
How to Extract Incident and Alert Data using the NetWitness Respond API

Issue

A user would like a way to retrieve Respond Incident and Alert data via the API so it may be stored or manipulated outside of the NetWitness Platform.


Resolution

Manual Method (step by step):
  • Obtaining the accessToken using Administrator credentials:
    • Using curl and existing Admin credentials, run the following command to obtain an access token:
    •  curl 'https://192.168.5.168/rest/api/auth/userpass'  -k -X POST -H 'Accept: application/json;charset=UTF-8' -H 'Content-Type: application/x-www-form-urlencoded; charset=ISO-8859-1' -d  'username=admin&password=netwitness' 2>&1 | awk '/accessToken/' | cut -d ',' -f 3 | cut -d '"' -f 4
    • The following items are placeholders and need to be replaced with your own values (my example values are shown):
      • Admin Server IP Address (this can also be a FQDN that is resolvable) = 192.168.5.168
      • username = admin
      • password = netwitness
    • Example Output:
[root@NEW-NW11-NW-NODE-ZERO ~]# curl 'https://192.168.5.168/rest/api/auth/userpass' -k -X POST -H 'Accept: application/json;charset=UTF-8' -H 'Content-Type: application/x-www-form-urlencoded; charset=ISO-8859-1' -d 'username=admin&password=netwitness' 2>&1 | awk '/accessToken/' | cut -d ',' -f 3 | cut -d '"' -f 4
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE3MjQzOTMxODc3NjAsImlzcyI6InNlY3VyaXR5LXNlcnZlci05MzUwZWZjZi02MmE0LTQzZmQtYjlmOC1lNGVlMDkwODQ4NDkiLCJpYXQiOjE3MjQzNTcxODc3NjAsImF1dGhvcml0aWVzIjpbIkFkbWluaXN0cmF0b3JzIl0sInVzZXJfbmFtZSI6ImFkbWluIn0.lm189BJvdMX-nG4NXJ_crea8ze81N7StfJ1--7jE1BnE2izu_rqGt4vPe9GMkGOqMYquLHlhFeMNYz73_CmoHRq65GE_ggNYGd-8xs0UKAw5BXWLT4HxVaK0v0suALkTnaghGHqMggMaEPDWYYdZPIapAhhb6DDMIMtjKijltemne_u55jCeYtjZ89iS11CgR5lIoUohsXz8Am-anmK0w5b5aXLTr7dPT3rq6OrHp_czax8OWCWUoNSYwKQnRk-OzyGDleCHyJ4InbTtP6rnmRxpi4XT0y5awb6BQaxmnQ2oWKPfbJc9aiCYTqf9kWLlH6stG7_F8dbdkIVWET8vWg

In the above example, my accessToken is the string returned on the last line, shown again here:

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE3MjQzOTMxODc3NjAsImlzcyI6InNlY3VyaXR5LXNlcnZlci05MzUwZWZjZi02MmE0LTQzZmQtYjlmOC1lNGVlMDkwODQ4NDkiLCJpYXQiOjE3MjQzNTcxODc3NjAsImF1dGhvcml0aWVzIjpbIkFkbWluaXN0cmF0b3JzIl0sInVzZXJfbmFtZSI6ImFkbWluIn0.lm189BJvdMX-nG4NXJ_crea8ze81N7StfJ1--7jE1BnE2izu_rqGt4vPe9GMkGOqMYquLHlhFeMNYz73_CmoHRq65GE_ggNYGd-8xs0UKAw5BXWLT4HxVaK0v0suALkTnaghGHqMggMaEPDWYYdZPIapAhhb6DDMIMtjKijltemne_u55jCeYtjZ89iS11CgR5lIoUohsXz8Am-anmK0w5b5aXLTr7dPT3rq6OrHp_czax8OWCWUoNSYwKQnRk-OzyGDleCHyJ4InbTtP6rnmRxpi4XT0y5awb6BQaxmnQ2oWKPfbJc9aiCYTqf9kWLlH6stG7_F8dbdkIVWET8vWg
  • Using that accessToken, plug it into the following command (after NetWitness-Token:) and adjust the placeholder items:
    • curl https://192.168.5.168/rest/api/incidents/INC-29932 -k -X GET -H 'Accept: application/json;charset=UTF-8' -H NetWitness-Token:
    • Example:
curl https://192.168.5.168/rest/api/incidents/INC-29932 -k -X GET -H 'Accept: application/json;charset=UTF-8' -H NetWitness-Token: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE3MjQzOTMxODc3NjAsImlzcyI6InNlY3VyaXR5LXNlcnZlci05MzUwZWZjZi02MmE0LTQzZmQtYjlmOC1lNGVlMDkwODQ4NDkiLCJpYXQiOjE3MjQzNTcxODc3NjAsImF1dGhvcml0aWVzIjpbIkFkbWluaXN0cmF0b3JzIl0sInVzZXJfbmFtZSI6ImFkbWluIn0.lm189BJvdMX-nG4NXJ_crea8ze81N7StfJ1--7jE1BnE2izu_rqGt4vPe9GMkGOqMYquLHlhFeMNYz73_CmoHRq65GE_ggNYGd-8xs0UKAw5BXWLT4HxVaK0v0suALkTnaghGHqMggMaEPDWYYdZPIapAhhb6DDMIMtjKijltemne_u55jCeYtjZ89iS11CgR5lIoUohsXz8Am-anmK0w5b5aXLTr7dPT3rq6OrHp_czax8OWCWUoNSYwKQnRk-OzyGDleCHyJ4InbTtP6rnmRxpi4XT0y5awb6BQaxmnQ2oWKPfbJc9aiCYTqf9kWLlH6stG7_F8dbdkIVWET8vWg
  • The following items are placeholders and need to be replaced with your own values (my example values are shown):
    • Admin Server IP Address (this can also be a FQDN that is resolvable) = 192.168.5.168
    • Incident ID = INC-29932
    • accessToken = (the token string obtained above)
  • Example Output (the returned incident details follow the command):
[root@NEW-NW11-NW-NODE-ZERO ~]# curl https://192.168.5.168/rest/api/incidents/INC-29932 -k -X GET -H 'Accept: application/json;charset=UTF-8' -H NetWitness-Token: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE3MjQzOTMxODc3NjAsImlzcyI6InNlY3VyaXR5LXNlcnZlci05MzUwZWZjZi02MmE0LTQzZmQtYjlmOC1lNGVlMDkwODQ4NDkiLCJpYXQiOjE3MjQzNTcxODc3NjAsImF1dGhvcml0aWVzIjpbIkFkbWluaXN0cmF0b3JzIl0sInVzZXJfbmFtZSI6ImFkbWluIn0.lm189BJvdMX-nG4NXJ_crea8ze81N7StfJ1--7jE1BnE2izu_rqGt4vPe9GMkGOqMYquLHlhFeMNYz73_CmoHRq65GE_ggNYGd-8xs0UKAw5BXWLT4HxVaK0v0suALkTnaghGHqMggMaEPDWYYdZPIapAhhb6DDMIMtjKijltemne_u55jCeYtjZ89iS11CgR5lIoUohsXz8Am-anmK0w5b5aXLTr7dPT3rq6OrHp_czax8OWCWUoNSYwKQnRk-OzyGDleCHyJ4InbTtP6rnmRxpi4XT0y5awb6BQaxmnQ2oWKPfbJc9aiCYTqf9kWLlH6stG7_F8dbdkIVWET8vWg

{"id":"INC-29932","title":"Interactive Users for interactive_users","summary":null,"priority":"Medium","riskScore":30,"status":"New","alertCount":1000,"averageAlertRiskScore":30,"sealed":true,"totalRemediationTaskCount":0,"openRemediationTaskCount":0,"created":"2024-07-29T21:55:58.734Z","lastUpdated":"2024-07-29T21:55:58.734Z","lastUpdatedBy":null,"assignee":null,"sources":["Event Stream Analysis"],"ruleId":"60c0e4f909aad51015030a28","firstAlertTime":"2024-07-19T18:27:50.073Z","categories":[],"journalEntries":null,"createdBy":"Interactive Users","deletedAlertCount":0,"eventCount":1000,"alertMeta":{"SourceIp":[""],"DestinationIp":["","73.216.234.102"]}}

  • To retrieve the constituent alert details for the same incident, use this example and adjust the placeholder items:
    •  curl 'https://192.168.5.168/rest/api/incidents/INC-29932/alerts?pageSize=5&pageNumber=0'  -k -X GET -H 'Accept: application/json;charset=UTF-8' -H NetWitness-Token:
    • Example:
curl 'https://192.168.5.168/rest/api/incidents/INC-29932/alerts?pageSize=5&pageNumber=0' -k -X GET -H 'Accept: application/json;charset=UTF-8' -H NetWitness-Token: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE3MjQzOTMxODc3NjAsImlzcyI6InNlY3VyaXR5LXNlcnZlci05MzUwZWZjZi02MmE0LTQzZmQtYjlmOC1lNGVlMDkwODQ4NDkiLCJpYXQiOjE3MjQzNTcxODc3NjAsImF1dGhvcml0aWVzIjpbIkFkbWluaXN0cmF0b3JzIl0sInVzZXJfbmFtZSI6ImFkbWluIn0.lm189BJvdMX-nG4NXJ_crea8ze81N7StfJ1--7jE1BnE2izu_rqGt4vPe9GMkGOqMYquLHlhFeMNYz73_CmoHRq65GE_ggNYGd-8xs0UKAw5BXWLT4HxVaK0v0suALkTnaghGHqMggMaEPDWYYdZPIapAhhb6DDMIMtjKijltemne_u55jCeYtjZ89iS11CgR5lIoUohsXz8Am-anmK0w5b5aXLTr7dPT3rq6OrHp_czax8OWCWUoNSYwKQnRk-OzyGDleCHyJ4InbTtP6rnmRxpi4XT0y5awb6BQaxmnQ2oWKPfbJc9aiCYTqf9kWLlH6stG7_F8dbdkIVWET8vWg
  • The following items are placeholders and need to be replaced with your own values (my example values are shown):
    • Admin Server IP Address (this can also be a FQDN that is resolvable) = 192.168.5.168
    • Incident ID = INC-29932
    • Number of Alerts to retrieve = 5
    • accessToken = (the token string obtained above)
  • Example Output (the returned alert details follow the command):
[root@NEW-NW11-NW-NODE-ZERO ~]# curl 'https://192.168.5.168/rest/api/incidents/INC-29932/alerts?pageSize=5&pageNumber=0' -k -X GET -H 'Accept: application/json;charset=UTF-8' -H NetWitness-Token: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE3MjQzOTMxODc3NjAsImlzcyI6InNlY3VyaXR5LXNlcnZlci05MzUwZWZjZi02MmE0LTQzZmQtYjlmOC1lNGVlMDkwODQ4NDkiLCJpYXQiOjE3MjQzNTcxODc3NjAsImF1dGhvcml0aWVzIjpbIkFkbWluaXN0cmF0b3JzIl0sInVzZXJfbmFtZSI6ImFkbWluIn0.lm189BJvdMX-nG4NXJ_crea8ze81N7StfJ1--7jE1BnE2izu_rqGt4vPe9GMkGOqMYquLHlhFeMNYz73_CmoHRq65GE_ggNYGd-8xs0UKAw5BXWLT4HxVaK0v0suALkTnaghGHqMggMaEPDWYYdZPIapAhhb6DDMIMtjKijltemne_u55jCeYtjZ89iS11CgR5lIoUohsXz8Am-anmK0w5b5aXLTr7dPT3rq6OrHp_czax8OWCWUoNSYwKQnRk-OzyGDleCHyJ4InbTtP6rnmRxpi4XT0y5awb6BQaxmnQ2oWKPfbJc9aiCYTqf9kWLlH6stG7_F8dbdkIVWET8vWg


{"items":[{"id":"66a7f750a6043e114fb0e892","title":"interactive_users","detail":null,"created":"2024-07-19T18:28:12.298Z","source":"Event Stream Analysis","riskScore":null,"type":"Log","events":[{"source":{"device":{"ipAddress":null,"port":null,"macAddress":null,"dnsHostname":null,"dnsDomain":null},"user":{"username":null,"emailAddress":null,"adUsername":null,"adDomain":null}},"destination":{"device":{"ipAddress":"73.216.234.102","port":null,"macAddress":null,"dnsHostname":null,"dnsDomain":null},"user":{"username":"apols_vpn","emailAddress":null,"adUsername":null,"adDomain":null}},"domain":"NEW-NW11-NW-NODE-ZERO","eventSource":"7ccc3524-5e03-48ad-9229-e6bbaa84dd37:50005","eventSourceId":"790821777"}]},{"id":"66a7f750a6043e114fb0e894","title":"interactive_users","detail":null,"created":"2024-07-19T18:28:21.303Z","source":"Event Stream Analysis","riskScore":null,"type":"Log","events":[{"source":{"device":{"ipAddress":null,"port":null,"macAddress":null,"dnsHostname":null,"dnsDomain":null},"user":{"username":"shop","emailAddress":"evanemail_src@email.com","adUsername":null,"adDomain":null}},"destination":{"device":{"ipAddress":null,"port":null,"macAddress":null,"dnsHostname":null,"dnsDomain":null},"user":{"username":null,"emailAddress":null,"adUsername":null,"adDomain":null}},"domain":"NEW-NW11-NW-NODE-ZERO","eventSource":"7ccc3524-5e03-48ad-9229-e6bbaa84dd37:50005","eventSourceId":"790821934"}]},{"id":"66a7f750a6043e114fb0e893","title":"interactive_users","detail":null,"created":"2024-07-19T18:28:09.298Z","source":"Event Stream Analysis","riskScore":null,"type":"Log","events":[{"source":{"device":{"ipAddress":null,"port":null,"macAddress":null,"dnsHostname":null,"dnsDomain":null},"user":{"username":null,"emailAddress":null,"adUsername":null,"adDomain":null}},"destination":{"device":{"ipAddress":"73.216.234.102","port":null,"macAddress":null,"dnsHostname":null,"dnsDomain":null},"user":{"username":"apols_vpn","emailAddress":null,"adUsername":null,"adDomain":null}},"domain":"NEW-NW11-NW-NODE-ZERO","eventSource":"d778b114-80f2-44bf-a75c-e59d035f4077:50002","eventSourceId":"671120527"}]},{"id":"66a7f750a6043e114fb0e895","title":"interactive_users","detail":null,"created":"2024-07-19T18:28:08.120Z","source":"Event Stream Analysis","riskScore":null,"type":"Log","events":[{"source":{"device":{"ipAddress":null,"port":null,"macAddress":null,"dnsHostname":null,"dnsDomain":null},"user":{"username":null,"emailAddress":null,"adUsername":null,"adDomain":null}},"destination":{"device":{"ipAddress":"73.216.234.102","port":null,"macAddress":null,"dnsHostname":null,"dnsDomain":null},"user":{"username":"apols_vpn","emailAddress":null,"adUsername":null,"adDomain":null}},"domain":"NEW-NW11-NW-NODE-ZERO","eventSource":"d778b114-80f2-44bf-a75c-e59d035f4077:50002","eventSourceId":"671120466"}]},{"id":"66a7f750a6043e114fb0e896","title":"interactive_users","detail":null,"created":"2024-07-19T18:28:26.302Z","source":"Event Stream Analysis","riskScore":null,"type":"Log","events":[{"source":{"device":{"ipAddress":null,"port":null,"macAddress":null,"dnsHostname":null,"dnsDomain":null},"user":{"username":null,"emailAddress":null,"adUsername":null,"adDomain":null}},"destination":{"device":{"ipAddress":"73.216.234.102","port":null,"macAddress":null,"dnsHostname":null,"dnsDomain":null},"user":{"username":"apols_vpn","emailAddress":null,"adUsername":null,"adDomain":null}},"domain":"NEW-NW11-NW-NODE-ZERO","eventSource":"d778b114-80f2-44bf-a75c-e59d035f4077:50002","eventSourceId":"671120733"}]}],"pageNumber":0,"pageSize":5,"totalPages":200,"totalItems":1000,"hasNext":true,"hasPrevious":false}

Scripted Method
  1. Download the attached script and copy it to a Linux host that has HTTPS/SSL/443 access to the Admin Server/NW-NODE-ZERO: nw_respond_inc-alert_call.sh
  2. Make the script executable by running:
    1. chmod +x /root/nw_respond_inc-alert_call.sh
  3. Execute the script with the following positional arguments (defined below):
    1. /root/nw_respond_inc-alert_call.sh  192.168.5.168 admin netwitness INC-29932 5
      1. Admin Server/Node Zero IP: 192.168.5.168
      2. Username : admin
      3. Password: netwitness
      4. Incident ID: INC-29932
      5. Number of Alerts to retrieve: 5
  4. Once executed, the script retrieves and prints:
    1. The variables passed
    2. The accessToken
    3. The Incident by itself
    4. The alerts related to that incident (capped at the number of alerts you specified; the incident may contain more alerts than that, as the totalItems field in the output shows)
Output:
[root@NEW-NW11-NW-NODE-ZERO ~]# /root/nw_respond_inc-alert_call.sh 192.168.5.168 admin netwitness INC-29932 5

Variable Inputs :


Admin Server IP = 192.168.5.168
Username = admin
Password = netwitness
Incident ID = INC-29932
Number of Alerts to Return = 5

Transient Access Token: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE3MjQzOTU1MTM0MDUsImlzcyI6InNlY3VyaXR5LXNlcnZlci05MzUwZWZjZi02MmE0LTQzZmQtYjlmOC1lNGVlMDkwODQ4NDkiLCJpYXQiOjE3MjQzNTk1MTM0MDUsImF1dGhvcml0aWVzIjpbIkFkbWluaXN0cmF0b3JzIl0sInVzZXJfbmFtZSI6ImFkbWluIn0.hfu1ms355J7Gt4PmMxl1x8pmRStRvI_FCAq-haYMatY71xRytFbm8sw4bm2y8XzyVPw96f6dqA7i_77bv0N4YtUD0Lf1ug3IyKtQZ9rCdmPsYV8SwLLjfmgvEIW50wJqErsyMhLjCOxg48fhOnATLbP7_1LAAHVRSXUwYyee1VMzHabgsefOl7NbFBAoPrCqbuAAvLdW1LXFKMy-5I0V4bc5hwcs6BlC8CI2p7UjTSIlDSzgWCCNGg7Rmu319t_VV1RZVWkzhMDFNSqu57NFlfAYUSOkmU0Far6YuGx_EvQ4m6O7B7ypR4TL1PFE9yNUx8dA1dEX9MhOZInk1sxpQg


Retrieving incident details for INC-29932 :


{"id":"INC-29932","title":"Interactive Users for interactive_users","summary":null,"priority":"Medium","riskScore":30,"status":"New","alertCount":1000,"averageAlertRiskScore":30,"sealed":true,"totalRemediationTaskCount":0,"openRemediationTaskCount":0,"created":"2024-07-29T21:55:58.734Z","lastUpdated":"2024-07-29T21:55:58.734Z","lastUpdatedBy":null,"assignee":null,"sources":["Event Stream Analysis"],"ruleId":"60c0e4f909aad51015030a28","firstAlertTime":"2024-07-19T18:27:50.073Z","categories":[],"journalEntries":null,"createdBy":"Interactive Users","deletedAlertCount":0,"eventCount":1000,"alertMeta":{"SourceIp":[""],"DestinationIp":["","73.216.234.102"]}}

Retrieving 5 Alerts details for INC-29932 :


{"items":[{"id":"66a7f750a6043e114fb0e892","title":"interactive_users","detail":null,"created":"2024-07-19T18:28:12.298Z","source":"Event Stream Analysis","riskScore":null,"type":"Log","events":[{"source":{"device":{"ipAddress":null,"port":null,"macAddress":null,"dnsHostname":null,"dnsDomain":null},"user":{"username":null,"emailAddress":null,"adUsername":null,"adDomain":null}},"destination":{"device":{"ipAddress":"73.216.234.102","port":null,"macAddress":null,"dnsHostname":null,"dnsDomain":null},"user":{"username":"apols_vpn","emailAddress":null,"adUsername":null,"adDomain":null}},"domain":"NEW-NW11-NW-NODE-ZERO","eventSource":"7ccc3524-5e03-48ad-9229-e6bbaa84dd37:50005","eventSourceId":"790821777"}]},{"id":"66a7f750a6043e114fb0e894","title":"interactive_users","detail":null,"created":"2024-07-19T18:28:21.303Z","source":"Event Stream Analysis","riskScore":null,"type":"Log","events":[{"source":{"device":{"ipAddress":null,"port":null,"macAddress":null,"dnsHostname":null,"dnsDomain":null},"user":{"username":"shop","emailAddress":"evanemail_src@email.com","adUsername":null,"adDomain":null}},"destination":{"device":{"ipAddress":null,"port":null,"macAddress":null,"dnsHostname":null,"dnsDomain":null},"user":{"username":null,"emailAddress":null,"adUsername":null,"adDomain":null}},"domain":"NEW-NW11-NW-NODE-ZERO","eventSource":"7ccc3524-5e03-48ad-9229-e6bbaa84dd37:50005","eventSourceId":"790821934"}]},{"id":"66a7f750a6043e114fb0e893","title":"interactive_users","detail":null,"created":"2024-07-19T18:28:09.298Z","source":"Event Stream Analysis","riskScore":null,"type":"Log","events":[{"source":{"device":{"ipAddress":null,"port":null,"macAddress":null,"dnsHostname":null,"dnsDomain":null},"user":{"username":null,"emailAddress":null,"adUsername":null,"adDomain":null}},"destination":{"device":{"ipAddress":"73.216.234.102","port":null,"macAddress":null,"dnsHostname":null,"dnsDomain":null},"user":{"username":"apols_vpn","emailAddress":null,"adUsername":null,"adDomain":null}},"domain":"NEW-NW11-NW-NODE-ZERO","eventSource":"d778b114-80f2-44bf-a75c-e59d035f4077:50002","eventSourceId":"671120527"}]},{"id":"66a7f750a6043e114fb0e895","title":"interactive_users","detail":null,"created":"2024-07-19T18:28:08.120Z","source":"Event Stream Analysis","riskScore":null,"type":"Log","events":[{"source":{"device":{"ipAddress":null,"port":null,"macAddress":null,"dnsHostname":null,"dnsDomain":null},"user":{"username":null,"emailAddress":null,"adUsername":null,"adDomain":null}},"destination":{"device":{"ipAddress":"73.216.234.102","port":null,"macAddress":null,"dnsHostname":null,"dnsDomain":null},"user":{"username":"apols_vpn","emailAddress":null,"adUsername":null,"adDomain":null}},"domain":"NEW-NW11-NW-NODE-ZERO","eventSource":"d778b114-80f2-44bf-a75c-e59d035f4077:50002","eventSourceId":"671120466"}]},{"id":"66a7f750a6043e114fb0e896","title":"interactive_users","detail":null,"created":"2024-07-19T18:28:26.302Z","source":"Event Stream Analysis","riskScore":null,"type":"Log","events":[{"source":{"device":{"ipAddress":null,"port":null,"macAddress":null,"dnsHostname":null,"dnsDomain":null},"user":{"username":null,"emailAddress":null,"adUsername":null,"adDomain":null}},"destination":{"device":{"ipAddress":"73.216.234.102","port":null,"macAddress":null,"dnsHostname":null,"dnsDomain":null},"user":{"username":"apols_vpn","emailAddress":null,"adUsername":null,"adDomain":null}},"domain":"NEW-NW11-NW-NODE-ZERO","eventSource":"d778b114-80f2-44bf-a75c-e59d035f4077:50002","eventSourceId":"671120733"}]}],"pageNumber":0,"pageSize":5,"totalPages":200,"totalItems":1000,"hasNext":true,"hasPrevious":false}
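As an added example (not the article's attached nw_respond_inc-alert_call.sh script), the following Python reads the same alerts endpoint, follows pageNumber/hasNext through every alert of an incident instead of the single page the manual call returns, and checks the transient accessToken's expiry before using it. It assumes the token is a JWT whose exp claim is a millisecond epoch, as the 13-digit value in the sample token above suggests; base_url, token and incident ID are placeholders, and the sample_token/sample_pages helpers construct offline test data in the article's response shape.

```python
# Added example, not the article's attached script: reads the Respond endpoints shown above,
# pages through every alert of an incident (the manual call returns one page) and checks the
# transient accessToken's expiry before use. Assumed, not confirmed by the article: the token
# is a JWT whose "exp" claim is a millisecond epoch (the sample token above has 13 digits).
import base64, json, ssl, time, urllib.request

def jwt_expiry_seconds(token):
    # Decode the payload segment only; no signature check, the server validates the token.
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    exp = json.loads(base64.urlsafe_b64decode(payload))["exp"]
    return exp / 1000 if exp > 10**11 else exp  # 13-digit value means milliseconds

def token_is_usable(token, now=None, margin=60):
    now = time.time() if now is None else now
    return jwt_expiry_seconds(token) - margin > now

def collect_alerts(fetch_page, incident_id, page_size=100):
    # Follow pageNumber/hasNext until all alerts are read; fetch_page returns a parsed page.
    alerts, page_number = [], 0
    while True:
        page = fetch_page(incident_id, page_size, page_number)
        alerts.extend(page["items"])
        if not page.get("hasNext") or not page["items"]:
            return alerts
        page_number += 1

def make_fetch_page(base_url, token, verify_tls=True):
    # Live fetcher for the alerts endpoint; verify_tls=False is what the article's curl -k does.
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    def fetch_page(incident_id, page_size, page_number):
        url = (f"{base_url}/rest/api/incidents/{incident_id}/alerts"
               f"?pageSize={page_size}&pageNumber={page_number}")
        req = urllib.request.Request(url, headers={
            "Accept": "application/json;charset=UTF-8", "NetWitness-Token": token})
        with urllib.request.urlopen(req, context=ctx) as resp:
            return json.load(resp)
    return fetch_page

def sample_token(exp_ms):
    # Constructed, unsigned JWT-shaped sample for offline testing (not a real token).
    seg = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{seg({'alg': 'none'})}.{seg({'exp': exp_ms, 'user_name': 'admin'})}.sig"

def sample_pages(total_items):
    # Constructed offline stand-in for the endpoint, mirroring the article's response keys.
    def fetch_page(incident_id, size, number):
        start, end = number * size, min(number * size + size, total_items)
        return {"items": [{"id": f"alert-{i}"} for i in range(start, end)], "pageNumber": number,
                "pageSize": size, "totalItems": total_items, "hasNext": end < total_items}
    return fetch_page
```

Against a live Admin Server, `collect_alerts(make_fetch_page("https://192.168.5.168", token), "INC-29932")` returns all 1000 alerts of the article's incident rather than the 5 shown above, guarded by `token_is_usable(token)` first.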

Notes

For additional information on using the NetWitness API, please refer to the NetWitness API Guide.

Product Details

NetWitness Product Set: NetWitness Logs and Packets
NetWitness Product/Service Type: Admin Server, Respond, ESA Primary
NetWitness Version/Condition: 12.3+
Platform: CentOS, AlmaLinux

Attachments:
nw_respond_inc-alert_call.sh