The Response Actions view (CONFIGURE > More > Response Actions) allows you to integrate the supported third-party tools or connectors with the NetWitness platform and perform the following actions.

  • Create and manage Response Actions for metas displayed in Respond, Investigate, Hosts, and Users views that support context highlights.

  • Perform Quick Actions on the applicable meta and post the meta with additional information to the connector for taking further actions.

Workflow

The following figure is a high-level workflow illustrating the tasks you can do in the NetWitness Response Actions view.

[Figure: Response Actions workflow]

What do you want to do?

| User Role | I want to ... | Show me how |
|---|---|---|
| Administrator | Create, edit, clone, enable, disable, delete, and view action history for Response Actions | Create and Manage Response Actions |
| Administrator | Filter Response Actions | See Response Actions Filters Panel in Quick Action History |
| Administrator | View and filter action history | Response Actions History View |

Quick Look

To access the Response Actions view, go to CONFIGURE > More > Response Actions.

[Figure: Response Actions view with numbered callouts]

1

Create: Allows you to create a new Response Action. This option is grayed out if you have not integrated any connector with the NetWitness platform. If a connector is integrated with the NetWitness Platform, you can select it from the drop-down list.

Edit: Allows you to edit the existing Response Action.

Clone: Allows you to clone the existing Response Action.

Enable: Allows you to enable an already disabled Response Action.

Disable: Allows you to disable the selected Response Action.

Delete: Allows you to delete the required Response Action.

2 View Action History: Allows you to view the history of the Response Actions.

3 Filter: Allows you to filter and view the required Response Actions in the Response Actions List view.

4 By default, 25 Response Actions are displayed per page. To go to the next page, click the next-page arrow. To go to the last page, click the last-page arrow.

Response Actions List View

The Response Actions List displays all the Response Actions configured in the NetWitness Platform. You can filter this list to view only the Response Actions of interest.

[Figure: Response Actions List view]

The following table describes the columns in the Response Actions List.

| Columns | Description |
|---|---|
| Name | Displays the name of all the Response Actions in the Response Actions List view. |
| Description | Displays the descriptions of the Response Actions. |
| Connector | Displays the name of the third-party tool for which the particular Response Action is configured. |
| Meta Keys | Displays the list of meta keys for which the Response Action is supported. |
| Status | Displays the current status of the Response Action. For example: Enabled and Disabled. |
| Last Updated | Displays the date and time when the Response Action was last updated. |
| Last Updated By | Displays the name of the user who last updated the Response Action. |

Response Actions Filters Panel

The following figure shows the filters available in the Response Actions Filters panel.

[Figure: Response Actions Filters panel]

You can filter the Response Actions based on the following parameters.

  • Response Action Name

  • Status of the Response Action

  • Supported Meta Keys

  • Last updated Date and Time

The following table lists all the fields displayed in the Response Actions List view Filters panel.

| Fields | Description |
|---|---|
| Name | Allows you to enter the name of the required Response Action. |
| Status | Allows you to filter the Response Action based on the status Enabled or Disabled. |
| Meta Keys | Allows you to filter the Response Action based on the meta keys supported. |
| Last Updated | Allows you to filter the Response Action based on the date and time when the action was last updated. |
| Reset | Removes your existing filters. |

Response Actions Overview panel

When you click any row in the Response Actions List, the Overview panel is displayed on the right side of the Response Actions List view. It shows basic summary information about the selected Response Action.

[Figure: Response Actions Overview panel]

The following table displays the fields and parameters associated with the Overview panel.

| Field Name | Description |
|---|---|
| Name | Displays the name of the Response Action executed. For example, Block IP. |
| Description | Displays a brief description of what the Response Action contains. |
| Connector | Displays the connector name associated with the Response Action executed. For example, ThreatConnect. |
| Connector API | Displays the connector API details associated with the Response Action executed. For example, block-host-threatconnect. |
| Status | Displays the status of the Response Action executed. For example, Enabled. |
| Meta Keys | Displays the supported Meta Key for which the particular Response Action was executed. For example, ip.src and mac_address. |
| Last Updated By | Displays the name of the user who last executed the Response Action. |
| Last Updated | Displays the date and time when the Response Action was last executed. For example, 12/19/2023 07:32:01 am. |
| IP-Meta | Displays the meta value on which the quick action is performed. |
| Additional IP | Displays the additional IP details. |

Response Actions History List view

When you execute Response Actions in the Quick Actions, the actions performed are recorded and the associated data is displayed in the Response Actions History view (CONFIGURE > More > Response Actions > View Action History > Response Actions History). This is a global view of all actions performed across all Response Actions.

The Response Actions History List displays the history of all the Response Actions executed in the NetWitness Platform.

[Figure: Response Actions History List view]

The following table describes the columns in the Response Actions History List view.

| Columns | Description |
|---|---|
| Executed On | Displays the date and time when the Response Action was last executed. For example: 12/11/2023 05:06am |
| Name | Displays the name of all the Response Actions executed. |
| Connector | Displays the name of the third-party tool for which the particular Response Action was executed. For example: ThreatConnect |
| Meta Key | Displays the list of meta keys for which the Response Action was executed. For example: ip.src |
| Meta Value | Displays the value of the meta key for which the Response Action was executed. For example: 10.125.237.89 |
| Status | Displays the status of the execution of the Response Action. For example: Success and Failed. |
| Executed By | Displays the name of the user who last executed the Response Action. |

Response Actions History Filters Panel

The following figure shows the filters available in the Response Actions History Filters panel.

[Figure: Response Actions History Filters panel]

You can filter the Response Actions based on the following parameters.

  • Response Action Name

  • Status of the Response Action

  • Supported Meta Keys

  • Last updated Date and Time

The following table lists all the fields displayed in the Response Actions List view Filters panel.

| Fields | Description |
|---|---|
| Name | Allows you to enter the name of the required Response Action. |
| Status | Allows you to filter the Response Action on the basis of the status. For example, you can select Enabled or Disabled status to filter the required Response Action. |
| Meta Keys | Allows you to filter the Response Action on the basis of the meta keys supported. |
| Last Updated | Allows you to filter the Response Action based on the date and time when the action was last updated. |
| Reset | Removes your existing filters. |

Response Actions History Overview panel

When you click any row in the Response Actions History List, the Overview panel is displayed on the right side of the Response Actions History view, which shows the basic summary information about the particular Response Action executed. The following fields and parameters are displayed in the Overview panel.

[Figure: Response Actions History Overview panel]

The following table lists all the fields displayed in the Response Actions History Overview panel.

| Field Name | Description |
|---|---|
| Name | Displays the name of the Response Action executed. For example, if you provided Block IP as the Response Action name while executing the Response Action, the same Block IP name will be displayed in the Name field in the Response Actions History Overview panel. |
| Connector | Displays the connector name associated with the Response Action executed. For example, ThreatConnect. |
| Meta Value | Displays the meta value associated with the Meta Key. For example, if the supported Meta Key is ip.src, the meta value will be displayed in the form of an IP address such as 10.125.246.29. |
| Meta Key | Displays the supported Meta Key for which the particular Response Action was executed. For example, ip.src and mac_address. |
| Status | Displays the status of the Response Action executed. For example, if the meta key and the additional parameters are forwarded to the connector successfully, the Status field displays Success. If the meta key and the additional parameters are not forwarded. |
| Executed By | Displays the name of the user who last executed the Response Action. |
| Executed On | Displays the date and time when the Response Action was last executed. For example, 12/19/2023 07:32:01 am. |
| Additional Parameters | Displays the Parameter Key and Parameter Label that are posted to the connector. For example, the Data Posted section in the Response Actions History Overview panel displays the meta keys and additional parameters posted to ThreatConnect. |
| Comment | Displays the comment provided during the execution of the Response Action. For example, Post the parameters and the meta key to ThreatConnect. |