
This article applies to:

• SIEM OE 5.9

• SIEM OE 5.7

• SIEM OE 5.5 and below

Question:

• I would like to link to a site from an alert

Procedure:

You can use advanced functionality in the Administration Console (AC) to achieve this result.

This procedure has the following main steps (detailed in the sections below):

• Enable User Context Menus

• Add a Message Viewer

• View Message Viewer output

• Add a rule to check that you are on an alert page

• Add a rule to check for an Event Id

• Add a Context

• Verify the new function and cleaning up

Enable User Context Menus

1. Log in to the AC with an account with administrator privileges.

2. On the SOC tier, expand the Configuration folder.

3. Expand the customer rules folder.

4. Click edit mode to enable this mode.

5. Click Enable/Disable Rule Extensions.

6. In the Local Rule Enable dialog, check the box labeled .

Copyright © 2013 Trustwave Holdings, Inc. All rights reserved. 1 Trustwave Knowledgebase Article Q15070 - April 1, 2013 8:59 AM

7. Click OK.

8. Under Customer Rules, click Context Menu.

9. Click the Operators tab on the lower left hand side of the AC.

Adding a message viewer

Adding a message viewer allows you to see what happens when you right-click on the event and what information is available to create rules using the associated key pairs.

This is a temporary step used to build the context menu function.

NOTE: For the context menus to function correctly you must have the message viewer in line with the flow of traffic. This differs from other functionality in the OE.

1. In the Actions box click Message Viewer


2. Double click in the graph and you should see a graph similar to the below.

Note: If the graph doesn't look exactly like this it may have been edited previously. You may want to check with the administrators of the system to verify that any changes you make will not break a previous customization. You can verify your location in the : soc:/local/soc/workflow/

3. Create a True Edge (line) to add the message viewer into the path of information:

a. Press and hold the CTRL key, then click and hold on the Message Viewer. Drag the true edge line to the Return Node, release the mouse, then release the CTRL key. (This action is referred to below as CTRL-drag.)

b. CTRL-drag the Root Node true edge line to the Message Viewer.

4. Now remove the True Edge (line) between the Root Node and Return Node. The resulting diagram should look like the image below.

You will now be able to see what information is being parsed to the context menu.

Viewing message viewer output

On the bottom of the console you will see three tabs; click the Message Viewer tab.

This will let you see what is going through the context menu.

You can use the Copy link from the bottom right hand corner to copy out the results as shown in the code block below.

Note: Some items have been removed for brevity


Debugger_url : /local/soc/workflow/message_viewer
------contextmenu
event_id win_sec-4957-ux-failure
obj.name 6270df50-4bbe-11e2-8a05-00e0813380ea
obj.style primaryalert
obj.url /alert/alertviews/primary/6270df50-4bbe-11e2-8a05-00e0813380ea
endcontextmenu

In the list of items above, the key pairs event_id and obj.url are the ones used in the following major steps of this procedure.

Adding a rule to check that you are on an alert page

This step is required because the system can only handle a request to search for an event ID if the page is an alert page.

1. Go back to the Context Menu under Customer Rules on the domain tab.

2. Click on the Operators tab on the lower left hand side of the AC.

3. In the Expressions box, click Regex.

4. Click in the graph window and you should see an additional :

5. Double click the Regular Expression icon, and enter the values as below. This expression will look for the word alertviews in the path given in obj.url.


Notes on the field values:

: Any name that is meaningful to you

• Key to search: The key pair to search in

• Regular Expression: The text (or regular expression pattern) to search for

• Assignment key: The key to assign the item to. In this case it is a dummy key

6. Press OK to close the window.

7. Remove the true edge line between the root node and Message Viewer.

8. CTRL-drag the root node true edge line to "Check for an alert type".

9. CTRL-drag the "Check for an alert type" true edge line to the Message Viewer.

10. Right click the true edge between alert type and Message Viewer, and select Set False Edge (the line will turn red).

Adding a rule to check for an Event Id

Go back to the Context Menu under Customer Rules on the domain tab.

1. Click the Operators tab on the lower left hand side of the AC console.

2. In the Expressions box, click Regex, then click in the graph in some blank space.

3. Double click on the Regular Expression and enter the values as below. This will look for the string "win_" in the key event_id.

4. Press OK to close the window.

5. CTRL-drag the "Check for an alert type" true edge line to "Check for an event id".

6. CTRL-drag the "Check for an event id" true edge line to the Message Viewer.

7. Right click the true edge between them and select Set False Edge (the line will turn red).

Adding a Context menu

Go back to the Context Menu under Customer Rules on the domain tab.

1. Click the Operators tab on the lower left hand side of the AC.

2. In the Actions box click URL Launch, then click in the graph in some blank space.

3. Double click URL Launch and enter text as below:

Notes on the field values:

• Label: Any meaningful name

• Menu Item text: The visible name of the Context Menu item

• URL to launch: The URL that opens when the Context Menu item is clicked, in this case http://support.microsoft.com/search/default.aspx?query=[web_ids_key]. Note that the key [web_ids_key] assigned by the last regex is substituted into the query to complete it.

4. Press OK to close the window.

5. CTRL-drag the "Check for an event id" true edge line to the "URL Launch".

6. CTRL-drag the "URL Launch" true edge line to the Message Viewer.
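The rule chain built in the steps above (alert page check, event id check, URL Launch) can be modelled outside the AC to reason about which alerts get the menu item and what URL they produce. This is an added illustration, not code from the article or from the SIEM OE product; it assumes that a Regex node copies the whole value of the searched key into its assignment key when the pattern matches, and it URL-encodes the substituted value so that characters in an event id cannot alter the query string.

```python
import re
from urllib.parse import quote_plus

# Constructed sample: the context-menu key pairs seen in the Message Viewer output.
SAMPLE_CONTEXT = """event_id win_sec-4957-ux-failure
obj.name 6270df50-4bbe-11e2-8a05-00e0813380ea
obj.style primaryalert
obj.url /alert/alertviews/primary/6270df50-4bbe-11e2-8a05-00e0813380ea"""

URL_TEMPLATE = "http://support.microsoft.com/search/default.aspx?query=[web_ids_key]"


def parse_context(dump):
    """Turn 'key value' lines from the Message Viewer into a dict."""
    ctx = {}
    for line in dump.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            ctx[parts[0]] = parts[1]
    return ctx


def regex_node(ctx, key_to_search, pattern, assignment_key):
    """One Regex operator: True edge if the pattern matches, False edge otherwise.
    Assumption: on a match the full value of the searched key is assigned
    (the article does not state whether only the matched text is copied)."""
    value = ctx.get(key_to_search, "")
    if re.search(pattern, value) is None:
        return False
    ctx[assignment_key] = value
    return True


def build_launch_url(ctx):
    """Walk the chain; None means a False edge was taken and no menu item appears."""
    if not regex_node(ctx, "obj.url", r"alertviews", "dummy_key"):
        return None          # not an alert page
    if not regex_node(ctx, "event_id", r"win_", "web_ids_key"):
        return None          # not a Windows event id
    # Encode the value before substituting it into the query string.
    return URL_TEMPLATE.replace("[web_ids_key]", quote_plus(ctx["web_ids_key"]))
```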

The result should be similar to the below:

Verifying the new function and cleaning up

In alerts, when you right click you will now see a new menu option:

Once you are happy with the results you will need to remove the message viewer and move the true and false edges to the return node. Your final result should resemble this:
