Configure REST API as a Data Source

You can configure a REST API as a data source for Context Hub, which allows analysts to use Context Hub during an investigation to fetch contextual information from any accessible web service with an exposed REST API. Use the procedures in this topic to add a REST API as a data source for the Context Hub service and to configure its settings (if required). The maximum number of REST APIs supported by default is ten.

Prerequisites

Before you configure REST API data source, ensure that:

• Context Hub service is available in the Admin > Services view of NetWitness Platform.

• Third-party REST API web server is reachable.

To add REST API as a data source for Context Hub:

  1. Go to Admin > Services.
    The Services view is displayed.

  2. Select the Context Hub service and click the Actions icon > View > Config.
    The Services Config view is displayed.

  3. In the Data Sources tab, click the Add icon > REST API.
    The Add Data Source dialog is displayed.

  4. Provide the following information:
    • By default, the Enable checkbox is selected. If you clear this checkbox, the Save button is disabled, and you cannot add the data source or view the contextual information.

    • Enter the following fields.

      1. Name - Enter a name for the REST API data source.

      2. URL - Specify the REST API URL with the query parameters.
        The following table lists some examples of URLs and their associated parameters:

      URL: https://www.virustotal.com/vtapi/v2/file/report?apikey=<API Key>&resource=$metaValue
      Parameters:
      • API key – Specify your API key
      • $metaValue - You must specify the Test meta value in step 7 to test the REST API connection. For example, C5D0065B594A4775E26FA9875B21189F

      URL: https://www.virustotal.com/vtapi/v2/url/report?apikey=1bfdf66f3b0f1875381830ec933f7151f5b48c1cbaa54ac625f2d5a74312e9a2&resource=$metaValue
      Parameters:
      • API key – Specify your API key
      • $metaValue - You must specify the Test meta value in step 7 to test the REST API connection. For example, textspeier.de

      3. Description – Enter the description of the REST API data source.
      4. User name: Enter the username for the REST API if it requires authentication.
      5. Password: Enter the password for the REST API if it requires authentication.
      6. Response Type: Select the REST API response type. Possible values are:
        • HTML
        • JSON
      7. Test Meta value: Enter the meta value to test the REST API connection.

      Note:
      - The meta value you specify replaces $metaValue in the URL mentioned in step 2 for the test connection.
      - During context lookup, the $metaValue variable is replaced with the meta value in the REST API call.

      8. SSL - Enables SSL communication to the REST API. By default, this option is selected.
      9. (Optional) Trust All Certificates: Select this checkbox if you want to trust all certificates and do not have a custom certificate. By default, this option is enabled.
      10. (Optional) Certificate File: Browse for the certificate file if you have not selected the Trust All Certificates checkbox.
  5. Click Test Connection to test the connection between Context Hub and the REST API data source.

  6. Click Next.

  7. In the Response Preview section, you can view the live response for the REST API configured, using the test meta value as a placeholder.

  8. In the Meta Mapping section, select one or more meta types supported by the REST API to view context lookup (for meta values) in the Respond and Investigation views.

  9. In the Field Mapping section, you can add a friendly display name for each response field for which you want to perform context lookup. Do the following:

    1. Click the Add icon.

    2. In the Field drop-down, enter the path for which you want to add a friendly name. As you type the path, the auto-suggest function looks for matches in the JSON paths returned in the response preview. You can also add a path that is not available in the response preview but is available for other meta values.

    3. The Value (from Preview) field is filled automatically when you select the path.

    4. In the Display Name field, enter the friendly name.

      Note: After configuration, only the fields that are mapped with friendly names are displayed during context lookup. If you do not map any fields, all fields in the JSON will be available during context lookup.

  10. Click Save to configure the data source.

Note: After you configure the data source settings, you can configure the Context Hub configuration parameters by navigating to Admin > Services > View > Explore view.
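
The $metaValue substitution (the URL field and its Note) and the Field Mapping rule (step 9 and its Note) can be checked outside the product with the following added Python example, which is not NetWitness code. The function names, the dotted path notation, the percent-encoding of the meta value and the sample response are assumptions of this example.

```python
import json
from urllib.parse import quote

# Template in the page's format; <API Key> stays a placeholder.
URL_TEMPLATE = ("https://www.virustotal.com/vtapi/v2/file/report"
                "?apikey=<API Key>&resource=$metaValue")

def build_lookup_url(template, meta_value):
    """Replace $metaValue with the percent-encoded meta value."""
    if "$metaValue" not in template:
        raise ValueError("template has no $metaValue placeholder")
    # Meta values originate in captured traffic, so encode them: a '&' or
    # '#' inside a value must not add or truncate query parameters.
    return template.replace("$metaValue", quote(meta_value, safe=""))

def flatten(node, prefix=""):
    """Yield (path, value) per leaf. Dotted paths are this example's notation."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from flatten(child, f"{prefix}.{key}" if prefix else key)
    elif isinstance(node, list):
        for index, child in enumerate(node):
            yield from flatten(child, f"{prefix}[{index}]")
    else:
        yield prefix, node

def apply_field_mapping(response, mapping):
    """Return mapped fields under display names, or all fields if none are mapped."""
    leaves = dict(flatten(response))
    if not mapping:
        return leaves
    return {name: leaves[path] for path, name in mapping.items() if path in leaves}

# Constructed sample response for illustration, not real service output.
SAMPLE_RESPONSE = json.loads("""
{"response_code": 1, "positives": 3, "total": 60,
 "scans": {"EngineA": {"detected": true, "result": "Sample.Generic"}}}
""")

if __name__ == "__main__":
    print(build_lookup_url(URL_TEMPLATE, "C5D0065B594A4775E26FA9875B21189F"))
    print(apply_field_mapping(SAMPLE_RESPONSE, {"positives": "Detections"}))
```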

Edit REST API Data Source

To edit REST API data source for Context Hub:

  1. Go to Admin > Services.

  2. Select the Context Hub service and click the Actions icon > View > Config.

  3. In the Data Sources tab, click the Edit icon > REST API.

  4. Edit the required fields.

  5. Click Test Connection to test the connection between Context Hub and the data source.

  6. In the Meta and Field Mapping and Cache settings, edit the required fields.
  7. Click Save to save the settings.

Delete REST API Data Source

To delete a REST API data source for Context Hub:

  1. Go to Admin > Services.

  2. Select the Context Hub service and click the Actions icon > View > Config.

  3. In the Data Sources tab, select the data source you want to delete.

  4. Click the Delete icon.

Next steps

After completing the configuration, you can view the contextual data in the Context Summary Panel of the Respond view or Investigate view. For more information, see the NetWitness Respond User Guide and the NetWitness Investigate User Guide.