Using this plugin you can simulate RSA NetWitness Orchestrator web calls, or anything else that calls the API, to validate what to expect and to test.
The first thing to do is follow general security best practice and create a dedicated role and user in RSA NetWitness, so that the account has only the permissions it needs. Currently I am still testing to see if I can reduce the roles further, but the current permissions are much less than those of the default 'admin' account.
This will give you three requests: nw-getauth, nw-get-incident and nw-get-alert.
Use nw-getauth to request a security token from the RSA NetWitness API (update it for your RSA NetWitness interface).
Hit send and you should get back a 200 OK result with the security tokens to use in the next submissions.
You now have the accessToken value to authenticate your next commands (copy the accessToken value).
Use the nw-get-incident request to get the details for a specific incident (INC-XXX).
Insert the value for the accessToken into the RSA NetWitness-Token field and hit send.
If everything works well you should get back another 200 OK with the JSON dump of the values for that specific incident.
You can click download to grab a JSON export of this incident to work offline, investigate, upload to a demo RSA NetWitness Orchestrator system ... A sample one is included in the GitHub link.
To grab the alert details from this incident, use the third request, nw-get-alert.
Again you should get a 200 OK with the details of the alerts for the incident requested.
Again you can download the JSON file to get the full details of the alert, so you know what you can work with in RSA NetWitness Orchestrator/Crystal Reports.
This is the equivalent output from the Respond Incident window (the same items are missing for alerts); the area in the red box doesn't appear to be available in the API. An internal Jira has been opened to enhance or resolve this (I can't figure out if this is a bug or a feature request).
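The three requests above (nw-getauth, nw-get-incident, nw-get-alert) scripted in Python, as an added example that is not part of the original post. The endpoint paths, the `NetWitness-Token` header name, the `username`/`password` form fields and the `NW_*` environment variable names are assumptions; check them against the requests in your own plugin collection.

```python
import json
import os
import urllib.parse
import urllib.request

# Assumptions (not shown on the page): endpoint paths and token header name.
AUTH_PATH = "/rest/api/auth/userpass"
INCIDENT_PATH = "/rest/api/incidents/{id}"
ALERTS_PATH = "/rest/api/incidents/{id}/alerts"
TOKEN_HEADER = "NetWitness-Token"

def auth_request(base, user, password):
    """nw-getauth: POST form-encoded credentials to request the tokens."""
    body = urllib.parse.urlencode({"username": user, "password": password})
    return urllib.request.Request(
        base + AUTH_PATH, data=body.encode(), method="POST",
        headers={"Accept": "application/json"})

def extract_token(response_body):
    """Return accessToken from the auth response, or fail loudly."""
    token = json.loads(response_body).get("accessToken")
    if not token:
        raise ValueError("auth response contained no accessToken")
    return token

def incident_request(base, token, incident_id, alerts=False):
    """nw-get-incident (or nw-get-alert when alerts=True) for one incident."""
    inc = urllib.parse.quote(incident_id, safe="")  # keep the id in one path segment
    path = (ALERTS_PATH if alerts else INCIDENT_PATH).format(id=inc)
    return urllib.request.Request(
        base + path, method="GET",
        headers={TOKEN_HEADER: token, "Accept": "application/json"})

def send(req):
    """Send with urllib's default TLS certificate verification; HTTP errors raise."""
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()

if __name__ == "__main__":
    base = os.environ["NW_BASE_URL"]      # hypothetical variable names
    inc_id = os.environ["NW_INCIDENT"]    # e.g. INC-XXX
    token = extract_token(send(auth_request(
        base, os.environ["NW_USER"], os.environ["NW_PASS"])))
    for name, alerts in (("incident", False), ("alerts", True)):
        data = send(incident_request(base, token, inc_id, alerts))
        with open(f"{inc_id}-{name}.json", "wb") as fh:  # offline copy, as with Download
            fh.write(data)
        print(name, "saved:", len(data), "bytes")  # never print the token itself
```

Run it with the restricted role's credentials supplied through the environment rather than hard-coded, so the script can be shared without leaking them.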