Drilling into NetWitness Investigator from Web IP addresses and Hostnames

Document created by rob.davis on Apr 9, 2013

This post is primarily for customers of RSA NetWitness (Security Analytics), although it may be interesting to security practitioners who conduct security investigations.  We describe how to use the Threat Analytics Chrome Extension (http://www.criticalstart.com/2013/01/threat-analytics-search-extension-for-chrome/) to open a NetWitness Investigator drill from a Chrome browser.  This is similar to the SIEMLink tool but doesn't require any software to be installed.  The same approach could also be used to create custom REST API queries.

alias-host.jpg


Many people use security tools that have a web interface in conjunction with NetWitness Investigator.

You will need:

  1. Chrome Browser with Threat Analytics Extension installed (available on Chrome Store at http://www.criticalstart.com/2013/01/threat-analytics-search-extension-for-chrome/)
  2. IP address and port of NetWitness concentrator/broker you will be using with Investigator
  3. Investigator collection name you want to use
  4. NetWitness Investigator must be installed on the same machine as the Chrome browser


The easiest way to find the last two items is to “Copy URL” from Investigator and paste into a text editor.

copy-info.jpg


You will get something like:

nw://10.1.1.1:50003/?collection=BROKER&name=%s&where=ip.dst%3D%s&time=Last+24+Hours+of+Collection+Time&history=collection%3DBROKER%26time%3DLast+24+Hours+of+Collection+Time


The IP address and port (10.1.1.1:50003 in the example above) are highlighted in yellow.  The collection name (BROKER) is highlighted in green.  Your values will differ from the example shown.


We will manually add three search providers to the Threat Analytics extension (in Chrome use Tools > Extensions – Options).  Before pasting them in, edit the examples below in a text editor, replacing the IP address, port and collection name with the values you obtained in the steps above.


NW DST IP < 24
nw://10.1.1.1:50003/?collection=BROKER&name=%s&where=ip.dst%3D%s&time=Last+24+Hours+of+Collection+Time&history=collection%3DBROKER%26time%3DLast+24+Hours+of+Collection+Time

NW IP SRC < 24
nw://10.1.1.1:50003/?collection=BROKER&name=%s&where=ip.src%3D%s&time=Last+24+Hours+of+Collection+Time&history=collection%3DBROKER%26time%3DLast+24+Hours+of+Collection+Time

NW Alias.Host < 24
nw://10.1.1.1:50003/?collection=BROKER&name=%22%s%22&where=alias.host%3D%22%s%22&time=Last+24+Hours+of+Collection+Time&history=collection%3DBROKER%26time%3DLast+24+Hours+of+Collection+Time

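As an added example (not code from the original post or from the extension), the following Python helpers pull the host, port and collection name out of a Copy URL string and rebuild the three provider templates above, URL-encoding the where clause and the history parameter the same way Investigator does. The sample URL is constructed, and fill_template assumes the extension substitutes the selected text for %s verbatim, which is an assumption, not documented behaviour.

```python
"""Helpers for NetWitness Investigator nw:// search-provider templates."""
from urllib.parse import parse_qs, quote_plus, urlsplit

# Constructed sample in the shape of an Investigator "Copy URL" string (not a real deployment).
SAMPLE_COPY_URL = ("nw://10.1.1.1:50003/?collection=BROKER&name=%s&where=ip.dst%3D%s"
                   "&time=Last+24+Hours+of+Collection+Time"
                   "&history=collection%3DBROKER%26time%3DLast+24+Hours+of+Collection+Time")


def parse_copy_url(url):
    """Return (host, port, collection) from a Copy URL string.

    Accepts both the '/?collection=' form and a bare '/collection=' form,
    since pasted Copy URL output does not always carry the '?'.
    """
    parts = urlsplit(url)
    if parts.scheme != "nw" or not parts.hostname:
        raise ValueError("not an nw:// URL with a host")
    query = parts.query or parts.path.lstrip("/")
    params = parse_qs(query)
    if "collection" not in params:
        raise ValueError("no collection= parameter in URL")
    return parts.hostname, parts.port, params["collection"][0]


def build_provider_url(host, port, collection, meta_key, quoted=False, hours=24):
    """Build a provider template; %s is where the extension inserts the selection.

    quoted=True wraps the value in URL-encoded double quotes, as string meta
    such as alias.host needs; ip.dst / ip.src are left unquoted.
    """
    placeholder = "%22%s%22" if quoted else "%s"
    window = f"Last {hours} Hours of Collection Time"
    where = quote_plus(f"{meta_key}=") + placeholder      # e.g. ip.dst%3D%s
    history = quote_plus(f"collection={collection}&time={window}")
    return (f"nw://{host}:{port}/?collection={collection}&name={placeholder}"
            f"&where={where}&time={quote_plus(window)}&history={history}")


def fill_template(template, selection):
    """Preview the drill URL for one selected value (assumes plain %s substitution);
    the selection is trimmed and URL-encoded so stray characters cannot break the query."""
    return template.replace("%s", quote_plus(selection.strip()))
```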

Example of adding a search provider in the Chrome Extension:

enter-extension-info.jpg

Example of using the extension to drill into a destination IP address in Investigator:

dst-ip.jpg

Any feedback let me know.
