NetWitness Respond consumes alert data from various sources via the Message Bus and displays these alerts on the NetWitness Platform user interface. The Respond Server service allows you to group the alerts logically and start a NetWitness Respond workflow to investigate and remediate the security issues raised.
The Respond Server service consumes alerts from the message bus and normalizes the data to a common format (while retaining the original data) to enable simpler rule processing. It periodically runs rules to aggregate multiple alerts into an incident and to set attributes of the incident (for example, severity and category). The Respond Server service persists the incidents in MongoDB. Incidents are also posted onto the message bus for consumption by other systems (for example, the Archer integration).
The following diagram illustrates the high-level flow of alerts.
You must configure the various sources from which the Respond Server service collects and aggregates alerts.
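The normalize-then-aggregate flow described above, as an added toy illustration (not NetWitness code); the source schemas, field names, severity scaling and the "same host within ten minutes" rule are all assumptions, and the alerts are constructed samples:

```python
"""Toy model of the Respond Server pipeline: normalize source-specific alerts to a
common schema (keeping the original payload), then run an aggregation rule that
groups alerts into incidents and sets severity/category. All names are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts as two hypothetical sources might emit them.
RAW_ALERTS = [
    {"src": "esa", "body": {"rule": "Brute Force", "host": "10.0.0.5", "sev": 7, "ts": "2024-01-01T10:00:00"}},
    {"src": "esa", "body": {"rule": "Brute Force", "host": "10.0.0.5", "sev": 8, "ts": "2024-01-01T10:04:00"}},
    {"src": "malware", "body": {"name": "Suspicious Binary", "ip": "10.0.0.5", "risk": 90, "time": "2024-01-01T10:06:00"}},
    {"src": "malware", "body": {"name": "Suspicious Binary", "ip": "10.0.0.9", "risk": 40, "time": "2024-01-01T12:00:00"}},
]

def normalize(alert):
    """Map a source-specific alert onto a common schema, retaining the original body."""
    body = alert["body"]
    if alert["src"] == "esa":
        common = {"name": body["rule"], "host": body["host"], "severity": body["sev"],
                  "timestamp": datetime.fromisoformat(body["ts"])}
    elif alert["src"] == "malware":  # assumed: risk 0-100 scaled to severity 0-10
        common = {"name": body["name"], "host": body["ip"], "severity": body["risk"] // 10,
                  "timestamp": datetime.fromisoformat(body["time"])}
    else:
        raise ValueError(f"unknown alert source: {alert['src']}")
    common["source"] = alert["src"]
    common["original"] = body  # kept untouched so analysts can see the raw alert
    return common

def _incident(host, alerts):
    """Build an incident record; severity is the max, category lists the sources."""
    return {"host": host, "alert_count": len(alerts),
            "severity": max(a["severity"] for a in alerts),
            "category": ",".join(sorted({a["source"] for a in alerts})),
            "alerts": alerts}

def aggregate(alerts, window=timedelta(minutes=10)):
    """Assumed rule: consecutive alerts on the same host within `window` form one incident."""
    by_host = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["timestamp"]):
        by_host[a["host"]].append(a)
    incidents = []
    for host, group in by_host.items():
        current = [group[0]]
        for a in group[1:]:
            if a["timestamp"] - current[-1]["timestamp"] <= window:
                current.append(a)
            else:
                incidents.append(_incident(host, current))
                current = [a]
        incidents.append(_incident(host, current))
    return incidents
```

A real deployment would persist each incident and republish it to the message bus; this model only returns the incident list.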