This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Drilling into NetWitness Investigator from Web IP addresses and Hostnames

Anonymous
Not applicable
‎2013-04-09 08:50 AM

This post is primarily for customers of RSA NetWitness (Security Analytics), although it may be interesting to security practitioners that conduct security investigations.  We describe how to use the the Threat Analytics Chrome Extension (http://www.criticalstart.com/2013/01/threat-analytics-search-extension-for-chrome/) to open a NetWitness Investigator drill from a Chrome browser.  This is similar to the SIEMLink tool but doesn't require any software to be installed.  This could also be used to create custom REST API queries.

alias-host.jpg

 

Many people use security tools that have a web interface in conjunction with NetWitness Investigator.

You will need:

  1. Chrome Browser with Threat Analytics Extension installed (available on Chrome Store at http://www.criticalstart.com/2013/01/threat-analytics-search-extension-for-chrome/)
  2. IP address and port of NetWitness concentrator/broker you will be using with Investigator
  3. Investigator collection name you want to use
  4. NetWitness Investigator must be installed on same machine as the Chrome browser

 

The easiest way to find the last two items is to “Copy URL” from Investigator and paste into a text editor.

copy-info.jpg

 

You will get something like:

nw://10.1.1.1:50003/collection=BROKER&name=%s&where=ip.dst%3D%s&time=Last+24+Hours+of+Collection+Time&
history=collection%3BROKER%26time%3DLast+24+Hours+of+Collection+Time

 

The IP address and port is highlighted in yellow.  The collection name is highlighted in green.  Your information should be different than the example shown.

 

We will manually add three different search providers to the Chrome Extensions (in Chrome use Tools > Extensions – Options).  You will need to modify the examples below in a text editor by replacing the IP address and collection information with your specific information obtained in the steps above.

 

NW DST IP < 24
nw://10.1.1.1:50003/?collection=BROKER&name=%s&where=ip.dst%3D%s&time=Last+24+Hours+of+Collection+Time
&history=collection%3DBROKER%26time%3DLast+24+Hours+of+Collection+Time

 

NW IP SRC < 24
nw://10.1.1.1:50003/?collection=BROKER&name=%s&where=ip.src%3D%s&time=Last+24+Hours+of+Collection+Time
&history=collection%3DBROKER%26time%3DLast+24+Hours+of+Collection+Time

 

NW Alias.Host < 24
nw://10.1.1.1:50003/?collection=BROKER&name=%22%s%22&where=alias.host%3D%22%s%22&time=Last+24+Hours+of+Collection+Time
&history=collection%3DBROKER%26time%3DLast+24+Hours+of+Collection+Time

 

Example of adding a search provider in the Chrome Extension:

enter-extension-info.jpg

Example of using extension to drill into destination IP address in Investigator.

dst-ip.jpg

Any feedback let me know.

2 Comments
© 2022 RSA Security LLC or its affiliates. All rights reserved.