ThreatConnect Marketplace
Categories:
  • SIEM and Analytics
Built by ThreatConnect

RSA NetWitness Endpoint

The RSA NetWitness Platform – Endpoint Playbook app enables automated investigation and response actions on hosts through the RSA NetWitness Endpoint API. As part of a Case or Investigation, use this app to retrieve key host details, snapshots, files, alerts, and more. Combined with the existing apps for NetWitness Respond and Events, ThreatConnect Workflow and Playbooks can drive comprehensive investigations across Network, Log, and Endpoint data in the RSA NetWitness Platform. The following actions are available from within the app:

  • Get Host – Retrieves a list of host data, including the Agent Id values required by some Endpoint API calls. Because the network interface data contains nested information, the special variable #rsa.nw.hosts.network_interfaces.json holds the JSON-encoded data for each host; it can be passed through an iterator to the Parse Network Interfaces action to decode each network interface.
  • List Snapshots for Host – Lists the snapshots available for a specific Agent Id on a given Service Id. The output #rsa.nw.snapshot_list may contain duplicate snapshot identifiers.
  • Get Files – Retrieves a list of files for which alerts have been generated. The result #rsa.nw.files.checksum_md5 is an array of checksum values that can be used to retrieve specific alerts with the Get Alerts by File action. Because some of the file data may contain nested array values, the special array #rsa.nw.files.json can be used with an iterator and the Parse File action to decode more details about a specific file.
  • Get Alerts by Host – Retrieves a summary of alerts generated for a specific Agent Id running on a host.
  • Get Alerts by File – Retrieves a summary of alerts generated by a file with a given checksum value.
  • Parse File – Parses one record of JSON-encoded file data, such as one element output by an iterator over #rsa.nw.files.json, into file-specific fields. No logon to NetWitness is required to parse the record.
  • Parse Network Interfaces – Parses one record of JSON-encoded network interface data, such as one element output by an iterator over #rsa.nw.hosts.network_interfaces.json, into network-interface-specific fields. No logon to NetWitness is required to parse the record.
  • Parse Snapshot – Parses one record of JSON-encoded snapshot data, such as one element output by an iterator over #rsa.nw.snapshots.json, into snapshot-specific fields. No logon to NetWitness is required to parse the record.

This listing can be found in the ThreatConnect App Catalog under the name RSA NetWitness Platform – Endpoint.
