SA Cfg: Add Custom Context Menu Actions

Document created by RSA Information Design and Development on Sep 14, 2017Last modified by RSA Information Design and Development on Oct 13, 2017
Version 8Show Document
  • View in full screen mode
  

In the Context Menu Actions panel, administrators can view, add, and edit context menu actions for the current instance of NetWitness Suite. Each context menu action applies to a specific context in the NetWitness Suite user interface, and appears as an option when you right-click a specific location in the user interface.

Some context menu actions are built into NetWitness Suite; you cannot edit or delete any of the default context menu actions. You can create and edit custom context menu actions. If you want to create a custom variation of a built-in context menu action, you can copy the configuration to a new context menu action and modify the custom context menu action. A context menu action is defined by cascading style sheet (CSS) code that defines:

  • The title of the option in the context menu.
  • The NetWitness Suite module in which the context menu is available.
  • The content to which the action applies.

This is an example of a custom context menu action; the steps and CSS code to create this example are provided as an example procedure below.
steps to create CSS code

View Context Menu Actions in NetWitness Suite

To view existing context actions in NetWitness Suite both default and custom:

  1. Go to ADMIN > System.
  2. In the options panel, select Context Menu Actions.

    Details of the information in the Context Menu Action panel are provided in Context Menu Actions Panel.

Add a Context Menu Action

To add a context menu action in NetWitness Suite:

  1. In the toolbar, click .
    The Context Menu Configuration dialog is displayed.
  2. Type the CSS code to define the context menu action. The example procedure at the end of this topic provides step-by-step instructions that you can use to create a useful context menu action.
    Context menu Configuration dialog box
  3. Click OK.
    The new context menu action is created and added at the end of the list of context menu actions.
  4. To activate the new context menu action, restart the browser.
    The context menu action becomes available in the configured location.

Edit a Context Action

To edit a context action:

  1. Select the row in the grid and either double-click the row or click .
    The Context Menu Configuration Dialog is displayed.
    Context menu configuration dialog box
  2. Edit the Configuration.
  3. To save the changes, click OK.
  4. To use the updated action, restart the browser.

Delete a Context Action

To remove a context menu action from NetWitness Suite entirely:

  1. Select the action.
  2. Click .
    A dialog requests confirmation that you want to delete the context menu action.
  3. Click Yes.
    The option is removed from the Context Menu Actions panel.
  4. Restart the browser to remove the action from the context menus in which it appeared.

Example Procedure: Context Menu Action to Investigate ip.dst from alias.ip

This example adds a context menu action that allows analysts to pivot from the alias.ip values (the IP addresses returned from a DNS request) to the ip.dst meta key. It helps analysts to locate any detected traffic to the IP address that was returned for a DNS query.

To implement the context menu action:

  1. Determine the unique identifier for your NetWitness Server as follows:
    1. Log onto NetWitness Suite, in the main menu, select Investigation > Navigate, choose a service (for example, a Concentrator) to investigate, and wait for the values to load.
    2. Look for the URL and locate the number after investigation. In this example, the unique identifier for the action is 4. You need this unique identifier to add to the context menu action.
  2. In the toolbar, click .
    The Context Menu Configuration dialog is displayed.

  3. Copy the entire sample code block below and paste it in the window.
     { "displayName": "[Investigate IP from DNS Response]", "cssClasses": [ "alias-ip", "alias.ip" ], "description": "Update your NW server and ID", "type": "UAP.common.contextmenu.actions.URLContextAction", "version": "Custom", "modules": [ "investigation" ], "local": "false", "groupName": "investigationGroup", "urlFormat": "/investigation/<insert_unique_identifier_here>/navigate/query/ip.dst%3d'{0}'", "disabled": "", "id": "NavigateHost", "moduleClasses": [ "UAP.investigation.navigate.view.NavigationPanel", "UAP.investigation.events.view.EventGrid" ], "openInNewTab": "true" } 
  4. In the urlFormat line replace <insert-unique_identifier_here> with your unique identifier.
    The URL should look like this:
    "/investigation/4/navigate/query/ip.dst%3d'{0}'"
  5. Click OK, and restart your browser.
  6. To test the action, open an investigation in the Navigate view and right-click on the meta key alias.ip.
    The context menu with the Investigation option should look like the following figure.
  7. Should produce a pivot like this.
  8. If you are using this example for DNS traffic investigation, you may want to consider creating a meta group specific to DNS traffic as described in "Manage User-Defined Meta Groups" in the Investigation and Malware Analysis Guide.
Previous Topic:AdditionalProcedures
You are here
Table of Contents > AdditionalProcedures > Add Custom Context Menu Actions

Attachments

    Outcomes