Getting tired of trying to ctrl+c, alt+tab, click, ctrl+v to copy a value from RSA NetWitness to another system to see if that indicator exists? There must be a faster way to accomplish this, right?
The first part of this two-part post covers pivoting from RSA NetWitness into Splunk; the second part will cover pivoting from Splunk back to RSA NetWitness.
Enter the context menu option of RSA NetWitness:
https://community.rsa.com/docs/DOC-55125
Let's say you have Splunk for log collection and RSA NetWitness for packet collection, and you want to pivot on a few pieces of metadata between the two so your analysts can move between the products without copy and paste.
Let's start with a single meta key.
In the Admin > System > Context Menu section, add the definition below to create a context menu option that pivots from RSA NetWitness (ip.dst) to Splunk (dst).
Change [splunk_server:port] to match your Splunk instance. The meta value is sent to Splunk in the URL of a new browser tab, so use https:// if your Splunk web interface supports it rather than the plain http:// shown here.
Save the edit, refresh the RSA NetWitness page and right-click the blue (meta) value of ip.dst. You will now see External > [Pivot to Splunk Logs - Destination IP], which takes you to the Splunk interface and searches for dst=[ip] over the last 30 days. (You can change the timeframe passed to Splunk by editing &earliest=-30d&latest=now.)
{
  "displayName": "[Pivot to Splunk Logs - Destination IP]",
  "cssClasses": [
    "ip-dst",
    "ip.dst"
  ],
  "description": "Splunk lookup Destination IP last 30 days",
  "type": "UAP.common.contextmenu.actions.URLContextAction",
  "version": "Custom",
  "modules": [
    "investigation"
  ],
  "local": "false",
  "groupName": "externalLookupGroup",
  "urlFormat": "http://[splunk_server:port]/en-US/app/search/search?q=search%20dst%3D{0}&earliest=-30d&latest=now",
  "disabled": "",
  "id": "SplunkLogLookupDstExt",
  "moduleClasses": [
    "UAP.investigation.navigate.view.NavigationPanel",
    "UAP.investigation.events.view.EventGrid"
  ],
  "openInNewTab": "true"
}
You could also create the following context menu entry to pivot from several meta keys into Splunk (ip.src, ip.dst, alias.host). This one puts no field name in the query, so Splunk searches the value as a bare term and matches it anywhere in the event rather than in one field. Note that the Splunk address is hard-coded here (192.168.1.250:8000); replace it with your own instance as above.
{
  "groupName": "externalLookupGroup",
  "openInNewTab": "true",
  "urlFormat": "http://192.168.1.250:8000/en-US/app/search/search?q=search%20{0}&earliest=-30d&latest=now",
  "moduleClasses": [
    "UAP.investigation.navigate.view.NavigationPanel",
    "UAP.investigation.events.view.EventGrid"
  ],
  "type": "UAP.common.contextmenu.actions.URLContextAction",
  "version": "Custom",
  "id": "SplunkLogLookupGeneral",
  "description": "Splunk search IP and Hostname",
  "local": "false",
  "displayName": "Pivot to Splunk Logs - General (IP and hostname)",
  "modules": [
    "investigation"
  ],
  "disabled": "",
  "cssClasses": [
    "ip-src",
    "ip-dst",
    "alias-host",
    "ip.src",
    "ip.dst",
    "alias.host"
  ]
}
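Before pasting a definition like the two above into Admin > System > Context Menu it is worth checking what Splunk will actually receive, and that the cssClasses do not contain a typo that silently leaves a meta key without a menu entry. The following script is an added example, not code from the original post or from RSA or Splunk. It reproduces the substitution that URLContextAction performs in the browser (the right-clicked meta value replaces {0} in urlFormat), but with the value wrapped in SPL double quotes and percent-encoded, so a hostname containing spaces, OR or = stays one search term instead of changing the query. How the NetWitness UI itself encodes the value is an assumption here; to get the quoting from the UI you would put %22{0}%22 around the placeholder in urlFormat. KNOWN_META, REQUIRED_FIELDS and the sample definition (which carries a deliberate typo, aliast.host) are constructed for the example.

```python
"""Build and lint RSA NetWitness -> Splunk context-menu pivots (added example)."""
import json
from urllib.parse import quote, parse_qs

# Meta keys the post builds pivots on; extend for your own deployment (assumption).
KNOWN_META = {"ip.src", "ip.dst", "alias.host"}

# Fields both definitions in the post carry; treated as required here (assumption).
REQUIRED_FIELDS = {"displayName", "cssClasses", "type", "urlFormat",
                   "id", "modules", "moduleClasses"}
URL_ACTION = "UAP.common.contextmenu.actions.URLContextAction"


def spl_quote(value):
    """Wrap a meta value in SPL double quotes, escaping backslash and quote,
    so Splunk treats it as one term even if it contains spaces or 'OR'."""
    return '"%s"' % str(value).replace("\\", "\\\\").replace('"', '\\"')


def build_pivot_url(url_format, value):
    """Substitute the meta value into {0}: SPL-quoted, then percent-encoded
    with nothing left 'safe', so neither the SPL query nor the URL query
    string (&earliest=..., &latest=...) can be altered by the value."""
    return url_format.replace("{0}", quote(spl_quote(value), safe=""))


def splunk_query(url):
    """Return (search string, earliest, latest) as Splunk will receive them."""
    params = parse_qs(url.split("?", 1)[1])
    return (params["q"][0],
            params.get("earliest", [None])[0],
            params.get("latest", [None])[0])


def lint_context_action(action):
    """Return a list of problems found in one context-menu definition (dict)."""
    problems = []
    missing = REQUIRED_FIELDS - set(action)
    if missing:
        problems.append("missing fields: %s" % sorted(missing))
    if action.get("type") != URL_ACTION:
        problems.append("type is not %s" % URL_ACTION)
    fmt = action.get("urlFormat", "")
    if "{0}" not in fmt:
        problems.append("urlFormat has no {0} placeholder, nothing will be pivoted")
    if fmt.startswith("http://"):
        problems.append("urlFormat uses plain http: meta values travel unencrypted")
    # The post lists every key twice, hyphenated and dotted ("ip-dst", "ip.dst");
    # requiring both forms catches a typo in either one.
    classes = set(action.get("cssClasses", []))
    dotted = {c for c in classes if "." in c}
    hyphenated = classes - dotted
    for key in sorted(dotted):
        if key not in KNOWN_META:
            problems.append("unknown meta key %r in cssClasses (typo?)" % key)
        if key.replace(".", "-") not in hyphenated:
            problems.append("%s has no hyphenated twin in cssClasses" % key)
    for cls in sorted(hyphenated):
        if cls.replace("-", ".") not in dotted:
            problems.append("%s has no dotted twin in cssClasses" % cls)
    return problems


def lint_json(text):
    """Lint a definition exactly as it would be pasted into the Context Menu page."""
    return lint_context_action(json.loads(text))


# Constructed definition in the shape of the post's "General" pivot, with a
# deliberate typo in the last cssClasses entry to show what the linter reports.
SAMPLE_GENERAL = {
    "displayName": "Pivot to Splunk Logs - General (IP and hostname)",
    "cssClasses": ["ip-src", "ip-dst", "alias-host", "ip.src", "ip.dst", "aliast.host"],
    "type": URL_ACTION,
    "version": "Custom",
    "modules": ["investigation"],
    "local": "false",
    "groupName": "externalLookupGroup",
    "urlFormat": "http://192.168.1.250:8000/en-US/app/search/search?q=search%20{0}&earliest=-30d&latest=now",
    "disabled": "",
    "id": "SplunkLogLookupGeneral",
    "moduleClasses": ["UAP.investigation.navigate.view.NavigationPanel",
                      "UAP.investigation.events.view.EventGrid"],
    "openInNewTab": "true",
}

if __name__ == "__main__":
    for problem in lint_json(json.dumps(SAMPLE_GENERAL)):
        print("lint:", problem)
    # An alias.host value that would otherwise widen the search stays one term.
    url = build_pivot_url(SAMPLE_GENERAL["urlFormat"], "host1 OR index=*")
    print(url)
    print(splunk_query(url))
```

Run it as a script to see the lint findings for the sample and the resulting Splunk query; point lint_json at your own pasted definition before saving it in the UI. The residual case the quoting cannot cover is a meta value containing a double quote, since the NetWitness UI, not this script, performs the real substitution.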