2022-10-17 09:32 PM
Hi RSA Community!!
How can I fetch metadata using the RSA API with curl? For example, I would like to pull the destination port meta from one alert.
Thank you!!!
2022-10-19 10:31 AM
I guess with "alert" you mean an alert that is in the Respond database.
For that purpose you should use the Respond api. The guide is here: https://community.netwitness.com//t5/netwitness-platform-online/api-guide-for-11-6/ta-p/627466
You first need to retrieve an access token, by performing a login request and then you can get the respective alert as a JSON.
So it is not directly usable in a single curl call, but it can be scripted to get the destination port.
2022-10-20 02:31 AM
Reading from the Respond API documentation it seems to imply that you can only search for alerts based on files or hosts, not just generically 'alerts' when looking under Respond > Alerts.
2022-10-20 03:53 AM
Well, the original question was not about a search for an alert. If you know the alert id, because e.g. it is part of an incident, you will be able to retrieve this information.
In version 11.7.1, through a Hotfix, and later as part of the product, there is however a new "Fetch" for Incidents / Alerts, which allows searching for more information.
Haven't seen the documentation yet, but I am using it already in some scripts.
2022-10-20 06:46 AM
That's interesting; the ability to fetch alerts is something that I've wanted for a while now, because not all alerts are part of an incident. For alerts, is it fetching alerts 'within' an incident or just generically fetching alerts? For instance, if I was to go to Respond > Alerts?
Are you saying that I need a hotfix on top of 11.7.1 or it's part of 11.7.1? Is it included as part of later versions?
2022-10-21 03:09 AM
2022-10-24 11:24 AM
Hi All!! I appreciate your response. Is it possible to pull the raw meta coming from one traffic/event in the alert? Based on the API documentation it is limited; I would like to pull meta like detector IP, IOC score etc.
2022-10-27 03:14 AM
You always get a complete JSON object back and then need to extract the value that you want. So it is not possible by simply doing a curl only, but by using a script and accessing the JSON element from the script, you can extract whatever you want.
2022-10-30 10:34 AM
Oh, I see. Do you have any sample script, sir?
2022-10-31 07:01 AM
Sure. I put together 2 samples.
No error handling, and it also contains the credentials in the script. Just to show you the concept.
Both scripts take an incident as argument.
e.g. nw-fetchincident INC-123
nw-fetchincident will fetch the given incident and print the complete JSON structure, which you can then use as a reference to see which details you need.
It also prints the Status and the Name/Title of the incident, to give you an idea of how to access the JSON objects.
nw-fetchalert will retrieve all the alerts for the given incident. It then loops through the alerts and prints the name, severity and event source for every single alert.
In every script you need to change lines 5-7 with the URL of your Admin server and a user ID and password that can access the Respond server.
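The poster's scripts themselves are not in the thread. The following is an added example, not the poster's nw-fetchincident / nw-fetchalert code, showing the same flow in Python with only the standard library: log in for a token, fetch the incident JSON and print it as a reference, then walk the alerts and pull out individual fields such as the destination port the original question asked about. The endpoint paths (`/rest/api/auth/userpass`, `/rest/api/incidents/<id>`, `/rest/api/incidents/<id>/alerts`), the `NetWitness-Token` header, the `accessToken` field and the alert/incident key names are assumptions to be checked against the API guide linked earlier in the thread and against the full JSON dump; the sample responses at the bottom are constructed so the extraction can be tried offline. Credentials are read from environment variables instead of being written into the script.

```python
import json
import os
import sys
import urllib.parse
import urllib.request

# Assumed Respond API paths and header name (not confirmed on the page);
# verify them against the NetWitness API guide before relying on them.
LOGIN_PATH = "/rest/api/auth/userpass"
INCIDENT_PATH = "/rest/api/incidents/{incident_id}"
ALERTS_PATH = "/rest/api/incidents/{incident_id}/alerts"
TOKEN_HEADER = "NetWitness-Token"


def login(base_url, username, password):
    """Perform the login request and return the access token (field name assumed)."""
    body = urllib.parse.urlencode({"username": username, "password": password}).encode()
    req = urllib.request.Request(base_url + LOGIN_PATH, data=body, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["accessToken"]


def get_json(base_url, path, token):
    """GET a Respond endpoint with the token header and parse the JSON reply."""
    req = urllib.request.Request(
        base_url + path, headers={TOKEN_HEADER: token, "Accept": "application/json"}
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def pluck(obj, dotted_path):
    """Walk a parsed JSON structure along a dotted path such as
    'events.0.destination.port'; numeric components index into lists.
    Returns None if any step is missing instead of raising."""
    cur = obj
    for part in dotted_path.split("."):
        if isinstance(cur, list):
            try:
                cur = cur[int(part)]
            except (ValueError, IndexError):
                return None
        elif isinstance(cur, dict):
            if part not in cur:
                return None
            cur = cur[part]
        else:
            return None
    return cur


def incident_summary(incident):
    """The Status and Name/Title fields the post mentions (key names assumed)."""
    return {
        "id": pluck(incident, "id"),
        "status": pluck(incident, "status"),
        "title": pluck(incident, "title"),
    }


def alert_rows(alerts_response):
    """Name, severity and event source per alert, plus the destination port of
    the alert's first event. The reply is assumed to be either a bare list or
    {"items": [...]}; adjust the key names after inspecting the full dump."""
    items = alerts_response.get("items", []) if isinstance(alerts_response, dict) else alerts_response
    return [
        {
            "name": pluck(a, "name"),
            "severity": pluck(a, "severity"),
            "eventSource": pluck(a, "eventSource"),
            "dst_port": pluck(a, "events.0.destination.port"),
        }
        for a in items
    ]


# Constructed sample responses, used only to exercise the extraction offline.
SAMPLE_INCIDENT = {"id": "INC-123", "status": "Assigned", "title": "Suspicious outbound"}
SAMPLE_ALERTS = {
    "items": [
        {"name": "Beacon", "severity": 70, "eventSource": "ESA",
         "events": [{"destination": {"ip": "203.0.113.10", "port": 443}}]},
        {"name": "Port scan", "severity": 50, "eventSource": "Decoder"},
    ]
}


def main(argv):
    if len(argv) != 2:
        print("usage: nw_fetch.py INC-123", file=sys.stderr)
        return 2
    incident_id = argv[1]
    # Admin server URL and credentials come from the environment, not the script body.
    base_url = os.environ["NW_ADMIN_URL"].rstrip("/")
    token = login(base_url, os.environ["NW_USER"], os.environ["NW_PASS"])

    incident = get_json(base_url, INCIDENT_PATH.format(incident_id=incident_id), token)
    print(json.dumps(incident, indent=2))  # full structure, as a reference for field names
    print(incident_summary(incident))

    alerts = get_json(base_url, ALERTS_PATH.format(incident_id=incident_id), token)
    for row in alert_rows(alerts):
        print(row)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `NW_ADMIN_URL=https://<admin-server> NW_USER=... NW_PASS=... python nw_fetch.py INC-123`. Printing the whole incident first is the same trick the post describes: once you see the real structure, `pluck` paths such as `events.0.destination.port` can be adjusted to whatever keys the server actually returns, and a missing key yields `None` rather than a traceback.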