RSA NetWitness

Details
Content
Dependencies
Version History

RSA NetWitness Platform provides systems Logs, Network, and endpoint visibility for real-time collection, detection, and automated response with the Demisto Enterprise platform. Providing full session analysis, customers can extract critical data and effectively operate security operations automated playbook.

RSA NetWitness provides your security team with the visibility it needs to detect sophisticated threats to your system. It collects and analyzes data across all capture points and computing platforms enriching data with threat intelligence and business context.

What does this pack do?

Isolate/unisolate infected endpoints.
Get alerts triggered for a given host.
Retrieve the alerts that are associated with an incident.
List, update, remove incidents.
Get snapshots for a given host.
List all related file information from a specific endpoint server and downloading files.
Scan a host.

Note: Support for this Pack will be moved to the Partner on APRIL, 17, 2024.

Pack Contributors:

Pierre Soler
Sébastien Guisnet

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

What does this pack do?

Isolate/unisolate infected endpoints.
Get alerts triggered for a given host.
Retrieve the alerts that are associated with an incident.
List, update, remove incidents.
Get snapshots for a given host.
List all related file information from a specific endpoint server and downloading files.
Scan a host.

Note: Support for this Pack will be moved to the Partner on APRIL, 17, 2024.

Pack Contributors:

Pierre Soler
Sébastien Guisnet

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

Automations

Name	Description
RSA_GetRawLog	Use this script to get RAW log.
SetRSANetWitnessAlertsMD	This automation takes several alert fields from the RSA NetWitness alerts context and displays them as markdown in the layout.
RSA_DisplayMetasEvents	Use this script to display meta events inside the layout.

Classifiers

Name	Description
RSA NetWitness v11.5 - incoming mapper

Incident Fields

Name	Description
RSA Id
RSA Metas Events
RSA Event Count
RSA Alert Count
RSA Rule Id
RSA Alerts
RSA Raw Logs List

Incident Types

Name	Description
NetWitness Incident

Integrations

Name	Description
RSANetWitness v11.5	The RSA NetWitness integration provides system log, network, and endpoint visibility for real-time collection, detection, and automated response with the Cortex XSOAR Enterprise platform. Using full session analysis, customers can extract critical data and effectively run security operations automated playbooks.
RSA NetWitness v11.1 (Deprecated)	Deprecated. Use RSA NetWitness v11.5 instead

Layouts

Name	Description
RSA NetWitness Layout

Automations

Name	Description
RSA_GetRawLog	Use this script to get RAW log.
RSA_DisplayMetasEvents	Use this script to display meta events inside the layout.
SetRSANetWitnessAlertsMD	This automation takes several alert fields from the RSA NetWitness alerts context and displays them as markdown in the layout.

Classifiers

Name	Description
RSA NetWitness v11.5 - incoming mapper

Incident Fields

Name	Description
RSA Event Count
RSA Alerts
RSA Rule Id
RSA Raw Logs List
RSA Alert Count
RSA Id
RSA Metas Events

Incident Types

Name	Description
NetWitness Incident

Integrations

Name	Description
RSANetWitness v11.5	The RSA NetWitness integration provides system log, network, and endpoint visibility for real-time collection, detection, and automated response with the Cortex XSIAM Enterprise platform. Using full session analysis, customers can extract critical data and effectively run security operations automated playbooks.
RSA NetWitness v11.1 (Deprecated)	Deprecated. Use RSA NetWitness v11.5 instead

Required Content Packs (1)

Pack Name	Pack By
Base	By: Cortex XSOAR

Optional Content Packs (3)

Pack Name	Pack By
Common Types	By: Cortex XSOAR
Phishing	By: Cortex XSOAR
RSA NetWitness Packets and Logs	By: Cortex XSOAR

All level dependencies (1)

Pack Name	Pack By
Base	By: Cortex XSOAR

3.2.3 - 778086 (January 22, 2024)

Started adoption process.

Related pull requests:
- 32341
- 32285

Download

3.2.2 - 767481 (January 17, 2024)

Integrations

RSANetWitness v11.5

Updated the Docker image to: demisto/python3:3.10.13.84405.

Related pull requests:
- 32259

Download

3.2.1 - 743135 (January 4, 2024)

Integrations

RSANetWitness v11.5

Updated the Docker image to: demisto/python3:3.10.13.83255.

Related pull requests:
- 31967

Download

3.2.0 - R6592021 (October 13, 2023)

Incident Fields

RSA Raw Logs List
RSA Metas Events
RSA Alerts

Incident Types

NetWitness Incident
Updated the option "Run playbook automatically" to be enabled by default.

Integrations

RSANetWitness v11.5

Added the incident mirroring functionality with the Incident Mirroring Direction and Mirror closure parameters.
Updated the Docker image to: demisto/python3:3.10.13.73190.

RSA NetWitness v11.1 (Deprecated)

Removed non-standard ' in the yml file.

Layouts

RSA NetWitness Layout
Renamed the Alerts tab to SIEM with multiple sections to better manage and investigate the incident in Cortex XSOAR.

Mappers

RSA NetWitness v11.5 - incoming mapper

Added the following mirroring mandatory fields:

mirror_instance
mirror_direction
incident_id

Scripts

SetRSANetWitnessAlertsMD

Removed the header of the markdown for better UI consistency.
Updated the Docker image to: demisto/python3:3.10.13.73190.

RSA_GetRawLog

Gets the raw log and metas of events using RSA NetWitness Packets & Logs.

RSA_DisplayMetasEvents

Displays alert event metas at the origin of the incident.

Related pull requests:
- 29220
- 29713

Download

3.1.0 - 5876761 (July 26, 2023)

Incident Fields

RSA Alerts

Integrations

RSANetWitness v11.5

Added the On 'Fetch incidents' import all alerts related to the incident parameter.
Added the path argument to the rsa-nw-mft-download-request command. this parameter is required when using API version 11.5 onwards.
Updated the Docker image to: demisto/python3:3.10.12.66339.

Layouts

RSA NetWitness Layout
Added the Alerts tab, for viewing alerts related to the fetched incidents.

Mappers

RSA NetWitness v11.5 - incoming mapper

Updated the mapper to use the RSA Alerts incident type.

Scripts

New: SetRSANetWitnessAlertsMD

Takes several alerts fields from the RSA NetWitness alerts context and displays them using markdown in the layout.

Related pull requests:
- 27312

Download

3.0.3 - R5866730 (July 25, 2023)

Integrations

RSANetWitness v11.5

Documentation and metadata improvements.

Related pull requests:
- 28008

Download

3.0.2 - 5702009 (July 6, 2023)

Integrations

RSANetWitness v11.5

Updated the Docker image to: demisto/python3:3.10.12.63474.

Related pull requests:
- 27954

Download

3.0.1 - R5692327 (July 5, 2023)

Layouts

RSA NetWitness Layout
This item is no longer supported in XSIAM.

Related pull requests:
- 24223

Download

PUBLISHER

Cortex

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	January 27, 2021
Last Release	January 22, 2024

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.