Posted
ThreatConnect and Netwitness, an RSA business, have strengthened our partnership by releasing multiple Playbook and Service Apps for the NetWitness Platform. With these new apps, you can automate case management, search requests, enrichment, and hunting actions, as well as investigation and response actions. By automating these processes, you ensure that high fidelity intelligence is being sent between the two solutions and that you and your team have all the information needed to make fast and informed decisions.
The NetWitness Platform is an evolved SIEM and XDR solution that functions as a single, unified platform for all your security data. It features an advanced analyst workbench for triaging alerts and incidents, and it orchestrates security operations programs end to end.
NetWitness: Respond Playbook App/ Respond Service App**
With this Playbook or Service App, you can now ingest Incidents and Alerts from the NetWitness Platform as Cases in ThreatConnect. From there ThreatConnect Workflow can orchestrate a predefined Alert triage process and guide you through a combination of automated and manual tasks to resolve the Incident. Additionally, the original Incident in NetWitness can automatically be updated with a Journal entry containing the results of the investigation, and the status can be marked as closed or as a false positive.
The following actions are available:
- Get Incident
- Update Incident
- Get Incidents By Date Range
- Add Incident Journal Entry
- Get Incident Alerts
- Parse Alert
- Parse Event
*There is a Playbook App and Service App for RSA NetWitness – Respond. The Service App improves ease of use and performance.
NetWitness Platform: Events Playbook App
This app is a bit more technical than the others but provides a ton of value around events in the NetWitness Platform. With this app, you can enable the automation of search, enrichment, and hunting actions with RSA NetWitness raw events, PCAP, and metadata.
The following actions are available:
- SDK Query
- SDK Packets
- SDK Values
- SDK Content
NetWitness Endpoint allows you to monitor and respond to the endpoint continuously. NetWitness Endpoint leverages unique, continuous endpoint behavioral monitoring and rich response components to dive deeper and more accurately and rapidly identify new, targeted, unknown, and even file-less attacks that other endpoint security solutions miss entirely.
NetWitness Platform- Endpoint Playbook App
This app enables automated investigation and response actions on hosts with NetWitness Endpoint. As part of a Case or Investigation, you can use this app to get important data like host details, snapshots, files, alerts, and more. When combined with the above apps, ThreatConnect Workflow and Playbooks can drive comprehensive investigations across Network, Log, and Endpoint data in the NetWitness Platform.
The following actions are available:
- Get Host
- Get Host With Filter
- Create Snapshot
- List Snapshots For Host
- Get Snapshot Details
- Get File
- Get Alerts Per Host
- Get Alerts Per File
Together, ThreatConnect and NetWitness, an RSA business, provide an easy solution for automating many processes between the platforms. If you’re a ThreatConnect customer, please reach out to your dedicated Customer Success Team for more information on using the NetWitness Platform apps. If you’re not yet a customer and are interested in ThreatConnect and this integration, contact us at sales@threatconnect.com.