Add Custom Context Menu Actions

In the Context Menu Actions panel, Data Privacy Officer, Administrator, Analyst, and SOC Manager can view, add, edit, delete, import, and export context menu actions for the current instance of NetWitness. Each context menu action applies to a specific context in the NetWitness user interface, and appears as an option when you right-click a specific location in the user interface.

If you want to create a custom variation of a built-in context menu action, you can copy its configuration to a new context menu action and modify the copy. To copy, switch to the Advanced view, open the action, and copy its JSON configuration; then create a new action (or edit an existing one) and paste the configuration. A context menu action is defined by:

  • Action: The title of the action in the context menu.
  • Component: The NetWitness module in which the context menu is available.
  • Meta key: The content to which the action applies.
  • Definition: The definition of the action.

Note: All context menu actions created before you upgrade to 11.3 continue to function as configured.

This topic includes an example of a custom context menu action; the steps to create it are provided as a procedure below.

View Context Menu Actions in NetWitness

To view existing context actions in NetWitness, both default and custom:

  1. Go to Admin > System.

  2. In the options panel, select Context Menu Actions.
    All the new actions which were available in NetWitness Suite 11.1 in the Investigate > Events tab can now be configured using the context menu actions. Details of the information in the Context Menu Action panel are provided in Context Menu Actions Panel.

Add a Context Menu Action

To add a context menu action in NetWitness:

  1. In the toolbar, click the Add icon.
    The Context Menu Action Configuration dialog is displayed.
  2. Fill the required fields:
      • Enable: Select Enable to enable this context menu action.
      • Name: Enter the name of the context menu action.
      • Description: Enter a description of the context menu action.
      • Group Name: Select the group name from the drop-down menu. The action appears under this group in the context menu.
      • Component: The name of the component under which the action will appear in the user interface. For example, under Investigate, the context menu action can appear under Investigate-Navigate, Investigate-Legacy Events, Investigate-Event Recon, and Investigate-Events.
        Note: The Investigate-Legacy Events option and related data are displayed only if the Enable Legacy Events checkbox is enabled under Admin > System > Investigation > Legacy Events.
      • Meta Key: Enter the meta keys, separated by commas, to further narrow the scope of the context menu action. The action appears on these meta keys. Context menu actions have to be defined specifically for each meta key; the key references in a meta key do not inherit context menu actions. For example, a context menu action created for ip.all is not also created for ip.src. A separate action has to be created for each sub-category or key reference of a meta key.
      • Open in New Tab: Select this option to open the context menu action in a new tab.
      • Definition: Enter the action performed by this context menu action. For example, open a certain user interface or navigate to an external URL.
  3. You can also type the CSS code to define the context menu action. The example procedure at the end of this topic provides step-by-step instructions that you can use to create a useful context menu action. Click Switch to Advance View to add the context menu action.
  4. Click OK.
    The new context menu action is created and added at the end of the list of context menu actions.
    The context menu action becomes available in the configured location.

Edit a Context Action

To edit a context action:

  1. Select the row in the grid and either double-click the row or click the Edit icon.
    The Context Menu Action Configuration dialog is displayed.
  2. Edit the Configuration.
  3. To save the changes, click OK.

Delete a Context Action

To remove a context menu action from NetWitness entirely:

  1. Select the action.
  2. Click the Delete icon.
    A dialog requests confirmation that you want to delete the context menu action.
  3. Click Yes.
    The option is removed from the Context Menu Actions panel.

Export Context Menu Actions

You can export context menu actions to a zip file. The zip file contains JSON files, with each JSON file mapping to a context menu action. To export context menu actions, follow these steps:

  1. Go to Admin > System.
  2. Click Context Menu Actions.
  3. Click to select a context menu action to export. Click the header to select all the context menu actions.
  4. Click Export Action(s) under Context Menu Actions.
  5. A success message confirming that the actions were uploaded successfully is displayed.

Import Context Menu Actions

You can import context actions in the Context Menu Actions tab. These actions can then be edited or used as is for investigating context where applicable. Follow these steps to import context menu actions:

  1. Go to Admin > System.
  2. Click Context Menu Actions.
  3. Click Import Action under Context Menu Actions.
  4. In Import Action, click Browse to locate and select the file. The zip file typically contains the JSON files containing context menu actions exported previously.
  5. Select the zip file and click Open.
  6. Click Import.

    Note: There is no validation for an action for Events with a JavaScript function.

  7. A success message confirming that the actions were uploaded successfully is displayed.

Note: If an error message is displayed, check the log files and try importing the context menu actions file again.

Example Procedure: Context Menu Action to Investigate ip.dst from alias.ip

This example adds a context menu action that allows analysts to pivot from the alias.ip values (the IP addresses returned from a DNS request) to the ip.dst meta key. It helps analysts to locate any detected traffic to the IP address that was returned for a DNS query.

To implement the context menu action:

  1. Determine the unique identifier for your NetWitness Server as follows:
    1. Log on to NetWitness, go to Investigate > Navigate, choose a service (for example, a Concentrator) to investigate, and wait for the values to load.
    2. Look at the URL and locate the number after investigation. In this example, the unique identifier for the action is 4. You need this unique identifier to add to the context menu action.
  2. Go to Admin > System > Context Menu Actions.
    In the toolbar, click the Add icon.
    The Context Menu Action Configuration dialog is displayed.
  3. Copy the entire sample code block below and paste it in the window.
    {  
        "displayName": "[Investigate IP from DNS Response]",  
        "cssClasses": [  
            "alias-ip",  
            "alias.ip"  
        ],  
        "description": "Update your NW server and ID",  
        "type": "UAP.common.contextmenu.actions.URLContextAction",  
        "version": "Custom",  
        "modules": [  
            "investigation"  
        ],  
        "local": "false",  
        "groupName": "investigationGroup",  
        "urlFormat": "/investigation/<insert_unique_identifier_here>/navigate/query/ip.dst%3d'{0}'",  
        "disabled": "",  
        "id": "NavigateHost",  
        "moduleClasses": [  
            "UAP.investigation.navigate.view.NavigationPanel",  
            "UAP.investigation.events.view.EventGrid"  
        ],  
        "openInNewTab": "true"  
    } 
    
  4. In the urlFormat line, replace <insert_unique_identifier_here> with your unique identifier.
    The URL should look like this:
    "/investigation/4/navigate/query/ip.dst%3d'{0}'"
  5. Click OK, and restart your browser.
  6. To test the action, open an investigation in the Navigate view and right-click on the meta key alias.ip.
    The context menu should include the Investigation option.
  7. The action should produce a pivot on ip.dst for the selected alias.ip value.
  8. If you are using this example for DNS traffic investigation, you may want to consider creating a meta group specific to DNS traffic as described in "Manage User-Defined Meta Groups" in the NetWitness Investigate Guide.
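
Because the import step does not validate every action (see the note under Import Context Menu Actions), it helps to review an exported zip before importing it. The following is an added example, not NetWitness code: it assumes each JSON file in the zip uses the field names of the sample definition above and that {0} is the slot for the clicked meta value. The function names, sample file names, and lookup.example are hypothetical.

```python
import io
import json
import zipfile
from urllib.parse import urlsplit

# The only action type shown on this page; any other type goes to manual review.
URL_ACTION = "UAP.common.contextmenu.actions.URLContextAction"
PLACEHOLDER = "<insert_unique_identifier_here>"

def review_action(action):
    """Return findings for one action definition (field names from the page's sample)."""
    if not isinstance(action, dict) or action.get("type") != URL_ACTION:
        return ["not a URLContextAction: review the definition by hand"]
    findings = []
    url = str(action.get("urlFormat", ""))
    if PLACEHOLDER in url:
        findings.append("urlFormat still contains the unique-identifier placeholder")
    if "{0}" not in url:
        findings.append("urlFormat has no {0} slot for the clicked meta value")
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:
        findings.append("urlFormat is an absolute URL, confirm the destination: " + url)
    return findings

def review_zip(data):
    """Review every .json member of an exported-actions zip held in memory."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for name in archive.namelist():
            if name.lower().endswith(".json"):
                try:
                    report[name] = review_action(json.loads(archive.read(name)))
                except ValueError as exc:  # malformed JSON, bad encoding, or bad URL
                    report[name] = ["could not be parsed: %s" % exc]
    return report

def build_sample_zip():
    """Constructed sample export (assumed layout: one JSON file per action)."""
    base = {"type": URL_ACTION, "cssClasses": ["alias-ip", "alias.ip"]}
    nav = "/investigation/%s/navigate/query/ip.dst%%3d'{0}'"
    samples = {"ok.json": dict(base, urlFormat=nav % "4"),
               "template.json": dict(base, urlFormat=nav % PLACEHOLDER),
               "external.json": dict(base, urlFormat="https://lookup.example/ip/{0}"),
               "other.json": {"type": "Hypothetical.OtherAction"}}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, action in samples.items():
            archive.writestr(name, json.dumps(action))
    return buf.getvalue()
```

Call review_zip() with the bytes of the zip you intend to import; an empty list for a file means none of these checks fired, not that the action is safe.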