This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

NW Respond integration with TheHive

Anonymous
Not applicable

‎2020-07-19 05:26 AM

I use the TheHive - https://thehive-project.org/  as our Incident Case management tool of choice. I've started the investigation process of integrating NetWitness and the TheHive together for alerts and recording of incident response investigation cases.

 

I thought before I go down the rabbit hole, I'll ask to see if anyone else has done this and if they have what capability they got, if there were any gotcha's etc.

 

TheHive has a pretty capable API and utilises Webhooks as well, I was thinking I'd like to be able to synchronise alerts and incidents between the two tools so if an alert is generated in NW it gets created in TheHive, or if an alert is dismissed in TheHive, it then gets dismissed in NetWitness. The same going with incidents as well.

 

I'm sure I'd be able to script something together, is the NW API for Respond capable of these sorts of things?

Labels:
0 Likes
6 REPLIES 6

AaronMartin2
Employee
Employee

‎2020-07-20 07:18 AM

I don't know anything about Hive but this is the guide you want to look at for accessing the Respond module item.

 

https://community.rsa.com/docs/DOC-110164 

0 Likes

Anonymous
Not applicable
In response to AaronMartin2

‎2020-07-20 07:24 AM

That's very helpful Aaron, thanks.

I hope this question makes sense, in the Respond module is there a way to 'send' an incident to an external system? Or perhaps another way to look at it is could I have a task or action that executes a script to do an action?

 

What I'm thinking is from an analyst point of view, I'm in respond, I've been looking at an incident, and now I said to myself, I want to send this to another system (eg. TheHive). Maybe a notification task that instead of an email, a script is run.

0 Likes

AaronMartin2
Employee
Employee
In response to Anonymous

‎2020-07-20 07:59 AM

With the current architecture, these are the quirks of our Alert/Incident notification system. If the expectation is that NetWitness will send the notification as opposed to Hive pulling it in:

 

  • Incidents created has the ability to send an email but the body of the email is lacking. You'd still have to reach out to our system to get the juicy information. This is subject to change in later releases as I know they are trying to add more customizable emails in later releases.
  • Alert creation can be configured to fire a script, syslog, snmp, and email. This is great and all unless you wanted to have multiple alerts compiled into one single event for your ticketing platform, which we call the incident, which we are limited with the above notification that I mentioned.

If this were my system, I'd probably write a script that runs frequently to reach out for new incidents, pull those and the associated alerts in to my ticketing system. I'd maintain a bookmark of the last call I made (perhaps based on date based on what API methods we offer).

0 Likes

Anonymous
Not applicable
In response to AaronMartin2

‎2020-07-20 08:06 AM

Thanks Aaron, that's good information to keep in the back of my mind when working on this issue. I'm thinking your idea of a pull mechanism from NW is probably the way to go.

 

Do you know what improvements are in the pipeline for Respond for future releases?

0 Likes

AaronMartin2
Employee
Employee
In response to Anonymous

‎2020-07-20 08:11 AM

I'm afraid I am too low in the trenches to know and it's always subject to change. I hear what I hear.

0 Likes

Anonymous
Not applicable
In response to AaronMartin2

‎2020-07-20 08:12 AM

Fair enough 🙂

Thanks for the help.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.