# RSA NetWitness XDR
The RSA NetWitness XDR connector enables seamless integration with Swimlane Turbine, allowing for automated threat detection and response workflows.

RSA NetWitness XDR is a comprehensive threat detection and response solution that empowers security teams to quickly identify and remediate cyber threats. This connector lets Swimlane Turbine users integrate RSA NetWitness XDR's capabilities directly into their security workflows. Users can fetch alerts and incidents based on specific criteria, retrieve all alerts for an incident, and update incident details, all within the Swimlane platform. This integration improves incident response efficiency and supports a proactive security posture by leveraging RSA NetWitness XDR's rich telemetry and analytics.

## Limitations

None to date.

## Supported versions

This RSA NetWitness XDR connector uses the latest version of the API.

## Configuration

### Prerequisites

To use the RSA NetWitness XDR connector with Swimlane Turbine, ensure you have one of the following:

- HTTP Basic Authentication with these parameters:
  - URL: endpoint for RSA NetWitness XDR API access
  - Username: your RSA NetWitness XDR account username
  - Password: your RSA NetWitness XDR account password
- HTTP Bearer Token Authentication with these parameters:
  - URL: endpoint for RSA NetWitness XDR API access
  - Token: a valid JWT token for authenticating API requests

### Authentication Methods

- HTTP Basic Authentication
  - URL: the endpoint URL for the RSA NetWitness XDR API
  - Username: your RSA NetWitness XDR account username
  - Password: your RSA NetWitness XDR account password
- HTTP JWT Authentication
  - URL: the endpoint URL for the RSA NetWitness XDR API
  - Token: a valid JWT token for authenticating API requests

## Capabilities

This RSA NetWitness XDR connector provides the following capabilities:

- Fetch Alerts Based on the Criteria
- Fetch Incidents Based on Fields of the Incident
- Get an Incident's Alerts
- Get Incident
- Get Incidents by Date Range
- Update Incident

### Fetch Alerts Based on the Criteria

Alerts can be fetched based on specific fields of the alert by providing the name of the field, the value of the field, the number of records, and the fields of the alert that need to be included in the response.

### Fetch Incidents Based on Fields of the Incident

Incidents can be fetched based on specific fields of the incident by providing the name of the field, the value of the field, and the number of records to be fetched as arguments.

### Get an Incident's Alerts

Retrieve all alerts linked to a specific incident in RSA NetWitness XDR by providing the incident's unique ID.

### Get Incident

Retrieve detailed information for a specified incident in RSA NetWitness XDR using the unique incident ID.

### Get Incidents by Date Range

Retrieve incidents within a specific date range from RSA NetWitness XDR, supporting both bounded and unbounded queries.

### Update Incident

Updates an existing incident in RSA NetWitness XDR using a specified ID and the provided data body.

## Configurations

### HTTP Basic Authentication

Authenticates using username and password.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| URL | A URL to the target host | string | required |
| Username | Username | string | required |
| Password | Password | string | required |
| Verify SSL | Verify SSL certificate | boolean | optional |
| HTTP Proxy | A proxy to route requests through | string | optional |

### HTTP JWT Authentication

Authenticates using JWT.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| URL | A URL to the target host | string | required |
| Token | The API key, token, etc. | string | required |
| Verify SSL | Verify SSL certificate | boolean | optional |
| HTTP Proxy | A proxy to route requests through | string | optional |

## Actions

### Fetch Alerts Based on the Criteria

Retrieve RSA NetWitness XDR alerts filtered by field name, value, and record count, including the specified alert details in the response.

Endpoint URL: `/rest/api/alert/fetch`

Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| Meta Name | string | required | Field of the alert document on which the alert query is made |
| Meta Value | string | required | Value of the field of the alert document on which the alert query is made |
| numberOfRecords | string | required | Number of alert records to be fetched for the selected meta key and meta value pair |
| includeFields | string | optional | The fields from the alert document to include for the selected meta key and meta value pair, when fetching the entire alert is not preferred. By default includeFields has the value "null", which fetches the entire alert |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": []
  }
]
```

### Fetch Incidents Based on Fields of the Incident

Retrieve incidents from RSA NetWitness XDR by specifying field names, their values, and the desired number of records.

Endpoint URL: `/rest/api/incident/fetch`

Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| Meta Name | string | required | Field of the incident document on which the incident query is made |
| Meta Value | string | required | Value of the field of the incident document on which the incident query is made |
| numberOfRecords | string | required | Number of incident records to be fetched for the selected meta key and meta value pair |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json;charset=UTF-8",
      "Transfer-Encoding": "chunked",
      "Date": "Mon, 10 Apr 2023 06:10:25 GMT",
      "Keep-Alive": "timeout=60",
      "Connection": "keep-alive",
      "Content-Length": "1523"
    },
    "reason": "OK",
    "json_body": [
      {}
    ]
  }
]
```

### Get an Incident's Alerts

Retrieve all alerts associated with a specific incident in RSA NetWitness XDR using the incident's unique ID.

Endpoint URL: `/rest/api/incidents/{{id}}/alerts`

Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| id | string | required | The unique identifier of the incident |
| pageNumber | number | optional | The requested page number |
| pageSize | number | optional | The maximum number of items to return in a single page |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| items | array | Alerts on the requested page |
| items.id | string | Unique identifier of the alert |
| items.title | string | Alert title |
| items.detail | string | Alert detail |
| items.created | string | Creation time |
| items.source | string | Alert source |
| items.riskScore | number | Risk score value |
| items.type | string | Type of the alert |
| items.events | array | Events that make up the alert |
| items.events.source | object | Source side of the event |
| items.events.source.device | object | Source device |
| items.events.source.device.ipAddress | string | Source IP address |
| items.events.source.device.port | number | Source port |
| items.events.source.device.macAddress | string | Source MAC address |
| items.events.source.device.dnsHostname | string | Source DNS host name |
| items.events.source.device.dnsDomain | string | Source DNS domain |
| items.events.source.user | object | Source user |
| items.events.source.user.username | string | User name |
| items.events.source.user.emailAddress | string | E-mail address |
| items.events.source.user.adUsername | string | Active Directory user name |
| items.events.source.user.adDomain | string | Active Directory domain |
| items.events.destination | object | Destination side of the event |
| items.events.destination.device | object | Destination device |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Wed, 12 Mar 2025 20:37:23 GMT",
      "X-Content-Type-Options": "nosniff",
      "X-XSS-Protection": "0",
      "Cache-Control": "no-cache, no-store, max-age=0, must-revalidate",
      "Pragma": "no-cache",
      "Expires": "0",
      "X-Frame-Options": "DENY",
      "Content-Type": "application/json;charset=UTF-8",
      "Transfer-Encoding": "chunked",
      "Keep-Alive": "timeout=60",
      "Connection": "keep-alive",
      "Content-Length": "1607"
    },
    "reason": "OK",
    "json_body": {
      "items": [],
      "pageNumber": 0,
      "pageSize": 10,
      "totalPages": 1,
      "totalItems": 1,
      "hasNext": false,
      "hasPrevious": false
    }
  }
]
```

### Get Incident

Retrieve detailed information for a specified incident in RSA NetWitness XDR using the unique incident ID.

Endpoint URL: `/rest/api/incidents/{{id}}`

Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| id | string | required | Unique identifier of the incident |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier of the incident |
| title | string | Incident title |
| summary | string | Incident summary |
| priority | string | Incident priority |
| riskScore | number | Risk score value |
| status | string | Incident status |
| alertCount | number | Number of alerts in the incident |
| averageAlertRiskScore | number | Average risk score of the alerts |
| sealed | boolean | Whether the incident is sealed |
| totalRemediationTaskCount | number | Total number of remediation tasks |
| openRemediationTaskCount | number | Number of open remediation tasks |
| created | string | Creation time |
| lastUpdated | string | Last update time |
| lastUpdatedBy | string | User who last updated the incident |
| assignee | string | Assigned user |
| sources | array | Incident sources |
| ruleId | string | Identifier of the rule that created the incident |
| firstAlertTime | string | Time of the first alert |
| categories | array | Incident categories |
| categories.id | string | Category identifier |
| categories.parent | string | Parent category |
| categories.name | string | Category name |
| journalEntries | array | Journal entries |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "id": "INC-100",
      "title": "Suspected C&C with suspicious-domain.com",
      "summary": "Security Analytics detected communications with suspicious-domain.com that may b...",
      "priority": "Critical",
      "riskScore": 100,
      "status": "InProgress",
      "alertCount": 1,
      "averageAlertRiskScore": 100,
      "sealed": true,
      "totalRemediationTaskCount": 4,
      "openRemediationTaskCount": 5,
      "created": "2018-01-01T04:49:27.870Z",
      "lastUpdated": "2023-05-31T12:00:35.289Z",
      "lastUpdatedBy": "duke",
      "assignee": "ian"
    }
  }
]
```

### Get Incidents by Date Range

Retrieve incidents from RSA NetWitness XDR within a specified date range, accommodating both bounded and open-ended queries.

Endpoint URL: `/rest/api/incidents`

Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| pageNumber | number | optional | The requested page number |
| pageSize | number | optional | The maximum number of items to return in a single page |
| since | string | optional | A timestamp in ISO 8601 format (e.g., 2018-01-01T14:00:00.000Z). Retrieve incidents created on and after this timestamp |
| until | string | optional | A timestamp in ISO 8601 format (e.g., 2018-01-01T14:00:00.000Z). Retrieve incidents created on and before this timestamp |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| items | array | Incidents on the requested page |
| items.id | string | Unique identifier of the incident |
| items.title | string | Incident title |
| items.summary | string | Incident summary |
| items.priority | string | Incident priority |
| items.riskScore | number | Risk score value |
| items.status | string | Incident status |
| items.alertCount | number | Number of alerts in the incident |
| items.averageAlertRiskScore | number | Average risk score of the alerts |
| items.sealed | boolean | Whether the incident is sealed |
| items.totalRemediationTaskCount | number | Total number of remediation tasks |
| items.openRemediationTaskCount | number | Number of open remediation tasks |
| items.created | string | Creation time |
| items.lastUpdated | string | Last update time |
| items.lastUpdatedBy | string | User who last updated the incident |
| items.assignee | string | Assigned user |
| items.sources | array | Incident sources |
| items.ruleId | string | Identifier of the rule that created the incident |
| items.firstAlertTime | string | Time of the first alert |
| items.categories | array | Incident categories |
| items.categories.id | string | Category identifier |
| items.categories.parent | string | Parent category |
| items.categories.name | string | Category name |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Wed, 12 Mar 2025 20:37:23 GMT",
      "X-Content-Type-Options": "nosniff",
      "X-XSS-Protection": "0",
      "Cache-Control": "no-cache, no-store, max-age=0, must-revalidate",
      "Pragma": "no-cache",
      "Expires": "0",
      "X-Frame-Options": "DENY",
      "Content-Type": "application/json;charset=UTF-8",
      "Transfer-Encoding": "chunked",
      "Keep-Alive": "timeout=60",
      "Connection": "keep-alive",
      "Content-Length": "1607"
    },
    "reason": "OK",
    "json_body": {
      "items": [],
      "pageNumber": 0,
      "pageSize": 100,
      "totalPages": 1,
      "totalItems": 1,
      "hasNext": false,
      "hasPrevious": false
    }
  }
]
```

### Update Incident

Updates an existing incident in RSA NetWitness XDR using the provided ID and data body.

Endpoint URL: `/rest/api/incidents/{{id}}`

Method: PATCH

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| id | string | required | The unique identifier of the incident |
| status | string | optional | The status of the incident |
| assignee | string | optional | The NetWitness user identifier of the user |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier of the incident |
| title | string | Incident title |
| summary | string | Incident summary |
| priority | string | Incident priority |
| riskScore | number | Risk score value |
| status | string | Incident status |
| alertCount | number | Number of alerts in the incident |
| averageAlertRiskScore | number | Average risk score of the alerts |
| sealed | boolean | Whether the incident is sealed |
| totalRemediationTaskCount | number | Total number of remediation tasks |
| openRemediationTaskCount | number | Number of open remediation tasks |
| created | string | Creation time |
| lastUpdated | string | Last update time |
| lastUpdatedBy | string | User who last updated the incident |
| assignee | string | Assigned user |
| sources | array | Incident sources |
| ruleId | string | Identifier of the rule that created the incident |
| firstAlertTime | string | Time of the first alert |
| categories | array | Incident categories |
| categories.id | string | Category identifier |
| categories.parent | string | Parent category |
| categories.name | string | Category name |
| journalEntries | array | Journal entries |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "id": "INC-100",
      "title": "Suspected C&C with suspicious-domain.com",
      "summary": "Security Analytics detected communications with suspicious-domain.com that may b...",
      "priority": "Critical",
      "riskScore": 100,
      "status": "InProgress",
      "alertCount": 1,
      "averageAlertRiskScore": 100,
      "sealed": true,
      "totalRemediationTaskCount": 4,
      "openRemediationTaskCount": 5,
      "created": "2018-01-01T04:49:27.870Z",
      "lastUpdated": "2023-05-31T12:00:34.500Z",
      "lastUpdatedBy": "duke",
      "assignee": "tony"
    }
  }
]
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Cache-Control | Directives for caching mechanisms | no-cache, no-store, max-age=0, must-revalidate |
| Connection | HTTP response header Connection | keep-alive |
| Content-Length | The length of the response body in bytes | 140 |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Mon, 10 Apr 2023 06:10:25 GMT |
| Expires | The date/time after which the response is considered stale | 0 |
| Keep-Alive | HTTP response header Keep-Alive | timeout=60 |
| Pragma | HTTP response header Pragma | no-cache |
| Transfer-Encoding | HTTP response header Transfer-Encoding | chunked |
| X-Content-Type-Options | HTTP response header X-Content-Type-Options | nosniff |
| X-Frame-Options | HTTP response header X-Frame-Options | DENY |
| X-XSS-Protection | HTTP response header X-XSS-Protection | 0 |
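The requests behind the incident actions above (Get Incident, Get an Incident's Alerts, Get Incidents by Date Range, Update Incident) and the two authentication methods, as an added example written for this page; it is not Swimlane's connector code and not an RSA library. It assumes, beyond what the page states, that the query parameters are the camelCase forms of the input names (`pageNumber`, `pageSize`, `since`, `until`), that the PATCH body is JSON with `status` and `assignee` keys, and that paginated responses carry `items` and `hasNext` as in the sample responses. The `demo()` run uses constructed pages so it works offline; the host name and JWT in it are placeholders.

```python
"""Request builder and pager for the RSA NetWitness XDR Respond endpoints
documented on this page. Added example; not Swimlane's connector code.

Assumed (not stated on the page): query-parameter names are the camelCase
forms of the input names, the PATCH body is JSON with "status"/"assignee",
and paginated responses carry "items" and "hasNext" as in the examples.
"""
import base64
import json
import re
import ssl
import urllib.parse
import urllib.request

# ISO 8601 UTC timestamps, matching the documented example 2018-01-01T14:00:00.000Z
ISO_8601_UTC = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d{1,3})?Z$")


def auth_header(username=None, password=None, token=None):
    """Authorization header for the two documented methods: Basic or Bearer JWT.
    The credential travels in a header, never in the query string, so it does
    not end up in proxy or server access logs."""
    if token:
        return {"Authorization": "Bearer " + token}
    if username and password:
        raw = f"{username}:{password}".encode("utf-8")
        return {"Authorization": "Basic " + base64.b64encode(raw).decode("ascii")}
    raise ValueError("either a JWT token or username+password is required")


def _segment(value):
    """Percent-encode a path segment so a workflow-supplied incident id such as
    '../admin' cannot redirect the call to a different endpoint."""
    return urllib.parse.quote(str(value), safe="")


def _iso(ts):
    """Reject since/until values that are not ISO 8601 UTC before they leave."""
    if ts is not None and not ISO_8601_UTC.match(ts):
        raise ValueError(f"since/until must be ISO 8601 UTC, got {ts!r}")
    return ts


def build_request(base_url, path, auth, query=None, method="GET", body=None):
    url = base_url.rstrip("/") + path
    params = {k: v for k, v in (query or {}).items() if v is not None}
    if params:
        url += "?" + urllib.parse.urlencode(params)
    headers = dict(auth, Accept="application/json")
    data = None
    if body is not None:
        data = json.dumps(body).encode("utf-8")
        headers["Content-Type"] = "application/json"
    return urllib.request.Request(url, data=data, headers=headers, method=method)


def get_incident(base_url, auth, incident_id):
    return build_request(base_url, f"/rest/api/incidents/{_segment(incident_id)}", auth)


def get_incident_alerts(base_url, auth, incident_id, page_number=0, page_size=10):
    return build_request(base_url, f"/rest/api/incidents/{_segment(incident_id)}/alerts",
                         auth, {"pageNumber": page_number, "pageSize": page_size})


def get_incidents_by_date(base_url, auth, since=None, until=None, page_number=0, page_size=100):
    return build_request(base_url, "/rest/api/incidents", auth,
                         {"since": _iso(since), "until": _iso(until),
                          "pageNumber": page_number, "pageSize": page_size})


def update_incident(base_url, auth, incident_id, status=None, assignee=None):
    body = {k: v for k, v in {"status": status, "assignee": assignee}.items() if v is not None}
    if not body:
        raise ValueError("nothing to update")
    return build_request(base_url, f"/rest/api/incidents/{_segment(incident_id)}",
                         auth, method="PATCH", body=body)


def make_opener(verify_ssl=True, http_proxy=None):
    """Mirror the connector's 'Verify SSL' and 'HTTP Proxy' options. Keep
    verify_ssl on outside a lab: switching it off lets a man-in-the-middle read
    the Basic credentials or JWT carried by every request."""
    ctx = ssl.create_default_context()
    if not verify_ssl:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    handlers = [urllib.request.HTTPSHandler(context=ctx)]
    if http_proxy:
        handlers.append(urllib.request.ProxyHandler({"http": http_proxy, "https": http_proxy}))
    return urllib.request.build_opener(*handlers)


def send_json(req, opener=None):
    with (opener or make_opener()).open(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def iter_incidents(base_url, auth, since=None, until=None, page_size=100, send=send_json):
    """Walk every page of a bounded or unbounded date-range query via hasNext."""
    page = 0
    while True:
        data = send(get_incidents_by_date(base_url, auth, since, until, page, page_size))
        yield from data.get("items", [])
        if not data.get("hasNext"):
            return
        page += 1


def demo():
    """Offline run over constructed pages shaped like the page's json_body examples."""
    pages = [  # constructed sample data, not a real NetWitness response
        {"items": [{"id": "INC-100"}, {"id": "INC-101"}], "pageNumber": 0, "hasNext": True},
        {"items": [{"id": "INC-102"}], "pageNumber": 1, "hasNext": False},
    ]
    auth = auth_header(token="placeholder.jwt.token")  # placeholder, not a real JWT
    return [i["id"] for i in iter_incidents("https://netwitness.example", auth,
                                              since="2018-01-01T14:00:00.000Z",
                                              send=lambda req: pages.pop(0))]


if __name__ == "__main__":
    print(demo())
```

The `send` parameter is the seam between request building and transport: pass `send_json` with an opener from `make_opener()` to talk to a real Respond server, or a stub, as `demo()` does, to exercise the paging and validation logic without network access.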