RSA Netwitness SIEM

the rsa netwitness siem connector enables automated interaction with the rsa netwitness siem platform, facilitating incident management and alert handling rsa netwitness siem is a powerful security information and event management platform that provides real time visibility into your security posture this connector enables swimlane turbine users to automate incident response and management, fetch detailed alert and incident data, and maintain a comprehensive security event history by integrating with rsa netwitness siem, users can streamline their security operations, enhance incident tracking, and improve overall threat detection and response times within the swimlane ecosystem limitations none to date prerequisites to effectively utilize the rsa netwitness siem connector with swimlane turbine, ensure you have the following prerequisites http basic authentication with the following parameters url endpoint for rsa netwitness siem api access username your rsa netwitness siem account username password your rsa netwitness siem account password capabilities this rsa netwitness siem connector provides the following capabilities add a journal entry fetch alerts based on the criteria fetch incidents based on fields of incident get alerts by date range get incident stats get incident history get incident user stats get incidents by date range get a single incident get an incident's alerts persisting events in an alert persisting events in an incident remove an incident suspending persist of events in an alert suspending persist of events in an incident and so on add a journal entry a journal entry, or note, can be added to an existing incident fetch alerts based on the criteria the alerts can be fetched based on the specific fields of the alert by providing the name of the field,value of the field, the number of records and the fields of the alert that needs to be included in response fetch incidents based on fields of incident the incidents can be fetched based on the specific fields of the incident by providing the name ofthe field, value of the field and the number of records to be fetched as arguments get alerts by date range alerts can be retrieved by the date and time they were created get incident history fetch the entire history details of the incident using the incident's unique identifier get incident stats incidentstats can be retrieved by the date and time they were created it contains day wise detailsof the overall mtta, mttd and mttr as well as the count associated with each metric for that day get incident user stats incident user stats can be retrieved by user and date range it computes the mttd values for therange of dates mentioned and responds with a consolidated list get incidents by date range incidents can be retrieved by the date and time they were created get a single incident a single incident can be retrieved using an incident's unique identifier get an incident's alerts all the alerts that are associated with an incident can be retrieved using the incident's uniqueidentifier persisting events in an alert persist all the events present in the alert using the alert's unique identifier persisting events in an incident persist all the events present in the incident using the incident's unique identifier remove an incident a single incident can be removed using the incident's unique identifier suspending persist of events in an alert suspend all the events present in persist alert using the alert's unique identifier suspending persist of events in an incident suspend all the events present in persist incident using the incident's unique identifier update an incident currently an incident's status and assignee can be modified using the incidents endpoint configurations http basic authentication authenticates using username and password configuration parameters parameter description type required url a url to the target host string required username username string required password password string required verify ssl verify ssl certificate boolean optional http proxy a proxy to route requests through string optional actions add a journal entry add a journal entry or note to an existing incident in rsa netwitness siem using the incident's id endpoint url /rest/api/incidents/{{id}}/journal method post input argument name type required description path parameters id string required the id of the incident to which the journal entry will be added author string optional the netwitness user id of the user creating the journal entry notes string optional notes and observations about the incident milestone string optional the incident milestone classifier input example {"json body" {"author" "duke","notes" "this incident is contained ","milestone" "containment"},"path parameters" {"id" "inc 100"}} output parameter type description status code number http status code of the response reason string response reason phrase output example {"status code" 201,"response headers" {},"reason" "created","json body" {}} fetch alerts based on the criteria retrieve rsa netwitness siem alerts filtered by field names, values, record count, and specified response fields endpoint url /rest/api/alert/fetch method get input argument name type required description meta name string optional field of the alert document based on which the incident query to be made meta value string optional value for the field of the alert document based on which the incident query to be made numberofrecords string optional number of alert records to be fetched for the selected meta key and meta value pair max 1000 includefields string optional the fields from the alert mongo document to be included in the output, if fetching the entire alert is not preferred (comma separated list of fields) input example {"json body" {"meta name" "alert source","meta value" "event stream analysis","numberofrecords" "1","includefields" "null"}} output parameter type description status code number http status code of the response reason string response reason phrase output example \[] fetch incidents based on fields of incident retrieve rsa netwitness siem incidents filtered by specific field values and control the number of records fetched endpoint url /rest/api/incident/fetch method post input argument name type required description meta name string optional the name of the field to filter incidents meta value string optional the value of the field to filter incidents numberofrecords string optional the number of records to fetch input example {"json body" {"meta name" "priority","meta value" "medium","numberofrecords" "1"}} output parameter type description status code number http status code of the response reason string response reason phrase output example {"status code" 200,"response headers" {},"reason" "ok","json body" \[{"id" "inc 75831","name" "high risk alerts esa packet for 30 0","summary" "","priority" "medium","prioritysort" 1,"riskscore" 30,"status" "assigned","statussort" 1,"alertcount" 7,"pinnedalertcount" 0,"containspinnedalerts"\ false,"averagealertriskscore" 30,"sealed"\ true,"totalremediationtaskcount" 0,"openremediationtaskcount" 0}]} get a single incident retrieve a specific incident from rsa netwitness siem using the unique incident identifier endpoint url /rest/api/incidents/{{id}} method get input argument name type required description path parameters id string required the unique identifier of the incident input example {"path parameters" {"id" "inc 100"}} output parameter type description status code number http status code of the response reason string response reason phrase id string unique identifier title string output field title summary string output field summary priority string output field priority riskscore number score value status string status value alertcount number count value averagealertriskscore number score value sealed boolean output field sealed totalremediationtaskcount number count value openremediationtaskcount number count value created string output field created lastupdated string output field lastupdated lastupdatedby string output field lastupdatedby assignee string output field assignee sources array output field sources ruleid string unique identifier firstalerttime string time value categories array output field categories categories id string unique identifier categories parent string output field categories parent categories name string name of the resource journalentries array output field journalentries output example {"status code" 200,"response headers" {},"reason" "ok","json body" {"id" "inc 100","title" "suspected c\&c with suspicious domain com","summary" "security analytics detected communications with suspicious domain com that may b ","priority" "critical","riskscore" 100,"status" "inprogress","alertcount" 1,"averagealertriskscore" 100,"sealed"\ true,"totalremediationtaskcount" 4,"openremediationtaskcount" 5,"created" "2018 01 01t04 49 27 870z","lastupdated" "2024 02 06t12 44 34 722z","lastupdatedby" get alerts by date range retrieve alerts from rsa netwitness siem based on a specified date and time range endpoint url /rest/api/alerts method get input argument name type required description parameters pagenumber number optional the page number for pagination parameters pagesize number optional the number of items per page for pagination parameters since string optional a date format (e g , 2022 01 01) retrieve incidents stats created on and after this date parameters until string optional a date format (e g , 2022 01 31) retrieve incident stats created on and before this date input example {"parameters" {"pagenumber" 0,"pagesize" 100,"since" "2022 01 01","until" "2022 01 31"}} output parameter type description status code number http status code of the response reason string response reason phrase items array output field items items id string unique identifier items receivedtime string time value items status string status value items errormessage object response message items originalheaders object http headers for the request items originalheaders name string http headers for the request items originalheaders description string http headers for the request items originalheaders version number http headers for the request items originalheaders severity number http headers for the request items originalheaders timestamp number http headers for the request items originalheaders signatureid string http headers for the request items originalheaders devicevendor string http headers for the request items originalheaders deviceproduct string http headers for the request items originalrawalert object output field items originalrawalert items originalalert object output field items originalalert items originalalert severity number output field items originalalert severity items originalalert datasourcehost string response data items originalalert user summary string output field items originalalert user summary items originalalert events array output field items originalalert events items originalalert events ip proto number output field items originalalert events ip proto items originalalert events ip src string output field items originalalert events ip src items originalalert events lifetime number time value output example {"status code" 200,"response headers" {},"reason" "ok","json body" {"items" \[{}],"pagenumber" 0,"pagesize" 100,"totalpages" 1,"totalitems" 1,"hasnext"\ false,"hasprevious"\ false}} get an incident's alerts retrieve all alerts associated with a specific incident in rsa netwitness siem using the incident's unique identifier endpoint url /rest/api/incidents/{{id}}/alerts method get input argument name type required description parameters pagenumber number optional the page number to retrieve parameters pagesize number optional the number of items to retrieve per page path parameters id string required the id of the incident for which alerts are being retrieved input example {"parameters" {"pagenumber" 0,"pagesize" 100},"path parameters" {"id" "inc 100"}} output parameter type description status code number http status code of the response reason string response reason phrase items array output field items items id string unique identifier items title string output field items title items detail string output field items detail items created string output field items created items source string output field items source items riskscore number score value items type string type of the resource items events array output field items events items events source object output field items events source items events source device object output field items events source device items events source device ipaddress string output field items events source device ipaddress items events source device port number output field items events source device port items events source device macaddress string output field items events source device macaddress items events source device dnshostname object name of the resource items events source device dnsdomain object output field items events source device dnsdomain items events source user object output field items events source user items events source user username string name of the resource items events source user emailaddress object output field items events source user emailaddress items events source user adusername object name of the resource items events source user addomain object output field items events source user addomain items events destination object output field items events destination items events destination device object output field items events destination device output example {"status code" 200,"response headers" {},"reason" "ok","json body" {"items" \[{}],"pagenumber" 0,"pagesize" 10,"totalpages" 1,"totalitems" 1,"hasnext"\ false,"hasprevious"\ false}} get incident history retrieve the complete history of an incident in rsa netwitness siem using the unique incident identifier endpoint url /rest/api/incidents/history/{{id}} method post input argument name type required description path parameters id string required the id of the incident to fetch history for input example {"path parameters" {"id" "inc 100"}} output parameter type description status code number http status code of the response reason string response reason phrase output example {"status code" 200,"response headers" {},"reason" "ok","json body" \[{"type" "status","date" "2022 05 11t09 24 43 025+00 00","changedby" "admin","changedfrom" "in progress","changedto" "remediation requested"},{"type" "priority","date" "2022 05 11t09 25 18 767+00 00","changedby" "admin","changedfrom" "high","changedto" "medium"},{"type" "assignee","date" "2022 05 11t09 25 31 157+00 00","changedby" "admin","changedfrom" "rolden","changedto" "admin"}]} get incident stats retrieve day wise incident statistics from rsa netwitness siem, including mtta, mttd, mttr, and associated counts endpoint url /rest/api/incidents/stats method get input argument name type required description parameters pagenumber number optional the requested page number parameters pagesize number optional the maximum number of items to return in a single page parameters since string optional a timestamp in iso 8601 format (e g , 2018 01 01t14 00 00 000z) retrieve incidents created on and after this timestamp parameters until string optional a timestamp in iso 8601 format (e g , 2018 01 01t14 00 00 000z) retrieve incidents created on and before this timestamp input example {"parameters" {"pagenumber" 0,"pagesize" 100,"since" "2018 01 01t14 00 00 000z","until" "2018 01 01t14 00 00 000z"}} output parameter type description status code number http status code of the response reason string response reason phrase items array output field items items date string date value items mtta number output field items mtta items mttacount number count value items mttd number output field items mttd items mttdcount number count value items mttr number output field items mttr items mttrcount number count value pagenumber number output field pagenumber pagesize number output field pagesize totalpages number output field totalpages totalitems number output field totalitems hasnext boolean output field hasnext hasprevious boolean output field hasprevious output example {"status code" 200,"response headers" {},"reason" "ok","json body" {"items" \[{}],"pagenumber" 0,"pagesize" 100,"totalpages" 1,"totalitems" 1,"hasnext"\ false,"hasprevious"\ false}} get incident user stats retrieve user specific incident statistics and mean time to detect (mttd) values for a specified date range in rsa netwitness siem endpoint url /rest/api/incidents/user stats method get input argument name type required description parameters username string optional the netwitness user id of the user for whom the stats are being requested parameters since string optional a date format (e g , 2022 01 01) retrieve incidents stats created on and after this date parameters until string optional a date format (e g , 2022 01 31) retrieve incidents stats created on and before this date input example {"parameters" {"username" "admin","since" "2022 01 01","until" "2022 01 31"}} output parameter type description status code number http status code of the response reason string response reason phrase username string name of the resource overallclosedcount number count value mttd number output field mttd mttdcount number count value incidentids array unique identifier output example {"status code" 200,"response headers" {},"reason" "ok","json body" {"username" "admin","overallclosedcount" 2,"mttd" 12,"mttdcount" 2,"incidentids" \["inc 1","inc 2"]}} get incidents by date range retrieve incidents from rsa netwitness siem based on the specified creation date and time range endpoint url /rest/api/incidents method get input argument name type required description parameters pagenumber number optional the requested page number parameters pagesize number optional the maximum number of items to return in a single page parameters since string optional a timestamp in iso 8601 format (e g , 2018 01 01t14 00 00 000z) retrieve incidents created on and after this timestamp parameters until string optional a timestamp in iso 8601 format (e g , 2018 01 01t14 00 00 000z) retrieve incidents created on and before this timestamp input example {"parameters" {"pagenumber" 0,"pagesize" 100,"since" "2018 01 01t14 00 00 000z","until" "2018 01 01t14 00 00 000z"}} output parameter type description status code number http status code of the response reason string response reason phrase items array output field items items id string unique identifier items title string output field items title items summary string output field items summary items priority string output field items priority items riskscore number score value items status string status value items alertcount number count value items averagealertriskscore number score value items sealed boolean output field items sealed items totalremediationtaskcount number count value items openremediationtaskcount number count value items created string output field items created items lastupdated string output field items lastupdated items lastupdatedby string output field items lastupdatedby items assignee string output field items assignee items sources array output field items sources items ruleid string unique identifier items firstalerttime string time value items categories array output field items categories items categories id string unique identifier items categories parent string output field items categories parent items categories name string name of the resource output example {"status code" 200,"response headers" {},"reason" "ok","json body" {"items" \[{}],"pagenumber" 0,"pagesize" 100,"totalpages" 1,"totalitems" 1,"hasnext"\ false,"hasprevious"\ false}} persisting events in an alert persist all events in an alert identified by a unique id within rsa netwitness siem endpoint url /rest/api/alerts/persist/{{id}} method post input argument name type required description path parameters id string required the id of the alert to persist events in input example {"json body" {},"path parameters" {"id" "59440ad7e4b0ff674d2cd85e"}} output parameter type description status code number http status code of the response reason string response reason phrase status string status value message string response message output example {"status code" 200,"response headers" {},"reason" "ok","json body" {"status" "success","message" "persisted alert id 59440ad7e4b0ff674d2cd85e"}} persisting events in an incident permanently store all events associated with a specific incident in rsa netwitness siem using the incident's unique id endpoint url /rest/api/incidents/persist/{{id}} method post input argument name type required description path parameters id string required the id of the incident to persist events in input example {"path parameters" {"id" "inc 100"}} output parameter type description status code number http status code of the response reason string response reason phrase status string status value message string response message output example {"status code" 200,"response headers" {},"reason" "ok","json body" {"status" "success","message" "task successfully submitted to persist incident id inc 75287"}} remove an incident removes a specified incident from rsa netwitness siem using the unique incident identifier endpoint url /rest/api/incidents/{{id}} method delete input argument name type required description path parameters id string required the id of the incident to remove input example {"path parameters" {"id" "inc 100"}} output parameter type description status code number http status code of the response reason string response reason phrase response text string output field response text output example {"status code" 204,"response headers" {},"reason" "no content","response text" ""} suspending persist of events in an alert suspend all events within a persistent alert on rsa netwitness siem using the alert's unique id endpoint url /rest/api/alerts/suspend persist/{{id}} method post input argument name type required description path parameters id string required the id of the alert to suspend persist events in input example {"path parameters" {"id" "59440ad7e4b0ff674d2cd85e"}} output parameter type description status code number http status code of the response reason string response reason phrase status string status value message string response message output example {"status code" 200,"response headers" {},"reason" "ok","json body" {"status" "success","message" "suspended persist for alert id 59440ad7e4b0ff674d2cd85e"}} suspending persist of events in an incident suspend all events within a persistent incident in rsa netwitness siem using the incident's unique id endpoint url /rest/api/incidents/suspend persist/{{id}} method post input argument name type required description path parameters id string required the unique identifier for the incident input example {"path parameters" {"id" "inc 75287"}} output parameter type description status code number http status code of the response reason string response reason phrase status string status value message string response message output example {"status code" 200,"response headers" {},"reason" "ok","json body" {"status" "success","message" "suspended persist for incident id inc 75287"}} update an incident modify an incident's status in rsa netwitness siem using the incident id and status provided in the json body endpoint url /rest/api/incidents/{{id}} method patch input argument name type required description path parameters id string required the id of the incident to update status string optional the new status of the incident assignee string optional the new assignee for the incident input example {"json body" {"status" "inprogress","assignee" "tony"},"path parameters" {"id" "inc 100"}} output parameter type description status code number http status code of the response reason string response reason phrase id string unique identifier title string output field title summary string output field summary priority string output field priority riskscore number score value status string status value alertcount number count value averagealertriskscore number score value sealed boolean output field sealed totalremediationtaskcount number count value openremediationtaskcount number count value created string output field created lastupdated string output field lastupdated lastupdatedby string output field lastupdatedby assignee string output field assignee sources array output field sources ruleid string unique identifier firstalerttime string time value categories array output field categories categories id string unique identifier categories parent string output field categories parent categories name string name of the resource journalentries array output field journalentries output example {"status code" 200,"response headers" {},"reason" "ok","json body" {"id" "inc 100","title" "suspected c\&c with suspicious domain com","summary" "security analytics detected communications with suspicious domain com that may b ","priority" "critical","riskscore" 100,"status" "inprogress","alertcount" 1,"averagealertriskscore" 100,"sealed"\ true,"totalremediationtaskcount" 4,"openremediationtaskcount" 5,"created" "2018 01 01t04 49 27 870z","lastupdated" "2024 02 06t12 44 34 020z","lastupdatedby" response headers header description example content type the media type of the resource application/json date the date and time at which the message was originated thu, 01 jan 2024 00 00 00 gmt