Eric Partington

Context Menus - OOTB Options

Blog Post created by Eric Partington Employee on Aug 21, 2017

Context menus shorten the time analysts spend in the copy, alt+tab, paste cycle by providing right-click integrations with a default set of websites that bring additional context to an investigation. These are the default integrations that come with RSA NetWitness Suite. You can find the existing ones, and add custom sites, at this path:

Admin > System > Context Menu Actions

These right-click actions are available in Investigator and the Events view: right-click the appropriate meta key to open the dropdown menu of actions.

Additional Context Menu actions can be found here:

https://community.rsa.com/search.jspa?q=context+menu&place=%2Fplaces%2F1875&depth=ALL

The following is a summary list of the default actions for external sites that exist in the RSA NW platform:

| Name | Active on metakeys | URL |
| --- | --- | --- |
| Google | file.hash, alias.host | http://www.google.com/search?q={0} |
| Robtex DNS | alias.host, domain.dst | http://www.robtex.com/dns/{0} |
| SANS IP History | ip.src, ip.dst, ipv6.dst, ipv6.src, orig_ip | http://isc.sans.org/ipinfo.html?ip={0} |
| Google Malware Diagnostic for IPS and Hostnames | ip.src, ip.dst, ipv6.src, ipv6.dst, orig_ip, alias.host, domain.dst | http://www.google.com/safebrowsing/diagnostic?site={0} |
| BFK Passive DNS Collection | ip.src, ip.dst, ipv6.src, ipv6.dst, orig_ip, alias.host, domain.dst | http://www.bfk.de/bfk_dnslogger.html?query={0} |
| Malwaredomainlist.com Search | ip.src, ip.dst, ipv6.src, ipv6.dst, orig_ip, alias.host, domain.dst | http://www.malwaredomainlist.com/mdl.php?search={0}&colsearch=All&quantity=50 |
| Malwaredomains.com Search | ip.src, ip.dst, ipv6.src, ipv6.dst, orig_ip, alias.host, domain.dst | http://www.google.com/search?q={0}+site%3Awww.malwaredomains.com |
| SamSpade Search | ip.src, ip.dst, ipv6.src, ipv6.dst, orig_ip, alias.host, domain.dst | http://samspade.org/whois/{0} |
| UrlVoid Search | alias.host, domain.dst | http://www.urlvoid.com/scan/{0} |
| McAfee SiteAdvisor for Hostnames | ip.src, ip.dst, ipv6.src, ipv6.dst, orig_ip, alias.host, domain.dst | http://www.siteadvisor.com/sites/{0} |
| Robtex IP Search | ip.src, ip.dst, ipv6.src, ipv6.dst, orig_ip | http://www.robtex.com/ip/{0}.html |
| CentralOps Whois for Ips and Hostnames | ip.src, ip.dst, ipv6.src, ipv6.dst, orig_ip, alias.host, domain.dst | http://centralops.net/co/DomainDossier.aspx?addr={0}&dom_whois=true&dom_dns=true&net_whois=true |
| ThreatExpert Search | ip.src, ip.dst, ipv6.src, ipv6.dst, orig_ip, alias.host, domain.dst | http://www.threatexpert.com/reports.aspx?find={0} |
