This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Knowledge Base Archive
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

How to Extract Netwitness Respond Incidents and Alerts using API.

Article Number

000039828

Applies To

RSA Product Set: RSA NetWitness Platform
RSA Product/Service Type: Security Analytics Server
RSA Version/Condition: 11.X
Platform: CentOS
O/S Version: 7
 

Issue

The Orchestrator Server like Threat Connect extracts Netwitness Respond Incidents and Alerts using API. The API queries can be run on any Server to extract Netwitness Respond Incidents and Alerts using API.

Task

This article gives step by step instructions to extract Incidents and Alerts using API.

Resolution

  1. Please run the below command on any Netwitness Node-X to extract the accessToken.
    # curl 'https://<NODE_ZEROIP>/rest/api/auth/userpass' -i -k -X POST -H 'Accept: application/json;charset=UTF-8' -H 'Content-Type: application/x-www-form-urlencoded; charset=ISO-8859-1' -d 'username=admin&password=<UIpassword>'

    <NODE_ZEROIP>= Node-Zero IP
    username and password are Netwitness UI credentials.

    Sample output: 
    
HTTP/1.1 200
Server: nginx
Date: Wed, 18 Aug 2021 07:31:13 GMT
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-NW-UI-PRIMARY: true
X-NW-CBA-ENABLED: false

{"id":"admin","roles":["Administrators"],"accessToken":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2MjkzMDA2NzMzMjksImlzcyI6InNlY3VyaXR5LXNlcnZlci1lOWFmMzdhZC0yNWRmLTQzMjYtODVkMy1hYTA5N2FjZGVjZjUiLCJpYXQiOjE2MjkyNzE4NzMzMjksImF1dGhvcml0aWVzIjpbIkFkbWluaXN0cmF0b3JzIl0sInVzZXJfbmFtZSI6ImFkbWluIn0.drqzIDyf2YSwQX4o1VEP5VNnsXUjtQ-WZGFRO0l5cjZXK63xs4dBLrQTs9J6Odn0YctWEMBB2IOi0TGwhYneizboqnob3rfRgUkpYqaCK42R2FWU4UP2qAgH44XpIjsCpNZf997uFyqsuRAUMt1rF4jENZQpE2IB6WOiomRWS10Cmn--7b-Ll61tuce5nv-MFQUz6Y3mbnXlAMDTsapuDaubxS93xIcHaOORNlk0ekysN6tpBTdLRvM448vQvDcJDQ5skhjOhKTgL1z6bKQaJ4wnA8UFJ0w-p8GNahcurePHngaToUib15hg352cMDhJHB_vY3VR0KH8fAjhXvKtqA","refreshToken":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2MzE4NjM4NzMzMDgsImlzcyI6InNlY3VyaXR5LXNlcnZlci1lOWFmMzdhZC0yNWRmLTQzMjYtODVkMy1hYTA5N2FjZGVjZjUiLCJpYXQiOjE2MjkyNzE4NzMzMDgsInJlZnJlc2giOnRydWUsInVzZXJfbmFtZSI6ImFkbWluIn0.atCmVeV8wYUo-QVIF4Ro7GFGEJjixnKodaU4Ydn-x8kGIcOdCOxuSosV1ij3l3tkoYoOpQnFf68v-cwNDo3SbY4qWBemCSwRPSu_44U986i-yrpV3LZxSrtoOiKrqPT2IWob5qXATTh-tqtPHmcSTuHum4HyVW9StGEXpqMW0MfKlOQLXQfhy0uLb_jS3YAMlTFJgVg4O1S3Ruy1z6MU6rpeMunnYrX-81amTT13_u7r5TZb22fJJSm3sBpn1qCl7oy-SquIJiD5SVL5PASDcIa3C4d2lA4xvaC43FwXU6wuVjgntWa51STTHMFPRb1my0xiqpvghb58iOlPnK_WTQ"}
  2. Please run the below command using the access token extracted in Step1 Output to extract Netwitness Respond Incident INC-36.
    #curl 'https://<NODE_ZEROIP>/rest/api/incidents/INC-36' -i -k -X GET -H 'Accept: application/json;charset=UTF-8' -H 'NetWitness-Token: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2MjkzMDA2NzMzMjksImlzcyI6InNlY3VyaXR5LXNlcnZlci1lOWFmMzdhZC0yNWRmLTQzMjYtODVkMy1hYTA5N2FjZGVjZjUiLCJpYXQiOjE2MjkyNzE4NzMzMjksImF1dGhvcml0aWVzIjpbIkFkbWluaXN0cmF0b3JzIl0sInVzZXJfbmFtZSI6ImFkbWluIn0.drqzIDyf2YSwQX4o1VEP5VNnsXUjtQ-WZGFRO0l5cjZXK63xs4dBLrQTs9J6Odn0YctWEMBB2IOi0TGwhYneizboqnob3rfRgUkpYqaCK42R2FWU4UP2qAgH44XpIjsCpNZf997uFyqsuRAUMt1rF4jENZQpE2IB6WOiomRWS10Cmn--7b-Ll61tuce5nv-MFQUz6Y3mbnXlAMDTsapuDaubxS93xIcHaOORNlk0ekysN6tpBTdLRvM448vQvDcJDQ5skhjOhKTgL1z6bKQaJ4wnA8UFJ0w-p8GNahcurePHngaToUib15hg352cMDhJHB_vY3VR0KH8fAjhXvKtqA'

    Sample output: 
    
HTTP/1.1 200
Server: nginx
Date: Wed, 18 Aug 2021 07:33:09 GMT
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-NW-UI-PRIMARY: true
X-NW-CBA-ENABLED: false

{"id":"INC-36","title":"High Risk User for jsheppard","summary":null,"priority":"High","riskScore":70,"status":"New","alertCount":1,"averageAlertRiskScore":70,"sealed":true,"totalRemediationTaskCount":0,"openRemediationTaskCount":0,"created":"2021-08-09T03:05:27.565Z","lastUpdated":"2021-08-09T03:05:27.565Z","lastUpdatedBy":null,"assignee":null,"sources":["Reporting Engine"],"ruleId":"5f509ffb8d167917599c7129","firstAlertTime":"2021-08-09T03:05:24Z","categories":[],"journalEntries":null,"createdBy":"High Risk User","deletedAlertCount":0,"eventCount":2,"alertMeta":{"SourceIp":["1.1.0.7"],"DestinationIp":[""]}}
  3. Please run the below command using the access token extracted in Step1 Output to extract Netwitness Respond INC-36 alerts.
    #curl 'https://<NODE_ZEROIP>/rest/api/incidents/INC-36/alerts?pageSize=10&pageNumber=0' -i -k -X GET -H 'Accept: application/json;charset=UTF-8' -H 'NetWitness-Token: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2MjkzMDA2NzMzMjksImlzcyI6InNlY3VyaXR5LXNlcnZlci1lOWFmMzdhZC0yNWRmLTQzMjYtODVkMy1hYTA5N2FjZGVjZjUiLCJpYXQiOjE2MjkyNzE4NzMzMjksImF1dGhvcml0aWVzIjpbIkFkbWluaXN0cmF0b3JzIl0sInVzZXJfbmFtZSI6ImFkbWluIn0.drqzIDyf2YSwQX4o1VEP5VNnsXUjtQ-WZGFRO0l5cjZXK63xs4dBLrQTs9J6Odn0YctWEMBB2IOi0TGwhYneizboqnob3rfRgUkpYqaCK42R2FWU4UP2qAgH44XpIjsCpNZf997uFyqsuRAUMt1rF4jENZQpE2IB6WOiomRWS10Cmn--7b-Ll61tuce5nv-MFQUz6Y3mbnXlAMDTsapuDaubxS93xIcHaOORNlk0ekysN6tpBTdLRvM448vQvDcJDQ5skhjOhKTgL1z6bKQaJ4wnA8UFJ0w-p8GNahcurePHngaToUib15hg352cMDhJHB_vY3VR0KH8fAjhXvKtqA'

    Sample output: 
    
HTTP/1.1 200
Server: nginx
Date: Wed, 18 Aug 2021 07:35:39 GMT
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-NW-UI-PRIMARY: true
X-NW-CBA-ENABLED: false

{"items":[{"id":"61109b75be89bb34907df698","title":"High Risk User","detail":null,"created":"2021-08-09T03:05:24Z","source":"Reporting Engine","riskScore":null,"type":"Log","events":[{"source":{"device":{"ipAddress":"1.1.0.7","port":null,"macAddress":null,"dnsHostname":null,"dnsDomain":null},"user":{"username":null,"emailAddress":null,"adUsername":null,"adDomain":null}},"destination":{"device":{"ipAddress":null,"port":null,"macAddress":null,"dnsHostname":null,"dnsDomain":null},"user":{"username":"jsheppard","emailAddress":null,"adUsername":"jsheppard","adDomain":null}},"domain":"lt-us-jsheppard.prymida.com,LT-US-JSHEPPARD","eventSource":"5.5.5.5:56005","eventSourceId":"3107765"},{"source":{"device":{"ipAddress":"1.1.0.7","port":null,"macAddress":null,"dnsHostname":null,"dnsDomain":null},"user":{"username":null,"emailAddress":null,"adUsername":null,"adDomain":null}},"destination":{"device":{"ipAddress":null,"port":null,"macAddress":null,"dnsHostname":null,"dnsDomain":null},"user":{"username":"jsheppard","emailAddress":null,"adUsername":"jsheppard","adDomain":null}},"domain":"lt-us-jsheppard.prymida.com,LT-US-JSHEPPARD","eventSource":"5.5.5.5:56005","eventSourceId":"3107772"}]}],"pageNumber":0,"pageSize":10,"totalPages":1,"totalItems":1,"hasNext":false,"hasPrevious":false}

Notes

Please refer API Guide for more details on these API.
0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2021-08-26 01:04 PM
Updated by:
Administrator Administrator

Related Content

© 2022 RSA Security LLC or its affiliates. All rights reserved.