Fetches the RAW incidents based on the incident meta.

GET /rest/api/incident/fetch

  "meta_name":        the actual meta_name to be fetched
  "meta_value":       the value of the meta_name
  "numberOfRecords":  total number of records to fetch

Sample Request:

  curl 'https://api.netwitness.local/rest/api/incident/fetch' -i -X GET \
    -H 'Accept: application/json;charset=UTF-8' \
    -H 'NetWitness-Token: eyJ...Rs-FA' \
    -H 'Content-Type: application/json; charset=UTF-8' \
    -d '{"meta_name":"priority", "meta_value":"MEDIUM", "numberOfRecords":"2"}'

HTTP request:

  GET /rest/api/incident/fetch HTTP/1.1
  Accept: application/json;charset=UTF-8
  NetWitness-Token: eyJ...AT
  Content-Type: application/json; charset=UTF-8
  Host: api.netwitness.local

Sample Response:

  HTTP/1.1 200
  Server: nginx
  Date: Tue, 29 Jun 2021 06:41:22 GMT
  Content-Type: application/json;charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive

  [
    {
      "id": "INC-26",
      "name": "testEsa1 for test1",
      "summary": null,
      "priority": "MEDIUM",
      "prioritySort": 1,
      "riskScore": 30,
      "status": "NEW",
      "statusSort": 0,
      "alertCount": 46,
      "pinnedAlertCount": 0,
      "containsPinnedAlerts": false,
      "averageAlertRiskScore": 30,
      "sealed": false,
      "totalRemediationTaskCount": 0,
      "openRemediationTaskCount": 0,
      "hasRemediationTasks": false,
      "created": "2021-06-29T06:27:36.889+00:00",
      "lastUpdated": "2021-06-29T06:27:36.889+00:00",
      "lastUpdatedByUser": null,
      "assignee": null,
      "sources": ["Event Stream Analysis"],
      "ruleId": "60dabd2e299aa252deb219a4",
      "firstAlertTime": "2021-06-29T06:27:33.049+00:00",
      "timeWindowExpiration": "2021-06-29T07:27:33.049+00:00",
      "groupByValues": ["test1"],
      "categories": [],
      "notes": null,
      "createdBy": "testEsa1",
      "dateIndicatorAggregationStart": "2021-06-19T06:27:33.049+00:00",
      "breachExportStatus": "NONE",
      "breachData": null,
      "breachTag": null,
      "hasDeletedAlerts": false,
      "deletedAlertCount": 0,
      "groupByDomain": null,
      "enrichment": null,
      "eventCount": 46,
      "groupBySourceIp": ["10.10.10.1", "", "10.10.2.3", "10.10.10.4", "10.10.1.5"],
      "groupByDestinationIp": [""],
      "sentToArcher": false,
      "createdFromRule": true
    },
    {
      "id": "INC-27",
      "name": "testEsa2 for test2",
      "summary": null,
      "priority": "MEDIUM",
      "prioritySort": 1,
      "riskScore": 30,
      "status": "NEW",
      "statusSort": 0,
      "alertCount": 46,
      "pinnedAlertCount": 0,
      "containsPinnedAlerts": false,
      "averageAlertRiskScore": 30,
      "sealed": false,
      "totalRemediationTaskCount": 0,
      "openRemediationTaskCount": 0,
      "hasRemediationTasks": false,
      "created": "2021-06-29T06:27:36.927+00:00",
      "lastUpdated": "2021-06-29T06:27:36.927+00:00",
      "lastUpdatedByUser": null,
      "assignee": null,
      "sources": ["Event Stream Analysis"],
      "ruleId": "60dabd2e299aa252deb219a5",
      "firstAlertTime": "2021-06-29T06:27:36.026+00:00",
      "timeWindowExpiration": "2021-06-29T07:27:36.026+00:00",
      "groupByValues": ["test2"],
      "categories": [],
      "notes": null,
      "createdBy": "testEsa2",
      "dateIndicatorAggregationStart": "2021-06-19T06:27:36.026+00:00",
      "breachExportStatus": "NONE",
      "breachData": null,
      "breachTag": null,
      "hasDeletedAlerts": false,
      "deletedAlertCount": 0,
      "groupByDomain": null,
      "enrichment": null,
      "eventCount": 46,
      "groupBySourceIp": ["10.10.10.1", "", "10.10.2.3", "10.10.10.4", "10.10.1.5"],
      "groupByDestinationIp": [""],
      "sentToArcher": false,
      "createdFromRule": true
    }
  ]

========================================

Fetches the RAW alerts based on the alert meta.

GET /rest/api/alert/fetch

  "meta_name":        the actual alert meta_name to be fetched
  "meta_value":       the value of the meta_name
  "numberOfRecords":  total number of records to fetch
  "includeFields":    the fields to be included as part of the returned response
Sample Request:

  curl 'https://api.netwitness.local/rest/api/alert/fetch' -i -X GET \
    -H 'Accept: application/json;charset=UTF-8' \
    -H 'NetWitness-Token: eyJ...Rs' \
    -H 'Content-Type: application/json; charset=UTF-8' \
    -d '{ "meta_name":"alert.name", "meta_value":"test2", "numberOfRecords":"2", "includeFields" : "null" }'

HTTP request:

  GET /rest/api/alert/fetch HTTP/1.1
  Accept: application/json;charset=UTF-8
  NetWitness-Token: eyJ...AT
  Content-Type: application/json; charset=UTF-8
  Host: api.netwitness.local

Sample Response:

  HTTP/1.1 200
  Server: nginx
  Date: Tue, 29 Jun 2021 06:50:40 GMT
  Content-Type: application/json;charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive

  [
    {
      "id": "60dabd58299aa252deb219bf",
      "receivedTime": "2021-06-29T06:27:36.028+00:00",
      "status": "GROUPED_IN_INCIDENT",
      "errorMessage": null,
      "originalHeaders": {
        "name": "test2",
        "description": null,
        "version": 0,
        "severity": 3,
        "timestamp": 1624948056026,
        "signatureId": "c4148f75e47204ca2e279a693d7514a9751ee1cb8e62bfbec5940fb2d76ff040",
        "deviceVendor": "RSA Netwitness",
        "deviceProduct": "Event Stream Analysis",
        "deviceVersion": "11.6"
      },
      "originalRawAlert": null,
      "originalAlert": {
        "severity": 3,
        "eventSourceId": "10.125.249.10:50005:2213",
        "respondEnabled": true,
        "moduleType": "ESA_BASIC",
        "engineUri": "test-sa-managed",
        "moduleName": "test2",
        "suppressMessageBus": false,
        "transientAlert": false,
        "notificationReasons": [],
        "actualEventsCount": 1,
        "instanceId": "c4148f75e47204ca2e279a693d7514a9751ee1cb8e62bfbec5940fb2d76ff040",
        "statement": "Module_60c9aef8e4b035381fea8fed_Alert",
        "id": "0ee0787c-5210-4f5c-8ede-113fd90bc1f4",
        "time": "Jun 29, 2021 06:27:36 AM UTC",
        "moduleId": "60c9aef8e4b035381fea8fed",
        "events": [
          {
            "ec_activity": "Logon",
            "header_id": "0013",
            "alias_host": ["ibm132"],
            "event_cat_name": "User.Activity.Successful Logins",
            "com_rsa_netwitness_streams_stream": "test-sa-managed-stream",
            "ip_src": "10.10.10.1",
            "device_type": "aix",
            "sessionid": 2213,
            "medium": 32,
            "rid": 2213,
            "forward_ip": "127.0.0.1",
            "client": "ftpd",
            "msg_id": "00002",
            "device_disc": 50,
            "ec_subject": "User",
            "event_source_id": "10.125.249.10:50005:2213",
            "com_rsa_netwitness_streams_arrival_timestamp": 1624948055024,
            "esa_time": 1624948056026,
            "ec_theme": "Authentication",
            "device_disc_type": "aix",
            "com_rsa_netwitness_streams_source_trail": ["admin@10.125.249.10:50005"],
            "device_ip": "2.2.2.2",
            "event_desc": "ftpd login",
            "user_dst": "userA",
            "size": 149,
            "netname": ["private src"],
            "device_class": "Unix",
            "time": 1624948050000,
            "ec_outcome": "Success",
            "com_rsa_netwitness_streams_arrival_sequence": 25,
            "did": "loghybrid"
          }
        ],
        "suppressNotification": false
      },
      "incidentId": "INC-27",
      "partOfIncident": true,
      "incidentCreated": "2021-06-29T06:27:36.927+00:00",
      "pinnedEventIds": null,
      "name": "test2",
      "alert": {
        "groupby_source_device_mac_address": "",
        "user_summary": ["userA"],
        "groupby_dst_device_geolocation_domain": "",
        "source": "Event Stream Analysis",
        "type": ["Log"],
        "groupby_user_src": "",
        "groupby_src_device_dns_domain": "",
        "groupby_source_country": "",
        "groupby_analysis_file": "",
        "groupby_filename": "",
        "groupby_source_username": "",
        "groupby_detector_ip": "2.2.2.2",
        "groupby_dst_usr_username": "userA",
        "events": [
          {
            "agent_id": "",
            "data": [{ "filename": "", "size": 149, "hash": "" }],
            "destination": {
              "path": "", "file_SHA256": "", "filename": "", "launch_argument": "",
              "device": {
                "compliance_rating": "", "netbios_name": "", "port": "", "mac_address": "",
                "criticality": "", "asset_type": "", "ip_address": "", "facility": "", "business_unit": "",
                "geolocation": { "country": "", "city": "", "latitude": null, "organization": "", "domain": "", "longitude": null }
              },
              "user": { "email_address": "", "ad_username": "", "ad_domain": "", "username": "userA" },
              "hash": ""
            },
            "description": "ftpd login",
            "domain_src": "",
            "device_type": "aix",
            "event_source": "10.125.249.10:50005",
            "source": {
              "path": "", "file_SHA256": "", "filename": "", "launch_argument": "",
              "device": {
                "compliance_rating": "", "netbios_name": "", "port": "", "mac_address": "",
                "criticality": "", "asset_type": "", "ip_address": "10.10.10.1", "facility": "", "business_unit": "",
                "geolocation": { "country": "", "city": "", "latitude": null, "organization": "", "domain": "", "longitude": null }
              },
              "user": { "email_address": "", "ad_username": "", "ad_domain": "", "username": "" },
              "hash": ""
            },
            "type": "Log",
            "analysis_file": "",
            "enrichment": "",
            "user_src": "",
            "hostname": "ibm132",
            "analysis_service": "",
            "detected_by": "Unix-aix,2.2.2.2",
            "process_vid": "",
            "host_src": "",
            "action": "",
            "operating_system": "",
            "alias_ip": "",
            "from": "10.10.10.1",
            "timestamp": 1624948050000,
            "event_source_id": "2213",
            "related_links": [
              { "type": "investigate_original_event",
                "url": "/investigation/host/10.125.249.10:50005/navigate/event/AUTO/2213" },
              { "type": "investigate_destination_domain",
                "url": "/investigation/10.125.249.10:50005/navigate/query/alias.host%3D'ibm132'%2Fdate%2F2021-06-29T06%3A17%3A30.000Z%2F2021-06-29T06%3A37%3A30.000Z" }
            ],
            "port_dst": "",
            "domain_dst": "",
            "user_dst": "userA",
            "host_dst": "",
            "domain": "ibm132",
            "user_account": "",
            "to": "",
            "category": "",
            "detector": { "device_class": "Unix", "ip_address": "2.2.2.2", "product_name": "aix" },
            "user": "userA",
            "analysis_session": "",
            "site_categorization": null,
            "username": ""
          }
        ],
        "groupby_detector_dns_hostname": "",
        "host_summary": ["10.10.10.1"],
        "groupby_username": "",
        "groupby_file_sha_256": "",
        "groupby_user_dst": "userA",
        "groupby_dst_device_dns_hostname": "",
        "groupby_os": "",
        "groupby_src_usr_ad_domain": "",
        "groupby_dst_usr_ad_username": "",
        "name": "test2",
        "groupby_detector_dns_domain": "",
        "groupby_host_src": "",
        "groupby_analysis_service": "",
        "groupby_destination_device_mac_address": "",
        "groupby_version": "0",
        "groupby_dst_device_netbios_name": "",
        "destination_country": [],
        "groupby_type": "Log",
        "groupby_device_type": "aix",
        "groupby_domain": "ibm132",
        "groupby_destination_country": "",
        "groupby_dst_device_dns_domain": "",
        "groupby_analysis_session": "",
        "signature_id": "c4148f75e47204ca2e279a693d7514a9751ee1cb8e62bfbec5940fb2d76ff040",
        "groupby_data_hash": "",
        "groupby_domain_dst": "",
        "groupby_src_device_netbios_name": "",
        "groupby_destination_ip": "",
        "groupby_host_dst": "",
        "groupby_source_ip": "10.10.10.1",
        "groupby_detector_mac_address": "",
        "timestamp": 1624948056026,
        "severity": 30.0,
        "related_links": [
          { "type": "investigate_session",
            "url": "/investigation/10.125.249.10:50005/navigate/query/sessionid%3D2213" },
          { "type": "investigate_device_ip",
            "url": "/investigation/10.125.249.10:50005/navigate/query/device.ip%3D2.2.2.2%2Fdate%2F2021-06-29T06%3A17%3A30.000Z%2F2021-06-29T06%3A37%3A30.000Z" },
          { "type": "investigate_src_ip",
            "url": "/investigation/10.125.249.10:50005/navigate/query/ip.src%3D10.10.10.1%2Fdate%2F2021-06-29T06%3A17%3A30.000Z%2F2021-06-29T06%3A37%3A30.000Z" },
          { "type": "investigate_destination_domain",
            "url": "/investigation/10.125.249.10:50005/navigate/query/alias.host%3D'ibm132'%2Fdate%2F2021-06-29T06%3A17%3A30.000Z%2F2021-06-29T06%3A37%3A30.000Z" }
        ],
        "risk_score": 30.0,
        "groupby_src_device_geolocation_domain": "",
        "groupby_dst_usr_ad_domain": "",
        "groupby_destination_port": "",
        "groupby_c2domain": "",
        "groupby_host_name": "ibm132",
        "groupby_src_usr_ad_username": "",
        "groupby_src_device_dns_hostname": "",
        "source_country": [],
        "groupby_domain_src": "",
        "numEvents": 1,
        "groupby_agent_id": ""
      },
      "timestamp": "2021-06-29T06:27:36.026+00:00"
    },
    {
      "id": "60dabd58299aa252deb219c0",
      "receivedTime": "2021-06-29T06:27:36.029+00:00",
      "status": "GROUPED_IN_INCIDENT",
      "errorMessage": null,
      "originalHeaders": {
        "name": "test2",
        "description": null,
        "version": 0,
        "severity": 3,
        "timestamp": 1624948056026,
        "signatureId": "fcbc492f26c382cc909ba35a641719d4db621f2f4e9b0b699ec121acf0ff93bb",
        "deviceVendor": "RSA Netwitness",
        "deviceProduct": "Event Stream Analysis",
        "deviceVersion": "11.6"
      },
      "originalRawAlert": null,
      "originalAlert": {
        "severity": 3,
        "eventSourceId": "10.125.249.10:50005:2215",
        "respondEnabled": true,
        "moduleType": "ESA_BASIC",
        "engineUri": "test-sa-managed",
        "moduleName": "test2",
        "suppressMessageBus": false,
        "transientAlert": false,
        "notificationReasons": [],
        "actualEventsCount": 1,
        "instanceId": "fcbc492f26c382cc909ba35a641719d4db621f2f4e9b0b699ec121acf0ff93bb",
        "statement": "Module_60c9aef8e4b035381fea8fed_Alert",
        "id": "79ebd46c-359b-4c10-ad05-b940c68a339f",
        "time": "Jun 29, 2021 06:27:36 AM UTC",
        "moduleId": "60c9aef8e4b035381fea8fed",
        "events": [
          {
            "header_id": "0013",
            "alias_host": ["ibm132"],
            "event_cat_name": "Network.Connections.Terminations",
            "com_rsa_netwitness_streams_stream": "test-sa-managed-stream",
            "ip_src": "10.10.10.1",
            "device_type": "aix",
            "sessionid": 2215,
            "medium": 32,
            "rid": 2215,
            "forward_ip": "127.0.0.1",
            "client": "sshd",
            "msg_id": "00003",
            "device_disc": 45,
            "event_source_id": "10.125.249.10:50005:2215",
            "com_rsa_netwitness_streams_arrival_timestamp": 1624948055024,
            "esa_time": 1624948056026,
            "device_disc_type": "aix",
            "com_rsa_netwitness_streams_source_trail": ["admin@10.125.249.10:50005"],
            "device_ip": "2.2.2.2",
            "event_desc": "closed connection",
            "size": 148,
            "netname": ["private src"],
            "device_class": "Unix",
            "time": 1624948050000,
            "com_rsa_netwitness_streams_arrival_sequence": 27,
            "did": "loghybrid"
          }
        ],
        "suppressNotification": false
      },
      "incidentId": "INC-27",
      "partOfIncident": true,
      "incidentCreated": "2021-06-29T06:27:36.927+00:00",
      "pinnedEventIds": null,
      "name": "test2",
      "alert": {
        "groupby_source_device_mac_address": "",
        "user_summary": [],
        "groupby_dst_device_geolocation_domain": "",
        "source": "Event Stream Analysis",
        "type": ["Log"],
        "groupby_user_src": "",
        "groupby_src_device_dns_domain": "",
        "groupby_source_country": "",
        "groupby_analysis_file": "",
        "groupby_filename": "",
        "groupby_source_username": "",
        "groupby_detector_ip": "2.2.2.2",
        "groupby_dst_usr_username": "",
        "events": [
          {
            "agent_id": "",
            "data": [{ "filename": "", "size": 148, "hash": "" }],
            "destination": {
              "path": "", "file_SHA256": "", "filename": "", "launch_argument": "",
              "device": {
                "compliance_rating": "", "netbios_name": "", "port": "", "mac_address": "",
                "criticality": "", "asset_type": "", "ip_address": "", "facility": "", "business_unit": "",
                "geolocation": { "country": "", "city": "", "latitude": null, "organization": "", "domain": "", "longitude": null }
              },
              "user": { "email_address": "", "ad_username": "", "ad_domain": "", "username": "" },
              "hash": ""
            },
            "description": "closed connection",
            "domain_src": "",
            "device_type": "aix",
            "event_source": "10.125.249.10:50005",
            "source": {
              "path": "", "file_SHA256": "", "filename": "", "launch_argument": "",
              "device": {
                "compliance_rating": "", "netbios_name": "", "port": "", "mac_address": "",
                "criticality": "", "asset_type": "", "ip_address": "10.10.10.1", "facility": "", "business_unit": "",
                "geolocation": { "country": "", "city": "", "latitude": null, "organization": "", "domain": "", "longitude": null }
              },
              "user": { "email_address": "", "ad_username": "", "ad_domain": "", "username": "" },
              "hash": ""
            },
            "type": "Log",
            "analysis_file": "",
            "enrichment": "",
            "user_src": "",
            "hostname": "ibm132",
            "analysis_service": "",
            "detected_by": "Unix-aix,2.2.2.2",
            "process_vid": "",
            "host_src": "",
            "action": "",
            "operating_system": "",
            "alias_ip": "",
            "from": "10.10.10.1",
            "timestamp": 1624948050000,
            "event_source_id": "2215",
            "related_links": [
              { "type": "investigate_original_event",
                "url": "/investigation/host/10.125.249.10:50005/navigate/event/AUTO/2215" },
              { "type": "investigate_destination_domain",
                "url": "/investigation/10.125.249.10:50005/navigate/query/alias.host%3D'ibm132'%2Fdate%2F2021-06-29T06%3A17%3A30.000Z%2F2021-06-29T06%3A37%3A30.000Z" }
            ],
            "port_dst": "",
            "domain_dst": "",
            "user_dst": "",
            "host_dst": "",
            "domain": "ibm132",
            "user_account": "",
            "to": "",
            "category": "",
            "detector": { "device_class": "Unix", "ip_address": "2.2.2.2", "product_name": "aix" },
            "user": "",
            "analysis_session": "",
            "site_categorization": null,
            "username": ""
          }
        ],
        "groupby_detector_dns_hostname": "",
        "host_summary": ["10.10.10.1"],
        "groupby_username": "",
        "groupby_file_sha_256": "",
        "groupby_user_dst": "",
        "groupby_dst_device_dns_hostname": "",
        "groupby_os": "",
        "groupby_src_usr_ad_domain": "",
        "groupby_dst_usr_ad_username": "",
        "name": "test2",
        "groupby_detector_dns_domain": "",
        "groupby_host_src": "",
        "groupby_analysis_service": "",
        "groupby_destination_device_mac_address": "",
        "groupby_version": "0",
        "groupby_dst_device_netbios_name": "",
        "destination_country": [],
        "groupby_type": "Log",
        "groupby_device_type": "aix",
        "groupby_domain": "ibm132",
        "groupby_destination_country": "",
        "groupby_dst_device_dns_domain": "",
        "groupby_analysis_session": "",
        "signature_id": "fcbc492f26c382cc909ba35a641719d4db621f2f4e9b0b699ec121acf0ff93bb",
        "groupby_data_hash": "",
        "groupby_domain_dst": "",
        "groupby_src_device_netbios_name": "",
        "groupby_destination_ip": "",
        "groupby_host_dst": "",
        "groupby_source_ip": "10.10.10.1",
        "groupby_detector_mac_address": "",
        "timestamp": 1624948056026,
        "severity": 30.0,
        "related_links": [
          { "type": "investigate_session",
            "url": "/investigation/10.125.249.10:50005/navigate/query/sessionid%3D2215" },
          { "type": "investigate_device_ip",
            "url": "/investigation/10.125.249.10:50005/navigate/query/device.ip%3D2.2.2.2%2Fdate%2F2021-06-29T06%3A17%3A30.000Z%2F2021-06-29T06%3A37%3A30.000Z" },
          { "type": "investigate_src_ip",
            "url": "/investigation/10.125.249.10:50005/navigate/query/ip.src%3D10.10.10.1%2Fdate%2F2021-06-29T06%3A17%3A30.000Z%2F2021-06-29T06%3A37%3A30.000Z" },
          { "type": "investigate_destination_domain",
            "url": "/investigation/10.125.249.10:50005/navigate/query/alias.host%3D'ibm132'%2Fdate%2F2021-06-29T06%3A17%3A30.000Z%2F2021-06-29T06%3A37%3A30.000Z" }
        ],
        "risk_score": 30.0,
        "groupby_src_device_geolocation_domain": "",
        "groupby_dst_usr_ad_domain": "",
        "groupby_destination_port": "",
        "groupby_c2domain": "",
        "groupby_host_name": "ibm132",
        "groupby_src_usr_ad_username": "",
        "groupby_src_device_dns_hostname": "",
        "source_country": [],
        "groupby_domain_src": "",
        "numEvents": 1,
        "groupby_agent_id": ""
      },
      "timestamp": "2021-06-29T06:27:36.026+00:00"
    }
  ]

========================================

Removes the alerts from the incidents based on the alertIds.

GET /rest/api/alert/delete

  "removePinnedAlerts":  "true"  - remove all the alerts, including the pinned ones
                         "false" - remove only the alerts which are not pinned
  "alertIds":            list of alertIds to remove

Sample Request:

  curl 'https://api.netwitness.local/rest/api/alert/delete' -i -X GET \
    -H 'Accept: application/json;charset=UTF-8' \
    -H 'NetWitness-Token: eyJ...FA' \
    -H 'Content-Type: application/json; charset=UTF-8' \
    -d '{ "removePinnedAlerts" : ["false"], "alertIds":["5f9c0720-ef6e-4b0e-ad50-5b82d56be3c7", "0e6d569c-530b-4826-b12d-237075f89ecc"] }'

HTTP request:

  GET /rest/api/alert/delete HTTP/1.1
  Accept: application/json;charset=UTF-8
  NetWitness-Token: eyJ...AT
  Content-Type: application/json; charset=UTF-8
  Host: api.netwitness.local

Sample Response:

  HTTP/1.1 200
  Server: nginx
  Date: Tue, 29 Jun 2021 06:55:26 GMT
  Content-Type: application/json;charset=UTF-8
  Content-Length: 143
  Connection: keep-alive

  Deleted 1 alerts, still 1 pinned alerts present in the provided request. To remove all the alerts, consider setting removePinnedAlerts to true

If "removePinnedAlerts" is set to true, all the alerts are removed irrespective of whether they are pinned.

Sample Request:

  -d '{ "removePinnedAlerts" : ["true"], "alertIds":["5f9c0720-ef6e-4b0e-ad50-5b82d56be3c7", "0e6d569c-530b-4826-b12d-237075f89ecc"] }'

Sample Response:

  Deleted 2 alerts

========================================

Adds the alerts to an incident based on the alertIds.

GET /rest/api/alert/add

  "incidentId":  the incidentId with which the alerts are to be associated
  "alertIds":    list of alertIds to associate with the incidentId
Sample Request:

  curl 'https://api.netwitness.local/rest/api/alert/add' -i -X GET \
    -H 'Accept: application/json;charset=UTF-8' \
    -H 'NetWitness-Token: eyJ...Rs' \
    -H 'Content-Type: application/json; charset=UTF-8' \
    -d '{ "incidentId":["INC-28"], "alertIds":["5f9c0720-ef6e-4b0e-ad50-5b82d56be3c7", "0e6d569c-530b-4826-b12d-237075f89ecc"] }'

HTTP request:

  GET /rest/api/alert/add HTTP/1.1
  Accept: application/json;charset=UTF-8
  NetWitness-Token: eyJ...AT
  Content-Type: application/json; charset=UTF-8
  Host: api.netwitness.local

Sample Response:

  HTTP/1.1 200
  Server: nginx
  Date: Tue, 29 Jun 2021 06:55:26 GMT
  Content-Type: application/json;charset=UTF-8
  Content-Length: 143
  Connection: keep-alive

  [
    "60dabd5d299aa252deb219d6",
    "60dabd63299aa252deb219d8"
  ]
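The four endpoints above share one request shape (a GET carrying a JSON body, authenticated by the NetWitness-Token header) and answer either with a JSON array or, for alert/delete, with a plain-text sentence that has to be parsed rather than decoded. The Python module below is an added example, not NetWitness code: it assembles each request exactly as the curl samples do, rejects malformed parameters before anything leaves the client, and reduces each response type to the fields an analyst acts on. The hostname is the one in the samples; the token value, the set of summary fields, the `INC-<digits>` shape assumed for incident ids, and the abridged embedded responses (constructed from the page's own samples) are assumptions. No network call is made.

```python
"""Added example (not NetWitness code): request assembly and response parsing for the
Respond endpoints documented above.  Offline: the sample responses are constructed below."""
import json
import re

# Hostname taken from the page's samples; a real deployment substitutes its own server.
BASE_URL = "https://api.netwitness.local/rest/api"


def _request(path, token, body):
    """Assemble one call the way the page's curl samples do: GET carrying a JSON body,
    session token in the NetWitness-Token header.  Returned as a dict so it can be
    inspected or handed to any HTTP client able to send a body on GET."""
    if not token:
        raise ValueError("a NetWitness-Token value is required")
    return {
        "method": "GET",
        "url": f"{BASE_URL}/{path}",
        "headers": {
            "Accept": "application/json;charset=UTF-8",
            "NetWitness-Token": token,
            "Content-Type": "application/json; charset=UTF-8",
        },
        "body": json.dumps(body),
    }


def incident_fetch_request(token, meta_name, meta_value, number_of_records):
    """GET /rest/api/incident/fetch; numberOfRecords travels as a string, as in the sample."""
    if isinstance(number_of_records, bool) or not isinstance(number_of_records, int) or number_of_records < 1:
        raise ValueError("numberOfRecords must be a positive integer")
    body = {"meta_name": meta_name, "meta_value": meta_value,
            "numberOfRecords": str(number_of_records)}
    return _request("incident/fetch", token, body)


def _checked_ids(alert_ids):
    """Keep only non-empty string ids; an empty list would be a no-op request."""
    ids = [a for a in alert_ids if isinstance(a, str) and a.strip()]
    if not ids:
        raise ValueError("alertIds must contain at least one non-empty id")
    return ids


def alert_delete_request(token, alert_ids, remove_pinned=False):
    """GET /rest/api/alert/delete; the sample wraps the flag in a one-element list of strings."""
    body = {"removePinnedAlerts": ["true" if remove_pinned else "false"],
            "alertIds": _checked_ids(alert_ids)}
    return _request("alert/delete", token, body)


def alert_add_request(token, incident_id, alert_ids):
    """GET /rest/api/alert/add; the sample wraps incidentId in a one-element list."""
    if not re.fullmatch(r"INC-\d+", incident_id):  # id shape seen in the samples (assumption)
        raise ValueError(f"unexpected incidentId: {incident_id!r}")
    return _request("alert/add", token, {"incidentId": [incident_id], "alertIds": _checked_ids(alert_ids)})


def summarize_incidents(json_text):
    """Reduce an incident/fetch response to triage fields; groupBySourceIp carries empty
    strings in the sample, which are dropped here."""
    return [{"id": inc["id"], "priority": inc["priority"], "riskScore": inc["riskScore"],
             "status": inc["status"], "alertCount": inc["alertCount"],
             "sourceIps": [ip for ip in (inc.get("groupBySourceIp") or []) if ip]}
            for inc in json.loads(json_text)]


def summarize_alerts(json_text):
    """Flatten an alert/fetch response to (alert id, incidentId, description, from, user_dst)
    rows, one per normalized event under the "alert" object."""
    return [(a["id"], a.get("incidentId"), ev.get("description", ""),
             ev.get("from", ""), ev.get("user_dst", ""))
            for a in json.loads(json_text)
            for ev in a.get("alert", {}).get("events", [])]


_DELETE_RE = re.compile(r"Deleted (\d+) alerts(?:, still (\d+) pinned alerts present)?")


def parse_delete_result(text):
    """alert/delete answers with a sentence, not JSON: return (deleted, pinned_remaining)."""
    m = _DELETE_RE.match(text)
    if not m:
        raise ValueError(f"unexpected alert/delete response: {text!r}")
    return int(m.group(1)), int(m.group(2) or 0)


# Constructed, abridged copies of the page's sample responses (only the keys used above).
SAMPLE_INCIDENTS = json.dumps([
    {"id": "INC-26", "priority": "MEDIUM", "riskScore": 30, "status": "NEW", "alertCount": 46,
     "groupBySourceIp": ["10.10.10.1", "", "10.10.2.3", "10.10.10.4", "10.10.1.5"]},
    {"id": "INC-27", "priority": "MEDIUM", "riskScore": 30, "status": "NEW", "alertCount": 46,
     "groupBySourceIp": ["10.10.10.1", "", "10.10.2.3", "10.10.10.4", "10.10.1.5"]},
])
SAMPLE_ALERTS = json.dumps([
    {"id": "60dabd58299aa252deb219bf", "incidentId": "INC-27",
     "alert": {"events": [{"description": "ftpd login", "from": "10.10.10.1", "user_dst": "userA"}]}},
    {"id": "60dabd58299aa252deb219c0", "incidentId": "INC-27",
     "alert": {"events": [{"description": "closed connection", "from": "10.10.10.1", "user_dst": ""}]}},
])
SAMPLE_DELETE_PARTIAL = ("Deleted 1 alerts, still 1 pinned alerts present in the provided request. "
                         "To remove all the alerts, consider setting removePinnedAlerts to true")
SAMPLE_DELETE_ALL = "Deleted 2 alerts"

if __name__ == "__main__":
    print(json.dumps(incident_fetch_request("eyJ.placeholder-token", "priority", "MEDIUM", 2), indent=2))
    print(summarize_incidents(SAMPLE_INCIDENTS))
    print(summarize_alerts(SAMPLE_ALERTS))
    print(parse_delete_result(SAMPLE_DELETE_PARTIAL), parse_delete_result(SAMPLE_DELETE_ALL))
```

The request builders return a dict rather than sending anything, so the same code can be checked in a test and then handed to whichever HTTP client is in use; `parse_delete_result` is the piece worth keeping even when the rest is discarded, because a deletion that reports remaining pinned alerts is a partial success that a naive "status 200 means done" check would miss.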