2014-01-06 09:42 AM
Hey,
In the live feed there are Custom Actions for the investigator, but they cannot be deployed anywhere on my system. Although I know how to make custom ones for websites, from using the ones currently in SA, I would like to use ones like NSLookup to make it faster for other analysts. Does anyone know either how to run a command using the current investigator actions, or if the current live resources will be updated?
2014-01-06 09:35 PM
The Investigator Custom Actions that are in RSA LIVE are for the legacy NetWitness Investigator client software, not for the Investigation module in SA.
2014-01-12 09:16 AM
Any chance we can write our own custom actions to call the nslookup function? The browser needs to open a command line...
2014-01-22 04:15 AM
I tried to write my own, and the custom actions even accepted the syntax; it is based on reverse engineering the current actions. But sadly it is not working.
Here is the sample code I did.
{
"groupName": "externalLookupGroup",
"openInNewTab": "true",
"moduleClasses": [
"UAP.investigation.InvestigationValuesApplication"
],
"type": "UAP.common.contextmenu.actions.URLContextAction",
"version": "1",
"id": "nslookup",
"order": "23",
"description": "",
"action": "cmd.exe /K nslookup ${VALUE}",
"local": "false",
"displayName": "knslookup",
"modules": [
"investigation"
],
"disabled": "",
"cssClasses": [
"ip.src"
]
}
2014-04-07 05:03 AM
I opened a support case but got no answer. They don't have a document on this either, more ccs related.
2014-04-07 05:21 AM
I had opened a support ticket for this, but they said they won't allow 3rd party applications to run, as that risks opening the way for code injection and malware.
2014-04-07 09:19 AM
I'm thinking of creating one web service which can do the nslookup,
just like mxtoolbox:
{
"groupName": "externalLookupGroup",
"openInNewTab": "true",
"urlFormat": "http://mxtoolbox.com/SuperTool.aspx?action=mx:{0}&run=toolpage",
"moduleClasses": [
"UAP.investigation.InvestigationValuesApplication",
"UAP.investigation.events.view.EventGrid"
],
"type": "UAP.common.contextmenu.actions.URLContextAction",
"version": "1",
"id": "mxtoolbox",
"order": "12",
"description": "",
"local": "false",
"displayName": "mxtoolbox",
"modules": [
"investigation"
],
"disabled": "",
"cssClasses": [
"ip-src",
"ip-dst",
"alias-host",
"ip.src",
"ip.dst",
"alias.host"
]
}
2014-04-07 10:54 PM
Let me know if it works; so far my efforts to do the same were futile.
2014-04-08 08:42 AM
Yes, it's working. You need to restart jettysrv in order for it to take effect.
2014-04-08 09:35 PM
I just refreshed the investigator page and it works.
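Added example, not part of the thread and not RSA code: a minimal lookup web service of the kind proposed above, which a URLContextAction could reach through a "urlFormat" such as http://<lookup-host>:8053/?q={0}. The host, port 8053, the "q" parameter and all function names are assumptions; the value is validated as an IP address or hostname and resolved through the resolver library, so no command line is ever built from it.

```python
import ipaddress
import re
import socket
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse, parse_qs

# RFC 1123 label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

def normalize_target(value):
    """Return ('ip', text) or ('host', text) for a safe lookup target, else None."""
    value = value.strip()
    try:
        return ("ip", str(ipaddress.ip_address(value)))
    except ValueError:
        pass
    name = value.rstrip(".")
    if 0 < len(name) <= 253 and all(_LABEL.fullmatch(l) for l in name.split(".")):
        return ("host", name.lower())
    return None  # spaces, ';', '&', quotes etc. never reach the resolver

def lookup(value, resolver=socket):
    """Resolve via library calls; no shell or nslookup process is started."""
    target = normalize_target(value)
    if target is None:
        return 400, "invalid lookup target\n"
    kind, name = target
    try:
        if kind == "ip":
            answer = resolver.gethostbyaddr(name)[0]  # reverse (PTR) lookup
        else:
            addrs = {ai[4][0] for ai in resolver.getaddrinfo(name, None)}
            answer = ", ".join(sorted(addrs))
    except OSError as exc:  # covers socket.herror and socket.gaierror
        return 200, f"{name}: lookup failed ({exc})\n"
    return 200, f"{name} -> {answer}\n"

class LookupHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        query = parse_qs(urlparse(self.path).query)
        status, body = lookup(query.get("q", [""])[0])
        self.send_response(status)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.end_headers()
        self.wfile.write(body.encode())

if __name__ == "__main__":
    # Loopback bind and port are assumptions; bind where analysts' browsers can reach it.
    HTTPServer(("127.0.0.1", 8053), LookupHandler).serve_forever()
```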