How to extract all the meta keys from the RAW Alerts and Incidents using Netwitness API
Issue
The documents below only fetch a few default meta keys from the RAW Alert and Incident. However, customers mostly require fetching exactly the same meta keys as those present in the respective event. https://community.netwitness.com/t5/netwitness-platform-online/api-guide-for-11-6/ta-p/627466 on page 24 (Get an Incident’s Alerts)
https://community.netwitness.com/t5/netwitness-knowledge-base/how-to-extract-netwitness-respond-incidents-and-alerts-using-api/ta-p/640766
Tasks
Resolution
Further to what is mentioned in the above documents, please use the "fetch" commands to extract the required information.
1. Fetches the RAW incidents based on the incident meta.
GET /rest/api/incident/fetch
"meta_name": the actual meta_name to be fetched
"meta_value": the value of the meta_name
"numberOfRecords": Total number of records to fetch.
"meta_name": the actual meta_name to be fetched
"meta_value": the value of the meta_name
"numberOfRecords": Total number of records to fetch.
Sample Request:
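# Sample request: fetch incidents whose "priority" meta is MEDIUM, limited to 2 records.
# The NetWitness-Token value is a truncated placeholder (eyJ...Rs-FA), not a usable token.
# "-d" ends with a backslash so the JSON body on the following lines stays part of this
# one curl command; without it the body is interpreted as a separate shell command.
# The body is sent with GET, as shown in the API guide.
curl 'https://api.netwitness.local/rest/api/incident/fetch' -i -X GET \
-H 'Accept: application/json;charset=UTF-8' \
-H 'NetWitness-Token: eyJ...Rs-FA' \
-H 'Content-Type: application/json; charset=UTF-8' \
-d \
'{"meta_name":"priority",
"meta_value":"MEDIUM",
"numberOfRecords":"2"}'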
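# Sample request: fetch incidents whose "priority" meta is MEDIUM, limited to 2 records.
# The NetWitness-Token value is a truncated placeholder (eyJ...Rs-FA), not a usable token.
# "-d" ends with a backslash so the JSON body on the following lines stays part of this
# one curl command; without it the body is interpreted as a separate shell command.
# The body is sent with GET, as shown in the API guide.
curl 'https://api.netwitness.local/rest/api/incident/fetch' -i -X GET \
-H 'Accept: application/json;charset=UTF-8' \
-H 'NetWitness-Token: eyJ...Rs-FA' \
-H 'Content-Type: application/json; charset=UTF-8' \
-d \
'{"meta_name":"priority",
"meta_value":"MEDIUM",
"numberOfRecords":"2"}'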
Sample Response:
HTTP/1.1 200
Server: nginx
Date: Tue, 29 Jun 2021 06:41:22 GMT
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
[
{
"id": "INC-26",
"name": "testEsa1 for test1",
"summary": null,
"priority": "MEDIUM",
"prioritySort": 1,
"riskScore": 30,
"status": "NEW",
"statusSort": 0,
"alertCount": 46,
"pinnedAlertCount": 0,
"containsPinnedAlerts": false,
"averageAlertRiskScore": 30,
"sealed": false,
"totalRemediationTaskCount": 0,
"openRemediationTaskCount": 0,
"hasRemediationTasks": false,
"created": "2021-06-29T06:27:36.889+00:00",
"lastUpdated": "2021-06-29T06:27:36.889+00:00",
"lastUpdatedByUser": null,
"assignee": null,
"sources": [
"Event Stream Analysis"
],
"ruleId": "60dabd2e299aa252deb219a4",
"firstAlertTime": "2021-06-29T06:27:33.049+00:00",
"timeWindowExpiration": "2021-06-29T07:27:33.049+00:00",
"groupByValues": [
"test1"
],
"categories": [],
"notes": null,
"createdBy": "testEsa1",
"dateIndicatorAggregationStart": "2021-06-19T06:27:33.049+00:00",
"breachExportStatus": "NONE",
"breachData": null,
"breachTag": null,
"hasDeletedAlerts": false,
"deletedAlertCount": 0,
"groupByDomain": null,
"enrichment": null,
"eventCount": 46,
"groupBySourceIp": [
"10.10.10.1",
"",
"10.10.2.3",
"10.10.10.4",
"10.10.1.5"
],
"groupByDestinationIp": [
""
],
"sentToArcher": false,
"createdFromRule": true
},
{
"id": "INC-27",
"name": "testEsa2 for test2",
"summary": null,
"priority": "MEDIUM",
"prioritySort": 1,
"riskScore": 30,
"status": "NEW",
"statusSort": 0,
"alertCount": 46,
"pinnedAlertCount": 0,
"containsPinnedAlerts": false,
"averageAlertRiskScore": 30,
"sealed": false,
"totalRemediationTaskCount": 0,
"openRemediationTaskCount": 0,
"hasRemediationTasks": false,
"created": "2021-06-29T06:27:36.927+00:00",
"lastUpdated": "2021-06-29T06:27:36.927+00:00",
"lastUpdatedByUser": null,
"assignee": null,
"sources": [
"Event Stream Analysis"
],
"ruleId": "60dabd2e299aa252deb219a5",
"firstAlertTime": "2021-06-29T06:27:36.026+00:00",
"timeWindowExpiration": "2021-06-29T07:27:36.026+00:00",
"groupByValues": [
"test2"
],
"categories": [],
"notes": null,
"createdBy": "testEsa2",
"dateIndicatorAggregationStart": "2021-06-19T06:27:36.026+00:00",
"breachExportStatus": "NONE",
"breachData": null,
"breachTag": null,
"hasDeletedAlerts": false,
"deletedAlertCount": 0,
"groupByDomain": null,
"enrichment": null,
"eventCount": 46,
"groupBySourceIp": [
"10.10.10.1",
"",
"10.10.2.3",
"10.10.10.4",
"10.10.1.5"
],
"groupByDestinationIp": [
""
],
"sentToArcher": false,
"createdFromRule": true
}
]
HTTP/1.1 200
Server: nginx
Date: Tue, 29 Jun 2021 06:41:22 GMT
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
[
{
"id": "INC-26",
"name": "testEsa1 for test1",
"summary": null,
"priority": "MEDIUM",
"prioritySort": 1,
"riskScore": 30,
"status": "NEW",
"statusSort": 0,
"alertCount": 46,
"pinnedAlertCount": 0,
"containsPinnedAlerts": false,
"averageAlertRiskScore": 30,
"sealed": false,
"totalRemediationTaskCount": 0,
"openRemediationTaskCount": 0,
"hasRemediationTasks": false,
"created": "2021-06-29T06:27:36.889+00:00",
"lastUpdated": "2021-06-29T06:27:36.889+00:00",
"lastUpdatedByUser": null,
"assignee": null,
"sources": [
"Event Stream Analysis"
],
"ruleId": "60dabd2e299aa252deb219a4",
"firstAlertTime": "2021-06-29T06:27:33.049+00:00",
"timeWindowExpiration": "2021-06-29T07:27:33.049+00:00",
"groupByValues": [
"test1"
],
"categories": [],
"notes": null,
"createdBy": "testEsa1",
"dateIndicatorAggregationStart": "2021-06-19T06:27:33.049+00:00",
"breachExportStatus": "NONE",
"breachData": null,
"breachTag": null,
"hasDeletedAlerts": false,
"deletedAlertCount": 0,
"groupByDomain": null,
"enrichment": null,
"eventCount": 46,
"groupBySourceIp": [
"10.10.10.1",
"",
"10.10.2.3",
"10.10.10.4",
"10.10.1.5"
],
"groupByDestinationIp": [
""
],
"sentToArcher": false,
"createdFromRule": true
},
{
"id": "INC-27",
"name": "testEsa2 for test2",
"summary": null,
"priority": "MEDIUM",
"prioritySort": 1,
"riskScore": 30,
"status": "NEW",
"statusSort": 0,
"alertCount": 46,
"pinnedAlertCount": 0,
"containsPinnedAlerts": false,
"averageAlertRiskScore": 30,
"sealed": false,
"totalRemediationTaskCount": 0,
"openRemediationTaskCount": 0,
"hasRemediationTasks": false,
"created": "2021-06-29T06:27:36.927+00:00",
"lastUpdated": "2021-06-29T06:27:36.927+00:00",
"lastUpdatedByUser": null,
"assignee": null,
"sources": [
"Event Stream Analysis"
],
"ruleId": "60dabd2e299aa252deb219a5",
"firstAlertTime": "2021-06-29T06:27:36.026+00:00",
"timeWindowExpiration": "2021-06-29T07:27:36.026+00:00",
"groupByValues": [
"test2"
],
"categories": [],
"notes": null,
"createdBy": "testEsa2",
"dateIndicatorAggregationStart": "2021-06-19T06:27:36.026+00:00",
"breachExportStatus": "NONE",
"breachData": null,
"breachTag": null,
"hasDeletedAlerts": false,
"deletedAlertCount": 0,
"groupByDomain": null,
"enrichment": null,
"eventCount": 46,
"groupBySourceIp": [
"10.10.10.1",
"",
"10.10.2.3",
"10.10.10.4",
"10.10.1.5"
],
"groupByDestinationIp": [
""
],
"sentToArcher": false,
"createdFromRule": true
}
]
2. Fetches the RAW alerts based on the alert meta.
GET /rest/api/alert/fetch
"meta_name": the actual alert meta_name to be fetched
"meta_value": the value of the meta_name
"numberOfRecords": Total number of records to fetch.
"includeFields" : The fields to be included as part of the returned respond.
"meta_name": the actual alert meta_name to be fetched
"meta_value": the value of the meta_name
"numberOfRecords": Total number of records to fetch.
"includeFields" : The fields to be included as part of the returned respond.
Sample Request:
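# Sample request: fetch alerts whose "alert.name" meta is test2, limited to 2 records.
# The NetWitness-Token value is a truncated placeholder (eyJ...Rs), not a usable token.
# "-d" ends with a backslash so the JSON body on the following lines stays part of this
# one curl command; without it the body is interpreted as a separate shell command.
# "includeFields" is passed here as the string "null", exactly as the article documents,
# not as a JSON null.
curl 'https://api.netwitness.local/rest/api/alert/fetch' -i -X GET \
-H 'Accept: application/json;charset=UTF-8' \
-H 'NetWitness-Token: eyJ...Rs' \
-H 'Content-Type: application/json; charset=UTF-8' \
-d \
'{
"meta_name":"alert.name",
"meta_value":"test2",
"numberOfRecords":"2",
"includeFields" : "null"
}'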
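# Sample request: fetch alerts whose "alert.name" meta is test2, limited to 2 records.
# The NetWitness-Token value is a truncated placeholder (eyJ...Rs), not a usable token.
# "-d" ends with a backslash so the JSON body on the following lines stays part of this
# one curl command; without it the body is interpreted as a separate shell command.
# "includeFields" is passed here as the string "null", exactly as the article documents,
# not as a JSON null.
curl 'https://api.netwitness.local/rest/api/alert/fetch' -i -X GET \
-H 'Accept: application/json;charset=UTF-8' \
-H 'NetWitness-Token: eyJ...Rs' \
-H 'Content-Type: application/json; charset=UTF-8' \
-d \
'{
"meta_name":"alert.name",
"meta_value":"test2",
"numberOfRecords":"2",
"includeFields" : "null"
}'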
Sample Response:
HTTP/1.1 200
Server: nginx
Date: Tue, 29 Jun 2021 06:50:40 GMT
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
[
{
"id": "60dabd58299aa252deb219bf",
"receivedTime": "2021-06-29T06:27:36.028+00:00",
"status": "GROUPED_IN_INCIDENT",
"errorMessage": null,
"originalHeaders": {
"name": "test2",
"description": null,
"version": 0,
"severity": 3,
"timestamp": 1624948056026,
"signatureId": "c4148f75e47204ca2e279a693d7514a9751ee1cb8e62bfbec5940fb2d76ff040",
"deviceVendor": "RSA Netwitness",
"deviceProduct": "Event Stream Analysis",
"deviceVersion": "11.6"
},
"originalRawAlert": null,
"originalAlert": {
"severity": 3,
"eventSourceId": "10.125.249.10:50005:2213",
"respondEnabled": true,
"moduleType": "ESA_BASIC",
"engineUri": "test-sa-managed",
"moduleName": "test2",
"suppressMessageBus": false,
"transientAlert": false,
"notificationReasons": [],
"actualEventsCount": 1,
"instanceId": "c4148f75e47204ca2e279a693d7514a9751ee1cb8e62bfbec5940fb2d76ff040",
"statement": "Module_60c9aef8e4b035381fea8fed_Alert",
"id": "0ee0787c-5210-4f5c-8ede-113fd90bc1f4",
"time": "Jun 29, 2021 06:27:36 AM UTC",
"moduleId": "60c9aef8e4b035381fea8fed",
"events": [
{
"ec_activity": "Logon",
"header_id": "0013",
"alias_host": [
"ibm132"
],
"event_cat_name": "User.Activity.Successful Logins",
"com_rsa_netwitness_streams_stream": "test-sa-managed-stream",
"ip_src": "10.10.10.1",
"device_type": "aix",
"sessionid": 2213,
"medium": 32,
"rid": 2213,
"forward_ip": "127.0.0.1",
"client": "ftpd",
"msg_id": "00002",
"device_disc": 50,
"ec_subject": "User",
"event_source_id": "10.125.249.10:50005:2213",
"com_rsa_netwitness_streams_arrival_timestamp": 1624948055024,
"esa_time": 1624948056026,
"ec_theme": "Authentication",
"device_disc_type": "aix",
"com_rsa_netwitness_streams_source_trail": [
"admin@10.125.249.10:50005"
],
"device_ip": "2.2.2.2",
"event_desc": "ftpd login",
"user_dst": "userA",
"size": 149,
"netname": [
"private src"
],
"device_class": "Unix",
"time": 1624948050000,
"ec_outcome": "Success",
"com_rsa_netwitness_streams_arrival_sequence": 25,
"did": "loghybrid"
}
],
"suppressNotification": false
},
"incidentId": "INC-27",
"partOfIncident": true,
"incidentCreated": "2021-06-29T06:27:36.927+00:00",
"pinnedEventIds": null,
"name": "test2",
"alert": {
"groupby_source_device_mac_address": "",
"user_summary": [
"userA"
],
"groupby_dst_device_geolocation_domain": "",
"source": "Event Stream Analysis",
"type": [
"Log"
],
"groupby_user_src": "",
"groupby_src_device_dns_domain": "",
"groupby_source_country": "",
"groupby_analysis_file": "",
"groupby_filename": "",
"groupby_source_username": "",
"groupby_detector_ip": "2.2.2.2",
"groupby_dst_usr_username": "userA",
"events": [
{
"agent_id": "",
"data": [
{
"filename": "",
"size": 149,
"hash": ""
}
],
HTTP/1.1 200
Server: nginx
Date: Tue, 29 Jun 2021 06:50:40 GMT
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
[
{
"id": "60dabd58299aa252deb219bf",
"receivedTime": "2021-06-29T06:27:36.028+00:00",
"status": "GROUPED_IN_INCIDENT",
"errorMessage": null,
"originalHeaders": {
"name": "test2",
"description": null,
"version": 0,
"severity": 3,
"timestamp": 1624948056026,
"signatureId": "c4148f75e47204ca2e279a693d7514a9751ee1cb8e62bfbec5940fb2d76ff040",
"deviceVendor": "RSA Netwitness",
"deviceProduct": "Event Stream Analysis",
"deviceVersion": "11.6"
},
"originalRawAlert": null,
"originalAlert": {
"severity": 3,
"eventSourceId": "10.125.249.10:50005:2213",
"respondEnabled": true,
"moduleType": "ESA_BASIC",
"engineUri": "test-sa-managed",
"moduleName": "test2",
"suppressMessageBus": false,
"transientAlert": false,
"notificationReasons": [],
"actualEventsCount": 1,
"instanceId": "c4148f75e47204ca2e279a693d7514a9751ee1cb8e62bfbec5940fb2d76ff040",
"statement": "Module_60c9aef8e4b035381fea8fed_Alert",
"id": "0ee0787c-5210-4f5c-8ede-113fd90bc1f4",
"time": "Jun 29, 2021 06:27:36 AM UTC",
"moduleId": "60c9aef8e4b035381fea8fed",
"events": [
{
"ec_activity": "Logon",
"header_id": "0013",
"alias_host": [
"ibm132"
],
"event_cat_name": "User.Activity.Successful Logins",
"com_rsa_netwitness_streams_stream": "test-sa-managed-stream",
"ip_src": "10.10.10.1",
"device_type": "aix",
"sessionid": 2213,
"medium": 32,
"rid": 2213,
"forward_ip": "127.0.0.1",
"client": "ftpd",
"msg_id": "00002",
"device_disc": 50,
"ec_subject": "User",
"event_source_id": "10.125.249.10:50005:2213",
"com_rsa_netwitness_streams_arrival_timestamp": 1624948055024,
"esa_time": 1624948056026,
"ec_theme": "Authentication",
"device_disc_type": "aix",
"com_rsa_netwitness_streams_source_trail": [
"admin@10.125.249.10:50005"
],
"device_ip": "2.2.2.2",
"event_desc": "ftpd login",
"user_dst": "userA",
"size": 149,
"netname": [
"private src"
],
"device_class": "Unix",
"time": 1624948050000,
"ec_outcome": "Success",
"com_rsa_netwitness_streams_arrival_sequence": 25,
"did": "loghybrid"
}
],
"suppressNotification": false
},
"incidentId": "INC-27",
"partOfIncident": true,
"incidentCreated": "2021-06-29T06:27:36.927+00:00",
"pinnedEventIds": null,
"name": "test2",
"alert": {
"groupby_source_device_mac_address": "",
"user_summary": [
"userA"
],
"groupby_dst_device_geolocation_domain": "",
"source": "Event Stream Analysis",
"type": [
"Log"
],
"groupby_user_src": "",
"groupby_src_device_dns_domain": "",
"groupby_source_country": "",
"groupby_analysis_file": "",
"groupby_filename": "",
"groupby_source_username": "",
"groupby_detector_ip": "2.2.2.2",
"groupby_dst_usr_username": "userA",
"events": [
{
"agent_id": "",
"data": [
{
"filename": "",
"size": 149,
"hash": ""
}
],
Product Details
NetWitness Product Set: NetWitness Platform
NetWitness Product/Service Type: Admin Server
NetWitness Version/Condition: 11.6.1 and above
Platform: CentOS 7 / Alma