Netwitness

Version: 2.0.0

NetWitness is an Evolved SIEM and Open XDR platform that accelerates threat detection and response.

Connect Netwitness with LogicHub

A connection must be saved before the Netwitness integration can be used.

  1. Navigate to Automations > Integrations.
  2. Search for Netwitness.
  3. Click Details, then the + icon. Enter the required information in the following fields.
    • Label: Enter a connection name.
    • Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
    • Verify SSL: Select option to verify connecting server's SSL certificate (Default is Verify SSL Certificate).
    • Remote Agent: Run this integration using the LogicHub Remote Agent.
    • Username: Username to access Netwitness.
    • Password: Password to access Netwitness.
  4. After you've entered all the details, click Connect.

Actions for Netwitness

Execute SDK Command

Get the result of an SDK command, for example query, packet or session.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the action.

Input Name | Description | Required
Params | Jinja-templated text containing the params to pass in the query. For example: '{"force-content-type":"text/plain","msg":"query","query":"select *","size": "1"}' | Required

Output

JSON containing the following items:

{
  "data": {
    "lhub_file_id": "8as9ydfh9as8ydfghas9",
    "hash_md5": "f392puj293ufjwrehu9fh3p9",
    "hash_sha1": "oeirjg34i5htu345io345itj",
    "hash_sha256": "23jo4irtuj2394ru8hj3rf3rf"
  },
  "error": null,
  "has_error": false
}

Download PCAP File

Download the PCAP file for the given session IDs.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the action.

Input Name | Description | Required
Params | Jinja-templated text containing the params to pass in the query. For example: '{"sessions":"435636,5746,2347356"}' | Required

Output

JSON containing the following items:

{
  "data": {
    "lhub_file_id": "8as9ydfh9as8ydfghas9",
    "hash_md5": "f392puj293ufjwrehu9fh3p9",
    "hash_sha1": "oeirjg34i5htu345io345itj",
    "hash_sha256": "23jo4irtuj2394ru8hj3rf3rf"
  },
  "error": null,
  "has_error": false
}
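The following Python example is added here to show how a playbook step can build the Params JSON for both actions above (Execute SDK Command and Download PCAP File) and validate the output JSON before using the file ID and hashes. It is not LogicHub's or NetWitness's own code: the param shapes and the output shape are taken from the examples on this page, the allow-list of SDK message types is an assumption based on the examples named above (query, packet, session), and the sample output is constructed with the placeholder values shown on the page.

```python
import json
from typing import Iterable, Mapping

# SDK message types named on the page as examples; treated here as an
# allow-list (assumption, not a documented NetWitness constraint).
SDK_MESSAGES = {"query", "packet", "session"}

# Keys of the data object that both actions document in their output.
REQUIRED_DATA_KEYS = ("lhub_file_id", "hash_md5", "hash_sha1", "hash_sha256")


def sdk_command_params(query: str, size: int = 1, msg: str = "query",
                       content_type: str = "text/plain") -> str:
    """Build the Params JSON for Execute SDK Command (shape from the page's example)."""
    if msg not in SDK_MESSAGES:
        raise ValueError(f"unsupported SDK message type: {msg!r}")
    if size < 1:
        raise ValueError("size must be a positive integer")
    params = {
        "force-content-type": content_type,
        "msg": msg,
        "query": query,
        "size": str(size),  # the page's example passes size as a string
    }
    return json.dumps(params)


def pcap_download_params(session_ids: Iterable[object]) -> str:
    """Build the Params JSON for Download PCAP File from a list of session IDs.

    IDs are joined with commas as in the page's example. Each ID must be a
    non-negative integer, so playbook-supplied input cannot smuggle extra
    syntax into the request.
    """
    cleaned = []
    for sid in session_ids:
        text = str(sid).strip()
        if not text.isdigit():
            raise ValueError(f"invalid NetWitness session id: {sid!r}")
        cleaned.append(text)
    if not cleaned:
        raise ValueError("at least one session id is required")
    return json.dumps({"sessions": ",".join(cleaned)})


class ActionError(RuntimeError):
    """Raised when an action result reports an error or is malformed."""


def parse_action_output(raw: str) -> dict:
    """Validate the output JSON of either action and return its data block.

    Checks has_error/error before trusting data, and requires the file ID and
    hashes documented on the page to be present and non-empty.
    """
    doc = json.loads(raw)
    if not isinstance(doc, Mapping):
        raise ActionError("action output is not a JSON object")
    if doc.get("has_error") or doc.get("error") is not None:
        raise ActionError(f"action failed: {doc.get('error')}")
    data = doc.get("data")
    if not isinstance(data, Mapping):
        raise ActionError("action output has no data object")
    missing = [k for k in REQUIRED_DATA_KEYS if not data.get(k)]
    if missing:
        raise ActionError(f"action output is missing {missing}")
    return {k: data[k] for k in REQUIRED_DATA_KEYS}


def output_is_valid(raw: str) -> bool:
    """Convenience wrapper: True if the output parses cleanly, False otherwise."""
    try:
        parse_action_output(raw)
        return True
    except (ActionError, ValueError):
        return False


# Constructed sample output following the shape shown on the page
# (the file ID and hash values are the page's placeholders, not real digests).
SAMPLE_OUTPUT = json.dumps({
    "data": {
        "lhub_file_id": "8as9ydfh9as8ydfghas9",
        "hash_md5": "f392puj293ufjwrehu9fh3p9",
        "hash_sha1": "oeirjg34i5htu345io345itj",
        "hash_sha256": "23jo4irtuj2394ru8hj3rf3rf",
    },
    "error": None,
    "has_error": False,
})

if __name__ == "__main__":
    print(sdk_command_params("select *", size=1))
    print(pcap_download_params([435636, 5746, 2347356]))
    print(parse_action_output(SAMPLE_OUTPUT))
```

The point of parse_action_output is that a downstream step should never read lhub_file_id or the hashes until has_error and error have been checked; an error result can carry a null or partial data object, and silently treating it as a successful download would let a failed PCAP retrieval pass through the playbook unnoticed.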

Release Notes

  • v2.0.0 - Updated architecture to support I/O via the filesystem.
  • v1.1.4 - Bug fix: added support for non-text files.
  • v1.1.0 - Added 1 new action: Download PCAP File.
  • v1.0.1 - Added 1 new action: Execute SDK Command.

© Devo Technology Inc. All Rights Reserved.