You must integrate the connector with NetWitness Platform before creating a Response Action. Meta and additional parameter information can be forwarded to the connector only after the connector is integrated with NetWitness Platform.

Note: In version 12.4, only the integration of ThreatConnect with NetWitness Platform is supported.

The following section explains how to integrate a connector such as ThreatConnect with NetWitness Platform.

To integrate ThreatConnect with NetWitness Platform

  1. Go to (Admin) > Services.

  2. Select the Response Actions Server service in the Services view and go to the settings icon > View > Explore.

    The Response Actions Server Explore view is displayed.


  3. Select nw/response/connector/threatconnect in the left panel.

  4. Enter the following information:

    • host: Provide the Host IP or domain name of the ThreatConnect instance. For ThreatConnect, the Host IP is the IP displayed in the URL of ThreatConnect Playbook’s Webhook Trigger.

    • instance-id: If playbookWebHookPathByOrg is enabled in ThreatConnect, you must enter the Organization ID as the instance-id in the Response Actions Server Explore view. If playbookWebHookPathByOrg is not enabled, leave this field empty.

      For example: If you enter api/playbook/1/blockipaddress in the Path field in ThreatConnect Playbook’s Webhook Trigger, you should enter 1 in the instance-id field.

    • prefix-url: This is the prefix part of the Path field in ThreatConnect Playbook’s Webhook Trigger. You must enter the prefix part as the prefix-url in Response Actions Server Explore view.

      For example: If you enter api/playbook/blockipaddress in the Path field in ThreatConnect Playbook’s Webhook Trigger, you should enter api/playbook/ in the prefix-url field.

    • username: Enter the ThreatConnect Playbook’s Webhook Trigger username if authentication is enabled.

    • password: Enter the ThreatConnect Playbook’s Webhook Trigger password if authentication is enabled.

      Note: All ThreatConnect Playbook Webhook Triggers used by NetWitness Platform must have the same username and password.

    • port: Enter the ThreatConnect Playbooks port.

      Note: By default, ThreatConnect Playbook Webhook uses port 443 to accept requests.

    • use-ssl: Set this field to true to enable SSL.

    • verify-s-s-l: Set this field to true to enable SSL verification.

      Note: This will require a certificate that is issued and configured.

    • use-proxy: Set this field to true to enable proxy.

The following diagram explains the URL structure associated with ThreatConnect Playbook’s Webhook Trigger.

[Diagram: URL structure of ThreatConnect Playbook’s Webhook Trigger]

The following table explains the parts of the URL structure associated with ThreatConnect Playbook’s Webhook Trigger.

Sl. no. Description

1 This part provides information about the SSL or non-SSL connection established between NetWitness Platform and ThreatConnect instance. For example: If the SSL connection is established between NetWitness Platform and ThreatConnect, this part displays https.
2 This part provides information about the Host IP or domain name of ThreatConnect instance.
3 This part provides information about the prefix-url associated with ThreatConnect Playbook’s Webhook Trigger. For example: api/playbook/
4 This part of the URL provides information about the instance-id associated with ThreatConnect Playbook’s Webhook Trigger. For example: 1
5 This part of the URL provides information about the URL Path associated with ThreatConnect Playbook’s Webhook Trigger. For example: In the above diagram, blockipaddress is the URL Path associated with ThreatConnect Playbook’s Webhook Trigger. The URL Path associated with ThreatConnect Playbook’s Webhook Trigger must be entered while creating and managing Response Actions.
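
The following added example (not NetWitness or ThreatConnect code) joins the connector fields described above into the webhook URL laid out in the table, and reviews the settings for values that leave the connection unprotected. The function names, the sample values, and the placement of the port after the host are assumptions of this example.

```python
# Added example: field names mirror the Explore view; all values are constructed.
SAMPLE = {
    "host": "tc.example.com", "port": 443, "prefix-url": "api/playbook/",
    "instance-id": "1", "username": "nw-webhook", "password": "placeholder",
    "use-ssl": True, "verify-s-s-l": True, "use-proxy": False,
}


def build_webhook_url(cfg, url_path):
    """Join the five URL parts from the table: scheme, host, prefix-url,
    instance-id (optional) and URL Path. Appending the port to the host is
    an assumption of this example."""
    scheme = "https" if cfg["use-ssl"] else "http"
    parts = [cfg["prefix-url"], str(cfg.get("instance-id") or ""), url_path]
    path = "/".join(p.strip("/") for p in parts if p.strip("/"))
    return f"{scheme}://{cfg['host']}:{cfg['port']}/{path}"


def review_settings(cfg):
    """Return a list of findings for settings that weaken or break the link."""
    findings = []
    if "/" in cfg["host"]:
        findings.append("host: enter only the IP or domain name, no scheme or path")
    if bool(cfg.get("username")) != bool(cfg.get("password")):
        findings.append("username/password: set both or neither")
    if not cfg["use-ssl"]:
        what = "credentials and meta" if cfg.get("username") else "meta"
        findings.append(f"use-ssl=false: {what} are sent to the webhook unencrypted")
    elif not cfg["verify-s-s-l"]:
        findings.append("verify-s-s-l=false: SSL verification of the webhook is off")
    return findings


if __name__ == "__main__":
    print(build_webhook_url(SAMPLE, "blockipaddress"))
    weak = {**SAMPLE, "use-ssl": False, "verify-s-s-l": False}
    for finding in review_settings(weak):
        print("FINDING:", finding)
```

Leaving instance-id empty, as the procedure requires when playbookWebHookPathByOrg is not enabled, drops that segment from the composed path.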