Whitelist Insight Alerts from Respond View

In NetWitness Platform version 12.4 and later, administrators and analysts can whitelist unwanted and recurring Insight alerts generated in the Respond > Alerts view. This enhancement allows administrators and analysts to select values such as IP Address and Asset Type and define a Whitelist condition to prevent unwanted alerts from being generated for these values.

For example, an administrator may choose to whitelist all alerts generated from a specific IP address or asset type that is known to be secure or non-malicious. Once the whitelist condition is configured correctly, these alerts will no longer be generated, thus reducing traffic on the Respond > Alerts view.

To whitelist an Insight alert from the Respond View

  1. Log in to the NetWitness Platform.

  2. Go to Respond > Alerts.

    The Alerts view is displayed.

  3. Select an Insight alert and click More Actions > Whitelist Alert.

Note

You can select only one alert at a time for whitelisting.

The Alert Whitelisting dialog for Insight is displayed.

  1. Enter the name of the Whitelist.

  2. Select the required values, such as IP Address, Asset Type, or a combination of both.

Note

A minimum of one value must be selected for the field.

  3. Specify the reason for whitelisting in the Comments section.

  4. Click Whitelist.

    The Confirm Alert Whitelisting confirmation dialog is displayed.

  5. Click Confirm Whitelist.

Note

  • Administrators can permanently delete existing alerts that match the whitelist condition by enabling the configuration in the Admin > Services > Respond Server > service action button > View > Explore view. By default, this configuration is disabled: the alert-cleanup-enabled parameter is set to false. To enable it, set the alert-cleanup-enabled parameter to true.
  • After you enable the configuration, any existing alerts that match the Whitelist condition are permanently deleted. Once deleted, the alerts for the selected values cannot be restored.

Manage the Whitelists

The Whitelist tab allows you to manage alerts you have chosen to whitelist. Both administrators and analysts can view, filter, and delete the whitelisted items from the Whitelist tab. Removing a whitelisted item will resume the generation of new matched alerts for previously excluded values, such as IP addresses or asset types, under the Respond > Alerts view.

Note

Deleting a selected Whitelist item will generate new matching alerts only for the selected values.

You can do the following operations with the Whitelist tab:

  • View whitelisted alerts: View a list of all the alerts you have whitelisted.

  • Delete whitelisted alerts: Remove specific alerts from the whitelist so that they are generated again. This can be helpful if you no longer need to exclude those alerts.

  • Filter whitelisted alerts: Quickly find specific whitelisted alerts by using the filtering options.

Important

  • Analysts must have one of the following permissions to view the Whitelists tab in the Respond view:

    • respond-server.alert.delete

    • respond-server.alert.read

    • respond-server.alert.manage

    • respond-server.alertrule.manage

    • respond-server.alertrule.read

  • Analysts must have the respond-server.alert.read permission to view Whitelists items in the Respond > Whitelists view and the respond-server.alert.manage permission to delete a Whitelists item.

To delete the whitelisted items

  1. Go to Respond > Whitelists.

    The Whitelists view is displayed.

  2. Select the Whitelist item and click Delete.

    A confirmation pop-up is displayed.

  3. Click Delete Whitelist.

    The Whitelist item is deleted.

For more information on the Whitelists tab, see the topic Whitelists List View in the NetWitness Respond User Guide for 12.4.
