This topic describes the procedure to create and configure custom lists for Context Hub. These lists are automatically considered as data sources for Context Hub.
To use the Context Hub service to fetch contextual information from meta types that support context lookup, you can create one or more lists and add relevant list values to the list. Make sure that you create meaningful list such as blacklisted IPs, whitelisted IPs, and so on. These custom lists may be populated with items either by importing CSV files or by adding meta values by using the option Add/Remove from List in Investigation views.
You can also import and export a list. For more information, see Import or Export Lists for Context Hub.
You can also create lists and add list values from Investigation views. For instructions, see the Manage Lists and List Values in Investigation topic in the Investigation and Malware Analysis Guide
Ensure that Context Hub is enabled and the service is added in Administration > Services view of Security Analytics.
To add a new list for Context Hub:
- In the Security Analytics menu, select Administration > Services.
- In the Services grid, select the Context Hub service and > View > Config.
The Services Config view of the selected Context Hub is displayed.
- Click the List tab.
The List tab consists of the Lists panel and List Values panel.
- Click on the Lists panel to add a new list and complete the following steps:
- In the List Name field, enter a unique name for the list.
- In the Description field, enter the description of the list.
- In the List Values panel, clickto add unique list values.
- To import a list, click on the Lists panel.
- To import list values for a list, click on the List Values panel.
For more information about importing list and list values, see Import or Export Lists for Context Hub.
- Click Save.
The list is saved with the values. These lists are considered as data sources for retrieving contextual information.
After completing the configuration, you can use the Context Lookup option in Investigate > Navigate view or Investigation > Events view to query and view contextual information. For instructions, see the View Additional Context for a Data Point topic in the Investigation and Malware Analysis Guide.