NetWitness has a comprehensive set of methods to send incidents and alerts to other security tools, enhancing an organization's security posture and incident response capabilities. By employing these integration techniques, security teams can ensure that their security tools are continuously fed with the latest information from NetWitness, enabling a more robust defence against evolving cyber threats.

  • Export Incident Data

  • Syslog Notifications Setting for Respond Incidents

  • ESA Syslog Notifications for Alerts

  • Integration Server APIs

Export Incident Data

NetWitness Platform enables analysts to export and store Incidents, together with their Alerts and Events, in JSON format for offline investigation. The Export drop-down allows you to export and download the data (such as fields or attributes) associated with the Alerts and Events of the selected Incidents. The data can only be downloaded in JSON format. Users can pivot back to NetWitness with the URL attribute that is included by default in the exported JSON.

Schema Files for Incident Export

NetWitness Platform provides schema files (Default and Custom), located at /var/netwitness/respond-server/export-schema, that allow you to export only a subset of the many attributes available in MongoDB for Incidents and Alerts. Default schema files cannot be modified, but the Custom schema files can be modified to add attributes as required. For more information, see the Schema Files for Incidents and Schema Files for Alerts topics in the Respond User Guide.

Syslog Notifications Setting for Respond Incidents

Administrators can configure syslog notification settings in the Configure > INCIDENT NOTIFICATIONS > Syslog Notification Settings view to receive syslog notifications when:

  • An incident is updated.

  • An incident is created.

To configure syslog notification settings:

1. Go to Configure > INCIDENT NOTIFICATIONS > Syslog Notification Settings view.


2. Select the Syslog Server Name from the SERVER NAME drop-down.

3. Select the Syslog template from the TEMPLATE drop-down list.

4. Select one of the following checkboxes:

Updated: Select this checkbox to receive Syslog notifications when an Incident is updated.

Created: Select this checkbox to receive Syslog notifications when an Incident is created.

Select both checkboxes to receive Syslog notifications when an Incident is updated or created.

5. Click Save.

Note: The Save button is enabled only when you have selected both a Syslog Server and a Syslog Template. Refer to the following figure.


Note: Click the Global Notifications link in the Syslog Notification Settings view (Configure > INCIDENT NOTIFICATIONS > Syslog Notification Settings) to create or modify the Syslog notification server and template.
- For information regarding the Syslog notification server and template configuration in the Global Notifications panel, refer to Configure a Syslog Notification Server and Configure Templates for Notifications.
- If you delete or disable the selected Syslog server or delete the Syslog template, the Syslog Notification Settings are reset. You must re-configure the Syslog notification server and template.


The Default Respond Syslog Template that can be used for Respond syslog notifications already contains certain default attributes such as incident ID, name, and assignee. This list can be expanded with any field present in the incident document in MongoDB by duplicating the template as a custom template and adding the new attributes. A URL attribute can also be added to construct the pivot URL statically from the incident ID, for example: URL=https://netwitness/respond/incident/${incident.id}. Another security tool that receives the notification can then use this URL to pivot back to NetWitness.

ESA Syslog Notifications for ESA Alerts

Event Stream Analysis can send events and consolidate logs in Syslog format to a Syslog server.

To configure these Syslog notifications, you need to:

  • Configure Syslog server settings as an output provider. For instructions, see "Configure the Syslog Settings as Notification Server" in the System Configuration Guide.

  • Configure Syslog message format as an output action. For instructions, see "Configure Syslog as a Notification" in the System Configuration Guide.

  • Configure a template for Syslog. For instructions, see "Configure a Template" in the System Configuration Guide.

Integration Server APIs

The NetWitness Platform API can be accessed using the same host and port as the NetWitness user interface. For more information, refer to the API Guide.

Get a Single Incident

A single incident can be retrieved using an incident’s unique identifier.

GET /rest/api/incidents/{id}

Path Parameters

Parameter Description
id The unique identifier of the incident.

Get Incidents by Date Range

Incidents can be retrieved by the date and time they were created.

GET /rest/api/incidents

The requested date range can be unbounded by only supplying the since or until parameter or bounded by providing both parameters.

Request Parameters

Parameter Description
pageNumber The requested page number.
pageSize The maximum number of items to return in a single page.
since A timestamp in ISO 8601 format (e.g., 1018-01-01T14:00:00.000Z). Retrieve incidents created on and after this timestamp.
until A timestamp in ISO 8601 format (e.g., 1018-01-01T14:00:00.000Z). Retrieve incidents created on and before this timestamp.

Get an Incident’s Alerts

All the alerts associated with an incident can be retrieved using the incident’s unique identifier.

GET /rest/api/incidents/{id}/alerts

Path Parameters

Parameter Description
id The unique identifier of the incident.
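As an added example that is not part of the NetWitness documentation or product, the following Python builds requests for the two endpoints above, pages through a date range, and produces the static pivot URL described in the Syslog template section. Assumptions, not taken from this page: the first page number is 0, the response body is a JSON object with an "items" list, the incident JSON carries an "id" key, and the host name is "netwitness"; check the API Guide for your deployment.

```python
"""Added example, not NetWitness code: build requests for the Integration
Server endpoints documented above and page through them offline."""
from datetime import datetime
from urllib.parse import urlencode

BASE_PATH = "/rest/api/incidents"


def _check_iso8601(ts: str) -> str:
    """Fail early on a timestamp the since/until parameters would reject."""
    datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ")  # ValueError if malformed
    return ts


def incidents_request(since=None, until=None, page_number=0, page_size=100):
    """(path, query string) for GET /rest/api/incidents; omit since and/or
    until for an unbounded range. Assumption: the first page is 0."""
    params = {"pageNumber": page_number, "pageSize": page_size}
    if since is not None:
        params["since"] = _check_iso8601(since)
    if until is not None:
        params["until"] = _check_iso8601(until)
    return BASE_PATH, urlencode(params)


def alerts_request(incident_id: str) -> str:
    """Path for GET /rest/api/incidents/{id}/alerts."""
    return f"{BASE_PATH}/{incident_id}/alerts"


def pivot_url(incident: dict, host: str = "netwitness") -> str:
    """Same static link as the template attribute shown earlier
    (URL=https://netwitness/respond/incident/${incident.id}).
    Assumption: the incident JSON exposes its identifier as 'id'."""
    return f"https://{host}/respond/incident/{incident['id']}"


def iter_incidents(get, since=None, until=None, page_size=100):
    """Yield every incident in the range, one page at a time. `get` is an
    injected transport: get(path_with_query) -> decoded JSON body, so the
    caller adds whatever authentication the deployment requires.
    Assumption: the body is a JSON object with an 'items' list, and a
    short page is the last page. Check the API Guide for the real shape."""
    page = 0
    while True:
        path, qs = incidents_request(since, until, page, page_size)
        items = get(f"{path}?{qs}").get("items", [])
        yield from items
        if len(items) < page_size:
            return
        page += 1
```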

Fetch incidents based on fields of the incident

Incidents can be fetched by a specific field of the incident by providing the name of the field, the value of the field, and the number of records to fetch as arguments.

GET /rest/api/incident/fetch

Request Body Parameters

Parameter Type Description
meta_name String Field of the incident document based on which the incident query is to be made.
meta_value String Value for the field of the incident document based on which the incident query is to be made.
NumberofRecords String Number of incident records to be fetched for the selected meta_key and meta_value pair.

Fetch alerts based on the criteria

The alerts can be fetched based on the specific fields of the alert by providing the name of the field, the value of the field, the number of records, and the fields of the alert that need to be included in the response.

GET /rest/api/alert/fetch

Request Body Parameters

Parameter Type Description
meta_name String Field of the alert document based on which the incident query is to be made.
meta_value String Value for the field of the alert document based on which the incident query will be made.
number_of_records String Number of alert records to be fetched for the selected meta_key and meta_value pair.
includeFields String The fields of the alert document to include in the response for the selected meta_key and meta_value pair, for use when fetching the entire alert is not preferred. By default this value is "null", which fetches the entire alert.