“RSA NetWitness Using the REST API” eLearning Audio Script

Your company has purchased the RSA NetWitness product.  What do you do if your executives want you to prove time-to-value?  What do you do if your directors have tasked you with resource planning over time?  What happens if an audit team requires proof of compliance?  What will you do if you are charged with ensuring consistency of configurations across the enterprise for this product? What happens if the platform manager needs you to integrate NetWitness with custom apps, visualization tools, and third-party SIEMs? What should you do if the Chief Information Security Officer requires you to ensure that data retention standards have been met? 

In all these cases, you could go into the NetWitness Web Interface GUI and manually go about accomplishing these tasks.  For example, if you need to find the oldest packet time to make sure that retention requirements are being met, you could:

·         Open a browser

·         And log into the NetWitness Graphical User Interface

·         Click on the Main Menu’s Administration module

·         Select the Health and Wellness option

·         Click the System Stats Browser

·         Type in a Component of “Decoder”

·         Click the Apply button

·         Type in a Category of “Decoder”

·         Click the Apply button again

·         And finally scroll down to that particular metric

However, what happens if you have to get this metric every week in order to assure management that the standard is being met over time?

Then repeatedly doing so manually through the GUI stops making much sense.

Fortunately, there is a web service on each of the core NetWitness appliance types, known as the NetWitness REST API, that would allow you to get this metric with a Command Line Interface, making it a little easier to do so on a frequent basis.

However, what happens if your organization has ten packet decoders or thirty packet decoders? Then, using a CLI to manually go into each appliance could become a problem, and a drain, on your team’s time and efforts.

Again, luck is on your side.  Since the REST API uses a URL-based string, you can write scripts or simple applications in the language of your choice, such as Python or JavaScript, to programmatically get this metric from every machine, every week, in an automated fashion.

Similarly, you can use the REST API from within third-party applications such as SIEMs like Splunk, visualization tools such as Navios, and from within custom apps at your organization.

Thus, REST is not only a method of getting key metrics from the RSA NetWitness Suite; it can also be used to set configurations, and even to pull analytical information such as metadata and values for use in other applications.

REST is an architectural style that is widely known and uses HTTP or HTTPS to interact with web services.  It has been implemented within NetWitness out of the box, with a web service on each of the core appliance types, each of which listens on a unique REST port for your requests.

As mentioned, the REST API can enable you to:

·        Integrate third-party network monitoring tools such as Splunk to ingest RSA NetWitness packet data

·        Integrate NetWitness data into third-party visualization tools such as Navios

·        Programmatically generate .csv’s, spreadsheets, and charts every month from statistics pulled out of NetWitness

·        Report on events per second consumed across the enterprise, validate that packets are held for certain periods of time, and help you make better decisions about resource management based on measurable objectives from those statistics every month

·        Provide evidence of Time-To-Value in reports

·        Communicate value to senior leadership by showing increased capture rates, for example

·        Chart the metrics that can help your leadership make better informed decisions about the platform and possible upcoming gaps in order to spend their capital wisely

·        Help prevent costly mis-configurations by providing consistency checks across multiple disparate systems

·        Create automated processes that can identify baselines for performance and tuning 

·        And show a compliance or audit team that all the devices are logging

There is an accompanying 3-hour tutorial and On-Demand eLab entitled “RSA NetWitness Using REST API” available from RSA University.  It covers the REST API and how to use it, and comes complete with lab exercises in which you will make REST calls, learn how to find key metrics, and even write some simple scripts with step-by-step instructions.

To find out more, send an email to rsauniversity@rsa.com or visit the RSA University at https://community.rsa.com/community/training