
Respond Config: NetWitness Respond Configuration Overview

Document created by RSA Information Design and Development Employee on Sep 13, 2017. Last modified by RSA Information Design and Development Employee on Nov 11, 2020. Version 19.

NetWitness Respond consumes alert data from various sources via the Message Bus and displays these alerts on the NetWitness Platform user interface. The Respond Server service allows you to group the alerts logically and start a NetWitness Respond workflow to investigate and remediate the security issues raised. 

The Respond Server service consumes alerts from the message bus and normalizes the data to a common format (while retaining the original data) to enable simpler rule processing. It periodically runs rules to aggregate multiple alerts into an incident and set some attributes of the incident (for example, severity, category, and so on). The Respond Server service persists the incidents into MongoDB. Incidents are also posted onto the message bus for consumption by other systems (for example, Archer integration).
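The normalize-then-aggregate flow described above can be modeled in a short script. This is an added illustration, not RSA's code or the Respond Server's actual schema: the feed names, field names, grouping keys, severity mapping, and one-hour window are all assumptions, and the sample alerts are constructed.

```python
# Added illustration: feed names, field names, grouping keys and the window are assumptions.
RAW_ALERTS = [  # constructed sample alerts from two hypothetical sources
    {"feed": "feed_a", "rule": "Brute force", "sev": 70, "src_ip": "10.0.0.5", "ts": 100},
    {"feed": "feed_a", "rule": "Brute force", "sev": 90, "src_ip": "10.0.0.5", "ts": 160},
    {"feed": "feed_b", "title": "Suspicious process", "risk": "high", "host": "10.0.0.9", "when": 130},
    {"feed": "feed_a", "rule": "Brute force", "sev": 50, "src_ip": "10.0.0.5", "ts": 5000},
]
RISK_TO_SEVERITY = {"low": 30, "medium": 60, "high": 90}  # hypothetical mapping


def normalize(raw):
    """Map a source-specific alert to one common format, retaining the original."""
    if raw["feed"] == "feed_a":
        common = {"name": raw["rule"], "severity": raw["sev"],
                  "entity": raw["src_ip"], "time": raw["ts"]}
    elif raw["feed"] == "feed_b":
        common = {"name": raw["title"], "severity": RISK_TO_SEVERITY[raw["risk"]],
                  "entity": raw["host"], "time": raw["when"]}
    else:
        raise ValueError(f"no normalizer for feed {raw['feed']!r}")
    common["original"] = dict(raw)  # keep the untouched source record
    return common


def aggregate(alerts, group_by=("name", "entity"), window=3600, category="Uncategorized"):
    """One rule run: group alerts sharing group_by values within window seconds."""
    incidents, open_by_key = [], {}
    for alert in sorted(alerts, key=lambda a: a["time"]):
        key = tuple(alert[f] for f in group_by)
        incident = open_by_key.get(key)
        if incident is None or alert["time"] - incident["first_seen"] > window:
            incident = {"key": key, "first_seen": alert["time"], "alerts": [],
                        "severity": 0, "category": category}
            open_by_key[key] = incident
            incidents.append(incident)
        incident["alerts"].append(alert)
        # The rule sets incident attributes; here severity is the highest alert severity.
        incident["severity"] = max(incident["severity"], alert["severity"])
    return incidents


def run():
    return aggregate([normalize(raw) for raw in RAW_ALERTS])


if __name__ == "__main__":
    for inc in run():
        print(inc["key"], len(inc["alerts"]), inc["severity"], inc["category"])
```

Because rules operate only on the common fields, a new alert source needs a normalizer but no rule changes, and the retained `original` record stays available to the analyst during investigation.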

Note: NetWitness Respond requires an ESA primary server that contains the MongoDB. Alerts, Incidents, and Task records are persisted into this MongoDB by the Respond Server.

The following diagram illustrates the high-level flow of alerts.

Figure: High-level Alert Data Flow Diagram

You must configure the various sources from which the Respond Server service collects and aggregates alerts.
