RSA NetWitness

Details
Content
Dependencies
Version History

RSA NetWitness Platform provides systems Logs, Network, and endpoint visibility for real-time collection, detection, and automated response with the Demisto Enterprise platform. Providing full session analysis, customers can extract critical data and effectively operate security operations automated playbook.

RSA NetWitness provides your security team with the visibility it needs to detect sophisticated threats to your system. It collects and analyzes data across all capture points and computing platforms enriching data with threat intelligence and business context.

What does this pack do?

Isolate/unisolate infected endpoints.
Get alerts triggered for a given host.
Retrieve the alerts that are associated with an incident.
List, update, remove incidents.
Get snapshots for a given host.
List all related file information from a specific endpoint server and downloading files.
Scan a host.

Pack Contributors:

Pierre Soler
Sébastien Guisnet

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

Layouts

Name	Description
RSA NetWitness Layout

Incident Fields

Name	Description
RSA Alerts
RSA Event Count
RSA Id
RSA Metas Events
RSA Raw Logs List
RSA Alert Count
RSA Rule Id

Automations

Name	Description
SetRSANetWitnessAlertsMD	This automation takes several alert fields from the RSA NetWitness alerts context and displays them as markdown in the layout.
RSA_DisplayMetasEvents	Use this script to display meta events inside the layout.
RSA_GetRawLog	Use this script to get RAW log.

Incident Types

Name	Description
NetWitness Incident

Classifiers

Name	Description
RSA NetWitness v11.5 - incoming mapper

Integrations

Name	Description
RSA NetWitness v11.1 (Deprecated)	Deprecated. Use RSA NetWitness v11.5 instead
RSANetWitness v11.5	The RSA NetWitness integration provides system log, network, and endpoint visibility for real-time collection, detection, and automated response with the Cortex XSOAR Enterprise platform. Using full session analysis, customers can extract critical data and effectively run security operations automated playbooks.

Incident Fields

Name	Description
RSA Alerts
RSA Event Count
RSA Id
RSA Metas Events
RSA Raw Logs List
RSA Alert Count
RSA Rule Id

Automations

Name	Description
SetRSANetWitnessAlertsMD	This automation takes several alert fields from the RSA NetWitness alerts context and displays them as markdown in the layout.
RSA_DisplayMetasEvents	Use this script to display meta events inside the layout.
RSA_GetRawLog	Use this script to get RAW log.

Incident Types

Name	Description
NetWitness Incident

Classifiers

Name	Description
RSA NetWitness v11.5 - incoming mapper

Integrations

Name	Description
RSA NetWitness v11.1 (Deprecated)	Deprecated. Use RSA NetWitness v11.5 instead
RSANetWitness v11.5	The RSA NetWitness integration provides system log, network, and endpoint visibility for real-time collection, detection, and automated response with the Cortex XSIAM Enterprise platform. Using full session analysis, customers can extract critical data and effectively run security operations automated playbooks.

Required Content Packs (1)

Pack Name	Pack By
Base	By: Cortex XSOAR

Optional Content Packs (3)

Pack Name	Pack By
RSA NetWitness Packets and Logs	By: Cortex XSOAR
Common Types	By: Cortex XSOAR
Phishing	By: Cortex XSOAR

All level dependencies (1)

Pack Name	Pack By
Base	By: Cortex XSOAR

3.2.0 - R6592021 (October 13, 2023)

Incident Fields

RSA Raw Logs List
RSA Metas Events
RSA Alerts

Incident Types

NetWitness Incident
Updated the option "Run playbook automatically" to be enabled by default.

Integrations

RSANetWitness v11.5

Added the incident mirroring functionality with the Incident Mirroring Direction and Mirror closure parameters.
Updated the Docker image to: demisto/python3:3.10.13.73190.

RSA NetWitness v11.1 (Deprecated)

Removed non-standard ' in the yml file.

Layouts

RSA NetWitness Layout
Renamed the Alerts tab to SIEM with multiple sections to better manage and investigate the incident in Cortex XSOAR.

Mappers

RSA NetWitness v11.5 - incoming mapper

Added the following mirroring mandatory fields:

mirror_instance
mirror_direction
incident_id

Scripts

SetRSANetWitnessAlertsMD

Removed the header of the markdown for better UI consistency.
Updated the Docker image to: demisto/python3:3.10.13.73190.

RSA_GetRawLog

Gets the raw log and metas of events using RSA NetWitness Packets & Logs.

RSA_DisplayMetasEvents

Displays alert event metas at the origin of the incident.

Related pull requests:
- 29220
- 29713

Download

3.1.0 - 5876761 (July 26, 2023)

Incident Fields

RSA Alerts

Integrations

RSANetWitness v11.5

Added the On 'Fetch incidents' import all alerts related to the incident parameter.
Added the path argument to the rsa-nw-mft-download-request command. this parameter is required when using API version 11.5 onwards.
Updated the Docker image to: demisto/python3:3.10.12.66339.

Layouts

RSA NetWitness Layout
Added the Alerts tab, for viewing alerts related to the fetched incidents.

Mappers

RSA NetWitness v11.5 - incoming mapper

Updated the mapper to use the RSA Alerts incident type.

Scripts

New: SetRSANetWitnessAlertsMD

Takes several alerts fields from the RSA NetWitness alerts context and displays them using markdown in the layout.

Related pull requests:
- 27312

Download

3.0.3 - R5866730 (July 25, 2023)

Integrations

RSANetWitness v11.5

Documentation and metadata improvements.

Related pull requests:
- 28008

Download

3.0.2 - 5702009 (July 6, 2023)

Integrations

RSANetWitness v11.5

Updated the Docker image to: demisto/python3:3.10.12.63474.

Related pull requests:
- 27954

Download

3.0.1 - R5692327 (July 5, 2023)

Layouts

RSA NetWitness Layout
This item is no longer supported in XSIAM.

Related pull requests:
- 24223

Download

PUBLISHER

Cortex

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	January 27, 2021
Last Release	October 13, 2023

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.