NetWitness

Last updated Aug 10, 2023

Install Guide

Runtime Environment

  • RSA NetWitness version 11.1 or higher
  • Verified on 11.2.1
  • Verified on 11.3.1.1
  • Verified on 11.7

NetWitness Configuration

In the RSA NetWitness ADMIN menu, navigate to Services to view the list of all services. Locate the NetWitness Decoder in the list, click the gear icon, and select View > Security.

Add a dedicated account that Logpresso will use for its REST API calls to the Decoder.

Identify the IP address of the NetWitness Decoder. In the ADMIN main menu, click Hosts to find the IP addresses for each service.

Verify access to the SDK page in a web browser. For example, if the Decoder IP is 172.20.36.152, navigate to http://172.20.36.152:50104. Log in using the credentials you just set up, and confirm that the SDK test page is displayed.

Check the firewall configuration to ensure that connections between the Logpresso server and the RSA NetWitness Decoder are not blocked. Use the following command in the Logpresso shell to verify:

logpresso> tcpscan 172.20.36.152 50104
trying to connect /172.20.36.152:50104
opened

If the result is not "opened", check the firewall rules to ensure the Logpresso server can reach the RSA NetWitness Decoder port.
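The two checks above (TCP reachability of port 50104, then an authenticated request for the SDK page) can be scripted so they are repeatable after a firewall or account change. The following is an added example written for this guide; it is not Logpresso or NetWitness code. It assumes the Decoder REST port accepts HTTP Basic authentication with the account created above, and it ships with a constructed local stand-in for the SDK page so the script can be exercised offline (the host 172.20.36.152 and the user name "logpresso" are the example values from this page and a placeholder, respectively).

```python
"""Connectivity checks for a NetWitness Decoder REST port (added example, not vendor code)."""
import base64
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen


def check_tcp(host, port, timeout=3.0):
    """Equivalent of the Logpresso `tcpscan` step: can we open a TCP connection?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return {"host": host, "port": port, "opened": True, "error": None}
    except OSError as exc:
        return {"host": host, "port": port, "opened": False, "error": str(exc)}


def check_sdk_page(base_url, username, password, timeout=5.0):
    """Request the SDK page with HTTP Basic auth (assumption: the Decoder REST port
    accepts Basic auth). A 401 means the port is reachable but the account is wrong."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = Request(base_url, headers={"Authorization": "Basic " + token})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return {"ok": resp.getcode() == 200, "status": resp.getcode(), "error": None}
    except HTTPError as exc:  # server answered, but not with 200
        return {"ok": False, "status": exc.code, "error": str(exc.reason)}
    except URLError as exc:   # no TCP/HTTP answer at all (firewall, wrong IP, ...)
        return {"ok": False, "status": None, "error": str(exc.reason)}


class _FakeSdkHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the Decoder SDK page, used only for offline runs."""
    EXPECTED = "Basic " + base64.b64encode(b"logpresso:secret").decode()

    def do_GET(self):
        if self.headers.get("Authorization") != self.EXPECTED:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="sdk"')
            self.end_headers()
            return
        body = b"<html><body>SDK test page</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_fake_sdk_server():
    """Start the stand-in server on an ephemeral loopback port; caller shuts it down."""
    server = HTTPServer(("127.0.0.1", 0), _FakeSdkHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def self_check():
    """Run all three checks against the stand-in: open port, good login, bad login, closed port."""
    server = start_fake_sdk_server()
    host, port = server.server_address
    base = f"http://{host}:{port}/"
    # Reserve and release a port so the "closed port" case is deterministic.
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()
    results = (
        check_tcp(host, port),
        check_sdk_page(base, "logpresso", "secret"),
        check_sdk_page(base, "logpresso", "wrong-password"),
        check_tcp(host, closed_port),
    )
    server.shutdown()
    return results


if __name__ == "__main__":
    # Offline demo against the stand-in. For a real Decoder, replace with e.g.
    # check_tcp("172.20.36.152", 50104) and
    # check_sdk_page("http://172.20.36.152:50104/", "logpresso", "<password>").
    for r in self_check():
        print(r)
```

Against a real Decoder, a failed `check_tcp` points at the firewall path between Logpresso and the Decoder, while a 401 from `check_sdk_page` means the port is open and the problem is the account created in the Security view.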

Logpresso Configuration

Set up the connect profile with the NetWitness connection details.

Once the configuration is complete, you can query packets from NetWitness or set up NetWitness File Download tasks in a playbook.