I found in a recent POC that a customer was unable to drill down against the Session ID of a NetWitness event. An existing ESM/Express ARB contains integration commands, which launch a script to start up the bundled NetWitness DirectLink tool, which in turn uses arguments from the integration command (e.g. Source IP address, Username, Session ID) to launch the NetWitness Investigator console directly into the relevant activity.
All of these worked, except one: it seems that some recent development in the NetWitness products since our integration was first built means that when NetWitness DirectLink is invoked from the ArcSight console to craft a URL for the Session ID, Investigator launches, but it does not drill down on the session; it just churns.
Now that Integration Commands are able to generate URLs with static and variable parameters themselves, it seems DirectLink may no longer be necessary. Hence, the attached ARB was created to craft an external URL that directly launches NetWitness Investigator. It seems to work.
Provisos for this are:
- Tested in only one environment.
- Does not obfuscate the password in the URL (I didn't get round to testing whether nw:// URLs would work with an obfuscated password).
- Parameters set for this particular customer.
Anyone who finds this useful is invited to create the other context drill-downs in the same way (e.g. Username, Source IP, Destination IP, etc.).