RSA NetWitness Endpoint
The RSA NetWitness Platform – Endpoint Playbook app enables automated investigation and response actions on hosts with the RSA NetWitness Endpoint API. As part of a Case or Investigation, use this app to get important host details, snapshots, files, alerts, and more. When combined with the existing apps for NetWitness Respond and Events, ThreatConnect Workflow and Playbooks can now drive comprehensive investigations across Network, Log, and Endpoint data in the RSA NetWitness Platform. The following actions are available from within the app:
- Get Host – Retrieves a list of host data, including the
Agent Idvalues required for some Endpoint API calls. Because the network interface data contains nested information, the special variable
#rsa.nw.hosts.network_interfaces.jsoncontains the JSON encoded data for each host which may be passed through an iterator to the
Parse Network Interfaceaction to decode a network interface.
- List Snapshots for Host – Lists the snapshots available to a specific
Agent Idfor a given
Service Id. The output
#rsa.nw.snapshot_listmay contain duplicate snapshot identifiers.
- Get Files – Retrieves a list of files for which alerts have been generated for. The result #rsa.nw.files.checksum_md5 is an array of checksum values that can be used to retrieve specific alerts with the Get Alerts By File API call. Because some of the file data may contain nested array values, the special array #rsa.nw.files.json can be used in conjunction with an iterator and the Parse File action to decode more details about a specific file.
- Get Alerts by Host – Retrieves a summary of alerts generated for a specific
Agent Idrunning on a host.
- Get Alerts by File – Retrieves a summary of alerts generated by a file with a given
- Parse File – Parses one record of file JSON encoded data, such as would be output by an iterator of
#rsa.nw.files.jsoninto file specific fields. No logon information is required for NetWitness to parse the record.
- Parse Network Interfaces – Parses one record of file JSON encoded data, such as would be output by an iterator of
#rsa.nw.hosts.network_interfaces.jsoninto file specific fields. No logon information is required for NetWitness to parse the record.
- Parse Snapshot – Parses one record of file JSON encoded data, such as would be output by an iterator of
#rsa.nw.snapshots.jsoninto file specific fields. No logon information is required for NetWitness to parse the record.
This listing can be found in the ThreatConnect App Catalog under the name RSA NetWitness Platform – Endpoint.