
Downloads

SHA256 checksum (security-app-for-netwitness_098.tgz): 0cb9b1f76d3c4295f5a547e99fedd812f69467bb57a46acbbcd8e7ff875d289f
SHA256 checksum (security-app-for-netwitness_097.tgz): 5dd1eb3f3eb7023e3ef805c3712f69e914f2a2f7266e3baad886e65c3725ff6f

Security App for NetWitness

This app is NOT supported by Splunk. Please read about what that means for you here.
This Splunk app connects to a NetWitness Concentrator/Broker via its REST API.
It polls the NetWitness device at regular intervals to collect new session metadata for indexing in Splunk, and maps most fields to the Common Information Model.
For install and configuration instructions, see README.txt after extracting the app to $SPLUNK_HOME/etc/apps/

Screenshots:

  • Status information - Collection Metrics
  • Status information - Sessions over time

New App:

This app pulls all sessions from the NetWitness device. If you are looking for an app that only pulls sessions matching a query, please look at the app ****

Windows Users:

  • Please make sure you change the LAST_SID_FILE path, or the application will fail.

ISSUE: SSL not working out of the box

  • Summary: The Python urllib2 and SSL libraries the app uses are hard-coded to negotiate SSLv23 with servers, but to be FIPS compliant the NetWitness services only accept TLS connections.
  • Full Details/Discussion:
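The negotiation problem above, as an added example that is not part of the app's code: a Python 3 `ssl` context (the app moved to Python 3 in 0.9.6; the SSLv23 default the text refers to belongs to the Python 2 urllib2 stack) that only offers TLS 1.2 or newer and verifies the NetWitness certificate, plus a check to confirm a context cannot fall back. Function names are mine.

```python
import ssl
import urllib.request


def make_tls_context() -> ssl.SSLContext:
    """Client context that only negotiates TLS 1.2 or newer.

    PROTOCOL_TLS_CLIENT enables hostname checking and certificate
    verification; minimum_version keeps legacy protocol versions out of
    the handshake entirely, which is what a FIPS-configured NetWitness
    service expects from the client anyway.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_is_tls_only(ctx: ssl.SSLContext) -> bool:
    """True when ctx cannot fall back below TLS 1.2 and verifies the peer."""
    return (
        ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
        and ctx.verify_mode == ssl.CERT_REQUIRED
        and bool(ctx.check_hostname)
    )


def make_opener(ctx: ssl.SSLContext) -> urllib.request.OpenerDirector:
    """urllib opener whose HTTPS connections all use the hardened context;
    a drop-in for a urlopen() call that relied on library defaults."""
    return urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))


if __name__ == "__main__":
    ctx = make_tls_context()
    print("TLS-only context:", context_is_tls_only(ctx))
    # opener = make_opener(ctx)
    # opener.open("https://<rest_host>:<port>/...")  # placeholder NetWitness REST URL
```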

Changes worthy of note:

For all other changes see the CHANGELOG

  • Added info to all events: every event now contains the field rest_host=[rest_host]
    • [rest_host] is extracted from TOP_URL_LEVEL, from "://" up to the next ":"
    • Works best in conjunction with the multiple-config-file feature, as it identifies the device the meta was collected from
  • Allow the user to pass the 'nwsdk' configuration file name as an argument, so multiple instances of data collection can run
    • Users can define multiple inputs in inputs.conf, each selecting a different configuration file; this can be used to connect to concentrators directly in larger environments where brokers aren't available or can't be used
    • If none is specified, 'nwsdk.conf' is used by default; otherwise give only the name and omit the extension, and the file must be a .conf file under ../local/
    • Not fully documented in the README yet; please e-mail me if you think you need it and I will assist.
  • Using summary indexing for dashboards
    • Created saved searches to support summary-index-based dashboards
  • Changed the app dashboard to show "Skipped" sessions instead of duplicates (mostly these are false positives)

Contents:

Views (shared globally):

  • Splunk for NetWitness App Status (errors, duplicate sessions, etc.)
  • HTTP traffic statistics based on NetWitness data
  • SMTP traffic statistics based on NetWitness data
  • DNS traffic statistics based on NetWitness data
  • All (services) traffic statistics based on NetWitness data
  • OTHER service traffic statistics based on NetWitness data
  • Forensic Fingerprint statistics based on NetWitness data

Lookup added (shared globally):

  • Lookup for service number to name conversion
    • Usage: | lookup lookup_service service OUTPUT service_alias as service_alias

Older versions:

  • See CHANGELOG file

Major changes include:

  • BUG FIX: Made the trailing "/" in the rest_host extraction optional; the app would crash if the trailing "/" was missing (user-reported issue)
  • BUG FIX: Added "&expiry=0" to all queries to fix possible HTTP timeouts (user-reported issue)
  • BUG FIX: Changes in NetWitness 9.8 (and other late releases) broke the script: MAC addresses are no longer returned as integers but as strings, and the script expected an int without proper error checking. It now handles both cases.
    • You can check whether you are affected with the following search: index=_* nwsdk.py sourcetype="splunkd" "int()"
  • BUG FIX: Check the last session id processed on each batch to make sure it is as expected; if not, force a correction (can cause some data loss)
  • BUG FIX: Changed TRUNCATE to 0 in props.conf, as some lines are longer than 10000 and were being truncated incorrectly
  • BUG FIX: Converted all meta field names to lower case to avoid problems with timestamp parsing
  • BUG FIX: Processing stats were calculated incorrectly on the initial run (when LAST_SID_FILE is missing)
  • Added code to read custom/additional mappings from the [mappings] section of nwsdk.conf (based on customer feedback)
  • BUG FIX: When reading "NO_SID_FILE_OPTION" from nwsdk.conf it wasn't being properly converted to an integer
  • BUG FIX: The SMTP view wasn't parsing attachment names correctly when they contained spaces
  • BUG FIX: Session IDs were being sorted as strings instead of integers, causing data duplication
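The fixes in this list for session-id ordering, the last-session-id check, the MAC integer/string change and lower-cased meta names, together with the rest_host extraction described under "Changes worthy of note", as an added illustration that is not the app's code: a small batch-processing helper run over a constructed NetWitness response. Function names, the 48-bit integer MAC layout and the eth.src/eth.dst key names are assumptions.

```python
import re
from typing import Optional

# Host lies between "://" and the next ":" (or "/"), so a trailing "/" is optional.
_REST_HOST = re.compile(r"://([^:/]+)")

def rest_host(top_url_level: str) -> str:
    """rest_host value stamped on every event, taken from TOP_URL_LEVEL."""
    match = _REST_HOST.search(top_url_level)
    if not match:
        raise ValueError(f"no host in TOP_URL_LEVEL: {top_url_level!r}")
    return match.group(1)

def mac_to_str(value) -> str:
    """NetWitness 9.8+ returns MAC meta as strings, older releases as integers
    (assumed 48-bit big-endian); accept both instead of calling int() blindly."""
    if isinstance(value, int):
        return ":".join(f"{(value >> s) & 0xFF:02x}" for s in range(40, -1, -8))
    if isinstance(value, str):
        return value.lower()
    raise TypeError(f"unexpected MAC meta type: {type(value).__name__}")

def process_batch(last_sid: Optional[int], batch: list, host: str) -> tuple:
    """Order a polled batch numerically, emit only ids beyond last_sid and count
    already-indexed ids as "Skipped". Returns (events, new_last_sid, skipped)."""
    events, skipped = [], 0
    for session in sorted(batch, key=lambda s: int(s["sessionid"])):  # int, not str
        sid = int(session["sessionid"])
        if last_sid is not None and sid <= last_sid:
            skipped += 1
            continue
        event = {k.lower(): v for k, v in session.items()}  # lower-case meta names
        for key in ("eth.src", "eth.dst"):
            if key in event:
                event[key] = mac_to_str(event[key])
        event["rest_host"] = host
        events.append(event)
        last_sid = sid
    return events, last_sid, skipped

# Constructed sample: ids arrive unordered, MAC encodings mixed, one already seen.
SAMPLE_BATCH = [
    {"sessionid": "10", "eth.src": 0x001122334455},
    {"sessionid": "9", "Eth.Dst": "AA:BB:CC:DD:EE:FF"},
    {"sessionid": "100"},
    {"sessionid": "7"},
]
```

With last_sid = 8 the helper emits sessions 9, 10 and 100 in that order and counts session 7 as skipped; a string sort would have produced 10, 100, 7, 9.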

Release Notes

Version 0.9.8
July 14, 2022

- Version 0.9.8: (05 Jul 2022)
  • Update Contact Details

Version 0.9.7
Sept. 15, 2021

== CHANGELOG ==
- Version 0.9.7: (15 Sep 2021)
  • Fix division by 0 error
- Version 0.9.6: (14 Sep 2021)
  • Updated to Python 3 for latest Splunk compatibility
- Version 0.9.5: (24 Apr 2017)
  • FIX: Changed TLS negotiation from TLSv1 to just TLS to support the latest version using TLS 1.2
  • Changed threading library to multiprocessing for performance improvements (75% reduction in load time)
- Version 0.9.4: (02 Apr 2017)
  • Threaded version
  • Output results immediately (no sorting of sessions or keys)
- Version 0.9.3: (29 Mar 2017)
  • Fix Python SSL wrapper to use TLSv1 instead of SSLv23, as SSLv23 causes issues with the NW SSL implementation
  • Changed the loading of the JSON response to better handle encoding errors
  • Use http://docs.splunk.com/Documentation/Splunk/6.0/AdvancedDev/SetupExampleCredentials to avoid storing credentials in clear text
  • Two new configuration settings: SLEEP & VERBOSE
  • Changed read/write SID file functions to expand ENV vars (e.g. $SPLUNK_HOME)
  • Changed main

