diff --git a/Packs/RsaNetWitnessPacketsAndLogs/.pack-ignore b/Packs/RsaNetWitnessPacketsAndLogs/.pack-ignore index 0541a3fee43b..fac542d34029 100644 --- a/Packs/RsaNetWitnessPacketsAndLogs/.pack-ignore +++ b/Packs/RsaNetWitnessPacketsAndLogs/.pack-ignore @@ -2,4 +2,8 @@ ignore=PA116 [file:RSANetWitnessPacketsAndLogs_image.png] -ignore=IM111 \ No newline at end of file +ignore=IM111 + +[known_words] +renderToContext +useSSL \ No newline at end of file diff --git a/Packs/RsaNetWitnessPacketsAndLogs/Integrations/RSANetWitnessPacketsAndLogs/README.md b/Packs/RsaNetWitnessPacketsAndLogs/Integrations/RSANetWitnessPacketsAndLogs/README.md index c68fa6dbc093..9dfabb25b8d4 100644 --- a/Packs/RsaNetWitnessPacketsAndLogs/Integrations/RSANetWitnessPacketsAndLogs/README.md +++ b/Packs/RsaNetWitnessPacketsAndLogs/Integrations/RSANetWitnessPacketsAndLogs/README.md @@ -122,11 +122,14 @@ concentratorPort integer -

Port to use with concentratorIP

- +

Port to use with concentratorIP. 50105 (SSL/NON-SSL) for concentrator, 50103 (SSL/NON-SSL) for broker.

+ + + +useSSL +boolean + +

Send request in HTTPS instead of HTTP. By default the parameter is set to True but if your appliance is not configured to use SSL you can change it here.

@@ -342,11 +345,14 @@ concentratorPort uint32  -

Port to use with the concentratorIP parameter

- +

Port to use with concentratorIP. 50105 (SSL/NON-SSL) for concentrator, 50103 (SSL/NON-SSL) for broker.

+ + + +useSSL +boolean + +

Send request in HTTPS instead of HTTP. By default the parameter is set to True but if your appliance is not configured to use SSL you can change it here.

@@ -448,11 +454,14 @@ concentratorPort uint32  -

Port to use with the concentratorIP parameter

- +

Port to use with concentratorIP. 50105 (SSL/NON-SSL) for concentrator, 50103 (SSL/NON-SSL) for broker.

+ + + +useSSL +boolean + +

Send request in HTTPS instead of HTTP. By default the parameter is set to True but if your appliance is not configured to use SSL you can change it here.

@@ -657,11 +666,14 @@ concentratorPort uint32 -

Port to use with the concentratorIP parameter

- +

Port to use with concentratorIP. 50105 (SSL/NON-SSL) for concentrator, 50103 (SSL/NON-SSL) for broker.

+ + + +useSSL +boolean + +

Send request in HTTPS instead of HTTP. By default the parameter is set to True but if your appliance is not configured to use SSL you can change it here.

@@ -672,6 +684,13 @@

Examples: pcap, logs, logs (csv), logs (xml), or logs (json)

+ +renderToContext +boolean  + +

If renderToContext is set to True and the render type is set to logs (json), the command will not create a file with the output. It will output to the context data.

+ +

 

@@ -721,11 +740,14 @@ concentratorPort uint32 -

Port to use with the concentratorIP parameter

- +

Port to use with concentratorIP. 50105 (SSL/NON-SSL) for concentrator, 50103 (SSL/NON-SSL) for broker.

+ + + +useSSL +boolean + +

Send request in HTTPS instead of HTTP. By default the parameter is set to True but if your appliance is not configured to use SSL you can change it here.

@@ -772,11 +794,14 @@ concentratorPort uint32 -

Port to use with the concentratorIP parameter

- +

Port to use with concentratorIP. 50105 (SSL/NON-SSL) for concentrator, 50103 (SSL/NON-SSL) for broker.

+ + + +useSSL +boolean + +

Send request in HTTPS instead of HTTP. By default the parameter is set to True but if your appliance is not configured to use SSL you can change it here.

@@ -922,11 +947,14 @@ concentratorPort uint32  -

Port to use with the concentratorIP parameter

- +

Port to use with concentratorIP. 50105 (SSL/NON-SSL) for concentrator, 50103 (SSL/NON-SSL) for broker.

+ + + +useSSL +boolean + +

Send request in HTTPS instead of HTTP. By default the parameter is set to True but if your appliance is not configured to use SSL you can change it here.

@@ -1039,11 +1067,14 @@ concentratorPort uint32  -

Port to use with the concentratorIP parameter

- +

Port to use with concentratorIP. 50105 (SSL/NON-SSL) for concentrator, 50103 (SSL/NON-SSL) for broker.

+ + + +useSSL +boolean + +

Send request in HTTPS instead of HTTP. By default the parameter is set to True but if your appliance is not configured to use SSL you can change it here.

@@ -1230,11 +1261,14 @@ concentratorPort uint32  -

Port to use with the concentratorIP parameter

- +

Port to use with concentratorIP. 50105 (SSL/NON-SSL) for concentrator, 50103 (SSL/NON-SSL) for broker.

+ + + +useSSL +boolean + +

Send request in HTTPS instead of HTTP. By default the parameter is set to True but if your appliance is not configured to use SSL you can change it here.

diff --git a/Packs/RsaNetWitnessPacketsAndLogs/Integrations/RSANetWitnessPacketsAndLogs/RSANetWitnessPacketsAndLogs.js b/Packs/RsaNetWitnessPacketsAndLogs/Integrations/RSANetWitnessPacketsAndLogs/RSANetWitnessPacketsAndLogs.js index 62559edc69a5..3dd720670968 100644 --- a/Packs/RsaNetWitnessPacketsAndLogs/Integrations/RSANetWitnessPacketsAndLogs/RSANetWitnessPacketsAndLogs.js +++ b/Packs/RsaNetWitnessPacketsAndLogs/Integrations/RSANetWitnessPacketsAndLogs/RSANetWitnessPacketsAndLogs.js @@ -5,14 +5,15 @@ var RESPONSE_TYPES = { 'xml': 'text/xml', 'octet-stream': 'application/octet-stream' }; -var SSL_PORT = '56105'; -var NON_SSL_PORT = '50105'; +var API_REST_PORT = '50105'; var LAST_HOURS = 'lastHours'; var LAST_MINUTES = 'lastMinutes'; var QUERY = 'query'; var USER_NAME = params.user_creds ? params.user_creds.identifier : params.username; + var PASSWORD = (params.user_creds || params).password; + function fixUrl(base) { var url = base.trim(); if (base.indexOf('http://') !== 0 && base.indexOf('https://') !== 0) { @@ -33,18 +34,14 @@ function getUrl(currentUrl){ // Check if port was provided, omit it if yes var match = args.concentratorIP.match(/(https{0,1}:\/\/?.*):/); urlToReturn = match ? match[1] : args.concentratorIP; - var port = args.concentratorPort; - if(port){ - if(port === SSL_PORT){ - urlToReturn = urlToReturn.indexOf('https://') === -1 ? 'https://' + urlToReturn : urlToReturn; - } - else{ - urlToReturn = urlToReturn.indexOf('http://') === -1 ? 'http://' + urlToReturn : urlToReturn; - } + var port = args.concentratorPort || API_REST_PORT; + var useSSL = args.useSSL; + + if(useSSL === "true"){ + urlToReturn = urlToReturn.indexOf('https://') === -1 ? 'https://' + urlToReturn : urlToReturn; } else{ urlToReturn = urlToReturn.indexOf('http://') === -1 ? 'http://' + urlToReturn : urlToReturn; - port = NON_SSL_PORT; } urlToReturn = urlToReturn + ":" + port; 
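Review bot: In getUrl the new `var useSSL = args.useSSL;` takes the HTTPS branch only when the argument is exactly the string "true", so a caller that omits the argument (an older playbook or an automation invoking the command directly) or passes "True" silently falls back to plain HTTP, and the request — presumably carrying the USER_NAME/PASSWORD defined in the first hunk — leaves unencrypted even though the yml default and the release notes say SSL is now the default. The yml defaultValue may cover the War Room case, but the code should fail secure on its own: `var useSSL = args.useSSL === undefined ? 'true' : String(args.useSSL).toLowerCase();`. getUrl starts before this hunk and its body continues after it.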
@@ -511,7 +508,21 @@ function parseDownloadResponse(resp) { if(args && args.fileExt){ extension = args.fileExt; } - return createFileEntry(resp.Bytes, extension); + if (args.renderToContext === "true" && args.render === "application/json"){ + var jsonstr = JSON.parse(resp.Body); + return { + Type: entryTypes.note, + Contents: jsonstr, + ContentsFormat: formats.json, + HumanReadable: jsonstr["logs"], + ReadableContentsFormat: formats.json, + EntryContext: { + 'NetWitness.Packets': jsonstr["logs"] + } + }; + } else{ + return createFileEntry(resp.Bytes, extension); + } } catch (e) { return e; } diff --git a/Packs/RsaNetWitnessPacketsAndLogs/Integrations/RSANetWitnessPacketsAndLogs/RSANetWitnessPacketsAndLogs.yml b/Packs/RsaNetWitnessPacketsAndLogs/Integrations/RSANetWitnessPacketsAndLogs/RSANetWitnessPacketsAndLogs.yml index 7cb8024d5fd4..5364b1f4c362 100644 --- a/Packs/RsaNetWitnessPacketsAndLogs/Integrations/RSANetWitnessPacketsAndLogs/RSANetWitnessPacketsAndLogs.yml +++ b/Packs/RsaNetWitnessPacketsAndLogs/Integrations/RSANetWitnessPacketsAndLogs/RSANetWitnessPacketsAndLogs.yml @@ -8,12 +8,11 @@ description: RSA NetWitness Logs and Packets decoders are responsible for the re configuration: - display: Server URL (e.g. http(s)://192.168.0.1) name: url - defaultvalue: "" type: 0 required: true -- display: Appliance Port - Logs(50102) / Packets(50104) / Concentrator (50105) / Broker (50103) +- display: Appliance Port - Logs(50102) / Packets(50104) / Concentrator (50105) / + Broker (50103) name: port - defaultvalue: "" type: 0 required: true - display: Username @@ -35,19 +34,18 @@ configuration: required: false - display: Validate server certificate name: secure - defaultvalue: 'true' + defaultvalue: "true" type: 8 required: false - display: Use system proxy settings name: proxy - defaultvalue: 'false' + defaultvalue: "false" type: 8 required: false - defaultvalue: '' display: Expiration time name: expiry type: 0 - required: false script: script: '' 
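Review bot: The new renderToContext branch in parseDownloadResponse assumes the parsed body is an object with a `logs` key; if the appliance answers with an error document or a body without `logs`, `HumanReadable` and `NetWitness.Packets` become `undefined` and the command reports success with an empty context, while a non-JSON body makes `JSON.parse` throw into the existing `catch (e) { return e; }`, which hands back the bare exception rather than an error entry. A check right after the parse, `if (!parsed || !Object.prototype.hasOwnProperty.call(parsed, 'logs')) { return { Type: entryTypes.error, ContentsFormat: formats.text, Contents: 'netwitness-packets: JSON response has no "logs" field' }; }`, makes the failure explicit; renaming `jsonstr` to `parsed` would also stop it reading as a string. parseDownloadResponse starts before this hunk.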
@@ -71,7 +69,21 @@ script: - name: concentratorIP description: Use the instance that is mapped to this concentrator IP - name: concentratorPort - description: Port to use with concentratorIP, 50105 for Non SSL and 56105 for SSL + auto: PREDEFINED + predefined: + - "50102" + - "50103" + - "50104" + - "50105" + description: Port to use with concentratorIP, usually 50105 but that can be changed by setting the /rest/config/port parameter. + defaultValue: "50105" + - name: useSSL + auto: PREDEFINED + predefined: + - "true" + - "false" + description: Send request using SSL. To enable it in your RSA appliance, go to the setting in /sys/config/ssl. + defaultValue: "true" outputs: - contextPath: NetWitness.SearchHits.hit description: all search hits in netwitness @@ -91,7 +103,21 @@ script: - name: concentratorIP description: Use the instance that is mapped to this concentrator address - name: concentratorPort - description: Port to use with concentratorIP, 50105 for Non SSL and 56105 for SSL + auto: PREDEFINED + predefined: + - "50102" + - "50103" + - "50104" + - "50105" + description: Port to use with concentratorIP, usually 50105 but that can be changed by setting the /rest/config/port parameter. + defaultValue: "50105" + - name: useSSL + auto: PREDEFINED + predefined: + - "true" + - "false" + description: Send request using SSL. To enable it in your RSA appliance, go to the setting in /sys/config/ssl. + defaultValue: "true" outputs: - contextPath: NetWitness.SearchHits description: all search hits in netwitness 
@@ -117,7 +143,21 @@ script: - name: concentratorIP description: Use the instance that is mapped to this concentrator address - name: concentratorPort - description: Port to use with concentratorIP, 50105 for Non SSL and 56105 for SSL + auto: PREDEFINED + predefined: + - "50102" + - "50103" + - "50104" + - "50105" + description: Port to use with concentratorIP, usually 50105 but that can be changed by setting the /rest/config/port parameter. + defaultValue: "50105" + - name: useSSL + auto: PREDEFINED + predefined: + - "true" + - "false" + description: Send request using SSL. To enable it in your RSA appliance, go to the setting in /sys/config/ssl. + defaultValue: "true" outputs: - contextPath: NetWitness.Events.ipSrc description: Source IP @@ -132,11 +172,11 @@ script: - contextPath: NetWitness.Events.userDst description: Destination user - contextPath: NetWitness.Events.username - description: Field includes any username meta available – both source and destination – as defined by the user. This is an optional field that will only appear if configured by the end user. + description: Field includes any username meta available - both source and destination - as defined by the user. This is an optional field that will only appear if configured by the end user. - contextPath: NetWitness.Events.service description: Field describes the service that created the session (if available) - contextPath: NetWitness.Events.sessionid - description: NW Specific field that contains a NW specific ‘serial number’ of the Session. Allows a user to specify a session to retrieve from a Concentrator. + description: NW specific field that contains a NW specific 'serial number' of the session. Allows a user to specify a session to retrieve from a concentrator. - contextPath: NetWitness.Events.deviceType description: Field describes the type of system that generated a log message (ex. SQUID / Windows / rhlinux) - contextPath: NetWitness.Events.direction 
@@ -171,9 +211,40 @@ script: - name: concentratorIP description: Use the instance that is mapped to this concentrator address - name: concentratorPort - description: Port to use with concentratorIP, 50105 for Non SSL and 56105 for SSL + auto: PREDEFINED + predefined: + - "50102" + - "50103" + - "50104" + - "50105" + description: Port to use with concentratorIP, usually 50105 but that can be changed by setting the /rest/config/port parameter. + defaultValue: "50105" + - name: useSSL + auto: PREDEFINED + predefined: + - "true" + - "false" + description: Send request using SSL. To enable it in your RSA appliance, go to the setting in /sys/config/ssl. + defaultValue: "true" - name: render - description: The render type - pcap, logs, logs (csv), logs (xml) or logs (json) + auto: PREDEFINED + predefined: + - text/plain + - text/csv + - text/xml + - application/json + - application/octet-stream + description: The render type - pcap, logs, logs (csv), logs (xml) or logs (json) + - name: renderToContext + defaultValue: "false" + auto: PREDEFINED + predefined: + - "true" + - "false" + description: If renderToContext is set to True and the render type is set to logs (json), the command will not create a file with the output. It will output to the context data. + outputs: + - contextPath: NetWitness.Packets + description: Raw logs. This output is only available if the renderToContext option is set to true. description: Stream packets back based on the input parameters provided - name: nw-sdk-session arguments: 
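Review bot: The predefined values added for `render` are MIME types (`text/plain`, `text/csv`, `text/xml`, `application/json`, `application/octet-stream`) while its description still lists the human labels "pcap, logs, logs (csv), logs (xml) or logs (json)", and the renderToContext description says "render type is set to logs (json)" although the JS hunk enables the context output only when render equals `application/json` exactly — a user choosing by the description has no way to map one to the other. Spell the mapping out, e.g. `description: The render type. Use application/json for logs (json), text/csv for logs (csv), text/xml for logs (xml), text/plain for logs and application/octet-stream for pcap.` (the text/plain and octet-stream pairing is my reading of RESPONSE_TYPES in the first JS hunk — confirm), and in renderToContext say "render is application/json" instead of "logs (json)". The `NetWitness.Packets` output description "Raw logs" would also be clearer as "The logs field of the JSON response; only set when renderToContext is true".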
@@ -186,14 +257,42 @@ script: - name: concentratorIP description: Use the instance that is mapped to this concentrator IP - name: concentratorPort - description: Port to use with concentratorIP, 50105 for Non SSL and 56105 for SSL + auto: PREDEFINED + predefined: + - "50102" + - "50103" + - "50104" + - "50105" + description: Port to use with concentratorIP, usually 50105 but that can be changed by setting the /rest/config/port parameter. + defaultValue: "50105" + - name: useSSL + auto: PREDEFINED + predefined: + - "true" + - "false" + description: Send request using SSL. To enable it in your RSA appliance, go to the setting in /sys/config/ssl. + defaultValue: "true" description: Retrieves the meta id range for the session range - name: nw-sdk-content arguments: - name: concentratorIP description: Use the instance that is mapped to this concentrator IP - name: concentratorPort - description: Port to use with concentratorIP, 50105 for Non SSL and 56105 for SSL + auto: PREDEFINED + predefined: + - "50102" + - "50103" + - "50104" + - "50105" + description: Port to use with concentratorIP, usually 50105 but that can be changed by setting the /rest/config/port parameter. + defaultValue: "50105" + - name: useSSL + auto: PREDEFINED + predefined: + - "true" + - "false" + description: Send request using SSL. To enable it in your RSA appliance, go to the setting in /sys/config/ssl. + defaultValue: "true" - name: session required: true description: The session id that will be returned in the response. 
@@ -244,7 +343,21 @@ script: - name: concentratorIP description: Use the instance that is mapped to this concentrator IP - name: concentratorPort - description: Port to use with concentratorIP, 50105 for Non SSL and 56105 for SSL + auto: PREDEFINED + predefined: + - "50102" + - "50103" + - "50104" + - "50105" + description: Port to use with concentratorIP, usually 50105 but that can be changed by setting the /rest/config/port parameter. + defaultValue: "50105" + - name: useSSL + auto: PREDEFINED + predefined: + - "true" + - "false" + description: Send request using SSL. To enable it in your RSA appliance, go to the setting in /sys/config/ssl. + defaultValue: "true" description: Retrieves summary information from the databases - name: nw-sdk-values arguments: @@ -275,7 +388,21 @@ script: - name: concentratorIP description: Use the instance that is mapped to this concentrator IP - name: concentratorPort - description: Port to use with concentratorIP, 50105 for Non SSL and 56105 for SSL + auto: PREDEFINED + predefined: + - "50102" + - "50103" + - "50104" + - "50105" + description: Port to use with concentratorIP, usually 50105 but that can be changed by setting the /rest/config/port parameter. + defaultValue: "50105" + - name: useSSL + auto: PREDEFINED + predefined: + - "true" + - "false" + description: Send request using SSL. To enable it in your RSA appliance, go to the setting in /sys/config/ssl. + defaultValue: "true" outputs: - contextPath: NetWitness.Values.ipSrc description: Source IP 
@@ -290,11 +417,11 @@ script: - contextPath: NetWitness.Values.userDst description: Destination user - contextPath: NetWitness.Values.username - description: Field includes any username meta available – both source and destination – as defined by the user. This is an optional field that will only appear if configured by the end user. + description: Field includes any username meta available - both source and destination - as defined by the user. This is an optional field that will only appear if configured by the end user. - contextPath: NetWitness.Values.service description: Field describes the service that created the session (if available) - contextPath: NetWitness.Values.sessionid - description: NW Specific field that contains a NW specific ‘serial number’ of the Session. Allows a user to specify a session to retrieve from a Concentrator. + description: NW specific field that contains a NW specific 'serial number' of the session. Allows a user to specify a session to retrieve from a concentrator. - contextPath: NetWitness.Values.deviceType description: Field describes the type of system that generated a log message (ex. SQUID / Windows / rhlinux) - contextPath: NetWitness.Values.direction @@ -321,7 +448,21 @@ script: - name: concentratorIP description: Use the instance that is mapped to this concentrator IP - name: concentratorPort - description: Port to use with concentratorIP, 50105 for Non SSL and 56105 for SSL + auto: PREDEFINED + predefined: + - "50102" + - "50103" + - "50104" + - "50105" + description: Port to use with concentratorIP, usually 50105 but that can be changed by setting the /rest/config/port parameter. + defaultValue: "50105" + - name: useSSL + auto: PREDEFINED + predefined: + - "true" + - "false" + description: Send request using SSL. To enable it in your RSA appliance, go to the setting in /sys/config/ssl. + defaultValue: "true" description: Dumps information out of the database in nwd formatted files fromversion: 5.0.0 tests: 
diff --git a/Packs/RsaNetWitnessPacketsAndLogs/ReleaseNotes/1_0_6.json b/Packs/RsaNetWitnessPacketsAndLogs/ReleaseNotes/1_0_6.json new file mode 100644 index 000000000000..415a7504e6f6 --- /dev/null +++ b/Packs/RsaNetWitnessPacketsAndLogs/ReleaseNotes/1_0_6.json @@ -0,0 +1,4 @@ +{ + "breakingChanges": true, + "breakingChangesNotes": "By default every RSA request will be send using SSL on the port 50105. To disable SSL use the option 'useSSL=false'. As before you can change the port using the parameter 'concentratorPort' and choose a suggested one or set a specific one not listed." +} \ No newline at end of file diff --git a/Packs/RsaNetWitnessPacketsAndLogs/ReleaseNotes/1_0_6.md b/Packs/RsaNetWitnessPacketsAndLogs/ReleaseNotes/1_0_6.md new file mode 100644 index 000000000000..51cc67f79024 --- /dev/null +++ b/Packs/RsaNetWitnessPacketsAndLogs/ReleaseNotes/1_0_6.md @@ -0,0 +1,6 @@ +#### Integrations + +##### RSA NetWitness Packets and Logs +- Fixed an issue where the only possible option for SSL port was 56105. +- Added support for the *useSSL* parameter in all commands, allowing the selection of SSL with every port. +- Added the ability to output the result of the command ***netwitness-packets*** in the context data with the argument *renderToContext*. diff --git a/Packs/RsaNetWitnessPacketsAndLogs/pack_metadata.json b/Packs/RsaNetWitnessPacketsAndLogs/pack_metadata.json index 4a307068b0fd..5059ad13ed7b 100644 --- a/Packs/RsaNetWitnessPacketsAndLogs/pack_metadata.json +++ b/Packs/RsaNetWitnessPacketsAndLogs/pack_metadata.json 
@@ -2,7 +2,7 @@ "name": "RSA NetWitness Packets and Logs", "description": "RSA NetWitness Logs and Packets decoders are responsible for the real-time collection of network data. The decode captures data in real time and can normalize and reconstruct data for full session analysis. In addition, the decoder can collect flow and endpoint data.", "support": "xsoar", - "currentVersion": "1.0.5", + "currentVersion": "1.0.6", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", @@ -17,4 +17,4 @@ "xsoar", "marketplacev2" ] -} \ No newline at end of file +}