Joshua Randall

Improving Alerts' Related Links in Respond

Blog Post created by Joshua Randall Employee on Aug 7, 2018

The Respond Engine in 11.x contains several useful pivot points and capabilities that allow analysts and responders to quickly navigate from incidents and alerts to the events that interest them.

 

In this blog post, I'll be discussing how to further enable and improve those pivot options within alert details to provide both more pivot links as well as more easily usable links.

 

During the incident aggregation process, the scripts that control the alert normalizations create several links (under Related Links) that appear within each alert's Event Details page.

 

These links allow analysts to copy/paste the URI into a browser and pivot directly to the events/session that caused the alert, or to an investigation query against the target host. 

 

What we'll we doing here is adding additional links to this Related Links section to allow for more pivot options, as well as adding the protocol and web server components to the existing URI in order to form a complete URL.

 

The files that we will be customizing for the first step are located on the Node0 (Admin) Server in the "/var/netwitness/respond-server/scripts" directory:

  • normalize_core_alerts.js
  • normalize_ma_alerts.js

 

(We will not be modifying the normalize_ecat_alerts.js or normalize_wtd_alerts.js scripts because the Related Links for those pivot you outside of the NetWitness UI.)

 

As always, back up these files before committing any changes and be sure to double-check your changes for any errors.

 

Within each of these files, there is a exports.normalizeAlert function:

 

At the end of this function, just above the "return normalized;" statement, you will add the following lines of

 

//copying additional links created by the utils.js script to the event's related_links
for(var j = 0; j < normalized.events.length; j++){

if (normalized.related_links) {

normalized.events[j].related_links = normalized.events[j].related_links.concat([normalized.related_links]);

}

}

 

 

So the end of the exports.normalizeAlert function now looks like this:

 

Once you have done this, you can now move on to the next step in this process.  This step will require modification of 3 files - the two we have already changed plus the utils.js script - all still located in the "/var/netwitness/respond-server/scripts" directory:

  • normalize_core_alerts.js
  • normalize_ma_alerts.js
  • utils.js

 

Within each of these files search for "url:" to locate the statements that generate the URIs in Related Links.  You will be modifying these URIs into complete URLs by adding "https://<your_UI_IP_or_Hostname>/" to the beginning of the statement.

 

For example, this: 

 

...becomes this:

 

Do this for all of the "url:" statements, except this one in "normalize_core_alerts.js," as this pulls its URI / URL from a function in the script that we are already modifying:

 

Once you have finished modifying these files and double-checking your work for syntax (or other) errors, restart the Respond Server (systemctl restart rsa-nw-respond-server) and begin reaping your rewards:

 

Outcomes