Support Connectors for NetWitness Platform
12.4 and later | ThreatConnect | Custom Actions
12.5 and later | ThreatConnect | OOTB Actions to CrowdStrike
12.5 and later | CrowdStrike | OOTB Actions
ThreatConnect
You can perform the following actions using the ThreatConnect connector type.
ThreatConnect Custom Actions
The following section explains how to integrate a connector such as ThreatConnect with the NetWitness Platform.
To integrate ThreatConnect with NetWitness Platform
- Go to (Admin) > Services.
- Select the Response Actions Server service in the Services view and go to > View > Explore.
  The Response Actions Server Explore view is displayed.
- Select nw/response/connector/threatconnect in the left panel.
- Enter the following information:
  - client-id: This field can be left blank as it is unnecessary for this integration.
  - instance-id: If playbookWebHookPathByOrg is enabled in ThreatConnect, you must enter the Organization ID as the instance-id in the Response Actions Server Explore view. If playbookWebHookPathByOrg is not enabled, leave this field empty.
    For example: If you enter api/playbook/1/blockipaddress in the Path field in ThreatConnect Playbook’s Webhook Trigger, you should enter 1 in the instance-id field.
  - prefix-url: This is the prefix part of the Path field in ThreatConnect Playbook’s Webhook Trigger. You must enter the prefix part as the prefix-url in the Response Actions Server Explore view.
    For example: If you enter api/playbook/blockipaddress in the Path field in ThreatConnect Playbook’s Webhook Trigger, you should enter api/playbook/ in the prefix-url field.
  - username: Enter the ThreatConnect Playbook’s Webhook Trigger username if authentication is enabled.
  - password: Enter the ThreatConnect Playbook’s Webhook Trigger password if authentication is enabled.
    Note: All ThreatConnect Playbook Webhook Triggers must have the same username and password when used by NetWitness Platform.
  - port: Enter the ThreatConnect Playbooks port.
    Note: By default, ThreatConnect Playbook Webhook uses port 443 to accept requests.
  - use-ssl: Set this field to true to enable SSL.
  - verify-s-s-l: Set this field to true to enable SSL verification.
    Note: This will require a certificate that is issued and configured.
  - use-proxy: Set this field to true to enable proxy.
The following diagram explains the URL structure associated with ThreatConnect Playbook’s Webhook Trigger.
The following table explains the parts of the URL structure associated with ThreatConnect Playbook’s Webhook Trigger.
1 | This part provides information about the SSL or non-SSL connection established between NetWitness Platform and ThreatConnect instance. For example: If the SSL connection is established between NetWitness Platform and ThreatConnect, this part displays https.
2 | This part provides information about the Host IP or domain name of ThreatConnect instance.
3 | This part provides information about the prefix-url associated with ThreatConnect Playbook’s Webhook Trigger. For example: api/playbook/
4 | This part of the URL provides information about the instance-id associated with ThreatConnect Playbook’s Webhook Trigger. For example: 1
5 | This part of the URL provides information about the URL Path associated with ThreatConnect Playbook’s Webhook Trigger. For example: In the above diagram, blockipaddress is the URL Path associated with ThreatConnect Playbook’s Webhook Trigger. The URL Path associated with ThreatConnect Playbook’s Webhook Trigger must be entered while creating and managing Response Actions.
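
The URL structure described above can be checked before the connector values are saved. The following Python sketch is an added example, not NetWitness or ThreatConnect code: it splits a Webhook Trigger Path field into prefix-url, instance-id and URL Path, rebuilds the full URL from the five parts in the table, and flags weak use-ssl / verify-s-s-l combinations. The host tc.example.test, the sample credentials, the function names, the url-path key and the way a non-default port is appended are assumptions made for illustration.

```python
# Added example: helper names, sample host and port handling are assumptions.

def split_webhook_path(path_field, path_by_org):
    """Split a Webhook Trigger Path field into the connector values.

    path_by_org mirrors ThreatConnect's playbookWebHookPathByOrg setting.
    """
    parts = [p for p in path_field.split("/") if p]
    tail = 2 if path_by_org else 1  # [instance-id,] URL Path
    if len(parts) < tail:
        raise ValueError("Path field is too short for this setting")
    prefix = "/".join(parts[:-tail])
    return {
        "prefix-url": prefix + "/" if prefix else "",
        "instance-id": parts[-2] if path_by_org else "",
        "url-path": parts[-1],
    }

def build_webhook_url(cfg, url_path):
    """Assemble parts 1-5 of the URL structure from the connector fields."""
    scheme = "https" if cfg.get("use-ssl") else "http"      # part 1
    port = cfg.get("port")
    default_port = 443 if scheme == "https" else 80
    host = cfg["host"]                                       # part 2
    if port not in (None, default_port):
        host = f"{host}:{port}"
    segments = [cfg.get("prefix-url", ""),                   # part 3
                str(cfg.get("instance-id") or ""),           # part 4
                url_path]                                    # part 5
    path = "/".join(s.strip("/") for s in segments if s.strip("/"))
    return f"{scheme}://{host}/{path}"

def lint_connector(cfg):
    """Return findings for transport settings that weaken the integration."""
    findings = []
    if not cfg.get("use-ssl"):
        findings.append("use-ssl is false: requests are sent without TLS")
        if cfg.get("username") or cfg.get("password"):
            findings.append("webhook credentials would travel unencrypted")
    elif not cfg.get("verify-s-s-l"):
        findings.append("verify-s-s-l is false: server certificate is not validated")
    return findings

# Constructed sample values, using the Path example from this page.
fields = split_webhook_path("api/playbook/1/blockipaddress", path_by_org=True)
cfg = {"host": "tc.example.test", "port": 443, "use-ssl": True,
       "verify-s-s-l": False, "username": "nw-webhook", "password": "example",
       "prefix-url": fields["prefix-url"], "instance-id": fields["instance-id"]}
url = build_webhook_url(cfg, fields["url-path"])
```
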
ThreatConnect Out-Of-The-Box Actions
The following section explains how to integrate a connector such as CrowdStrike with the NetWitness Platform through ThreatConnect.
Create NetWitness Response Actions Proxy Service in ThreatConnect for Supported Connectors
- Register and sign in to ThreatConnect.
- Generate the Client ID and Client Secret which shall be used for the configuration of Response Actions on the NetWitness Platform.
- In the Playbooks dropdown, click Services.
- Click +NEW to create a Service.
- Enter any name in the Name field.
  Note: The name entered will reflect in front of the Create Service field at the top.
- From the Service Type drop-down, select Service API.
- From the Service dropdown, scroll and select NetWitness Response Action Proxy from the list of available services.
- Click Next to fill the Configuration details.
- In the Configure tab, by default the Launch Server is set to tc-mon and the API Path is set to NetWitness_proxy.
- Click Next to enter the setup parameters.
- In the Parameters tab, enter the Crowdstrike Client ID and Crowdstrike Client Secret.
- Click Save. A new Service is created.
  Note: After a new Service is created, the Rest API for the newly created Service will be in disabled mode. Click the toggle button to enable the Rest API.
  This API path is required in the Response Action’s Service API Path in the NetWitness Platform.
The Service is now ready to accept requests from NetWitness and perform any action.
To integrate CrowdStrike with NetWitness Platform through ThreatConnect
- Go to (Admin) > Services.
- Select the Response Actions Server service in the Services view and go to > View > Explore.
  The Response Actions Server Explore view is displayed.
- Select nw/response/connector/threatconnect in the left panel.
- Enter the following information:
  - host: Provide the Host IP or domain name of ThreatConnect instance.
  - instance-id: This field can be left blank as it is unnecessary for this integration.
  - password: This field can be left blank as it is unnecessary for this integration.
  - port: Enter the ThreatConnect instance port.
    Note: By default, ThreatConnect instance uses port 443 to accept requests.
  - prefix-url: This field can be left blank as it is unnecessary for this integration.
  - use-proxy: Set this field to true to enable proxy.
  - use-ssl: Set this field to true to enable SSL.
CrowdStrike
The following section explains how to integrate a connector such as CrowdStrike with the NetWitness Platform.
To integrate CrowdStrike with NetWitness Platform
- Go to (Admin) > Services.
- Select the Response Actions Server service in the Services view and go to > View > Explore.
  The Response Actions Server Explore view is displayed.
- Select nw/response/connector/crowdstrike in the left panel.
- Enter the following information:
  - host: Provide the Host IP or domain name of CrowdStrike instance.
  - use-proxy: Set this field to true to enable proxy.
  - use-ssl: Set this field to true to enable SSL.