(CONFIGURE) > More > Response Actions) allows you to integrate the supported third-party tools or connectors with the NetWitness platform and perform the following actions.
- Create and manage Response Actions for metas displayed in Respond, Investigate, Hosts, and Users views that support context highlights.
- Perform Quick Actions on the applicable meta and post the meta with additional information to the connector for taking further actions.
Workflow
The following figure is a high-level workflow illustrating the tasks you can do in the NetWitness Response Actions view.
What do you want to do?
User Role | I want to ... | Show me how |
---|---|---|
Administrator | Create, edit, clone, enable, disable, delete, and view action history for Response Actions | Create and Manage Response Actions |
Administrator | Filter Response Actions | See Response Actions Filters Panel in Quick Action History |
Administrator | View and filter action history | Response Actions History View |
Quick Look
To access the Response Actions view, go to (CONFIGURE) > More > Response Actions.
1 | Allows you to create a new Response Action. This option is grayed out if you have not integrated any connector with the NetWitness Platform. If a connector is integrated with the NetWitness Platform, you can select it from the drop-down list. Allows you to edit the existing Response Action. Allows you to clone the existing Response Action. Allows you to enable an already disabled Response Action. Allows you to disable the selected Response Action. Allows you to delete the required Response Action. |
2 | Allows you to view the history of the Response Actions. |
3 | Allows you to filter and view the required Response Actions in the Response Actions List view. |
4 | By default, 25 Response Actions are displayed per page. Use the paging icons to go to the next page or to the last page. |
Response Actions List View
The Response Actions List displays all the Response Actions configured in the NetWitness Platform. You can filter this list to view only the Response Actions of interest.
The following table describes the columns in the Response Actions List.
Columns | Description |
---|---|
Name | Displays the name of all the Response Actions in the Response Actions List view. |
Description | Displays the descriptions of the Response Actions. |
Connector | Displays the name of the third-party tool for which the particular Response Action is configured. |
Meta Keys | Displays the list of meta keys for which the Response Action is supported. |
Status | Displays the current status of the Response Action. For example, Enabled or Disabled. |
Last Updated | Displays the date and time when the Response Action was last updated. |
Last Updated By | Displays the name of the user who last updated the Response Action. |
Response Actions Filters Panel
The following figure shows the filters available in the Response Actions Filters panel.
You can filter the Response Actions based on the following parameters.
- Response Action Name
- Status of the Response Action
- Supported Meta Keys
- Last updated Date and Time
The following table lists all the fields displayed in the Response Actions List view Filters panel.
Fields | Description |
---|---|
Name | Allows you to enter the name of the required Response Action. |
Status | Allows you to filter the Response Action based on the status Enabled or Disabled. |
Meta Keys | Allows you to filter the Response Action based on the meta keys supported. |
Last Updated | Allows you to filter the Response Action based on the date and time when the action was last updated. |
Reset | Removes your existing filters. |
Response Actions Overview panel
When you click any row in the Response Actions List, the Overview panel is displayed on the right side of the Response Actions List view, which shows the basic summary information about the particular Response Action.
The following table displays the fields and parameters associated with the Overview panel.
Field Name | Description |
---|---|
Name | Displays the name of the Response Action executed. For example, Block IP. |
Description | Displays a brief description of what the response action contains. |
Connector | Displays the connector name associated with the Response Action executed. For example, ThreatConnect. |
Connector API | Displays the connector API details associated with the Response Action executed. For example, block-host-threatconnect. |
Status | Displays the status of the Response Action executed. For example, Enabled. |
Meta Keys | Displays the supported Meta Key for which the particular Response Action was executed. For example, ip.src and mac_address. |
Last Updated By | Displays the name of the user who last executed the Response Action. |
Last Updated | Displays the date and time when the Response Action was last executed. For example, 12/19/2023 07:32:01 am. |
IP-Meta | Displays the meta value on which the quick action is performed. |
Additional IP | Displays the additional IP details. |
Response Actions History List view
When you execute Response Actions from Quick Actions, the actions performed are recorded and the associated data is displayed in the Response Actions History view ((CONFIGURE) > More > Response Actions > View Action History > Response Actions History). This is a global view of all actions performed across all Response Actions.
The Response Actions History List displays the history of all the Response Actions executed in the NetWitness Platform.
The following table describes the columns in the Response Actions History List view.
Columns | Description |
---|---|
Executed On | Displays the date and time when the Response Action was last executed. For example: 12/11/2023 05:06am |
Name | Displays the name of all the Response Actions executed. |
Connector | Displays the name of the third-party tool for which the particular Response Action was executed. For example: ThreatConnect |
Meta Key | Displays the list of meta keys for which the Response Action was executed. For example: ip.src |
Meta Value | Displays the value of the meta key for which the Response Action was executed. For example: 10.125.237.89 |
Status | Displays the execution status of the Response Action. For example: Success or Failed. |
Executed By | Displays the name of the user who last executed the Response Action. |
Response Actions History Filters Panel
The following figure shows the filters available in the Response Actions History Filters panel.
You can filter the Response Actions based on the following parameters.
- Response Action Name
- Status of the Response Action
- Supported Meta Keys
- Last updated Date and Time
The following table lists all the fields displayed in the Response Actions List view Filters panel.
Fields | Description |
---|---|
Name | Allows you to enter the name of the required Response Action. |
Status | Allows you to filter the Response Action on the basis of the status. For example, you can select Enabled or Disabled status to filter the required Response Action. |
Meta Keys | Allows you to filter the Response Action on the basis of the meta keys supported. |
Last Updated | Allows you to filter the Response Action based on the date and time when the action was last updated. |
Reset | Removes your existing filters. |
Response Actions History Overview panel
When you click any row in the Response Actions History List, the Overview panel is displayed on the right side of the Response Actions History view, which shows the basic summary information about the particular Response Action executed.
The following table lists all the fields displayed in the Response Actions History Overview panel.
Field Name | Description |
---|---|
Name | Displays the name of the Response Action executed. For example, if you provided Block IP as the Response Action name while executing the Response Action, the same Block IP name is displayed in the Name field in the Response Actions History Overview panel. |
Connector | Displays the connector name associated with the Response Action executed. For example, ThreatConnect. |
Meta Value | Displays the meta value associated with the Meta Key. For example, if the supported Meta Key is ip.src, the meta value is displayed in the form of an IP address such as 10.125.246.29. |
Meta Key | Displays the supported Meta Key for which the particular Response Action was executed. For example, ip.src and mac_address. |
Status | Displays the status of the Response Action executed. For example, if the meta key and the additional parameters are forwarded to the connector successfully, the Status field displays Success. If the meta key and the additional parameters are not forwarded. |
Executed By | Displays the name of the user who last executed the Response Action. |
Executed On | Displays the date and time when the Response Action was last executed. For example, 12/19/2023 07:32:01 am. |
Additional Parameters | Displays the Parameter Key and Parameter Label that are posted to the connector. For example, the Data Posted section in the Response Actions History Overview panel displays the meta keys and additional parameters posted to ThreatConnect. |
Comment | Displays the comment provided during the execution of the Response Action. For example, Post the parameters and the meta key to ThreatConnect. |