# RSA NetWitness XDR
The RSA NetWitness XDR connector integrates RSA NetWitness XDR with Swimlane Turbine so that threat detection and response workflows can be automated. RSA NetWitness XDR is a threat detection and response platform that helps security teams identify and remediate threats; through this connector, Swimlane Turbine users can call its Respond API directly from their workflows. Users can fetch alerts and incidents that match specific criteria, retrieve all alerts for an incident, and update incident details, all within the Swimlane platform. The integration shortens incident response by bringing NetWitness XDR telemetry and analytics into the playbook.

## Limitations

None to date.

## Supported Versions

This RSA NetWitness XDR connector uses the latest version of the API.

## Configuration

### Prerequisites

To use the RSA NetWitness XDR connector with Swimlane Turbine, you need one of the following credential sets:

HTTP Basic Authentication, with these parameters:

- URL: endpoint for RSA NetWitness XDR API access
- Username: your RSA NetWitness XDR account username
- Password: your RSA NetWitness XDR account password

HTTP Bearer Token Authentication, with these parameters:

- URL: endpoint for RSA NetWitness XDR API access
- Token: a valid JWT token for authenticating API requests

### Authentication Methods

- HTTP Basic Authentication: URL (the endpoint URL for the RSA NetWitness XDR API), Username and Password of your RSA NetWitness XDR account.
- HTTP JWT Authentication: URL (the endpoint URL for the RSA NetWitness XDR API) and Token (a valid JWT token for authenticating API requests).

Both methods send the credential in the `Authorization` header of every request, so keep **Verify SSL** enabled unless you are deliberately pinning a non-public CA by other means.

## Capabilities

This RSA NetWitness XDR connector provides the following capabilities:

- Fetch Alerts Based on the Criteria
- Fetch Incidents Based on Fields of the Incident
- Get an Incident's Alerts
- Get Incident
- Get Incidents by Date Range
- Update Incident

### Fetch Alerts Based on the Criteria

Alerts can be fetched by a specific field of the alert document: provide the name of the field, the value of the field, the number of records to return, and the alert fields to include in the response.

### Fetch Incidents Based on Fields of the Incident

Incidents can be fetched by a specific field of the incident document: provide the name of the field, the value of the field, and the number of records to fetch as arguments.

### Get an Incident's Alerts

Retrieve all alerts linked to a specific incident in RSA NetWitness XDR by providing the incident's unique ID.

### Get Incident

Retrieve detailed information for a specified incident in RSA NetWitness XDR using the unique incident ID.

### Get Incidents by Date Range

Retrieve incidents within a specific date range from RSA NetWitness XDR, supporting both bounded and unbounded queries.

### Update Incident

Update an existing incident in RSA NetWitness XDR using a specified ID and the provided data body.

## Configurations

### HTTP Basic Authentication

Authenticates using username and password.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| URL | A URL to the target host | string | required |
| Username | Username | string | required |
| Password | Password | string | required |
| Verify SSL | Verify SSL certificate | boolean | optional |
| HTTP Proxy | A proxy to route requests through | string | optional |

### HTTP JWT Authentication

Authenticates using JWT.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| URL | A URL to the target host | string | required |
| Token | The API key, token, etc. | string | required |
| Verify SSL | Verify SSL certificate | boolean | optional |
| HTTP Proxy | A proxy to route requests through | string | optional |

## Actions

### Fetch Alerts Based on the Criteria

Retrieve RSA NetWitness XDR alerts filtered by field name, value, and record count, including the specified alert fields in the response.

Endpoint URL: `/rest/api/alert/fetch`

Method: GET

Note that this action sends its arguments as a JSON body on a GET request, as the input example shows.

Input Argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| metaName | string | optional | Field of the alert document on which the query is made |
| metaValue | string | optional | Value of that field of the alert document on which the query is made |
| numberOfRecords | string | optional | Number of alert records to fetch for the selected meta key and meta value pair |
| includeFields | string | optional | Fields of the alert document to include for the selected meta key and meta value pair, for use when fetching the entire alert is not wanted. By default includeFields has the value "null", which fetches the entire alert. |

Input Example:

```json
{"json_body": {"metaName": "alert.source", "metaValue": "Event Stream Analysis", "numberOfRecords": "1", "includeFields": "null"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output Example:

```json
[]
```

### Fetch Incidents Based on Fields of the Incident

Retrieve incidents from RSA NetWitness XDR by specifying a field name, its value, and the desired number of records.

Endpoint URL: `/rest/api/incident/fetch`

Method: GET

Input Argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| metaName | string | optional | Field of the incident document on which the query is made |
| metaValue | string | optional | Value of that field of the incident document on which the query is made |
| numberOfRecords | string | optional | Number of incident records to fetch for the selected meta key and meta value pair |

Input Example:

```json
{"json_body": {"metaName": "priority", "metaValue": "Medium", "numberOfRecords": "1"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output Example (truncated as on the original page):

```json
{"status_code": 200, "response_headers": {"Content-Type": "application/json;charset=UTF-8", "Transfer-Encoding": "chunked", "Date": "Mon, 10 Apr 2023 06:10:25 GMT", "Keep-Alive": "timeout=60", "Connection": "keep-alive", "Content-Length": "1523"}, "reason": "OK", "json_body": [{"id": "INC-75831", "name": "High Risk Alerts: ESA Packet for 30.0", "summary": "", "priority": "Medium", "prioritySort": 1, "riskScore": 30, "status": "Assigned", "statusSort": 1, "alertCount": 7, "pinnedAlertCount": 0, "containsPinnedAlerts": false, "averageAl
```

### Get an Incident's Alerts

Retrieve all alerts associated with a specific incident in RSA NetWitness XDR using the incident's unique ID.

Endpoint URL: `/rest/api/incidents/{{id}}/alerts`

Method: GET

Input Argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | required | The unique identifier of the incident |
| parameters.pageNumber | number | optional | The requested page number |
| parameters.pageSize | number | optional | The maximum number of items to return in a single page |

Input Example:

```json
{"parameters": {"pageNumber": 0, "pageSize": 10}, "path_parameters": {"id": "INC-100"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| items | array | Alerts in this page |
| items.id | string | Unique identifier |
| items.title | string | Alert title |
| items.detail | string | Alert detail |
| items.created | string | Creation time |
| items.source | string | Alert source |
| items.riskScore | number | Risk score |
| items.type | string | Type of the resource |
| items.events | array | Events that make up the alert |
| items.events.source | object | Event source |
| items.events.source.device | object | Source device |
| items.events.source.device.ipAddress | string | Source device IP address |
| items.events.source.device.port | number | Source device port |
| items.events.source.device.macAddress | string | Source device MAC address |
| items.events.source.device.dnsHostname | string | Source device DNS hostname |
| items.events.source.device.dnsDomain | string | Source device DNS domain |
| items.events.source.user | object | Source user |
| items.events.source.user.username | string | Source username |
| items.events.source.user.emailAddress | string | Source user email address |
| items.events.source.user.adUsername | string | Source user AD username |
| items.events.source.user.adDomain | string | Source user AD domain |
| items.events.destination | object | Event destination |
| items.events.destination.device | object | Destination device |

Output Example (truncated as on the original page):

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 12 Mar 2025 20:37:23 GMT", "X-Content-Type-Options": "nosniff", "X-XSS-Protection": "0", "Cache-Control": "no-cache, no-store, max-age=0, must-revalidate", "Pragma": "no-cache", "Expires": "0", "X-Frame-Options": "DENY", "Content-Type": "application/json;charset=UTF-8", "Transfer-Encoding": "chunked", "Keep-Alive": "timeout=60", "Connection": "keep-alive", "Content-Length": "1607"}, "reason": "OK", "json_body": {"
```

### Get Incident

Retrieve detailed information for a specified incident in RSA NetWitness XDR using the unique incident ID.

Endpoint URL: `/rest/api/incidents/{{id}}`

Method: GET

Input Argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | required | The unique identifier of the incident |

Input Example:

```json
{"path_parameters": {"id": "INC-100"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| title | string | Incident title |
| summary | string | Incident summary |
| priority | string | Incident priority |
| riskScore | number | Risk score |
| status | string | Incident status |
| alertCount | number | Number of alerts |
| averageAlertRiskScore | number | Average alert risk score |
| sealed | boolean | Whether the incident is sealed |
| totalRemediationTaskCount | number | Total remediation tasks |
| openRemediationTaskCount | number | Open remediation tasks |
| created | string | Creation time |
| lastUpdated | string | Last update time |
| lastUpdatedBy | string | User who last updated the incident |
| assignee | string | Assigned user |
| sources | array | Alert sources |
| ruleId | string | Rule identifier |
| firstAlertTime | string | Time of the first alert |
| categories | array | Categories |
| categories.id | string | Category identifier |
| categories.parent | string | Parent category |
| categories.name | string | Category name |
| journalEntries | array | Journal entries |

Output Example (truncated as on the original page):

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"id": "INC-100", "title": "Suspected C&C with suspicious-domain.com", "summary": "Security Analytics detected communications with suspicious-domain.com that may b", "priority": "Critical", "riskScore": 100, "status": "InProgress", "alertCount": 1, "averageAlertRiskScore": 100, "sealed": true, "totalRemediationTaskCount": 4, "openRemediationTaskCount": 5, "created": "2018-01-01T04:49:27.870Z", "lastUpdated": "2023-05-31T12:00:35.289Z", "lastUpdatedBy"
```

### Get Incidents by Date Range

Retrieve incidents from RSA NetWitness XDR within a specified date range, accommodating both bounded and open-ended queries.

Endpoint URL: `/rest/api/incidents`

Method: GET

Input Argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.pageNumber | number | optional | The requested page number |
| parameters.pageSize | number | optional | The maximum number of items to return in a single page |
| parameters.since | string | optional | A timestamp in ISO 8601 format (e.g. 1018-01-01T14:00:00.000Z). Retrieves incidents created on and after this timestamp. |
| parameters.until | string | optional | A timestamp in ISO 8601 format (e.g. 1018-01-01T14:00:00.000Z). Retrieves incidents created on and before this timestamp. |

Omitting `since` or `until` leaves that side of the range open. Check timestamps before sending them: the API accepts any well-formed value, so a typo in the year (the examples above use 1018) silently turns a bounded query into a much wider one.

Input Example:

```json
{"parameters": {"pageNumber": 0, "pageSize": 100, "since": "1018-01-01T14:00:00.000Z", "until": "1018-01-01T14:00:00.000Z"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| items | array | Incidents in this page |
| items.id | string | Unique identifier |
| items.title | string | Incident title |
| items.summary | string | Incident summary |
| items.priority | string | Incident priority |
| items.riskScore | number | Risk score |
| items.status | string | Incident status |
| items.alertCount | number | Number of alerts |
| items.averageAlertRiskScore | number | Average alert risk score |
| items.sealed | boolean | Whether the incident is sealed |
| items.totalRemediationTaskCount | number | Total remediation tasks |
| items.openRemediationTaskCount | number | Open remediation tasks |
| items.created | string | Creation time |
| items.lastUpdated | string | Last update time |
| items.lastUpdatedBy | string | User who last updated the incident |
| items.assignee | string | Assigned user |
| items.sources | array | Alert sources |
| items.ruleId | string | Rule identifier |
| items.firstAlertTime | string | Time of the first alert |
| items.categories | array | Categories |
| items.categories.id | string | Category identifier |
| items.categories.parent | string | Parent category |
| items.categories.name | string | Category name |

Output Example (truncated as on the original page):

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 12 Mar 2025 20:37:23 GMT", "X-Content-Type-Options": "nosniff", "X-XSS-Protection": "0", "Cache-Control": "no-cache, no-store, max-age=0, must-revalidate", "Pragma": "no-cache", "Expires": "0", "X-Frame-Options": "DENY", "Content-Type": "application/json;charset=UTF-8", "Transfer-Encoding": "chunked", "Keep-Alive": "timeout=60", "Connection": "keep-alive", "Content-Length": "1607"}, "reason": "OK", "json_body": {"
```

### Update Incident

Update an existing incident in RSA NetWitness XDR using the provided ID and data body.

Endpoint URL: `/rest/api/incidents/{{id}}`

Method: PATCH

Input Argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | required | The unique identifier of the incident |
| status | string | optional | The status of the incident |
| assignee | string | optional | The NetWitness user identifier of the user |

Input Example:

```json
{"json_body": {"status": "InProgress", "assignee": "user"}, "path_parameters": {"id": "INC-100"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| title | string | Incident title |
| summary | string | Incident summary |
| priority | string | Incident priority |
| riskScore | number | Risk score |
| status | string | Incident status |
| alertCount | number | Number of alerts |
| averageAlertRiskScore | number | Average alert risk score |
| sealed | boolean | Whether the incident is sealed |
| totalRemediationTaskCount | number | Total remediation tasks |
| openRemediationTaskCount | number | Open remediation tasks |
| created | string | Creation time |
| lastUpdated | string | Last update time |
| lastUpdatedBy | string | User who last updated the incident |
| assignee | string | Assigned user |
| sources | array | Alert sources |
| ruleId | string | Rule identifier |
| firstAlertTime | string | Time of the first alert |
| categories | array | Categories |
| categories.id | string | Category identifier |
| categories.parent | string | Parent category |
| categories.name | string | Category name |
| journalEntries | array | Journal entries |

Output Example (truncated as on the original page):

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"id": "INC-100", "title": "Suspected C&C with suspicious-domain.com", "summary": "Security Analytics detected communications with suspicious-domain.com that may b", "priority": "Critical", "riskScore": 100, "status": "InProgress", "alertCount": 1, "averageAlertRiskScore": 100, "sealed": true, "totalRemediationTaskCount": 4, "openRemediationTaskCount": 5, "created": "2018-01-01T04:49:27.870Z", "lastUpdated": "2023-05-31T12:00:34.500Z", "lastUpdatedBy"
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Cache-Control | Directives for caching mechanisms | no-cache, no-store, max-age=0, must-revalidate |
| Connection | HTTP response header Connection | keep-alive |
| Content-Length | The length of the response body in bytes | 1523 |
| Content-Type | The media type of the resource | application/json;charset=UTF-8 |
| Date | The date and time at which the message was originated | Thu, 01 Jan 2024 00:00:00 GMT |
| Expires | The date/time after which the response is considered stale | 0 |
| Keep-Alive | HTTP response header Keep-Alive | timeout=60 |
| Pragma | HTTP response header Pragma | no-cache |
| Transfer-Encoding | HTTP response header Transfer-Encoding | chunked |
| X-Content-Type-Options | HTTP response header X-Content-Type-Options | nosniff |
| X-Frame-Options | HTTP response header X-Frame-Options | DENY |
| X-XSS-Protection | HTTP response header X-XSS-Protection | 0 |
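The actions above reduce to a handful of HTTP calls, and the checks a playbook should make before issuing them are easy to get wrong. The following is an added example, not Swimlane's or RSA's code: a stdlib-only Python client that builds the same requests as the connector. It assembles the Basic or Bearer `Authorization` header, keeps TLS verification on by default and honours the HTTP proxy option, validates and percent-encodes the incident ID before it goes into the URL path, rejects malformed or implausible `since`/`until` timestamps (the year-1018 examples above would otherwise be sent as-is), pages through `GET /rest/api/incidents` until a short page, and sends a `PATCH` carrying only the fields supplied. The hostname, token, the status values beyond `Assigned` and `InProgress`, and the canned responses inside `demo()` are constructed assumptions; `demo()` runs offline by swapping the network layer for an in-memory function.

```python
# Added example, not Swimlane's or RSA's code; host, token and canned data below are constructed.
import base64, json, re, ssl, urllib.parse, urllib.request
from datetime import datetime

INCIDENT_ID = re.compile(r"^INC-\d+$")  # incident ids on this page look like INC-100
# Only Assigned and InProgress appear on this page; the rest are assumed from the Respond UI.
VALID_STATUSES = {"New", "Assigned", "InProgress", "RemediationRequested",
                  "RemediationComplete", "Closed", "ClosedFalsePositive"}


def iso8601(ts):
    """Reject malformed or implausible since/until values instead of letting them widen the query."""
    if datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").year < 2000:
        raise ValueError(f"implausible timestamp {ts!r}")
    return ts


class NetWitnessClient:
    def __init__(self, url, *, token=None, username=None, password=None,
                 verify_ssl=True, http_proxy=None, transport=None):
        self.base = url.rstrip("/")
        if token:                                    # HTTP JWT authentication
            self.auth = f"Bearer {token}"
        elif username and password:                  # HTTP Basic authentication
            self.auth = "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()
        else:
            raise ValueError("supply a JWT token or a username and password")
        self.verify_ssl, self.http_proxy = verify_ssl, http_proxy
        self.transport = transport or self._urllib_transport   # injectable for offline use

    def _urllib_transport(self, method, url, headers, body):
        ctx = ssl.create_default_context()
        if not self.verify_ssl:   # exposes every Authorization header to an on-path attacker
            ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
        handlers = [urllib.request.HTTPSHandler(context=ctx)]
        if self.http_proxy:
            handlers.append(urllib.request.ProxyHandler({"https": self.http_proxy}))
        req = urllib.request.Request(url, data=body, headers=headers, method=method)
        with urllib.request.build_opener(*handlers).open(req, timeout=30) as resp:
            return resp.status, resp.read()

    def _call(self, method, path, params=None, json_body=None):
        url = self.base + path
        if params:
            url += "?" + urllib.parse.urlencode({k: v for k, v in params.items() if v is not None})
        headers, body = {"Authorization": self.auth, "Accept": "application/json"}, None
        if json_body is not None:   # the page documents /alert/fetch as GET with a JSON body
            body, headers["Content-Type"] = json.dumps(json_body).encode(), "application/json"
        status, raw = self.transport(method, url, headers, body)
        if status >= 400:
            raise RuntimeError(f"{method} {path}: HTTP {status}")
        return json.loads(raw) if raw else None

    @staticmethod
    def _incident_path(incident_id):
        # Validate and percent-encode the path parameter: "INC-100/alerts" or "../" must not rewrite the path.
        if not INCIDENT_ID.match(incident_id):
            raise ValueError(f"bad incident id {incident_id!r}")
        return "/rest/api/incidents/" + urllib.parse.quote(incident_id, safe="")

    def iter_incidents(self, since=None, until=None, page_size=100):
        """Walk every page of GET /rest/api/incidents; either bound may be omitted."""
        params = {"pageSize": page_size, "since": since and iso8601(since),
                  "until": until and iso8601(until)}
        for page in range(10_000):   # hard cap: never loop forever on a misbehaving server
            items = self._call("GET", "/rest/api/incidents", {**params, "pageNumber": page})["items"]
            yield from items
            if len(items) < page_size:   # a short page is the last one
                return

    def update_incident(self, incident_id, status=None, assignee=None):
        if status is not None and status not in VALID_STATUSES:
            raise ValueError(f"unknown status {status!r}")
        body = {k: v for k, v in {"status": status, "assignee": assignee}.items() if v is not None}
        if not body:
            raise ValueError("nothing to update")
        return self._call("PATCH", self._incident_path(incident_id), json_body=body)


def demo():
    """Triage against a constructed in-memory API: page incidents since a date, escalate riskScore >= 70."""
    pages = [[{"id": "INC-100", "riskScore": 100}, {"id": "INC-101", "riskScore": 30}],
             [{"id": "INC-102", "riskScore": 70}]]
    seen = []
    def canned(method, url, headers, body):   # stands in for the network layer
        seen.append((method, url, headers, body))
        parts = urllib.parse.urlsplit(url)
        if method == "GET" and parts.path == "/rest/api/incidents":
            page = int(dict(urllib.parse.parse_qsl(parts.query))["pageNumber"])
            return 200, json.dumps({"items": pages[page] if page < len(pages) else []}).encode()
        if method == "PATCH" and parts.path == "/rest/api/incidents/INC-100":
            return 200, json.dumps({"id": "INC-100", **json.loads(body)}).encode()
        return 404, b""
    client = NetWitnessClient("https://netwitness.example", token="jwt-placeholder", transport=canned)
    hot = [i["id"] for i in client.iter_incidents(since="2018-01-01T14:00:00.000Z", page_size=2)
           if i["riskScore"] >= 70]
    updated = client.update_incident(hot[0], status="InProgress", assignee="analyst")
    return hot, updated, seen
```

`demo()` returns the escalated incident IDs, the PATCH response and the list of requests that were built, so the Authorization header, query string and body can be inspected without a live NetWitness instance; for real use, drop the `transport` argument and the client sends the same requests over TLS.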