Netwitness
Version: 2.0.0
NetWitness is an Evolved SIEM and Open XDR platform that accelerates threat detection and response.
Connect Netwitness with LogicHub
A connection must be saved before the Netwitness integration can be used.
- Navigate to Automations > Integrations.
- Search for Netwitness.
- Click Details, then the + icon. Enter the required information in the following fields.
- Label: Enter a connection name.
- Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
- Verify SSL: Select this option to verify the connecting server's SSL certificate (the default is Verify SSL Certificate).
- Remote Agent: Run this integration using the LogicHub Remote Agent.
- Username: Username to access Netwitness.
- Password: Password to access Netwitness.
- After you've entered all the details, click Connect.
Actions for Netwitness
Execute SDK Command
Get the result of SDK commands, for example query, packet and session.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Params | Jinja-templated text containing the params to pass in query. For example: '{"force-content-type":"text/plain","msg":"query","query":"select *","size": "1"}' | Required |
Output
JSON containing the following items:
{
  "data": {
    "lhub_file_id": "8as9ydfh9as8ydfghas9",
    "hash_md5": "f392puj293ufjwrehu9fh3p9",
    "hash_sha1": "oeirjg34i5htu345io345itj",
    "hash_sha256": "23jo4irtuj2394ru8hj3rf3rf"
  },
  "error": null,
  "has_error": false
}
Download PCAP File
Download the PCAP file for the given sessions.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Params | Jinja-templated text containing the params to pass in query. For example: '{"sessions":"435636,5746,2347356"}' | Required |
Output
JSON containing the following items:
{
  "data": {
    "lhub_file_id": "8as9ydfh9as8ydfghas9",
    "hash_md5": "f392puj293ufjwrehu9fh3p9",
    "hash_sha1": "oeirjg34i5htu345io345itj",
    "hash_sha256": "23jo4irtuj2394ru8hj3rf3rf"
  },
  "error": null,
  "has_error": false
}
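Both actions return a result of the shape shown above. As an added example (not LogicHub's or NetWitness's own code), the following Python checks such a result before a retrieved PCAP is treated as trusted evidence: it rejects results with has_error set and verifies that the bytes fetched for lhub_file_id match the reported MD5, SHA-1 and SHA-256. The result and file bytes are constructed; since the hash values in the page's example are placeholders, real digests are computed from the constructed bytes.

```python
import hashlib
import json

# Constructed sample file bytes: a pcap global header (magic 0xa1b2c3d4, little-endian) plus padding
SAMPLE_FILE_BYTES = bytes.fromhex("d4c3b2a1020004000000000000000000ffff000001000000")


def digests(data: bytes) -> dict:
    """Compute the three digests the action reports, keyed exactly like its output."""
    return {
        "hash_md5": hashlib.md5(data).hexdigest(),
        "hash_sha1": hashlib.sha1(data).hexdigest(),
        "hash_sha256": hashlib.sha256(data).hexdigest(),
    }


def verify_action_result(result_json: str, file_bytes: bytes) -> str:
    """Validate a Download PCAP File / Execute SDK Command result.

    Returns the lhub_file_id when the result is error-free and every reported
    digest matches the retrieved bytes; raises RuntimeError on an action error
    and ValueError on a missing or mismatching digest.
    """
    result = json.loads(result_json)
    if result.get("has_error") or result.get("error") is not None:
        raise RuntimeError(f"action reported an error: {result.get('error')}")
    data = result["data"]
    file_id = data["lhub_file_id"]
    for name, computed in digests(file_bytes).items():
        reported = data.get(name)
        if reported is None:
            raise ValueError(f"result is missing {name}")
        if reported.lower() != computed:
            raise ValueError(f"{name} mismatch for {file_id}: reported {reported}, computed {computed}")
    return file_id


# Constructed result in the page's output format; the file id is a placeholder,
# the digests are the real ones for SAMPLE_FILE_BYTES
SAMPLE_RESULT = json.dumps({
    "data": {"lhub_file_id": "example-file-id", **digests(SAMPLE_FILE_BYTES)},
    "error": None,
    "has_error": False,
})

if __name__ == "__main__":
    print(verify_action_result(SAMPLE_RESULT, SAMPLE_FILE_BYTES))
```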
Release Notes
v2.0.0
- Updated architecture to support IO via filesystem
v1.1.4
- Bug fix: support for non-text files added.
v1.1.0
- Added 1 new action: Download PCAP File.
v1.0.1
- Added 1 new action: Execute SDK Command.
Updated about 1 year ago