentials, no connection to server, other:

Print "Error executing action "Update Incident". Reason: {0}''.format(error.Stacktrace)

General

Add Note to Incident

Description

Add Note to Incident in RSA Netwitness. Requires RSA Netwitness Respond license, configured Web Username and Web Password in the integration configuration..

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Incident ID String N/A Yes Specify ID of the incident that needs to be updated.
Note String N/A Yes Specify which note should be added to.
Author String N/A Yes Specify the author of the note.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If status code == 200 (is_success = true):

Print "Successfully added note to incident with ID {0} in RSA Netwitness".format(incident_id).

If status code 400 (is_success=false):

Print "Action wasn't able to add note to incident with ID {0} in RSA Netwitness. Reason: {1}".format(incident_id, errors/message).

The action should fail and stop a playbook execution:

If fatal error, like wrong credentials, no connection to server, other:

Print "Error executing action "Add Note to Incident". Reason: {0}''.format(error.Stacktrace)

General

Connector

RSA Netwitness Platform - Incidents Connector

Description

Pull incidents from RSA Netwitness Platform.

How to work with Credential JSON Object

Credential JSON object provides a more flexible way of authenticating to the data sources. The most basic configuration of the JSON will look like this:

{
    "default_username": "username",
    "default_password": "password"
}

Without "default_username" and "default_password" connector will throw an error. This configuration is suitable for environments, where all data sources share the same username and password. If you need to provide specific credentials for the data sources then the structure of the JSON will look like this:

{
    "default_username": "username",
    "default_password": "password",
    "dataSources": [
        {
            "api_root": "172.30.203.151:50102",
            "username": "username",
            "password": "password"
        },
        {
            "api_root": "172.30.203.151:50105",
            "username": "username",
            "password": "password"
        },
        {
            "api_root": "172.30.203.151:50103",
            "username": "username",
            "password": "password"
        }
    ]
}

Connector will scan the events for the source api root and then compare it with what is available in the Credential JSON Object. If the match is found, then the connector will take the username + password from "dataSources" list, if there is no match, it will use "default_username" and default_password. Additionally, you don't need to provide both username and password in the "dataSources" list. If, for example, only username is provided, then the connector will take username from "dataSource" list and password from "default_password".

Configure RSA Netwitness Platform - Incidents Connector in Google Security Operations SOAR

For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.

Connector parameters

Use the following parameters to configure the connector:

Parameter Display Name Type Default Value Is Mandatory Description
Product Field Name String Product Name Yes Enter the source field name in order to retrieve the Product Field name.
Event Field Name String type Yes Enter the source field name in order to retrieve the Event Field name.
Environment Field Name String "" No

Describes the name of the field where the environment name is stored.

If the environment field isn't found, the environment is the default environment.

Environment Regex Pattern String .* No

A regex pattern to run on the value found in the "Environment Field Name" field.

Default is .* to catch all and return the value unchanged.

Used to allow the user to manipulate the environment field via regex logic.

If the regex pattern is null or empty, or the environment value is null, the final environment result is the default environment.

Script Timeout (Seconds) Integer 180 Yes Timeout limit for the python process running the current script.
Web API Root String https://{ip}/rest/api/ Yes Web API Root of the RSA Netwitness Platform instance.
Web Username String N/A Yes Username of the RSA Netwitness Platform account.
Web Password Password N/A Yes Password of the RSA Netwitness Platform account.
Fetch Max Hours Backwards Integer 1 No Amount of hours from where to fetch incidents. Note: connector will wait for the provided time for the updates to incidents.
Lowest Risk Score To Fetch Integer N/A No Lowest risk score of the incidents to fetch. By default, the connector will ingest all of the incidents.Maximum is 100.
Severity Fallback String Informational Yes Specify what should be the fallback severity for the Google Security Operations SOAR alert, when risk score is not available. Possible Values: Informational, Low, Medium, High, Critical.
Max Incidents To Fetch Integer 10 No How many incidents to process per one connector iteration. Maximum is 100.
Use whitelist as a blacklist Checkbox Unchecked Yes If enabled, whitelist will be used as a blacklist.
Verify SSL Checkbox Unchecked Yes If enabled, verify the SSL certificate for the connection to the RSA Netwitness Platform server is valid.
Proxy Server Address String No The address of the proxy server to use.
Proxy Username String No The proxy username to authenticate with.
Proxy Password Password No The proxy password to authenticate with.
Credential JSON Object Password N/A No This parameter is needed for storing the data source credentials. This parameter has priority over "Broker API Root", "Broker API Username", "Broker API Password", "Concentrator API Root", "Concentrator API Username", "Concentrator API Password". Please refer to the documentation portal for more details.

Connector rules

Proxy support

The connector supports proxy.