Help
FortiSOAR Discussions
khanchand
New Contributor II

Created on ‎07-12-2023 07:48 AM

RSA netwitness SIEM incident/alerts ingestion

Hi Community Members,

 

Hope you are doing well. I have a question regarding data ingestion from RSA Netwitness SIEM, we have configured the connector upon running sample playbooks we can see the data of alerts/incident in output of playbook steps. But there is a confusion for taking these data on scheduled interval. As there is no any data ingestion available for this product. Can someone please guide how to retrieve this alerts in SOAR without having data ingestion.

1240
1 Solution
AmitJain
Staff
Staff

Created on ‎07-13-2023 02:05 AM Edited on ‎07-13-2023 02:05 AM

Hi - You can, 
1. Create a playbook, using ideally, "Get Incidents By Date Range" action, and filling in right parameters and adding extra steps, like "Get related alerts for incident" to complete the incident information pulled in. For all incidents pulled in through the action, you basically should create an "Alert" or "Incident" as suitable to you in FortiSOAR, using Create Record step (here you will map the incoming data fields to FortiSOAR record fields).

2. Once you are happy with the playbook pulling in data - you just schedule this playbook as per the frequency you want the ingestion to happen. 

Having said this, I will make that easier for you and take an action item on us to add Data ingestion wizard feature to this connector also. Hope that helps.

Amit

View solution in original post

1191
4 REPLIES 4
Christopher_Ichelson
New Contributor II

Created on ‎07-12-2023 11:07 PM

You have to pull Netwitness Incidents, then alerts and take the alert data and pull from the specific Concentrator and yes it can be set to a schedule.

1209
Christopher_Ichelson
New Contributor II
In response to Christopher_Ichelson

Created on ‎07-12-2023 11:08 PM

I would also reference the Netwitness API documentation for 12.x and it should be all in there for you.  You will need to use multiple connectors from the Fortisoar connector library.

1207
khanchand
New Contributor II

Created on ‎07-13-2023 02:01 AM

Thanks Christopher, I will work on it, if something needed will ask for support.

1192
0 Kudos
AmitJain
Staff
Staff

Created on ‎07-13-2023 02:05 AM Edited on ‎07-13-2023 02:05 AM

Hi - You can, 
1. Create a playbook, using ideally, "Get Incidents By Date Range" action, and filling in right parameters and adding extra steps, like "Get related alerts for incident" to complete the incident information pulled in. For all incidents pulled in through the action, you basically should create an "Alert" or "Incident" as suitable to you in FortiSOAR, using Create Record step (here you will map the incoming data fields to FortiSOAR record fields).

2. Once you are happy with the playbook pulling in data - you just schedule this playbook as per the frequency you want the ingestion to happen. 

Having said this, I will make that easier for you and take an action item on us to add Data ingestion wizard feature to this connector also. Hope that helps.

Amit
1192
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.