
RSA NetWitness

ThreatConnect is a software platform that unites your entire security team, your partners, and your industry peers together behind a cohesive, intelligence-driven defense. Working together in ThreatConnect, everyone benefits from the collective talents and knowledge of the group. By making ThreatConnect intelligence data available in RSA Security Analytics, you’re able to build processes to identify the most relevant threats, proactively protect your network, and quickly respond to incidents in a measurable way.

Integrations

RSA NetWitness Endpoint

The RSA NetWitness Platform - Endpoint Playbook app enables automated investigation and response actions on hosts with the RSA NetWitness Endpoint API. As part of a Case or Investigation, use this app to get important host details, snapshots, files, alerts, and more. When combined with the existing apps for NetWitness Respond and Events, ThreatConnect Workflow and Playbooks can now drive comprehensive investigations across Network, Log, and Endpoint data in the RSA NetWitness Platform. The following actions are available from within the app:
  • Get Host - Retrieves a list of host data, including the Agent Id values required for some Endpoint API calls. Because the network interface data is nested, the special variable #rsa.nw.hosts.network_interfaces.json contains the JSON-encoded data for each host; it can be passed through an iterator to the Parse Network Interfaces action to decode each network interface.
  • List Snapshots for Host - Lists the snapshots available for a specific Agent Id and a given Service Id. The output #rsa.nw.snapshot_list may contain duplicate snapshot identifiers.
  • Get Files - Retrieves a list of files for which alerts have been generated. The result #rsa.nw.files.checksum_md5 is an array of checksum values that can be used to retrieve specific alerts with the Get Alerts by File API call. Because some of the file data contains nested array values, the special array #rsa.nw.files.json can be used with an iterator and the Parse File action to decode more details about a specific file.
  • Get Alerts by Host - Retrieves a summary of alerts generated for a specific Agent Id running on a host.
  • Get Alerts by File - Retrieves a summary of alerts generated by a file with a given checksum value.
  • Parse File - Parses one record of JSON-encoded file data, such as one item output by an iterator over #rsa.nw.files.json, into file-specific fields. No NetWitness logon is required to parse the record.
  • Parse Network Interfaces - Parses one record of JSON-encoded network interface data, such as one item output by an iterator over #rsa.nw.hosts.network_interfaces.json, into network-interface-specific fields. No NetWitness logon is required to parse the record.
  • Parse Snapshot - Parses one record of JSON-encoded snapshot data, such as one item output by an iterator over #rsa.nw.snapshots.json, into snapshot-specific fields. No NetWitness logon is required to parse the record.
This listing can be found in the ThreatConnect App Catalog under the name RSA NetWitness Platform - Endpoint.

Built By ThreatConnect

RSA NetWitness Platform

ThreatConnect and RSA have partnered to enable users to detect and act on ThreatConnect intelligence in the RSA NetWitness Suite. With this integration, users can aggregate their internal logs and combine them with validated threat intelligence, so they can easily spot trends or patterns that are out of the ordinary and act on them efficiently. The integration helps ensure that organizations send validated and actionable intelligence from ThreatConnect to the RSA NetWitness Suite. First, it takes aggregated logs from the RSA NetWitness Suite and combines them with the user's threat intelligence in ThreatConnect. ThreatConnect then provides context for the indicators, enabling the security team to spot out-of-the-ordinary trends or patterns and act on them efficiently. Benefits and features include:

  • Sends all available threat data from ThreatConnect into RSA Netwitness Suite for validated alerting
  • Provides the necessary context to be able to take action on the indicators
  • Enables real-time threat analysis and indicator correlation
  • Automates the detection of advanced threats
  • Ensures that you are sending validated threat intelligence to RSA

This listing consists of 4 apps.

The RSA NetWitness Logs & Packets Playbook app imports ThreatConnect intelligence data into RSA for analysis, threat identification, incident response, and more.

The RSA NetWitness Platform - Respond Playbook app allows users to ingest incidents and alerts from RSA NetWitness as Cases in ThreatConnect. From there, ThreatConnect Workflow can orchestrate a predefined alert triage process and guide the analyst through a combination of automated and manual tasks to resolve the incident. Additionally, the original incident in NetWitness can automatically be updated with a Journal entry containing the results of the investigation, and its status can be marked closed or as a false positive. The following actions are available to Playbook designers from within the app:

  • Get Incident
  • Update Incident
  • Get Incidents By Date Range
  • Add Incident Journal Entry
  • Get Incident Alerts
  • Parse Alert
  • Parse Event

The RSA NetWitness Platform - Respond Service app is used to pull NetWitness incidents on a schedule and trigger Playbooks when a new incident matches the criteria. The main use case for this app is to ingest RSA NetWitness incidents as Cases in ThreatConnect.

The RSA NetWitness Platform - Events Playbook app enables the automation of search, enrichment, and hunting actions over RSA NetWitness raw events, PCAP, and metadata. The app allows Playbook designers to query the SDK/Query, SDK/Content, SDK/Values, and SDK/Packets API endpoints as part of their security workflows and playbooks. It is the most technical of the apps, but also the most powerful in what it enables.

These apps can be found in the ThreatConnect App Catalog under the following names: RSA NetWitness Packets and Logs, RSA NetWitness Platform - Events, RSA NetWitness Platform - Respond, and RSA NetWitness Platform - Respond Service.


Playbooks

RSA NetWitness Playbooks

As a starting point for the Alert Triage and Prioritization use case, the Alert Processing - RSA NetWitness Platform playbook template enables the ingestion and processing of incidents and alerts from the RSA NetWitness Platform into ThreatConnect. The Playbook is triggered each time a new Incident is generated in RSA NetWitness. The Incident details and context are saved as a Case and the Alerts are parsed and saved as Artifacts. The RSA NetWitness Platform - Respond Service app is required to be installed and configured prior to activating this Playbook.

The Convert Signatures playbook creates a User Action trigger on Signature objects to convert a Sigma signature into an RSA NetWitness formatted rule. Further information on the Sigma format is available from the Sigma project.

These Playbook templates can be found in the ThreatConnect App Catalog under the names: Alert Processing - RSA NetWitness Platform and Convert Sigma Signature To RSA NetWitness.
