# RSA NetWitness SIEM
The RSA NetWitness SIEM connector enables automated interaction with the RSA NetWitness SIEM platform, facilitating incident management and alert handling. RSA NetWitness SIEM is a security information and event management platform that provides real-time visibility into your security posture. This connector enables Swimlane Turbine users to automate incident response and management, fetch detailed alert and incident data, and maintain a comprehensive security event history. By integrating with RSA NetWitness SIEM, users can streamline their security operations, enhance incident tracking, and improve overall threat detection and response times within the Swimlane ecosystem.

## Limitations

None to date.

## Prerequisites

To effectively utilize the RSA NetWitness SIEM connector with Swimlane Turbine, ensure you have the following prerequisites:

HTTP Basic Authentication with the following parameters:

- URL: endpoint for RSA NetWitness SIEM API access
- Username: your RSA NetWitness SIEM account username
- Password: your RSA NetWitness SIEM account password

## Capabilities

This RSA NetWitness SIEM connector provides the following capabilities:

- Add a Journal Entry
- Fetch Alerts Based on the Criteria
- Fetch Incidents Based on Fields of Incident
- Get Alerts by Date Range
- Get Incident Stats
- Get Incident History
- Get Incident User Stats
- Get Incidents by Date Range
- Get a Single Incident
- Get an Incident's Alerts
- Persisting Events in an Alert
- Persisting Events in an Incident
- Remove an Incident
- Suspending Persist of Events in an Alert
- Suspending Persist of Events in an Incident
- and so on

**Add a Journal Entry**: A journal entry, or note, can be added to an existing incident.

**Fetch Alerts Based on the Criteria**: Alerts can be fetched based on specific fields of the alert by providing the name of the field, the value of the field, the number of records, and the alert fields that need to be included in the response.

**Fetch Incidents Based on Fields of Incident**: Incidents can be fetched based on specific fields of the incident by providing the name of the field, the value of the field, and the number of records to be fetched as arguments.

**Get Alerts by Date Range**: Alerts can be retrieved by the date and time they were created.

**Get Incident History**: Fetch the entire history of an incident using the incident's unique identifier.

**Get Incident Stats**: Incident stats can be retrieved by the date and time they were created. They contain day-wise details of the overall MTTA, MTTD and MTTR, as well as the count associated with each metric for that day.

**Get Incident User Stats**: Incident user stats can be retrieved by user and date range. The action computes the MTTD values for the range of dates given and responds with a consolidated list.

**Get Incidents by Date Range**: Incidents can be retrieved by the date and time they were created.

**Get a Single Incident**: A single incident can be retrieved using the incident's unique identifier.

**Get an Incident's Alerts**: All alerts associated with an incident can be retrieved using the incident's unique identifier.

**Persisting Events in an Alert**: Persist all events present in the alert using the alert's unique identifier.

**Persisting Events in an Incident**: Persist all events present in the incident using the incident's unique identifier.

**Remove an Incident**: A single incident can be removed using the incident's unique identifier.

**Suspending Persist of Events in an Alert**: Suspend persistence of all events in a persisted alert using the alert's unique identifier.

**Suspending Persist of Events in an Incident**: Suspend persistence of all events in a persisted incident using the incident's unique identifier.

**Update an Incident**: Currently an incident's status and assignee can be modified using the incidents endpoint.

## Configurations

### HTTP Basic Authentication

Authenticates using username and password.

Configuration parameters:

| Parameter | Description | Type | Required |
|---|---|---|---|
| URL | A URL to the target host | string | required |
| Username | Username | string | required |
| Password | Password | string | required |
| Verify SSL | Verify SSL certificate | boolean | optional |
| HTTP Proxy | A proxy to route requests through | string | optional |
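The following is an added example, not code from the Swimlane connector or from RSA, showing what the configuration parameters above translate to on the wire: the Basic credentials header built from Username and Password, the TLS context that the Verify SSL flag controls, and the optional HTTP Proxy. The host `netwitness.example`, the user names and the `NetWitnessConfig` / `build_request` helper names are placeholders chosen for the example; only the standard library is used. The point a practitioner should take from it is that Basic authentication is an encoding, not encryption, so turning Verify SSL off lets any on-path party terminate TLS and read the account password.

```python
"""Added example: HTTP Basic auth, TLS verification and proxy settings for the
NetWitness REST API, built with the Python standard library only."""
import base64
import json
import ssl
import urllib.request
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class NetWitnessConfig:
    """Mirrors the connector's HTTP Basic Authentication configuration parameters."""
    url: str                          # URL: a URL to the target host (placeholder in the demo)
    username: str                     # Username
    password: str                     # Password
    verify_ssl: bool = True           # Verify SSL (optional; default is to verify)
    http_proxy: Optional[str] = None  # HTTP Proxy (optional)


def basic_auth_header(username: str, password: str) -> str:
    """RFC 7617 Basic credentials: base64 of "username:password".

    This is reversible encoding, not encryption: whoever can read the request
    can read the password, which is why the TLS settings below matter.
    """
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def tls_context(verify_ssl: bool) -> ssl.SSLContext:
    """Build the TLS context for the connector's Verify SSL flag.

    verify_ssl=True  (corrected setting): certificate chain and hostname are checked.
    verify_ssl=False (weak setting): any certificate is accepted, so an on-path
    attacker can terminate TLS and capture the Basic credentials.
    """
    ctx = ssl.create_default_context()
    if not verify_ssl:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def build_opener(cfg: NetWitnessConfig) -> urllib.request.OpenerDirector:
    """Opener that applies the TLS context and, if configured, the HTTP proxy."""
    handlers = [urllib.request.HTTPSHandler(context=tls_context(cfg.verify_ssl))]
    if cfg.http_proxy:
        handlers.append(urllib.request.ProxyHandler(
            {"http": cfg.http_proxy, "https": cfg.http_proxy}))
    return urllib.request.build_opener(*handlers)


def build_request(cfg: NetWitnessConfig, method: str, path: str,
                  body: Optional[dict] = None) -> urllib.request.Request:
    """Prepare one authenticated request against a /rest/api/... path."""
    if not cfg.url.lower().startswith("https://"):
        # Basic credentials over plain HTTP are readable by anyone on the path.
        raise ValueError("refusing to send Basic credentials over a non-HTTPS URL")
    headers = {"Authorization": basic_auth_header(cfg.username, cfg.password),
               "Accept": "application/json"}
    data = None
    if body is not None:
        data = json.dumps(body).encode("utf-8")
        headers["Content-Type"] = "application/json"
    return urllib.request.Request(cfg.url.rstrip("/") + path, data=data,
                                  headers=headers, method=method)


def send(cfg: NetWitnessConfig, req: urllib.request.Request) -> dict:
    """Perform the request and return the parsed JSON body (network call)."""
    with build_opener(cfg).open(req, timeout=30) as resp:
        payload = resp.read()
    return json.loads(payload) if payload else {}


if __name__ == "__main__":
    # Placeholder host and credentials; no request is sent here.
    cfg = NetWitnessConfig(url="https://netwitness.example", username="analyst",
                           password="change-me", verify_ssl=True)
    req = build_request(cfg, "PATCH", "/rest/api/incidents/INC-100",
                        {"status": "InProgress", "assignee": "analyst"})
    print(req.get_method(), req.full_url, req.data)
```

`send` is the only function that touches the network; everything else can be inspected offline, which is also how the request shape (method, URL, body, Authorization header) can be unit-tested before the connector is pointed at a live host.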
## Actions

### Add a Journal Entry

Add a journal entry or note to an existing incident in RSA NetWitness SIEM using the incident's ID.

**Endpoint URL:** `/rest/api/incidents/{{id}}/journal`

**Method:** POST

**Input**

| Argument | Type | Required | Description |
|---|---|---|---|
| id | string | required | The ID of the incident to which the journal entry will be added |
| author | string | optional | The NetWitness user ID of the user creating the journal entry |
| notes | string | optional | Notes and observations about the incident |
| milestone | string | optional | The incident milestone classifier |

**Output**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

**Example**

```json
[
  {
    "status_code": 201,
    "response_headers": {},
    "reason": "Created",
    "json_body": {}
  }
]
```

### Fetch Alerts Based on the Criteria

Retrieve RSA NetWitness SIEM alerts filtered by field names, values, record count, and specified response fields.

**Endpoint URL:** `/rest/api/alert/fetch`

**Method:** GET

**Input**

| Argument | Type | Required | Description |
|---|---|---|---|
| meta_name | string | optional | Field of the alert document on which the query is made |
| meta_value | string | optional | Value for the field of the alert document on which the query is made |
| numberOfRecords | string | optional | Number of alert records to be fetched for the selected meta key and meta value pair (max 1000) |
| includeFields | string | optional | The fields from the alert Mongo document to be included in the output, if fetching the entire alert is not preferred (comma-separated list of fields) |

**Output**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

**Example**

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": []
  }
]
```

### Fetch Incidents Based on Fields of Incident

Retrieve RSA NetWitness SIEM incidents filtered by specific field values and control the number of records fetched.

**Endpoint URL:** `/rest/api/incident/fetch`

**Method:** POST

**Input**

| Argument | Type | Required | Description |
|---|---|---|---|
| meta_name | string | optional | The name of the field to filter incidents |
| meta_value | string | optional | The value of the field to filter incidents |
| numberOfRecords | string | optional | The number of records to fetch |

**Output**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

**Example**

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": [ {} ]
  }
]
```

### Get a Single Incident

Retrieve a specific incident from RSA NetWitness SIEM using the unique incident identifier.

**Endpoint URL:** `/rest/api/incidents/{{id}}`

**Method:** GET

**Input**

| Argument | Type | Required | Description |
|---|---|---|---|
| id | string | required | The unique identifier of the incident |

**Output**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| title | string | Output field title |
| summary | string | Output field summary |
| priority | string | Output field priority |
| riskScore | number | Score value |
| status | string | Status value |
| alertCount | number | Count value |
| averageAlertRiskScore | number | Score value |
| sealed | boolean | Output field sealed |
| totalRemediationTaskCount | number | Count value |
| openRemediationTaskCount | number | Count value |
| created | string | Output field created |
| lastUpdated | string | Output field lastUpdated |
| lastUpdatedBy | string | Output field lastUpdatedBy |
| assignee | string | Output field assignee |
| sources | array | Output field sources |
| ruleId | string | Unique identifier |
| firstAlertTime | string | Time value |
| categories | array | Output field categories |
| id | string | Unique identifier |
| parent | string | Output field parent |
| name | string | Name of the resource |
| journalEntries | array | Output field journalEntries |

**Example**

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "id": "INC-100",
      "title": "Suspected C&C with suspicious-domain.com",
      "summary": "Security Analytics detected communications with suspicious-domain.com that may b",
      "priority": "Critical",
      "riskScore": 100,
      "status": "InProgress",
      "alertCount": 1,
      "averageAlertRiskScore": 100,
      "sealed": true,
      "totalRemediationTaskCount": 4,
      "openRemediationTaskCount": 5,
      "created": "2018-01-01T04:49:27.870Z",
      "lastUpdated": "2024-02-06T12:44:34.722Z",
      "lastUpdatedBy": "duke",
      "assignee": "ian"
    }
  }
]
```

### Get Alerts by Date Range

Retrieve alerts from RSA NetWitness SIEM based on a specified date and time range.

**Endpoint URL:** `/rest/api/alerts`

**Method:** GET

**Input**

| Argument | Type | Required | Description |
|---|---|---|---|
| pageNumber | number | optional | The page number for pagination |
| pageSize | number | optional | The number of items per page for pagination |
| since | string | optional | A date (e.g., 2022-01-01). Retrieve incident stats created on and after this date |
| until | string | optional | A date (e.g., 2022-01-31). Retrieve incident stats created on and before this date |

**Output**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| items | array | Output field items |
| id | string | Unique identifier |
| receivedTime | string | Time value |
| status | string | Status value |
| errorMessage | object | Response message |
| originalHeaders | object | HTTP headers for the request |
| name | string | Name of the resource |
| description | string | Output field description |
| version | number | Output field version |
| severity | number | Output field severity |
| timestamp | number | Output field timestamp |
| signatureId | string | Unique identifier |
| deviceVendor | string | Output field deviceVendor |
| deviceProduct | string | Output field deviceProduct |
| originalRawAlert | object | Output field originalRawAlert |
| originalAlert | object | Output field originalAlert |
| severity | number | Output field severity |
| dataSourceHost | string | Response data |
| user_summary | string | Output field user_summary |
| events | array | Output field events |
| ip.proto | number | Output field ip.proto |
| ip.src | string | Output field ip.src |
| lifetime | number | Time value |

**Example**

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "items": [],
      "pageNumber": 0,
      "pageSize": 100,
      "totalPages": 1,
      "totalItems": 1,
      "hasNext": false,
      "hasPrevious": false
    }
  }
]
```

### Get an Incident's Alerts

Retrieve all alerts associated with a specific incident in RSA NetWitness SIEM using the incident's unique identifier.

**Endpoint URL:** `/rest/api/incidents/{{id}}/alerts`

**Method:** GET

**Input**

| Argument | Type | Required | Description |
|---|---|---|---|
| pageNumber | number | optional | The page number to retrieve |
| pageSize | number | optional | The number of items to retrieve per page |
| id | string | required | The ID of the incident for which alerts are being retrieved |

**Output**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| items | array | Output field items |
| id | string | Unique identifier |
| title | string | Output field title |
| detail | string | Output field detail |
| created | string | Output field created |
| source | string | Output field source |
| riskScore | number | Score value |
| type | string | Type of the resource |
| events | array | Output field events |
| source | object | Output field source |
| device | object | Output field device |
| ipAddress | string | Output field ipAddress |
| port | number | Output field port |
| macAddress | string | Output field macAddress |
| dnsHostname | object | Name of the resource |
| dnsDomain | object | Output field dnsDomain |
| user | object | Output field user |
| username | string | Name of the resource |
| emailAddress | object | Output field emailAddress |
| adUsername | object | Name of the resource |
| adDomain | object | Output field adDomain |
| destination | object | Output field destination |
| device | object | Output field device |

**Example**

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "items": [],
      "pageNumber": 0,
      "pageSize": 10,
      "totalPages": 1,
      "totalItems": 1,
      "hasNext": false,
      "hasPrevious": false
    }
  }
]
```

### Get Incident History

Retrieve the complete history of an incident in RSA NetWitness SIEM using the unique incident identifier.

**Endpoint URL:** `/rest/api/incidents/history/{{id}}`

**Method:** POST

**Input**

| Argument | Type | Required | Description |
|---|---|---|---|
| id | string | required | The ID of the incident to fetch history for |

**Output**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

**Example**

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": [
      {
        "type": "status",
        "date": "2022-05-11T09:24:43.025+00:00",
        "changedBy": "admin",
        "changedFrom": "In Progress",
        "changedTo": "Remediation Requested"
      },
      {
        "type": "priority",
        "date": "2022-05-11T09:25:18.767+00:00",
        "changedBy": "admin",
        "changedFrom": "High",
        "changedTo": "Medium"
      },
      {
        "type": "assignee",
        "date": "2022-05-11T09:25:31.157+00:00",
        "changedBy": "admin",
        "changedFrom": "rolden",
        "changedTo": "admin"
      }
    ]
  }
]
```

### Get Incident Stats

Retrieve day-wise incident statistics from RSA NetWitness SIEM, including MTTA, MTTD, MTTR, and associated counts.

**Endpoint URL:** `/rest/api/incidents/stats`

**Method:** GET

**Input**

| Argument | Type | Required | Description |
|---|---|---|---|
| pageNumber | number | optional | The requested page number |
| pageSize | number | optional | The maximum number of items to return in a single page |
| since | string | optional | A timestamp in ISO 8601 format (e.g., 2018-01-01T14:00:00.000Z). Retrieve incidents created on and after this timestamp |
| until | string | optional | A timestamp in ISO 8601 format (e.g., 2018-01-01T14:00:00.000Z). Retrieve incidents created on and before this timestamp |

**Output**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| items | array | Output field items |
| date | string | Date value |
| mtta | number | Output field mtta |
| mttaCount | number | Count value |
| mttd | number | Output field mttd |
| mttdCount | number | Count value |
| mttr | number | Output field mttr |
| mttrCount | number | Count value |
| pageNumber | number | Output field pageNumber |
| pageSize | number | Output field pageSize |
| totalPages | number | Output field totalPages |
| totalItems | number | Output field totalItems |
| hasNext | boolean | Output field hasNext |
| hasPrevious | boolean | Output field hasPrevious |

**Example**

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "items": [],
      "pageNumber": 0,
      "pageSize": 100,
      "totalPages": 1,
      "totalItems": 1,
      "hasNext": false,
      "hasPrevious": false
    }
  }
]
```

### Get Incident User Stats

Retrieve user-specific incident statistics and mean time to detect (MTTD) values for a specified date range in RSA NetWitness SIEM.

**Endpoint URL:** `/rest/api/incidents/user-stats`

**Method:** GET

**Input**

| Argument | Type | Required | Description |
|---|---|---|---|
| username | string | optional | The NetWitness user ID of the user for whom the stats are being requested |
| since | string | optional | A date (e.g., 2022-01-01). Retrieve incident stats created on and after this date |
| until | string | optional | A date (e.g., 2022-01-31). Retrieve incident stats created on and before this date |

**Output**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| username | string | Name of the resource |
| overallClosedCount | number | Count value |
| mttd | number | Output field mttd |
| mttdCount | number | Count value |
| incidentIds | array | Unique identifiers |

**Example**

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "username": "admin",
      "overallClosedCount": 2,
      "mttd": 12,
      "mttdCount": 2,
      "incidentIds": []
    }
  }
]
```

### Get Incidents by Date Range

Retrieve incidents from RSA NetWitness SIEM based on the specified creation date and time range.

**Endpoint URL:** `/rest/api/incidents`

**Method:** GET

**Input**

| Argument | Type | Required | Description |
|---|---|---|---|
| pageNumber | number | optional | The requested page number |
| pageSize | number | optional | The maximum number of items to return in a single page |
| since | string | optional | A timestamp in ISO 8601 format (e.g., 2018-01-01T14:00:00.000Z). Retrieve incidents created on and after this timestamp |
| until | string | optional | A timestamp in ISO 8601 format (e.g., 2018-01-01T14:00:00.000Z). Retrieve incidents created on and before this timestamp |

**Output**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| items | array | Output field items |
| id | string | Unique identifier |
| title | string | Output field title |
| summary | string | Output field summary |
| priority | string | Output field priority |
| riskScore | number | Score value |
| status | string | Status value |
| alertCount | number | Count value |
| averageAlertRiskScore | number | Score value |
| sealed | boolean | Output field sealed |
| totalRemediationTaskCount | number | Count value |
| openRemediationTaskCount | number | Count value |
| created | string | Output field created |
| lastUpdated | string | Output field lastUpdated |
| lastUpdatedBy | string | Output field lastUpdatedBy |
| assignee | string | Output field assignee |
| sources | array | Output field sources |
| ruleId | string | Unique identifier |
| firstAlertTime | string | Time value |
| categories | array | Output field categories |
| id | string | Unique identifier |
| parent | string | Output field parent |
| name | string | Name of the resource |

**Example**

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "items": [],
      "pageNumber": 0,
      "pageSize": 100,
      "totalPages": 1,
      "totalItems": 1,
      "hasNext": false,
      "hasPrevious": false
    }
  }
]
```

### Persisting Events in an Alert

Persist all events in an alert identified by a unique ID within RSA NetWitness SIEM.

**Endpoint URL:** `/rest/api/alerts/persist/{{id}}`

**Method:** POST

**Input**

| Argument | Type | Required | Description |
|---|---|---|---|
| id | string | required | The ID of the alert to persist events in |

**Output**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| status | string | Status value |
| message | string | Response message |

**Example**

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "status": "success",
      "message": "Persisted alert id 59440ad7e4b0ff674d2cd85e"
    }
  }
]
```

### Persisting Events in an Incident

Permanently store all events associated with a specific incident in RSA NetWitness SIEM using the incident's unique ID.

**Endpoint URL:** `/rest/api/incidents/persist/{{id}}`

**Method:** POST

**Input**

| Argument | Type | Required | Description |
|---|---|---|---|
| id | string | required | The ID of the incident to persist events in |

**Output**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| status | string | Status value |
| message | string | Response message |

**Example**

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "status": "success",
      "message": "Task successfully submitted to persist incident id INC-75287"
    }
  }
]
```
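The listing actions above (Get Alerts by Date Range, Get an Incident's Alerts, Get Incident Stats, Get Incidents by Date Range) all return the same `items` / `pageNumber` / `pageSize` / `hasNext` envelope and take `since` / `until` bounds, and Fetch Alerts Based on the Criteria caps `numberOfRecords` at 1000. The following added example (not the connector's or RSA's code) walks a paged, date-bounded listing by following `hasNext` with a runaway guard, formats the ISO 8601 bounds, clamps the alert-fetch record count, and filters the collected incidents by `riskScore`. It generalises the single page shown in each example response to the multi-page case. The transport is injected, so the sample pages embedded at the bottom are constructed data in the shape of the Get Incidents by Date Range response; the query-parameter spellings (`pageNumber`, `meta_name`, and so on) follow the reference tables above, and the helper names are the example's own.

```python
"""Added example: paging, date bounds and record-count clamping for the
NetWitness listing endpoints, runnable offline against constructed sample pages."""
from datetime import datetime, timezone
from typing import Callable, Dict, Iterator, List, Optional, Tuple

# (method, path, query) -> parsed json_body. Injected so the example needs no network.
Transport = Callable[[str, str, Dict[str, str]], dict]

MAX_ALERT_RECORDS = 1000   # numberOfRecords limit on /rest/api/alert/fetch ("max 1000")
MAX_PAGES = 10_000         # runaway guard: never follow hasNext forever


def iso8601(ts: datetime) -> str:
    """Format a timezone-aware datetime in the since/until timestamp form,
    e.g. 2018-01-01T14:00:00.000Z (millisecond precision, UTC)."""
    if ts.tzinfo is None:
        raise ValueError("since/until must be timezone-aware to be unambiguous")
    utc = ts.astimezone(timezone.utc)
    return utc.strftime("%Y-%m-%dT%H:%M:%S.") + f"{utc.microsecond // 1000:03d}Z"


def iter_pages(transport: Transport, path: str, since: datetime, until: datetime,
               page_size: int = 100) -> Iterator[dict]:
    """Yield every item of a paged listing, advancing pageNumber while hasNext is true."""
    if since > until:
        raise ValueError("since must not be after until")
    for page in range(MAX_PAGES):
        body = transport("GET", path, {
            "pageNumber": str(page),
            "pageSize": str(page_size),
            "since": iso8601(since),
            "until": iso8601(until),
        })
        for item in body.get("items", []):
            yield item
        if not body.get("hasNext", False):
            return
    raise RuntimeError(f"{path}: more than {MAX_PAGES} pages; aborting")


def alert_fetch_query(meta_name: str, meta_value: str, number_of_records: int = 100,
                      include_fields: Optional[List[str]] = None) -> Dict[str, str]:
    """Query parameters for GET /rest/api/alert/fetch, clamping the record count."""
    if number_of_records < 1:
        raise ValueError("numberOfRecords must be at least 1")
    query = {
        "meta_name": meta_name,
        "meta_value": meta_value,
        "numberOfRecords": str(min(number_of_records, MAX_ALERT_RECORDS)),
    }
    if include_fields:
        query["includeFields"] = ",".join(include_fields)  # comma-separated list
    return query


def high_risk_incidents(transport: Transport, since: datetime, until: datetime,
                        min_risk_score: int = 80) -> List[str]:
    """IDs of incidents created in the window whose riskScore meets the threshold."""
    return [inc["id"] for inc in iter_pages(transport, "/rest/api/incidents", since, until)
            if inc.get("riskScore", 0) >= min_risk_score]


# Constructed sample data, shaped like the Get Incidents by Date Range response,
# split over two pages so the hasNext handling is exercised.
SAMPLE_PAGES = [
    {"items": [{"id": "INC-100", "riskScore": 100, "status": "InProgress"},
               {"id": "INC-101", "riskScore": 35, "status": "New"}],
     "pageNumber": 0, "pageSize": 2, "totalPages": 2, "totalItems": 3,
     "hasNext": True, "hasPrevious": False},
    {"items": [{"id": "INC-102", "riskScore": 90, "status": "Assigned"}],
     "pageNumber": 1, "pageSize": 2, "totalPages": 2, "totalItems": 3,
     "hasNext": False, "hasPrevious": True},
]


def fake_transport(method: str, path: str, query: Dict[str, str]) -> dict:
    """Stands in for the HTTP client: serves SAMPLE_PAGES by pageNumber."""
    if method != "GET" or path != "/rest/api/incidents":
        raise ValueError(f"unexpected request {method} {path}")
    return SAMPLE_PAGES[int(query["pageNumber"])]


def sample_window() -> Tuple[datetime, datetime]:
    """A constructed since/until window using the page's example timestamps."""
    return (datetime(2018, 1, 1, 14, 0, tzinfo=timezone.utc),
            datetime(2024, 2, 6, 12, 44, 34, 20000, tzinfo=timezone.utc))


if __name__ == "__main__":
    since, until = sample_window()
    print(iso8601(since), iso8601(until))
    print(high_risk_incidents(fake_transport, since, until))
```

Replacing `fake_transport` with a function that performs the authenticated GET and returns the parsed `json_body` is all that is needed to run this against a real Respond server; the paging logic does not change. The `MAX_PAGES` guard matters in an automation context because a playbook that trusts `hasNext` unconditionally will spin indefinitely against a misbehaving or tampered response.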
### Remove an Incident

Removes a specified incident from RSA NetWitness SIEM using the unique incident identifier.

**Endpoint URL:** `/rest/api/incidents/{{id}}`

**Method:** DELETE

**Input**

| Argument | Type | Required | Description |
|---|---|---|---|
| id | string | required | The ID of the incident to remove |

**Output**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| response_text | string | Output field response_text |

**Example**

```json
[
  {
    "status_code": 204,
    "response_headers": {},
    "reason": "No Content",
    "response_text": ""
  }
]
```

### Suspending Persist of Events in an Alert

Suspend persistence of all events within a persisted alert on RSA NetWitness SIEM using the alert's unique ID.

**Endpoint URL:** `/rest/api/alerts/suspend-persist/{{id}}`

**Method:** POST

**Input**

| Argument | Type | Required | Description |
|---|---|---|---|
| id | string | required | The ID of the alert to suspend persisted events in |

**Output**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| status | string | Status value |
| message | string | Response message |

**Example**

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "status": "success",
      "message": "Suspended persist for alert id 59440ad7e4b0ff674d2cd85e"
    }
  }
]
```

### Suspending Persist of Events in an Incident

Suspend persistence of all events within a persisted incident in RSA NetWitness SIEM using the incident's unique ID.

**Endpoint URL:** `/rest/api/incidents/suspend-persist/{{id}}`

**Method:** POST

**Input**

| Argument | Type | Required | Description |
|---|---|---|---|
| id | string | required | The unique identifier for the incident |

**Output**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| status | string | Status value |
| message | string | Response message |

**Example**

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "status": "success",
      "message": "Suspended persist for incident id INC-75287"
    }
  }
]
```

### Update an Incident

Modify an incident's status in RSA NetWitness SIEM using the incident ID and the status provided in the JSON body.

**Endpoint URL:** `/rest/api/incidents/{{id}}`

**Method:** PATCH

**Input**

| Argument | Type | Required | Description |
|---|---|---|---|
| id | string | required | The ID of the incident to update |
| status | string | required | The new status of the incident |
| assignee | string | optional | The new assignee for the incident |

**Output**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| title | string | Output field title |
| summary | string | Output field summary |
| priority | string | Output field priority |
| riskScore | number | Score value |
| status | string | Status value |
| alertCount | number | Count value |
| averageAlertRiskScore | number | Score value |
| sealed | boolean | Output field sealed |
| totalRemediationTaskCount | number | Count value |
| openRemediationTaskCount | number | Count value |
| created | string | Output field created |
| lastUpdated | string | Output field lastUpdated |
| lastUpdatedBy | string | Output field lastUpdatedBy |
| assignee | string | Output field assignee |
| sources | array | Output field sources |
| ruleId | string | Unique identifier |
| firstAlertTime | string | Time value |
| categories | array | Output field categories |
| id | string | Unique identifier |
| parent | string | Output field parent |
| name | string | Name of the resource |
| journalEntries | array | Output field journalEntries |

**Example**

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "id": "INC-100",
      "title": "Suspected C&C with suspicious-domain.com",
      "summary": "Security Analytics detected communications with suspicious-domain.com that may b",
      "priority": "Critical",
      "riskScore": 100,
      "status": "InProgress",
      "alertCount": 1,
      "averageAlertRiskScore": 100,
      "sealed": true,
      "totalRemediationTaskCount": 4,
      "openRemediationTaskCount": 5,
      "created": "2018-01-01T04:49:27.870Z",
      "lastUpdated": "2024-02-06T12:44:34.020Z",
      "lastUpdatedBy": "duke",
      "assignee": "tony"
    }
  }
]
```

## Response Headers

| Header | Description | Example |
|---|---|---|
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Thu, 01 Jan 2024 00:00:00 GMT |