When conducting an investigation in the Navigate view or Events view, analysts can look up additional context information and intelligence for a meta value or data point from various configured sources, such as ESA.
An analyst with the Context Lookup permission can perform a context lookup from the Investigation views. An administrator must configure roles and permissions as described in "Role Permissions" and "Manage Users with Roles and Permissions" in the System Security and User Management Guide.
Before analysts can perform a context lookup, the administrator must:
- Add the Context Hub service in Security Analytics. (The Context Hub service is included in Security Analytics 10.6 and above.)
- Configure data sources for the Context Hub service as described in the Context Hub Configuration Guide.
View Additional Context using Context Lookup
To view the additional context for a data point from the Investigation views:
- While conducting an investigation or examining events in the Security Analytics menu, go to the Navigate view.
The Navigate view has the Values panel on the left and the Context Lookup panel on the right as shown below. The Context Lookup panel does not display any data until you perform a Context Lookup. Meta values that have associated context information are highlighted with a gray background.
- To view the type of context data that is available for a highlighted meta value, hover the mouse over a highlighted meta value.
An inline indicator shows which type of context data is available for the meta value: ECAT, Incidents, Alerts, or Lists.
- To view the Context Lookup data from the Values panel, right-click a highlighted meta value and select Context Lookup in the context menu.
The Context Lookup panel displays the lookup results based on the data available on the configured sources.
Note: The inline indicator for meta values is supported only in the Navigate view. For the Events view, you must perform an on-demand lookup against the meta values.
View Results from Context Lookup Panel
In the Context Lookup panel, you can view the lookup results and explore individual data for further investigation. For example, when you click on a particular Incidents value, the incident details are displayed in the Incident Management view.
For a detailed description of the information displayed on the Context Lookup panel, see Investigation - Context Lookup Panel.