This topic describes the procedure to configure Incident Management as a data source for Context Hub.
To use the Context Hub service to fetch contextual information from the Incident Management service, you must configure Incident Management as a data source for Context Hub. Use the procedures in this topic to add Incident Management as a data source for the Context Hub service and, if required, configure the responses for Incident Management.
Responses are the different types of context information that are available for a data source. The configuration of these responses for the Incident Management source controls what appears in the Context Lookup panel displayed in Investigation views when a Context Lookup is performed. The response types for the Incident Management data source are Incidents and Alerts.
Responses for each data source are already configured with default values for optimal performance. You can view or edit the default values by using the procedure in this topic.
Prerequisites
- Context Hub is enabled and the service is available in the Administration > Services view of Security Analytics.
- The Incident Management service is available and you have the Incident Management database password at hand.
Add Incident Management Data Source
To add Incident Management as a data source for Context Hub:
- In the Security Analytics menu, select Administration > Services.
The Services view is displayed.
- In the Services panel, select the Context Hub service and click > View > Config.
The Services Config view of Context Hub is displayed.
- In the Data Sources tab, click > Incident Management.
The Add Data Source dialog is displayed.
- Provide the following database connection details:
- Enable: Select Enable to enable Incident Management Data Source. This option is enabled by default (checked).
- Service: Select the Incident Management service that is available.
The values are populated automatically for the following fields. Change the values if required.
- Database Host: The host name or IP address of the Incident Management database.
- Database Port: The default port is 27017.
- Database Name: The default database name is im.
- Username: The default username is im.
- Password: Enter the password to connect to the Incident Management database. The default password is im.
- Max. Concurrent Queries: The maximum number of concurrent queries that the Context Hub service runs against the configured data sources. The default value is 10.
- Click Test Connection to test the connection between Context Hub and the data source.
- Click Save to save the settings.
Incident Management is added as a data source for the configured Context Hub. The added Incident Management data source is displayed in the Data Sources tab.
Configure Responses for Incident Management Data Source
To view or edit responses for the Incident Management data source:
- In the Data Sources tab, select the Incident Management source and click .
The Configure Incident Management Responses dialog is displayed.
- In the left panel, select each response (Incidents or Alerts) to view and edit the settings.
Configure the following fields:
- Enable: This option is enabled by default (checked) and can be used to enable or disable the selected response.
- Limit: The maximum number of records (incidents or alerts) to display in the Context Lookup panel of Investigation views when a context lookup is performed. The default value is 50. For example, if the limit is set to 10, only 10 records are displayed, selected by time first and then by priority for incidents and by severity for alerts.
- Query Last: The duration (in days) for which the contextual information of the selected response type is fetched. The default value is Last 7 Days.
- Use Cache: Select the checkbox to enable response caching. When enabled, Context Hub stores the lookup results in cache, and subsequent requests for the same meta value are served from cache for the configured time (Cache Expiration).
- Cache Expiration: The time (in minutes) that the lookup results are kept in cache after a Context Lookup is performed. The default value is 30 minutes.
- Click Save to save the settings for the Incident Management data source.
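To make the interplay of the Limit, Query Last, Use Cache and Cache Expiration settings concrete, the following added Python illustration models what a lookup returns under those settings. It is not product code from Security Analytics; the record field names, the priority ranking and the sample incidents are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data: incident records as a Context Lookup might receive
# them from the Incident Management database (hypothetical field names).
NOW = datetime(2016, 6, 1, 12, 0, 0)
PRIORITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}  # assumed ordering

SAMPLE_INCIDENTS = [
    {"id": "INC-1", "created": NOW - timedelta(days=1), "priority": "Low"},
    {"id": "INC-2", "created": NOW - timedelta(days=1), "priority": "Critical"},
    {"id": "INC-3", "created": NOW - timedelta(days=3), "priority": "High"},
    {"id": "INC-4", "created": NOW - timedelta(days=10), "priority": "Critical"},
    {"id": "INC-5", "created": NOW - timedelta(hours=2), "priority": "Medium"},
]


def lookup(records, limit=50, query_last_days=7, rank=PRIORITY_RANK, now=NOW):
    """Apply the response settings: keep only records inside the Query Last
    window, order by time (newest first) and then by priority/severity rank,
    and cut the result down to Limit entries. Returns the record ids."""
    window_start = now - timedelta(days=query_last_days)
    in_window = [r for r in records if r["created"] >= window_start]
    ordered = sorted(in_window,
                     key=lambda r: (-r["created"].timestamp(), rank[r["priority"]]))
    return [r["id"] for r in ordered[:limit]]


class LookupCache:
    """Response cache keyed by meta value, honouring Cache Expiration (minutes).
    A hit younger than the expiration is served from cache; anything else
    triggers a fresh fetch and replaces the cached entry."""

    def __init__(self, expiration_minutes=30):
        self.ttl = timedelta(minutes=expiration_minutes)
        self._store = {}
        self.fetches = 0  # how many times the data source was actually queried

    def get(self, meta_value, fetch, now):
        entry = self._store.get(meta_value)
        if entry is not None and now - entry[0] < self.ttl:
            return entry[1]
        self.fetches += 1
        result = fetch()
        self._store[meta_value] = (now, result)
        return result


if __name__ == "__main__":
    # Limit 3, default 7-day window: INC-4 is outside the window; INC-2 and
    # INC-1 share a timestamp, so priority breaks the tie.
    print(lookup(SAMPLE_INCIDENTS, limit=3))  # ['INC-5', 'INC-2', 'INC-1']
```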
After completing the configuration, you can use the Context Lookup option in Investigate > Navigate view or Investigation > Events view to fetch contextual information. For instructions, see the View Additional Context for a Data Point topic in the Investigation and Malware Analysis Guide.