Investigation - Context Lookup Panel

Document created by RSA Information Design and Development on Nov 23, 2016. Last modified by RSA Information Design and Development on Nov 29, 2016.
Version 2

After you configure the Context Hub service, the Context Lookup panel is available in the Navigate view and the Events view of the Investigation module. The first time you open this panel, it displays instructions for performing a Context Lookup. After that, the panel is minimized and can be expanded when required.

The Context Lookup panel does not display any data until you perform a Context Lookup on a meta value. Meta values that have associated context information are highlighted with a gray background. The lookup results for the selected meta value are displayed in the Context Lookup panel, grouped by configured source. Procedures related to this panel are described in View Additional Context for a Data Point.

To access this panel:

  1. In the Security Analytics menu, select Investigation > Navigate or Events.
  2. Right-click a meta value and select Context Lookup in the context menu.

    The Context Lookup panel displays the contextual information.

  3. In the Source Options bar, click the icon of the source whose contextual information you want to view.

The following figure is an example of the Lookup panel.

ConLkpPnl.png

Features

The Context Lookup Panel has the following controls and features:

Feature: Description

Source Options Bar (lookup-icons2.png)
  Displays the icons for the available sources: ECAT, Incidents, Alerts, and Lists.

Source Name
  Displays the source name based on the selected icon:
  • ECAT
  • INCIDENTS
  • ALERTS
  • LISTS

Sort
  Provides a drop-down of sort options for the listed context information. Possible sort options are Severity - High to Low, Severity - Low to High, Date - Oldest to Newest, and Date - Newest to Oldest. The sorting options vary by source type.

Refresh (ic-refresh2.png)
  Refreshes the lookup results.

n items (First n Results)
  The footer provides a count of the total number of results and the count of results currently displayed. For example, 50 Alerts (First 50 Alerts).

Lookup Results

The Context Lookup panel displays the following information when retrieving the context data from different configured sources:

Incidents

Incidents are displayed based on time first (Newest to Oldest) and then priority status. The following information is displayed for incident lookups:

  • Incident Name and ID
  • Priority status of the incidents
  • Risk Score value of the incidents
  • Date when the incident was created
  • Status of the incident
  • Assignee for the incident
  • Last Updated: Indicates when contextual data was last fetched from the data source and written to the cache.
  • Time window: Determined by the value set for the "Query Last" field in the Configure Incident Management Responses window; only incidents that fall within this window are shown. For details, see the Configure Incident Management Responses topic in the Context Hub Configuration Guide.
  • Sort: This drop-down field provides options to change the sort order of the results by time or priority.

The following figure is an example of lookup results for Incidents.
F-lookup-panel-incidents.png

Alerts

Alerts are displayed based on their Severity. The following information is displayed for alert lookups:

  • Alert Name
  • Severity value of the alert
  • Date when the alert was created
  • Incident ID: The ID of the incident that the alert is associated with (if any)
  • Sources: Event source name
  • Number of events associated with the alert
  • Last Updated: Indicates when contextual data was last fetched from the data source and written to the cache.
  • Time window: Determined by the value set for the "Query Last" field in the Configure Incident Management Responses window; only alerts that fall within this window are shown. The field is described in the Context Hub Configuration Guide.
  • Sort: This drop-down field provides options to change the sort order of the results by time or severity.

The following figure is an example of lookup results for Alerts.

F-lookup-panel-alerts.png

Lists

The following information is displayed for list lookups.

  • List Name
  • Owner who created the list
  • Created Date
  • Last Updated Date
  • Description of the list

The following figure is an example of lookup results for Lists data source.

F-lookup-panel-lists.png

ECAT

The following information is displayed for ECAT lookups.

  • Machine name and IP address of the machine.
    Clicking the IP address or the ECAT machine name opens the ECAT UI so that you can continue the investigation there.
  • Last Updated: Indicates when contextual data was last fetched from the data source and written to the cache.
  • Machine Score: The machine IIOC score, aggregated from the module scores.
  • Number of modules: Number of active files for the selected machine.
  • Last Updated: Indicates when the scan results were last updated in the ECAT database.
  • Last Login User
  • Machine MAC Address
  • Operating System Version
  • Admin Notes (if any)
  • Admin Status (if any)
  • Top Suspicious Modules: Modules whose IIOC score exceeds the threshold set in the "Minimum IIOC Score" field of the Configure Incident Management Responses window. The default value for "Minimum IIOC Score" is 500, so by default only modules with an IIOC score above 500 are listed.
  • Machine IIOC Levels

The following figure is an example of lookup results for ECAT data source.

F-lookup-panel-ecat.png
