Integrating Third-Party Portals
You can reach other web services to view additional information about the alert data through dynamically created URLs by adding click-through navigation in the Alerts user interface. For example you can view third-party threat intelligence portals or corporate ticketing systems and directories. You can attach click-through navigation to a cell or a raw in the Alerts UI table.
-
Change the
isEnabled
property in/$METRON/web/alerts-ui/assets/context-menu.conf.json
file totrue
:{ isEnabled: true, config: { ...
-
To attach and configure a menu configuration to a column in the Alerts table, use
the field ID to target the particular column.
For example, to configure the "Whois Reputation Service" item for the context menu, add the following information:
{ isEnabled: true, config: { "host": [ { "label": "Whois Reputation Service", "urlPattern": "https://www.whois.com/whois/{}" } ], ...
Clicking on the item opens another browser tab and calls the URL in theurlPattern
config field.-
The
{}
at the end of theurlPattern
is a default placeholder. If you add any available alert property field at the end of theurlPattern
, the value of the host field replaces the default placeholder.For example:{ isEnabled: true, config: { "host": [ { "label": "Whois Reputation Service", "urlPattern": "https://www.whois.com/whois/{ip_src_addr}" } ], ...
-
You can also reference multiple fields and combine default and specific
placeholders:
{ isEnabled: true, config: { "host": [ { "label": "Whois Reputation Service", "urlPattern": "https://www.whois.com/whois/{}?srcip={ip_src_addr}&destip={ip_dest_addr}" } ], ...
-
You can also configure multiple menu items to a particular column:
{ isEnabled: true, config: { "ip_src_addr": [ { "label": "IP Investigation Notebook", "urlPattern": "http://zepellin.example.com:9000/notebook/someid?ip={ip_src_addr}" }, { "label": "IP Conversation Investigation", "urlPattern": "http://zepellin.example.com:9000/notebook/someid?ip_src_addr={ip_src_addr}&ip_dst_addr={ip_dst_addr}" } ], "host": [ { "label": "Whois Reputation Service", "urlPattern": "https://www.whois.com/whois/{}?srcip={ip_src_addr}&destip={ip_dest_addr}" } ], ...
-
The
-
To attach and configure a menu configuration to a row in the Alerts table, you can
configure for an alert or a meta alert.
To cofigure for an alert, use the keyword
alertEntry
. For a meta alert, use the keywordmetaAlertEntry
:{ isEnabled: true, config: { "alertEntry": [ { "label": "Internal ticketing system", "urlPattern": "http://mytickets.org/tickets/{id}" } ], "metaAlertEntry": [ { "label": "MetaAlert specific item", "urlPattern": "http://mytickets.org/tickets/{id}" } ], ...