SA Cfg: Add Custom Context Menu Actions

Document created by RSA Information Design and Development on Sep 14, 2017. Last modified by RSA Information Design and Development on Sep 12, 2018.
Version 13

In the Context Menu Actions panel, the Data Privacy Officer, Administrator, Analyst, and SOC Manager can view, add, edit, delete, import, and export context menu actions for the current instance of NetWitness Platform. Each context menu action applies to a specific context in the NetWitness Platform user interface and appears as an option when you right-click a specific location in the user interface.

Note: All the context menu actions available in Events in NetWitness Suite 11.1 are also now available under Event Analysis in NetWitness Platform 11.2.

If you want to create a custom variation of a built-in context menu action, you can copy its configuration to a new context menu action and modify the custom action. To copy, switch to the Advanced view, open the action, and copy the JSON configuration; then create a new action or edit an existing one and paste the configuration. A context menu action is defined by:

  • Action: The title of the action in the context menu.
  • Component: The NetWitness Platform module in which the context menu is available.
  • Meta key: The content to which the action applies.
  • Definition: The definition of the action.

Note: All context menu actions created before you upgrade to 11.2 will function as configured.

This is an example of a custom context menu action; the steps to create this example are provided as a procedure below.
[Figure: steps to create CSS code]

View Context Menu Actions in NetWitness Platform

To view the existing context menu actions in NetWitness Platform, both default and custom:

  1. Go to ADMIN > System.
  2. In the options panel, select Context Menu Actions.
    All the new actions which were available in NetWitness Suite 11.1 in the Investigate > Event Analysis tab can now be configured using the context menu actions. Details of the information in the Context Menu Action panel are provided in Context Menu Actions Panel.

Add a Context Menu Action

To add a context menu action in NetWitness Platform:

  1. In the toolbar, click the add icon.
    The Context Menu Action Configuration dialog is displayed.

Fill in the required fields:

  1. Enable: Select Enable to enable this context menu action.
  2. Name: Enter the name of the context menu action.
  3. Description: Enter a description of the context menu action.
  4. Group Name: Select the group name from the drop-down menu. The action appears under this group in the context menu.
  5. Component(s): The name of the component under which the action appears in the user interface. For example, under Investigate, the context menu action can appear under Investigate-Navigate, Investigate-Events, Investigate-Event Recon, and Investigate-Event Analysis.
  6. Meta Key: Enter the meta keys, separated by commas, to further narrow the scope of the context menu action. The action appears on these meta keys. Context menu actions have to be defined specifically for each meta key; the key references in a meta key do not inherit its context menu actions. For example, a context menu action created for ip.all will not be created for ip.src as well. A separate action has to be created for the sub-category or key reference of a meta key.
  7. Open in New Tab: Select this option to open the context menu action in a new tab.
  8. Definition: Enter the further action performed for this context menu action. For example, open a certain user interface or navigate to an external URL.
  9. You can also type the CSS code to define the context menu action. The example procedure at the end of this topic provides step-by-step instructions that you can use to create a useful context menu action. Click Switch to Advance View to add the context menu action.
    [Figure: Context Menu Configuration dialog box]
  10. Click OK.
    The new context menu action is created and added at the end of the list of context menu actions.
  11. The context menu action becomes available in the configured location.

Edit a Context Action

To edit a context action:

  1. Select the row in the grid and either double-click the row or click the edit icon.
    The Context Menu Configuration dialog is displayed.
    [Figure: Context Menu Configuration dialog box]
  2. Edit the configuration.
  3. To save the changes, click OK.

Delete a Context Action

To remove a context menu action from NetWitness Platform entirely:

  1. Select the action.
  2. Click the delete icon.
    A dialog requests confirmation that you want to delete the context menu action.
  3. Click Yes.
    The option is removed from the Context Menu Actions panel.

Export Context Menu Actions

You can export context menu actions to a zip file. The zip file contains JSON files, with each JSON file mapping to one context menu action. To export context menu actions, follow these steps:

  1. Go to Admin > System.
  2. Click Context Menu Actions.
  3. Click to select a context menu action to export. Click the header to select ALL the context menu actions.
  4. Click Export Action(s) under Context Menu Actions.
  5. The success message confirming the actions uploaded successfully is displayed.

Import Context Menu Actions

You can import context menu actions in the Context Menu Actions tab. These actions can then be edited or used as is for investigating context where applicable. Follow these steps to import context menu actions:

  1. Go to Admin > System.
  2. Click Context Menu Actions.
  3. Click Import Action(s) under Context Menu Actions.
  4. In Import Action(s), click Browse to locate and select the file. The zip file typically contains the JSON files of context menu actions exported previously.
  5. Select the zip file and click Open.
  6. Click Import.

Note: There is no validation for an action for Event Analysis with a JavaScript function.

  7. The success message confirming the actions uploaded successfully is displayed.

Note: If an error message is displayed, check the log files and try importing the context menu actions file again.
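
A pre-import review of an exported zip, as an added example (not NetWitness code): because the zip holds one JSON file per action and, per the note above, an action with a JavaScript function is not validated, the script lists findings for each file so they can be read before you click Import. It assumes the field names in this page's sample action; the SCRIPT_HINTS strings and the sample file contents are constructed for illustration.

```python
import io
import json
import zipfile
from urllib.parse import urlsplit

# "type" value and field names come from this page's sample action.
URL_ACTION = "UAP.common.contextmenu.actions.URLContextAction"
# Assumption: what embedded script would look like inside an action file.
SCRIPT_HINTS = ("function", "javascript:", "<script")

def review_action(action):
    """Return review findings for one parsed context menu action (a dict)."""
    findings = []
    if action.get("type") != URL_ACTION:
        findings.append("type differs from the page's URL action")
    parts = urlsplit(str(action.get("urlFormat", "")))
    if parts.scheme or parts.netloc:
        findings.append("urlFormat points outside the NetWitness UI")
    blob = json.dumps(action).lower()
    if any(hint in blob for hint in SCRIPT_HINTS):
        findings.append("script-like text, review by hand")
    return findings

def review_zip(data):
    """Map each member of an export zip (given as bytes) to its findings."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            try:
                report[name] = review_action(json.loads(zf.read(name)))
            except (ValueError, AttributeError):  # bad JSON or not an object
                report[name] = ["unparseable, review by hand"]
    return report

def sample_zip():
    """Constructed export: one action like the page's sample, one suspicious."""
    ok = {"type": URL_ACTION,
          "urlFormat": "/investigation/4/navigate/query/ip.dst%3d'{0}'"}
    bad = {"type": URL_ACTION, "urlFormat": "https://lookup.example/?q={0}",
           "description": "function(x){return x}"}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ok.json", json.dumps(ok))
        zf.writestr("bad.json", json.dumps(bad))
    return buf.getvalue()

if __name__ == "__main__":
    for member, findings in review_zip(sample_zip()).items():
        print(member, findings or "no findings")
```

An external urlFormat is a finding to confirm rather than an error, since the Definition field allows navigating to an external URL.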

Example Procedure: Context Menu Action to Investigate ip.dst from alias.ip

This example adds a context menu action that allows analysts to pivot from the alias.ip values (the IP addresses returned from a DNS request) to the ip.dst meta key. It helps analysts to locate any detected traffic to the IP address that was returned for a DNS query.

To implement the context menu action:

  1. Determine the unique identifier for your NetWitness Server as follows:
    1. Log on to NetWitness Platform. In the main menu, select INVESTIGATE > Navigate, choose a service (for example, a Concentrator) to investigate, and wait for the values to load.
    2. In the URL, locate the number after investigation. In this example, the unique identifier for the action is 4. You need this unique identifier to add to the context menu action.
  2. In the toolbar, click the add icon.
    The Context Menu Configuration dialog is displayed.

  3. Copy the entire sample code block below and paste it in the window.
     {
       "displayName": "[Investigate IP from DNS Response]",
       "cssClasses": [ "alias-ip", "alias.ip" ],
       "description": "Update your NW server and ID",
       "type": "UAP.common.contextmenu.actions.URLContextAction",
       "version": "Custom",
       "modules": [ "investigation" ],
       "local": "false",
       "groupName": "investigationGroup",
       "urlFormat": "/investigation/<insert_unique_identifier_here>/navigate/query/ip.dst%3d'{0}'",
       "disabled": "",
       "id": "NavigateHost",
       "moduleClasses": [
         "UAP.investigation.navigate.view.NavigationPanel",
         "UAP.investigation.events.view.EventGrid"
       ],
       "openInNewTab": "true"
     }
  4. In the urlFormat line, replace <insert_unique_identifier_here> with your unique identifier.
    The URL should look like this:
    "/investigation/4/navigate/query/ip.dst%3d'{0}'"
  5. Click OK, and restart your browser.
  6. To test the action, open an investigation in the Navigate view and right-click on the meta key alias.ip.
    The context menu with the Investigation option should look like the following figure.
  7. The action should produce a pivot like this.
  8. If you are using this example for DNS traffic investigation, you may want to consider creating a meta group specific to DNS traffic as described in "Manage User-Defined Meta Groups" in the Investigation and Malware Analysis Guide.