Context Hub: Lookup Panel

Document created by RSA Information Design and Development on Mar 22, 2017
Version 1
  

After you configure the Context Hub service, you can view the Context Lookup panel in the Navigate view and the Events view of the Investigation module. The first time you open this panel it displays instructions for performing a Context Lookup. Afterwards the panel is minimized and can be expanded when required.

The Context Lookup panel does not display any data until you perform a Context Lookup on a meta value. Meta values that have associated context information are highlighted with a gray background. The lookup results for the selected meta value are displayed in the Context Lookup panel, grouped by configured source. Procedures related to this panel are described in the View Additional Context for a Data Point topic of the Investigation and Malware Analysis Guide.

To access this panel:

  1. In the Security Analytics menu, select Investigation > Navigate or Events.
  2. Right-click a meta value and select Context Lookup in the context menu.
    The Context Lookup panel displays the contextual information.
  3. From the source options bar, select the source for which you want to view the contextual information by clicking the corresponding icon.

The following figure is an example of the Lookup panel.

ConLkpPnl.png

Features

The Context Lookup Panel has the following controls and features:

  • Source Options Bar: Displays the icons for the available sources: ECAT, Incidents, Alerts, Lists, and Live Connect.
  • Source Name: Displays the name of the source selected in the source options bar: ECAT, INCIDENTS, ALERTS, LISTS, or LIVE CONNECT.
  • Sort: Provides a drop-down of sort options for the listed context information. Possible sort options are Severity - High to Low, Severity - Low to High, Date - Oldest to Newest, and Date - Newest to Oldest. The available sort options vary by source type.
  • Refresh: Refreshes the lookup results.
  • n items (First n Results): The footer shows the total number of results and the number of results currently displayed, for example, 50 Alerts (First 50 Alerts).

Lookup Results

The Context Lookup panel displays the following information when it retrieves context data from the configured sources:

Incidents

Incidents are sorted first by time (Newest to Oldest) and then by priority. The following information is displayed for incident lookups:

  • Incident Name and ID
  • Priority of the incident
  • Risk Score of the incident
  • Date when the incident was created
  • Status of the incident
  • Assignee for the incident
  • Last Updated: Indicates when the contextual data was last fetched from the data source and written to the cache.
  • Time window: Based on the value set for the "Query Last" field in the Configure Responses dialog.
  • Sort: A drop-down that changes the sort order of the results, by time or by priority.

The following figure is an example of lookup results for Incidents.

F-lookup-panel-incidents.png

Alerts

Alerts are sorted by severity. The following information is displayed for alert lookups:

  • Alert Name
  • Severity of the alert
  • Date when the alert was created
  • Incident ID: The ID of the incident that the alert is associated with (if any).
  • Sources: Event source name
  • Number of events associated with the alert.
  • Last Updated: Indicates when the contextual data was last fetched from the data source and written to the cache.
  • Time window: Based on the value set for the "Query Last" field in the Configure Responses dialog.
  • Sort: A drop-down that changes the sort order of the results, by severity or by date.

The following figure is an example of lookup results for Alerts.
F-lookup-panel-alerts.png

Lists

The following information is displayed for list lookups.

  • List Name
  • Owner who created the list
  • Created Date
  • Last Updated Date
  • Description of the list

The following figure is an example of lookup results for Lists data source.
F-lookup-panel-lists.png

ECAT

The following information is displayed for ECAT lookups.

  • Machine name and IP address of the machine.
    Clicking the IP address or the ECAT machine name opens the ECAT UI so that you can investigate the machine further.
  • Last Updated (cache): Indicates when the contextual data was last fetched from the data source and written to the cache.
  • Machine Score: The machine IIOC score, aggregated from the module scores.
  • Number of modules: The number of active files (modules) on the selected machine.
  • Last Updated (ECAT): Indicates when the scan results were last updated in the ECAT database.
  • Last Login User
  • Machine MAC Address
  • Operating System Version
  • Admin Notes (if any)
  • Admin Status (if any)
  • Top Suspicious Modules: Modules whose IIOC score exceeds the "Minimum IIOC Score" set in the Configure Responses dialog. The default value for "Minimum IIOC Score" is 500, so by default this lists modules with an IIOC score above 500.
  • Machine IIOC Levels

The following figure is an example of lookup results for ECAT data source.
F-lookup-panel-ecat.png

Live Connect

For Live Connect, context lookup is supported only for IP meta types (device.ip, ip.src, ip.dst, paddr, ip.addr, alias.ip). IP addresses that have Live Connect data are identified by the in-line indicator that appears when you hover the mouse over a highlighted IP address.

The following figures are examples of lookup results for an IP address with Live Connect data.

Sample 1:


Sample 2:

Sample 3:

Sample 3 shows the Context Lookup panel when Live Connect is disabled. To enable the Live Connect data source, go to Administration > Systems > Live Services and enable Threat Insights in the Additional Live Services section. For more information, see Configure Live Connect Data Source for Context Hub.

Features

The Context Lookup panel has the following fields and features for Live Connect:

  • IP Address: Displays the IP address for which the lookup results are shown.
  • Reviewed Status: Displays the reviewed status of the IP address based on analyst activity, which gives visibility of analyst activity within your organization. The status types are:
    • New: The lookup results for the IP address are being viewed for the first time within the organization.
    • Viewed: An analyst within the organization has already viewed the lookup results for the IP address.
    • Marked as Safe: An analyst within the organization has already viewed the lookup results and marked the IP address as safe.
    • Marked as Risky: An analyst within the organization has already viewed the lookup results and marked the IP address as risky.
  • Community Risk Rating and Reasons: Displays the community risk rating for the IP address:
    • Safe: The IP address is considered safe based on the Live Connect analysis and analyst feedback.
    • Unknown: There is not enough information to calculate a risk rating for the IP address.
    • Unsafe: The IP address is associated with one or more of the following community risk reasons: Suspicious Domain, Suspicious Communication, Malware Source, Blacklisted by 3rd Party.
    The risk reasons are represented by icons. An icon appears normal if that reason matches the IP address and is grayed out otherwise.
  • Community Activity: If the IP address is known within the RSA community, a graphical representation of the community activity trend is displayed for the following:
    • Users (in %) who have viewed the IP address in the Live Connect community over time.
    • Users (in %) who submitted feedback for the IP address.
    • Users (in %) who marked the IP address as risky over time.
    • Users (in %) who marked the IP address as safe over time.
  • Community Activity Statistics: Community activity such as:
    • Date first seen in the community.
    • Time since the IP address was first seen (current time minus first-seen time).
    • A pie chart based on the community activity trend graph. The pie chart shows the breakdown of the percentage of Live Connect customers that have seen the IP address (blue), the percentage who have submitted feedback (yellow), the percentage who marked it risky (red), and the percentage who marked it safe (green). The number in the middle of the chart is the percentage who have marked the IP address as risky.
  • IP Rating Feedback: Lets the analyst give feedback on the IP address if the IP address is already known within the RSA community. The options are Mark as Safe and Mark as Risky. Based on the feedback, the Reviewed Status changes to Marked as Safe or Marked as Risky.

