ThreatConnect is a software platform that unites your entire security team, your partners, and your industry peers together behind a cohesive, intelligence-driven defense. Working together in ThreatConnect, everyone benefits from the collective talents and knowledge of the group. By making ThreatConnect intelligence data available in RSA Security Analytics, you’re able to build processes to identify the most relevant threats, proactively protect your network, and quickly respond to incidents in a measurable way.
RSA NetWitness Endpoint
- Get Host - Retrieves a list of host data, including the Agent Id values required for some Endpoint API calls. Because the network interface data contains nested information, the special variable #rsa.nw.hosts.network_interfaces.json contains the JSON encoded data for each host, which may be passed through an iterator to the Parse Network Interface action to decode a network interface.
- List Snapshots for Host - Lists the snapshots available to a specific Agent Id for a given Service Id. The output #rsa.nw.snapshot_list may contain duplicate snapshot identifiers.
- Get Files - Retrieves a list of files for which alerts have been generated. The result #rsa.nw.files.checksum_md5 is an array of checksum values that can be used to retrieve specific alerts with the Get Alerts By File API call. Because some of the file data may contain nested array values, the special array #rsa.nw.files.json can be used in conjunction with an iterator and the Parse File action to decode more details about a specific file.
- Get Alerts by Host - Retrieves a summary of alerts generated for a specific Agent Id running on a host.
- Get Alerts by File - Retrieves a summary of alerts generated by a file with a given
- Parse File - Parses one record of file JSON encoded data, such as would be output by an iterator of #rsa.nw.files.json, into file specific fields. No logon information is required for NetWitness to parse the record.
- Parse Network Interfaces - Parses one record of network interface JSON encoded data, such as would be output by an iterator of #rsa.nw.hosts.network_interfaces.json, into network interface specific fields. No logon information is required for NetWitness to parse the record.
- Parse Snapshot - Parses one record of snapshot JSON encoded data, such as would be output by an iterator of #rsa.nw.snapshots.json, into snapshot specific fields. No logon information is required for NetWitness to parse the record.
Built By ThreatConnect
RSA NetWitness Platform
ThreatConnect and RSA have partnered to enable users to detect and act on ThreatConnect intelligence in the RSA NetWitness Suite. With this integration, users can aggregate their internal logs and combine them with validated threat intelligence, so they can easily spot trends or patterns that are out of the ordinary and act on them efficiently. The integration helps ensure organizations are sending validated and actionable intelligence from ThreatConnect to the RSA NetWitness Suite. First, it takes aggregated logs from the RSA NetWitness Suite and combines them with the user's threat intelligence in ThreatConnect. ThreatConnect provides context for the indicators and enables a user's security team to easily spot out-of-the-ordinary trends or patterns and act on them efficiently. Benefits and features include:
- Sends all available threat data from ThreatConnect into RSA Netwitness Suite for validated alerting
- Provides the necessary context to be able to take action on the indicators
- Enables real-time threat analysis and indicator correlation
- Automates the detection of advanced threats
- Ensures that you are sending validated threat intelligence to RSA
This listing consists of 4 apps.
The RSA NetWitness Logs & Packets Playbook app imports ThreatConnect intelligence data into RSA for analysis, threat identification, incident response, and more.
The RSA NetWitness Platform - Respond Playbook app allows users to ingest incidents and alerts from RSA NetWitness as Cases in ThreatConnect. From there, ThreatConnect Workflow can orchestrate a predefined alert triage process and guide the analyst through a combination of automated and manual tasks to resolve the incident. Additionally, the original incident in NetWitness can automatically be updated with a Journal entry containing the results of the investigation, and its status can be marked closed or as a false positive. The following actions are available to Playbook designers from within the app:
- Get Incident
- Update Incident
- Get Incidents By Date Range
- Add Incident Journal Entry
- Get Incident Alerts
- Parse Alert
- Parse Event
The RSA NetWitness Platform - Respond Service app is used to pull NetWitness incidents on a schedule and trigger Playbooks when a new incident matches the criteria. The main use case for this app is to ingest RSA NetWitness incidents as Cases in ThreatConnect.
The RSA NetWitness Platform - Events Playbook app enables the automation of search, enrichment, and hunting actions against RSA NetWitness raw events, PCAP, and metadata. The app allows Playbook designers to query the SDK/Query, SDK/Content, SDK/Values, and SDK/Packets API endpoints as part of their security workflows and playbooks. This is a very technical app, but a powerful one in what it enables.
These apps can be found in the ThreatConnect App Catalog under the following names: RSA NetWitness Packets and Logs, RSA NetWitness Platform - Events, RSA NetWitness Platform - Respond, and RSA NetWitness Platform - Respond Service.
Built By ThreatConnect
RSA Netwitness Playbooks
As a starting point for the Alert Triage and Prioritization use case, the Alert Processing - RSA NetWitness Platform playbook template enables the ingestion and processing of incidents and alerts from the RSA NetWitness Platform into ThreatConnect. The Playbook is triggered each time a new Incident is generated in RSA NetWitness. The Incident details and context are saved as a Case and the Alerts are parsed and saved as Artifacts. The RSA NetWitness Platform - Respond Service app is required to be installed and configured prior to activating this Playbook.
The Convert Signatures playbook creates a User Action trigger on Signature objects to convert a Sigma signature to an RSA NetWitness formatted rule.
These Playbook templates can be found in the ThreatConnect App Catalog under the names: Alert Processing - RSA NetWitness Platform and Convert Sigma Signature To RSA NetWitness.
Built By ThreatConnect