FortiSOAR Discussions
khanchand
New Contributor III

RSA netwitness SIEM incident/alerts ingestion

Hi Community Members,

Hope you are doing well. I have a question regarding data ingestion from RSA NetWitness SIEM. We have configured the connector and, upon running the sample playbooks, we can see the alert/incident data in the output of the playbook steps. But there is confusion about pulling this data on a scheduled interval, as there is no data ingestion available for this product. Can someone please guide me on how to retrieve these alerts in SOAR without having data ingestion?

1 Solution
AmitJain
Staff

Hi - You can:
1. Create a playbook, ideally using the "Get Incidents By Date Range" action, filling in the right parameters and adding extra steps, like "Get related alerts for incident", to complete the incident information pulled in. For all incidents pulled in through the action, you should create an "Alert" or "Incident" in FortiSOAR, as suits you, using the Create Record step (here you will map the incoming data fields to FortiSOAR record fields).

2. Once you are happy with the playbook pulling in data, you just schedule this playbook at the frequency you want the ingestion to happen.

Having said this, I will make that easier for you and take an action item on us to add the Data Ingestion wizard feature to this connector as well. Hope that helps.

Amit
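The two-step playbook above (pull incidents by date range, enrich each with its related alerts, then create a FortiSOAR record) is easy to get wrong once it runs on a schedule: each run must remember where the previous one stopped, and any overlap between runs must not create duplicate records. The following is an added example, not code from the thread or from the FortiSOAR connector. The functions `fetch_incidents_by_date_range`, `fetch_related_alerts`, `map_to_record` and `run_ingestion` are assumptions standing in for the connector's "Get Incidents By Date Range" and "Get related alerts for incident" actions and the Create Record step; the sample incidents and alerts are constructed in memory, and the FortiSOAR field names in the mapping are illustrative.

```python
"""Scheduled-ingestion loop with a persisted watermark and dedup (added example)."""
from datetime import datetime, timedelta, timezone

# Constructed sample data in the shape of a SIEM incident/alert feed (not real records).
SAMPLE_INCIDENTS = [
    {"id": "INC-1", "title": "Suspicious login", "priority": "High", "created": "2024-05-01T10:00:00Z"},
    {"id": "INC-2", "title": "Malware beacon", "priority": "Critical", "created": "2024-05-01T10:30:00Z"},
    {"id": "INC-3", "title": "Port scan", "priority": "Low", "created": "2024-05-01T11:15:00Z"},
]
SAMPLE_ALERTS = {
    "INC-1": [{"id": "ALR-10", "source_ip": "10.0.0.5"}],
    "INC-2": [{"id": "ALR-20", "source_ip": "10.0.0.9"}, {"id": "ALR-21", "source_ip": "10.0.0.9"}],
    "INC-3": [],
}

def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used in the sample feed."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def fetch_incidents_by_date_range(start, end):
    """Stand-in for the 'Get Incidents By Date Range' action (assumed helper)."""
    return [i for i in SAMPLE_INCIDENTS if start <= parse_ts(i["created"]) < end]

def fetch_related_alerts(incident_id):
    """Stand-in for the 'Get related alerts for incident' action (assumed helper)."""
    return SAMPLE_ALERTS.get(incident_id, [])

def map_to_record(incident, alerts):
    """Map SIEM fields to a FortiSOAR-style record; field names are illustrative."""
    return {
        "sourceId": incident["id"],
        "name": incident["title"],
        "severity": incident["priority"] if incident["priority"] in ("Critical", "High", "Medium", "Low") else "Medium",
        "source": "RSA NetWitness",
        "alertIds": [a["id"] for a in alerts],
        "sourceIPs": sorted({a["source_ip"] for a in alerts}),
    }

class IngestionState:
    """What a scheduled playbook must persist between runs: watermark and seen ids."""
    def __init__(self, start_iso):
        self.last_run = parse_ts(start_iso)
        self.seen_ids = set()
        self.records = []  # stands in for records created in FortiSOAR

def new_state(start_iso):
    return IngestionState(start_iso)

def run_ingestion(state, now_iso, overlap_minutes=5):
    """One scheduled run: pull since the watermark minus an overlap, dedup, enrich, create.

    The overlap guards against incidents that arrive late or clock skew between
    the SIEM and SOAR; the seen-id set is what keeps the overlap from creating
    duplicate records. Returns the source ids of records created in this run.
    """
    now = parse_ts(now_iso)
    start = state.last_run - timedelta(minutes=overlap_minutes)
    created = []
    for inc in fetch_incidents_by_date_range(start, now):
        if inc["id"] in state.seen_ids:
            continue  # already ingested by an earlier, overlapping run
        record = map_to_record(inc, fetch_related_alerts(inc["id"]))
        state.records.append(record)
        state.seen_ids.add(inc["id"])
        created.append(record["sourceId"])
    state.last_run = now  # advance the watermark only after a successful run
    return created

if __name__ == "__main__":
    st = new_state("2024-05-01T09:00:00Z")
    print(run_ingestion(st, "2024-05-01T11:00:00Z"))
    print(run_ingestion(st, "2024-05-01T12:00:00Z", overlap_minutes=60))
```

In a real playbook the watermark and the seen-id set would live in a FortiSOAR record or global variable rather than in memory, and the overlap window should be wider than the SIEM's worst-case delay in making an incident queryable; the dedup key should be the SIEM's incident id, not the title or timestamp.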


4 Replies
Christopher_Ichelson
New Contributor II

You have to pull NetWitness incidents, then alerts, take the alert data and pull from the specific Concentrator, and yes, it can be set to a schedule.

Christopher_Ichelson

I would also reference the NetWitness API documentation for 12.x; it should all be in there for you. You will need to use multiple connectors from the FortiSOAR connector library.

khanchand
New Contributor III

Thanks Christopher, I will work on it; if something is needed, I will ask for support.
