Eric Partington

NetWitness Orchestrator - Working with the NetWitness Respond API

Blog Post created by Eric Partington Employee on Jul 16, 2018

One of the useful features that was released with RSA NetWitness 11.1 was the NetWitness API which provides access to the Incidents and Alerts from the Respond Engine.

 

Documentation is located at the link below which is very useful from a schema perspective.

 

NetWitness Suite API User Guide for Version 11.1 

 

Using that Guide and a helpful internal training video, I found a very useful Google Chrome plugin to help test integrations with the API.

 

Restlet Client - REST API Testing - Chrome Web Store 

 

Using this plugin you can simulate RSA NetWitness Orchestrator web calls or anything that is calling the API to validate what to expect and test.

 

The first thing to do is follow general security best practice and create a role and user in RSA NetWitness to reduce the required permissions to just what is required.  Currently I am still testing to see if i can reduce the roles further but the current permissions are much less than the default 'admin' account.

 

Create a new Role (I called it Orchestration)

  • Admin > Security > Roles
  • Add the following rights
  • Alerting - access alerting module view alerts, view rules
  • Incidents - Access incident module, delete alerts and incidents, manage alert handling rules, view and manage incidents
  • Integration server - integration-server.api.access (this is the required criteria according to the api doc)
  • Respond Server - respond-server.alert.delete,respond-server.alert.manage,respond-server.alert.read,respond-server.incident.delete,respond-server.incident.manage,respond-server.incident.read,respond-server.journal.manage,respond-server.journal.read,respond-server.notifications.manage,respond-server.notifications.read, respond-server.process.manage,respond-server.remediation.manage, respond-server.remediation.read,respond-server.security.manage, respond-server.security.read

 

create a new User (I called it Orchestrator)

  • Add it to the Role: Orchestration

 

Now there is an account to use for testing with the API and integrating with RSA NetWitnessOrchestrator.

 

Using Restlet-client import the three 'requests' from the github link below:

GitHub - epartington/rsa_nw_netwitnessapi 

 

This will get you a nw-getauth, nw-get-incident, nw-get-alert

 

Use nw-getauth to request a security token from the RSA NetWitness API (update for your RSA NetWitness interface)

 

 

Hit send and you should get back a 200 OK result with the security tokens to use in the next submissions.

 

Now you have the accessToken value to use to authenticate your next commands (copy the accessToken value)

Use the nw-get-incident request to get the details for a specific incident (INC-XXX)

 

Insert the value for the accessToken into the RSA NetWitness-Token field and hit send.

 

If everything works well you should get back another 200 OK with the json dump of the values on that specific incident

 

 

You can click download to grab a json export of this incident to use to work offline, investigate, upload to a demo RSA NetWitness Orchestrator system ... A sample one is included in the github link.

 

To grab the alert details from this incident use the 3rd 'request' nw-get-alert

 

Again you should get a 200 OK with the details of the Alerts for the incident requested

 

 

 

Again you can download the json file to get the full details of the alert to know what you can work with in RSA NetWitness Orchestrator/Crystal Reports.

 

This is the equivalent output from the Respond Incident window (alerts are the same missing items), the area in the red box don't appear to be available in the API.  An internal Jira has been opened on this to enhance or resolve this (I can't figure out if this is a bug or feature request).

 

Outcomes