RSA NetWitness v11.1

Use the RSA NetWitness integration for systems Logs, Network, and endpoint visibility for real-time collection, detection, and automated response on Demisto.

Providing full session analysis, customers can extract critical data and effectively operate security operations automated playbook.

Use Cases


  • Monitor NetWitness incidents.
  • Update existing incident.
  • Query incidents in a specific time frame.

Prerequisites


You need the server URL and a valid NetWitness account before configuring a new instance.

Required Permissions


The following permission is required for all commands.

  • integration-server.api.access

Configure RSA Netwitness on Demisto


  1. Navigate to Settings > Integrations > Servers & Services .
  2. Search for RSA netwitness.
  3. Click Add instance to create and configure a new integration instance.
    • Name : A textual name for the integration instance.
    • Server URL : Exchange server URL.
    • Credentials : Your personal account username.
    • Password : Your personal account password.
    • Fetched incidents data : The integration imports NetWitness incident, and all alerts related, as Demisto incident. All incidents created 24 hours prior to the configuration of ‘Fetch-incidents’  and up to current time will be imported.
    • On Fetch incidents, import all alerts related to the incident .
    • Fetch time: First fetch timestamp.
  4. Click Test to validate the URLs and token.

Fetched Incidents Data


To use Fetch incidents, select the Fetch Incidents checkbox when configuring a new integration instance.

By default, the integration will import NetWitness incidents data as Demisto incidents.

To import related alerts data in addition to the incidents data, select the relevant checkbox in the instance settings.

All incidents created 24 hours prior to the configuration of Fetch Incidents and up to current time will be imported.

Commands


You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook.
After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. Get details for a specific incident: netwitness-get-incident
  2. Get a list of incidents: netwitness-get-incidents
  3. Update an incident: netwitness-update-incident
  4. Delete an incident: netwitness-delete-incident
  5. Get all alerts for an incident: netwitness-get-alerts

1. Get details for a specific incident


Get details of a specific incident, including all alerts related with the incident.

Base Command

netwitness-get-incident

Input
Argument Name Description Required
incidentId The incident ID Required

Context Output
Path Description
NetWitness.Incidents.id The unique identifier of the incident.
NetWitness.Incidents.title Title of the incident.
NetWitness.Incidents.summary Summary of the incident.
NetWitness.Incidents.priority The incident priority.
NetWitness.Incidents.riskScore Incident risk score calculated based on associated alert’s risk score. Risk score ranges from 0 (no risk) to 100 (highest risk).
NetWitness.Incidents.status The current status.
NetWitness.Incidents.alertCount Number of alerts associated with the Incident.
NetWitness.Incidents.averageAlertRiskScore Average risk score of the alerts associated with the incident.
NetWitness.Incidents.sealed Indicates if additional alerts can be associated with an incident.
NetWitness.Incidents.totalRemediationTaskCount The number of total remediation tasks for the incident.
NetWitness.Incidents.openRemediationTaskCount The number of open remediation tasks for the incident.
NetWitness.Incidents.created The timestamp of when the incident is created.
NetWitness.Incidents.lastUpdated The timestamp of when the incident was last updated.
NetWitness.Incidents.lastUpdatedBy The NetWitness user identifier of the user who last updated the incident.
NetWitness.Incidents.assignee The NetWitness user identifier of the user currently working on the incident.
NetWitness.Incidents.sources Unique set of sources for all of the Alerts in the incident.
NetWitness.Incidents.ruleId The unique identifier of the rule that created the incident.
NetWitness.Incidents.firstAlertTime The timestamp of the earliest occurring Alert in this incident.
NetWitness.Incidents.categories.id The unique category identifier.
NetWitness.Incidents.categories.parent Parent name of the category.
NetWitness.Incidents.categories.name Friendly name of the category.
NetWitness.Incidents.journalEntries.id The unique journal entry identifier.
NetWitness.Incidents.journalEntries.author The author of this entry.
NetWitness.Incidents.journalEntries.notes Notes and observations about the incident.
NetWitness.Incidents.journalEntries.created The timestamp of the journal entry created date.
NetWitness.Incidents.journalEntries.lastUpdated The timestamp of the journal entry last updated date.
NetWitness.Incidents.journalEntries.milestone Incident milestone classifier.
NetWitness.Incidents.createdBy The NetWitness user id or name of the rule that created the incident.
NetWitness.Incidents.deletedAlertCount The number of alerts that are deleted from theincident.
NetWitness.Incidents.eventCount Number of events associated with incident.
NetWitness.Incidents.alertMeta.SourceIp Unique source IP addresses.
NetWitness.Incidents.alertMeta.DestinationIp Unique destination IP addresses.
NetWitness.Alerts.id The unique alert identifier.
NetWitness.Alerts.incidentId The incident id associated with the alert.
NetWitness.Alerts.title The title or name of the rule that created the alert.
NetWitness.Alerts.detail The details of the alert. This can be the module name or meta that the module included.
NetWitness.Alerts.created The timestamp of the alert created date.
NetWitness.Alerts.source The source of this alert. For example, "Event Stream Analysis", "Malware Analysis", etc.
NetWitness.Alerts.riskScore The risk score of this alert, usually in the range 0 - 100.
NetWitness.Alerts.type Type of alert, "Network", "Log", etc.
NetWitness.Alerts.events.source.device.ipAddress The IP address.
NetWitness.Alerts.events.source.device.port The port.
NetWitness.Alerts.events.source.device.macAddress The ethernet MAC address.
NetWitness.Alerts.events.source.device.dnsHostname The DNS resolved hostname.
NetWitness.Alerts.events.source.device.dnsDomain The top-level domain from the DNS resolved hostname
NetWitness.Alerts.events.source.user.username The unique username.
NetWitness.Alerts.events.source.user.emailAddress An email address.
NetWitness.Alerts.events.source.user.adUsername An Active Directory (AD) username.
NetWitness.Alerts.events.source.user.adDomain An Active Directory (AD) domain
NetWitness.Alerts.events.destination.device.ipAddress The IP address.
NetWitness.Alerts.events.destination.device.port The port.
NetWitness.Alerts.events.destination.device.macAddress The ethernet MAC address.
NetWitness.Alerts.events.destination.device.dnsHostname The DNS resolved hostname.
NetWitness.Alerts.events.destination.device.dnsDomain The top-level domain from the DNS resolved hostname
NetWitness.Alerts.events.destination.user.username The unique username.
NetWitness.Alerts.events.destination.user.emailAddress An email address.
NetWitness.Alerts.events.destination.user.adUsername An Active Directory (AD) username.
NetWitness.Alerts.events.destination.user.adDomain An Active Directory (AD) domain

Command Example
!NetWitness -get-incident incidentId="INC-1"
Context Example
{
    "NetWitness": {
        "Alerts": {
            "created": "2018-03-15T16:39:18.777Z",
            "detail": null,
            "events": [
                {
                    "destination": {
                        "device": {
                            "dnsDomain": null,
                            "dnsHostname": null,
                            "ipAddress": "192.168.5.###",
                            "macAddress": "00:0C:29:62:29:##",
                            "port": 23
                        },
                        "user": {
                            "adDomain": null,
                            "adUsername": null,
                            "emailAddress": null,
                            "username": "administrator"
                        }
                    },
                    "domain": null,
                    "eventSource": null,
                    "eventSourceId": "7",
                    "source": {
                        "device": {
                            "dnsDomain": null,
                            "dnsHostname": null,
                            "ipAddress": "192.168.5.###",
                            "macAddress": "00:0C:29:D1:39:##",
                            "port": 1045
                        },
                        "user": {
                            "adDomain": null,
                            "adUsername": null,
                            "emailAddress": null,
                            "username": "administrator"
                        }
                    }
                }
            ],
            "id": "5aaaa1b69a95133336911c93",
            "incidentId": "INC-12",
            "riskScore": 50,
            "source": "NetWitness Investigate",
            "title": "Network Alert1",
            "type": "Network"
        },
        "Incidents": {
            "alertCount": 1,
            "alertMeta": {
                "DestinationIp": [
                    "192.168.5.###"
                ],
                "SourceIp": [
                    "192.168.5.###"
                ]
            },
            "assignee": null,
            "averageAlertRiskScore": 50,
            "categories": [],
            "created": "2018-03-15T16:39:18.802Z",
            "createdBy": "admin",
            "deletedAlertCount": 0,
            "eventCount": 1,
            "firstAlertTime": null,
            "id": "INC-12",
            "journalEntries": null,
            "lastUpdated": "2018-03-16T05:51:03.233Z",
            "lastUpdatedBy": "admin",
            "openRemediationTaskCount": 0,
            "priority": "Medium",
            "riskScore": 50,
            "ruleId": null,
            "sealed": false,
            "sources": [
                "NetWitness Investigate"
            ],
            "status": "New",
            "summary": "",
            "title": "Network Alert1",
            "totalRemediationTaskCount": 0
        }
    }
}
Human Readable Output

Incident INC-12 Alerts

Alert Details

ID Title Detail Created Source Risk score Type Total events
5aaaa1b69a95133336911c93 Network Alert1 2018-03-15T16:39:18.777Z NetWitness Investigate 50 Network 1

Event Details

Domain: None
Source: None
ID: 7

Source

Device IP Device Port Device MAC User UserName
192.168.5.189 1045 00:0C:29:D1:39:5D administrator

Destination

Device IP Device Port Device MAC User UserName
192.168.5.172 23 00:0C:29:62:29:43 administrator

2. Get a list of incidents


Get a list of incidents in a specific time frame. All arguments are optional, but you need to specify at least one argument for the command to execute successfully.

Base Command

netwitness-get-incidents

Input
Argument Name Description Required
since Timestamp in ISO 8601 format (2018-01-01T14:00:00.000Z). Use to retrieve incidents created on and after this timestamp. Optional
until Timestamp in ISO 8601 format (2018-01-01T14:00:00.000Z). Use to retrieve incidents created on and before this timestamp. Optional
limit Maximum number of incidents to retrieve. Default is 200. Optional
lastDays Use this to retrieve incidents from the previous number of days. Optional

Context Output
Path Description
NetWitness.Incidents.id Unique identifier of the incident
NetWitness.Incidents.title Title of the incident
NetWitness.Incidents.summary Summary of the incident
NetWitness.Incidents.priority The incident priority
NetWitness.Incidents.riskScore Incident risk score calculated based on associated alert’s risk score. Risk score ranges from 0 (no risk) to 100 (highest risk).
NetWitness.Incidents.status The current status of the incident
NetWitness.Incidents.alertCount Number of alerts associated with the incident
NetWitness.Incidents.averageAlertRiskScore Average risk score of the alerts associated with the incident
NetWitness.Incidents.sealed Indicates if additional alerts can be associated with an incident
NetWitness.Incidents.totalRemediationTaskCount The number of total remediation tasks for the incident
NetWitness.Incidents.openRemediationTaskCount The number of open remediation tasks for the incident
NetWitness.Incidents.created The timestamp of when the incident is created
NetWitness.Incidents.lastUpdated The timestamp of when the incident was last updated
NetWitness.Incidents.lastUpdatedBy The NetWitness user identifier of the user who last updated the incident
NetWitness.Incidents.assignee The NetWitness user identifier of the user currently working on the incident
NetWitness.Incidents.sources Unique set of sources for all alerts in the incident
NetWitness.Incidents.ruleId The unique identifier of the rule that created the incident
NetWitness.Incidents.firstAlertTime The timestamp of the earliest occurring alert in this incident
NetWitness.Incidents.categories.id The unique category identifier
NetWitness.Incidents.categories.parent Parent name of the category
NetWitness.Incidents.categories.name Friendly name of the category
NetWitness.Incidents.journalEntries.id The unique journal entry identifier
NetWitness.Incidents.journalEntries.author The author of this entry
NetWitness.Incidents.journalEntries.notes Notes and observations about the incident
NetWitness.Incidents.journalEntries.created The timestamp of the journal entry created date
NetWitness.Incidents.journalEntries.lastUpdated The timestamp of the journal entry last updated date
NetWitness.Incidents.journalEntries.milestone Incident milestone classifier
NetWitness.Incidents.createdBy The NetWitness user ID or username of the rule that created the incident
NetWitness.Incidents.deletedAlertCount The number of alerts that are deleted from the incident
NetWitness.Incidents.eventCount Number of events associated with incident
NetWitness.Incidents.alertMeta.SourceIp Unique source IP addresses
NetWitness.Incidents.alertMeta.DestinationIp Unique destination IP addresses

Command Examples
!NetWitness -get-incidents since=2018-01-01T14:00:00.000Z limit=200

!NetWitness -get-incidents lastDays=4
Context Example
{
    "NetWitness": {
        "Incidents": [
            {
                "alertCount": 1,
                "alertMeta": {
                    "DestinationIp": [
                        ""
                    ],
                    "SourceIp": [
                        ""
                    ]
                },
                "assignee": null,
                "averageAlertRiskScore": 50,
                "categories": [],
                "created": "2018-03-29T13:55:55.644Z",
                "createdBy": "admin",
                "deletedAlertCount": 0,
                "eventCount": 2,
                "firstAlertTime": null,
                "id": "INC-23",
                "journalEntries": null,
                "lastUpdated": "2018-03-29T13:55:55.644Z",
                "lastUpdatedBy": "admin",
                "openRemediationTaskCount": 0,
                "priority": "Critical",
                "riskScore": 50,
                "ruleId": null,
                "sealed": false,
                "sources": [
                    "NetWitness Investigate"
                ],
                "status": "New",
                "summary": "summary test ",
                "title": "test incident",
                "totalRemediationTaskCount": 0
            },
            {
                "alertCount": 1,
                "alertMeta": {
                    "DestinationIp": [
                        "75.98.175.###"
                    ],
                    "SourceIp": [
                        "192.168.11.###"
                    ]
                },
                "assignee": null,
                "averageAlertRiskScore": 50,
                "categories": [],
                "created": "2018-03-27T16:07:19.521Z",
                "createdBy": "admin",
                "deletedAlertCount": 0,
                "eventCount": 1,
                "firstAlertTime": null,
                "id": "INC-14",
                "journalEntries": null,
                "lastUpdated": "2018-03-27T16:07:19.521Z",
                "lastUpdatedBy": "admin",
                "openRemediationTaskCount": 0,
                "priority": "Critical",
                "riskScore": 50,
                "ruleId": null,
                "sealed": false,
                "sources": [
                    "NetWitness Investigate"
                ],
                "status": "New",
                "summary": "",
                "title": "log",
                "totalRemediationTaskCount": 0
            }
        ]
    }
}
Human Readable Output

NetWitness Get Incidents

Incident Details

ID Title Summary Risk score Status Alert count Created Last updated Assignee Sources Categories
INC-23 test incident summary test 50 New 1 2018-03-29T13:55:55.644Z 2018-03-29T13:55:55.644Z NetWitness Investigate
INC-22 test blob 60 Assigned 1 2018-03-29T13:41:00.965Z 2018-07-12T13:54:47.194Z admin NetWitness Investigate Physical:Connection
INC-21 User Behavior for test_user 30 New 1 2018-03-28T19:27:48.521Z 2018-03-28T19:27:48.521Z Event Stream Analysis
INC-20 ttyyy 50 New 1 2018-03-27T16:16:01.899Z 2018-03-27T16:16:01.899Z NetWitness Investigate
INC-19 test 50 New 1 2018-03-27T16:15:50.027Z 2018-03-27T16:15:50.027Z NetWitness Investigate
INC-18 log3 50 New 1 2018-03-27T16:08:10.565Z 2018-03-27T16:08:10.565Z NetWitness Investigate
INC-17 log4 50 New 1 2018-03-27T16:07:55.403Z 2018-03-27T16:07:55.403Z NetWitness Investigate
INC-16 log2 50 New 1 2018-03-27T16:07:43.418Z 2018-03-27T16:07:43.418Z NetWitness Investigate

3. Update an incident


Update a specific incident. Currently, an incident’s status and assignee may be modified

Base Command

netwitness-update-incident

Input
Argument Name Description Required
incidentId The incident ID Required
status The incident's current status Optional
assignee The NetWitness user identifier of the user currently working on the incident Optional

Context Output
Path Description
NetWitness.Incidents.id The unique identifier of the incident.
NetWitness.Incidents.title Title of the incident
NetWitness.Incidents.summary Summary of the incident
NetWitness.Incidents.priority The incident priority
NetWitness.Incidents.riskScore Incident risk score calculated based on associated alert’s risk score. Risk score ranges from 0 (no risk) to 100 (highest risk).
NetWitness.Incidents.status The current status of the incident
NetWitness.Incidents.alertCount Number of alerts associated with the incident
NetWitness.Incidents.averageAlertRiskScore Average risk score of the alerts associated with the incident
NetWitness.Incidents.sealed Indicates if additional alerts can be associated with an incident
NetWitness.Incidents.totalRemediationTaskCount The number of total remediation tasks for the incident
NetWitness.Incidents.openRemediationTaskCount The number of open remediation tasks for the incident
NetWitness.Incidents.created The timestamp of when the incident is created
NetWitness.Incidents.lastUpdated The timestamp of when the incident was last updated
NetWitness.Incidents.lastUpdatedBy The NetWitness user identifier of the user who last updated the incident
NetWitness.Incidents.assignee The NetWitness user identifier of the user currently working on the incident
NetWitness.Incidents.sources Unique set of sources for all alerts in the incident
NetWitness.Incidents.ruleId The unique identifier of the rule that created the incident
NetWitness.Incidents.firstAlertTime The timestamp of the earliest occurring alert in this incident
NetWitness.Incidents.categories.id The unique category identifier
NetWitness.Incidents.categories.parent Parent name of the category
NetWitness.Incidents.categories.name Friendly name of the category
NetWitness.Incidents.journalEntries.id The unique journal entry identifier
NetWitness.Incidents.journalEntries.author The author of this entry
NetWitness.Incidents.journalEntries.notes Notes and observations about the incident
NetWitness.Incidents.journalEntries.created The timestamp of the journal entry created date
NetWitness.Incidents.journalEntries.lastUpdated The timestamp of the journal entry last updated date
NetWitness.Incidents.journalEntries.milestone Incident milestone classifier
NetWitness.Incidents.createdBy The NetWitness user ID or username of the rule that created the incident
NetWitness.Incidents.deletedAlertCount The number of alerts that are deleted from the incident
NetWitness.Incidents.eventCount Number of events associated with incident
NetWitness.Incidents.alertMeta.SourceIp Unique source IP addresses
NetWitness.Incidents.alertMeta.DestinationIp Unique destination IP addresses

Command Example
!netwitness-update-incident incidentId=INC-12 status=InProgress
Context Example
{
    "NetWitness": {
        "Incidents": {
            "alertCount": 1,
            "alertMeta": {
                "DestinationIp": [
                    "192.168.5.172"
                ],
                "SourceIp": [
                    "192.168.5.189"
                ]
            },
            "assignee": null,
            "averageAlertRiskScore": 50,
            "categories": [],
            "created": "2018-03-15T16:39:18.802Z",
            "createdBy": "admin",
            "deletedAlertCount": 0,
            "eventCount": 1,
            "firstAlertTime": null,
            "id": "INC-12",
            "journalEntries": null,
            "lastUpdated": "2018-08-28T16:18:20.858Z",
            "lastUpdatedBy": "admin",
            "openRemediationTaskCount": 0,
            "priority": "Medium",
            "riskScore": 50,
            "ruleId": null,
            "sealed": true,
            "sources": [
                "NetWitness Investigate"
            ],
            "status": "InProgress",
            "summary": "",
            "title": "Network Alert1",
            "totalRemediationTaskCount": 0
        }
    }
}
Human Readable Output

NetWitness Update Incident

Incident Details

ID Title Summary Risk score Status Alert count Created Last updated Assignee Sources Categories
INC-12 Network Alert1 50 InProgress 1 2018-03-15T16:39:18.802Z 2018-08-28T16:18:20.858Z NetWitness Investigate

4. Delete an incident


Delete a specific incident, according to the incident ID.

Base Command

netwitness-delete-incident

Input
Argument Name Description Required
incidentId The incident ID Required

Context Output

There is no context output for this command.

Command Example
!netwitness-delete-incident incidentId=INC-12

5. Get all alerts for an incident


Get all the alerts related to a specific incident.

Base Command

netwitness-get-alerts

Input
Argument Name Description Required
incidentId The incident ID Required

Context Output
Path Description
NetWitness.Alerts.id The unique alert identifier
NetWitness.Alerts.incidentId The incident ID associated with the alert
NetWitness.Alerts.title The title or name of the rule that created the alert
NetWitness.Alerts.detail The details of the alert. This can be the module name or meta that the module included.
NetWitness.Alerts.created The timestamp of the alert created date
NetWitness.Alerts.source The source of this alert. For example, "Event Stream Analysis", "Malware Analysis", and so on.
NetWitness.Alerts.riskScore The risk score of this alert, usually in the range 0 - 100.
NetWitness.Alerts.type Type of alert (Network, Log, and so on)
NetWitness.Alerts.events.source.device.ipAddress The source IP address
NetWitness.Alerts.events.source.device.port The source port
NetWitness.Alerts.events.source.device.macAddress The source Ethernet MAC address
NetWitness.Alerts.events.source.device.dnsHostname The source DNS resolved hostname
NetWitness.Alerts.events.source.device.dnsDomain The top-level domain from the DNS resolved hostname (source)
NetWitness.Alerts.events.source.user.username The unique username (source)
NetWitness.Alerts.events.source.user.emailAddress An email address (source)
NetWitness.Alerts.events.source.user.adUsername An Active Directory (AD) username (source)
NetWitness.Alerts.events.source.user.adDomain An Active Directory (AD) domain (source)
NetWitness.Alerts.events.destination.device.ipAddress The destination IP address
NetWitness.Alerts.events.destination.device.port The destination port
NetWitness.Alerts.events.destination.device.macAddress The destination Ethernet MAC address
NetWitness.Alerts.events.destination.device.dnsHostname The destination DNS resolved hostname
NetWitness.Alerts.events.destination.device.dnsDomain The top-level domain from the DNS resolved hostname (destination)
NetWitness.Alerts.events.destination.user.username The unique username (destination)
NetWitness.Alerts.events.destination.user.emailAddress An email address (destination)
NetWitness.Alerts.events.destination.user.adUsername An Active Directory (AD) username (destination)
NetWitness.Alerts.events.destination.user.adDomain An Active Directory (AD) domain (destination)

Command Example
!netwitness-get-alerts incidentId="INC-12"
Context Example
{
    "NetWitness": {
        "Alerts": {
            "created": "2018-03-15T16:39:18.777Z",
            "detail": null,
            "events": [
                {
                    "destination": {
                        "device": {
                            "dnsDomain": null,
                            "dnsHostname": null,
                            "ipAddress": "192.168.5.172",
                            "macAddress": "00:0C:29:62:29:43",
                            "port": 23
                        },
                        "user": {
                            "adDomain": null,
                            "adUsername": null,
                            "emailAddress": null,
                            "username": "administrator"
                        }
                    },
                    "domain": null,
                    "eventSource": null,
                    "eventSourceId": "7",
                    "source": {
                        "device": {
                            "dnsDomain": null,
                            "dnsHostname": null,
                            "ipAddress": "192.168.5.189",
                            "macAddress": "00:0C:29:D1:39:5D",
                            "port": 1045
                        },
                        "user": {
                            "adDomain": null,
                            "adUsername": null,
                            "emailAddress": null,
                            "username": "administrator"
                        }
                    }
                }
            ],
            "id": "5aaaa1b69a95133336911c93",
            "incidentId": "INC-12",
            "riskScore": 50,
            "source": "NetWitness Investigate",
            "title": "Network Alert1",
            "type": "Network"
        }
    }
}
Human Readable Output

Incident INC-12 Alerts

Alert Details

ID Title Detail Created Source Risk score Type Total events
5aaaa1b69a95133336911c93 Network Alert1 2018-03-15T16:39:18.777Z NetWitness Investigate 50 Network 1

Event Details

Domain: None
Source: None
ID: 7

Source

Device IP Device Port Device MAC User UserName
192.168.5.189 1045 00:0C:29:D1:39:5D administrator

Destination

Device IP Device Port Device MAC User UserName
192.168.5.172 23 00:0C:29:62:29:43 administrator

Additional Information


Incidents query with time frame restriction

The time frame can be restricted on only one end, specifying since or until arguments, or restricted on both ends, specifying both arguments.

Both arguments should be passed in ISO 8601 format:

!NetWitness-get-incidents since=2018-01-01T14:00:00.000Z
until=2018-01-01T16:30:00.000Z

In this example, all incidents created between 2:00 PM on January 1, 2018 and 2:30 PM
the same day will be fetched.

Another option is to specify the number of days prior as a time frame:

!NetWitness-get-incidents lastDays=10

In this example, all incidents created in the 10 days prior to the current date will be fetched.

Known Limitations


  • Only an incident’s status and assignee fields can be modified.
  • Incidents query can only be filtered using by time frame.

Troubleshooting


  • ‘Request failed with status: 400..’ error when running a NetWitness command
    If this error raises, it indicates one of the arguments passed is not a valid value.
    For example:

    • Passing non-existing incident id to ‘get-incidents’ will cause this type of error.
    • Passing invalid timestamp to ‘NetWitness-get-incidents’ will cause this type of error.
      The error message provides a short description of the problem.

    Error snap-shot

  • ‘Login failed with status: 401..’ when testing instance configuration
    This error indicates bad credentials are configured in the instance settings.
    Make sure correct credentials and password is configured in the instance settings.

    Error snap-shot

  • ‘…CERTIFICATE_VERIFY_FAILED...’ error when testing instance configuration
    This error may indicate that server certificate is missing/cannot be validated.
    It is possible to bypass certificate validation by checking ‘Do not validate server certificate’ in the instance settings.