NetWitness Community

Sounds like a good RFE if not already on the docket.  Many other uses cases can be implemented by exposing the RE List from an automated standpoint (similar to how Recurring Feeds work today). 

I agree. A proper REST like interface for the UI server that exposes the functionality of the UI componenets, not unlike the one used by the primary componets (broker, concentrator, decoder, etc), I think would be very helpful in automating pieces for power users, Professional Services and Support. I believe this has been brought up before with our Engineering team but unsure of what their thoughts are about it.

Sample use case:

Analyst obtains a fresh set of malicious C2 domains and needs to "put them into NetWitness". They should have the ability to paste in the domains in a list somewhere and have options to:

   1) add to a new/existing Recurring Feed (so that detection can happen going forward)

   2) add to a RE List that is preconfigured to query the existing db to look back & see if there are pre-existing sessions matching these domains.

Anyone agree?

The first scenario you could do without a REST API as long as you had the recurring feeds CSV file somewhere that an analyst could manipulate the csv file. Or, this would need to be created by the customer, a web interface that generates and manipulates a recurring feed repository. Though it would be nice if we had our own area that could do this since the NetWitness UI server has its own webserver already Granted you could use a none recurring feed and just download the csv file from the Netwitness UI, make the changes you need and then reupload the file. The UI server keeps it unencrypted within itself somewhere. 

The second scenario I you could do as well even without the API. If you had a report that contained rules that referenced lists within the Reporting Engine. You could open the lists in RE and then just copy and past in what you wanted to the list. just by going to the list and click the Insert Values button. Once that was run you could run an adhoc report over the old data to see if it shows up.

However either scenario could be enhanced with a REST API for the UI

I'd find it useful to see both options exist in a single pane.  It's clumsy to have to go to Live Feeds for one part and then go dig and find the RE List to put the same data into, and scripting this option is not customer friendly.   I think the theme here is as you stated 'it would be nice if we had our own area that could do this' ---- meaning an RFE with priority assignment ... not just some idea that gets thrown into the mix and never gets implemented. Agreed with the idea of a REST API for the UI (leveraging the existing web server)--- lots of use cases could be implemented without all of the hacking around the platform.  

Thanks john. So What does the lookup from the raw zip reporting list file ( /home/rsasoc/rsa/soc/reporting-engine/liststore), to the GUI reporting list name? For me to efficiently script this out, i'll need the ability to realtime find out what each zip file is mapped to, in terms of a reporting list name (user friendly name). There has to be something that gives us the user friendly reporting list name in the GUI.