The Response Actions view ((CONFIGURE) > More > Response Actions) allows you to integrate supported third-party tools or connectors with the NetWitness Platform and perform the following actions:

  • Create and manage Response Actions for metas displayed in Respond, Investigate, Hosts, and Users views that support context highlights.

  • Perform Quick Actions on the applicable meta and post the meta with additional information to the connector for taking further actions.


NetWitness Platform 12.5 includes four out-of-the-box (OOTB) actions. CrowdStrike has two OOTB actions:

  • Contain host: This response action allows you to isolate the host.
  • Lift Containment on host: This response action allows you to unisolate the host.

ThreatConnect has two OOTB actions:

  • Contain host on Crowdstrike: This response action allows you to isolate the host.
  • Lift Containment of host on Crowdstrike: This response action allows you to unisolate the host.

Note: You cannot create, clone, or delete any of the out-of-the-box Response Actions created by default. You can only edit, disable, and enable them.

For more information on how to create and manage the Response Actions, see Create and Manage Response Actions. For more information on how to add parameters and post the parameters with meta to the connector, see Response Actions and Quick Actions Use Case Examples.

RBAC Permissions for Response Actions

  • You can view the Response Actions configured in the Response Actions view only if you have the response-actions-server.actiondefinition.read permission.

  • You must have the response-actions-server.actiondefinition.manage permission to create, edit, clone, delete, enable, and disable Response Actions.

  • You must have the response-actions-server.history.read permission to view the Response Action history.

  • You must have the response-actions-server.actiondefinition.execute permission to execute any Response Actions.

For more information, see the How Role-Based Access Control Works topic in the System Security and User Management Guide for 12.4.

Workflow

The following figure shows the high-level NetWitness Response Actions workflow process.

[Figure: NetWitness Response Actions workflow flowchart]

For more information on the workflow, see Response Actions and Quick Actions Use Case Examples.

Response Actions Server

In version 12.4, a new service, Response Actions Server, is introduced in the (Admin) > Hosts view to integrate third-party tools with the NetWitness Platform.
