This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Platform Online Documentation
Browse the official NetWitness Platform Online documentation for helpful tutorials, step-by-step instructions, and other valuable resources.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Versions
Collections
All Downloads

Product Resources

Integrate the Connector with NetWitness Platform

You must integrate the connector with NetWitness Platform before creating a Response Action. The meta and the additional parameters information can be forwarded to the connector through NetWitness Platform only when you integrate the connector with NetWitness Platform.

Support Connectors for NetWitness Platform

Version Connector Type Actions Type
12.4 and later ThreatConnect Custom Actions
12.5 and later ThreatConnect OOTB Actions to CrowdStrike
12.5 and later CrowdStrike OOTB Actions

ThreatConnect

You can perform the following actions using the ThreatConnect connector type.

ThreatConnect Custom Actions

The following section explains how to integrate a connector such as ThreatConnect with the NetWitness Platform.

To integrate ThreatConnect with NetWitness Platform

  1. Go to AdminIcon_20x16.png(Admin) > Services.

  2. Select the Response Actions Server service in the Services view and go to 124_settingsimg_0224.png > View > Explore.

    The Response Actions Server Explore view is displayed.

    125_ReponseActionServerCrStThrConn_0724.PNG
  3.  

  4. Select nw/response/connector/threatconnect in the left panel.

  5. Enter the following information:

    • client-id: This field can be left blank as it is unnecessary for this integration.

    • client-secret: This field can be left blank as it is unnecessary for this integration.

    • host: Provide the Host IP or domain name of ThreatConnect instance. In case of ThreatConnect, the Host IP is the IP displayed in the URL of ThreatConnect Playbook’s Webhook Trigger.

    • instance-id: If playbookWebHookPathByOrg is enabled in ThreatConnect, you must enter the Organization ID as the instance-id in the Response Actions Server Explore view. If playbookWebHookPathByOrg is not enabled, leave this field empty.

      For example: If you enter api/playbook/1/blockipaddress in the Path field in ThreatConnect Playbook’s Webhook Trigger, you should enter 1 in the instance-id field.

    • prefix-url: This is the prefix part of the Path field in ThreatConnect Playbook’s Webhook Trigger. You must enter the prefix part as the prefix-url in Response Actions Server Explore view.

      For example: If you enter api/playbook/blockipaddress in the Path field in ThreatConnect Playbook’s Webhook Trigger, you should enter api/playbook/ in the prefix-url field.

    • username: Enter the ThreatConnect Playbook’s Webhook Trigger username if authentication is enabled.

    • password: Enter the ThreatConnect Playbook’s Webhook Trigger password if authentication is enabled.

      Note: All the ThreatConnect Playbook’s Webhook Trigger must have the same username and password when used by NetWitness Platform.

    • port: Enter the ThreatConnect Playbooks port.

      Note: By default, ThreatConnect Playbook Webhook uses the port 443 to accept request.

    • use-ssl: Set this field to true to enable SSL.

    • verify-s-s-l: Set this field to true to enable SSL verification.

      Note: This will require a certificate that is issued and configured.

    • use-proxy: Set this field to true to enable proxy.

The following diagram explains the URL structure associated with ThreatConnect Playbook’s Webhook Trigger.

124_urlstructure_0224_1424x663.png

The following table explains the parts of the URL structure associated with ThreatConnect Playbook’s Webhook Trigger.

Sl.no Description

1

 This part provides information about the SSL or non-SSL connection established between NetWitness Platform and ThreatConnect instance. For example: If the SSL connection is established between NetWitness Platform and ThreatConnect, this part displays https.
2 This part provides information about the Host IP or domain name of ThreatConnect instance.
3 This part provides information about the prefix-url associated with ThreatConnect Playbook’s Webhook Trigger. For example: api/playbook/
4 This part of the URL provides information about the instance-id associated with ThreatConnect Playbook’s Webhook Trigger. For example: 1

5

 

 

 

This part of the URL provides information about the URL Path associated with ThreatConnect Playbook’s Webhook Trigger.

For example: In the above diagram, blockipaddress is the URL Path associated with ThreatConnect Playbook’s Webhook Trigger. The URL Path associated with ThreatConnect Playbook’s Webhook Trigger must be entered while creating and managing Response Actions.

ThreatConnect Out-Of-The-Box Actions

The following section explains how to integrate a connector such as CrowdStrike with the NetWitness Platform through ThreatConnect.

Create Netwitness Response Actions Proxy Service in ThreatConnect for Supported Connectors

  1. Register and Sign in to ThreatConnect.

  2. Generate the Client ID and Client Secret which shall be used for the configuration of Response Actions on the NetWitness Platform.

  3. In the Playbooks dropdown, click Services.

    125_Service_Click Playbook_0724.PNG

  4. Click +NEW to create a Service.

    125_ServicesNew_0724.PNG

  5. Enter any name in the Name field.

    Note: The name entered will reflect in front of the Create Service field at the top.

  6. From the Service Type drop-down, select Service API.

  7. From the Service dropdown, scroll and select NetWitness Response Action Proxy from the list of available services.

    125_Services-New-Step1_0724.PNG

  8. Click Next to fill the Configuration details.

  9. In the Configure tab, by default the Launch Server is set to tc-mon and the API Path is set to NetWitness_proxy.

    125_Services-NewConfigure_0724.PNG

  10. Click Next to enter the setup parameters.

  11. In the Parameters tab, enter the Crowdstrike Client ID and Crowdstrike Client Secret.

    125_Services-NewParameters_0724.PNG

  12. Click Save, a new Service is created.

    Note: After a new Service is created, the Rest API for the newly created Service will be in disabled mode. Click the toggle button to enable the Rest API.

    125_Services-RestAPIcropped_0724.PNG

    This API path is required in the Response Action’s Service API Path in the NetWitness Platform.

    The Service is now ready to accept the request from NetWitness and perform any action.

To integrate CrowdStrike with NetWitness Platform through ThreatConnect

  1. Go to AdminIcon_20x16.png(Admin) > Services.

  2. Select the Response Actions Server service in the Services view and go to 124_settingsimg_0224.png > View > Explore.

    The Response Actions Server Explore view is displayed.

    125_ReponseActionServerCrStThrConn_0724.PNG

  3. Select nw/response/connector/threatconnect in the left panel.

  4. Enter the following information:

    • client-id: Enter the client-id generated by ThreatConnect.

    • client-secret: Enter the client-secret generated by ThreatConnect.

    • host: Provide the Host IP or domain name of ThreatConnect instance.

    • instance-id: This field can be left blank as it is unnecessary for this integration.

    • password: This field can be left blank as it is unnecessary for this integration.

    • port: Enter the ThreatConnect instance port.

      Note: By default, ThreatConnect instance uses the port 443 to accept request.

    • prefix-url: This field can be left blank as it is unnecessary for this integration.

      use-proxy: Set this field to true to enable proxy.

    • use-ssl: Set this field to true to enable SSL.

    • username: This field can be left blank as it is unnecessary for this integration.

    • verify-s-s-l: Set this field to true to enable SSL verification.

      Note: This will require a certificate that is issued and configured.

CrowdStrike

The following section explains how to integrate a connector such as CrowdStrike with the NetWitness Platform.

To integrate CrowdStrike with NetWitness Platform

  1. Go to AdminIcon_20x16.png(Admin) > Services.

  2. Select the Response Actions Server service in the Services view and go to 124_settingsimg_0224.png > View > Explore.

    The Response Actions Server Explore view is displayed.

    125_ReponseActionServerCrowdStrike_0724.PNG

  3. Select nw/response/connector/crowdstrike in the left panel.

  4. Enter the following information:

    • client-id: Enter the client-id generated by CrowdStrike.

    • client-secret: Enter the client-secret generated by CrowdStrike.

    • host: Provide the Host IP or domain name of CrowdStrike instance.

    • use-proxy: Set this field to true to enable proxy.

    • use-ssl: Set this field to true to enable SSL.

    • verify-s-s-l: Set this field to true to enable SSL verification.

      Note: This will require a certificate that is issued and configured.

 

Labels (1)
Labels:
0 Likes
Was this article helpful? Yes No
No ratings

On this page

© 2022 RSA Security LLC or its affiliates. All rights reserved.