Current ThreatQ Version Filter

RSA NetWitness Incidents CDF

The web format of this guide reflects the most current release. Guides for older iterations are available in PDF format.

Integration Details

ThreatQuotient provides the following details for this integration:

Current Integration Version

1.1.1

Compatible with ThreatQ Versions

>= 4.35.0

Support Tier

ThreatQ Supported

Introduction

The RSA NetWitness Incidents CDF for ThreatQuotient enables ThreatQ to automatically ingest incidents and their related indicators from RSA NetWitness.

The integration ingests threat intelligence data from the following endpoints:

RSA NetWitness Incidents (Feed) - fetches all incidents from RSA NetWitness, within a given timeframe. Each incident will be parsed for metadata and related indicators, and the intelligence will be uploaded to ThreatQ.
Get API Token (Supplemental) - authenticates using user credentials to get back an access token used for each subsequent request.

The integration ingests the following system object types:

Incidents
- Incident Attributes
Indicators
- Indicator Attributes

Installation

This integration can be installed in the My Integration section of your ThreatQ instance. See the Adding an Integration topic for more details.

Configuration

ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.

To configure the integration:

Navigate to your integrations management page in ThreatQ.
Select the Commercial option from the Category dropdown (optional).
If you are installing the integration for the first time, it will be located under the Disabled tab.
Click on the integration entry to open its details page.

Enter the following parameters under the Configuration tab:

Parameter	Description
RSA NetWitness Hostname/IP (and port)	Your RSA NetWitness Hostname/IP, along with the port (if applicable).
RSA NetWitness Login	Your RSA NetWitness Login (username) to authenticate with the API.
RSA NetWitness Password	Your RSA NetWitness Login (password) to authenticate with the API.
Alert Rules	An optional comma-delimited list of alert rules. This will limit the ingested incidents only to ones created by these rules.
Priority Filter	The incident priorities to be ingested. Options include: Low Medium (default) High (default) Critical (default)
Minimum Risk Score Threshold	The minimum risk score threshold for incidents to be ingested. The default setting is 50.
Skip Closed Incidents	Checkbox to control whether to ingest close incidents. The default setting is false.
Skip Remediated Incidents	Checkbox to control whether to ingest remediated incidents. The default setting is false.
Verify SSL Certificate	Checkbox to enable or disable SSL certificate verification.

Review any additional settings, make any changes if needed, and click on Save.
Click on the toggle switch, located above the Additional Information section, to enable it.

ThreatQ Mapping

RSA NetWitness Incidents (Feed)

This endpoint will fetch all incidents from RSA NetWitness, within a given timeframe. Each incident will be parsed for metadata and related indicators, and the intelligence will be uploaded to ThreatQ.

GET https://{{host}}/rest/api/incidents

Sample Response:

{
    "items": [
        {
            "id": "INC-708",
            "title": "High Risk Alerts: ESA for 119.45.42.241",
            "summary": "",
            "priority": "High",
            "riskScore": 50,
            "status": "New",
            "alertCount": 1,
            "averageAlertRiskScore": 50,
            "sealed": false,
            "totalRemediationTaskCount": 0,
            "openRemediationTaskCount": 0,
            "created": "2021-07-08T15:16:00.696Z",
            "lastUpdated": "2021-07-08T15:16:00.696Z",
            "lastUpdatedBy": null,
            "assignee": null,
            "sources": [
                "Event Stream Analysis"
            ],
            "ruleId": "5ffdec73cf797e197669c5f0",
            "firstAlertTime": "2021-07-08T15:15:46.290Z",
            "categories": [],
            "journalEntries": null,
            "createdBy": "High Risk Alerts: ESA",
            "deletedAlertCount": 0,
            "eventCount": 1,
            "alertMeta": {
                "SourceIp": [
                    "119.45.42.241"
                ],
                "DestinationIp": [
                    "172.24.131.192"
                ]
            }
        },
        {
            "id": "INC-707",
            "title": "High Risk Alerts: ESA for 81.68.246.68",
            "summary": "",
            "priority": "High",
            "riskScore": 50,
            "status": "New",
            "alertCount": 2,
            "averageAlertRiskScore": 50,
            "sealed": false,
            "totalRemediationTaskCount": 0,
            "openRemediationTaskCount": 0,
            "created": "2021-07-08T15:16:00.677Z",
            "lastUpdated": "2021-07-08T15:16:00.677Z",
            "lastUpdatedBy": null,
            "assignee": null,
            "sources": [
                "Event Stream Analysis"
            ],
            "ruleId": "5ffdec73cf797e197669c5f0",
            "firstAlertTime": "2021-07-08T15:15:46.265Z",
            "categories": [],
            "journalEntries": null,
            "createdBy": "High Risk Alerts: ESA",
            "deletedAlertCount": 0,
            "eventCount": 2,
            "alertMeta": {
                "SourceIp": [
                    "81.68.246.68"
                ],
                "DestinationIp": [
                    "172.21.225.14",
                    "172.18.205.42"
                ]
            }
        }
    ]
}

ThreatQuotient provides the following default mapping for this feed:

Feed Data Path	ThreatQ Entity	ThreatQ Object Type or Attribute Key	Published Date	Examples	Notes
`.id\|title\|riskScore\|priority`	Value	Incident	Concatenated together to form a title	`.firstAlertTime`	INC-435 - High Risk Alerts: ESA for 40.73.79.203 - Score: 50 - Priority: High	N/A
`.summary`	Description	Incident	N/A	N/A	N/A	These are empty by default
`.id`	Attribute	Incident ID	N/A	`.created`	INC-123	N/A
`.id`	Attribute	Incident Link	Concatenated with an incident URL	`.created`	https://{{host}}/respond /incident/{{id}}	N/A
`.priority`	Attribute	Priority	N/A	`.created`	High	N/A
`.status`	Attribute	Status	N/A	`.created`	New	N/A
`.averageAlertRiskScore`	Attribute	Average Alert Risk Score	N/A	`.created`	50	N/A
`.sealed`	Attribute	Is Sealed	bool -> True/False	`.created`	False	N/A
`.totalRemediationTaskCount`	Attribute	Total Remediation Task Count	N/A	`.created`	0	N/A
`.openRemediationTaskCount`	Attribute	Open RemediationTaskCount	N/A	`.created`	0	N/A
`.sources[]`	Attribute	Incident ID	N/A	`.created`	Event Stream Analysis	N/A
`.ruleId`	Attribute	Triggered Rule ID	N/A	`.created`	5ffdec73cf797e197669c5f0	N/A
`.alertCount`	Attribute	Alert Count	N/A	`.created`	INC-123	N/A
`.eventCount`	Attribute	Event Count	N/A	`.created`	INC-123	N/A
`.riskScore`	Attribute	Risk Score	N/A	`.created`	INC-123	N/A
`.categories[].parent\|name`	Attribute	Category	Keys, `parent` & `name` are concatenated	`.created`	Hacking - path traversal	N/A
`.createdBy`	Attribute	Triggered Rule Name	N/A	`.created`	High Risk Alerts: ESA	N/A
`.journalEntries[].notes`	Attribute	Note	N/A	`.created`	Updated status	N/A
`.journalEntries[].milestone`	Attribute	Milestone	N/A	`.created`	Reconnaisance	N/A
`.alertMeta.SourceIp \|DestinationIp[]`	Value	Indicator	N/A	`.created`	N/A	Lists merged and filtered by internal vs. external IPs. External IPs are added as indicators
`.alertMeta.SourceIp \|DestinationIp[]`	Attribute	Internal Device ID	N/A	`.created`	N/A	Lists merged and filtered by internal vs. external IPs. Internal IPs are added as attributes

Get API Token (Supplemental)

This endpoint will authenticate using user credentials to get back an access token used for each subsequent request.

POST https://{{host}}/rest/api/auth/userpass

Sample Response:

{
  "id": "admin",
  "roles": [
    "Administrators"
  ],
  "accessToken": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9....",
  "refreshToken": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2MjgzNTA3NDc1NjUsImlzcyI6InNlY3VyaXR5LXNlcnZlci00NzdjNzgzZS0wNzlhLTRjNWYtODdkNC03NDBhNTc5MmUyM2UiLCJpYXQiOjE2MjU3NTg3NDc1NjUsInJlZnJlc2giOnRydWUsInVzZXJfbmFtZSI6ImFkbWluIn0....."
}

Average Feed Run

Object counts and Feed runtime are supplied as generalities only - objects returned by a provider can differ based on credential configurations and Feed runtime may vary based on system resources and load.

Metric	Result
Run Time	1 minute
Incidents	274
Incident Attributes	4,003
Indicators	217
Indicator Attributes	217

Change Log

Version 1.1.1
- Fixed an issue where the items.categories attributes were set to null in the response data.
- Fixed an issue that occurred when Alert Rules are not specified.
Version 1.1.0
- Added an optional configuration parameter: Alert Rules.
Version 1.0.0
- Initial Release

PDF Guides

Document	ThreatQ Version
RSA NetWitness Incidents CDF Guide v1.1.1	4.35.0 or Greater
RSA NetWitness Incidents CDF Guide v1.1.0	4.35.0 or Greater
RSA NetWitness Incidents CDF Guide v1.0.0	4.35.0 or Greater