Context Hub is a new service in RSA Security Analytics that provides enrichment lookup capability in the Investigation views. This service provides an automated inline enrichment indication as well as an on-demand enrichment lookup capability. Analysts can use the additional insight pulled in by the Context Hub as contextual information and intelligence during investigation. The sources for enrichment data include Incident Management, custom lists, ECAT, and Live Connect.
The Context Hub service:
- Is hosted on Event Stream Analysis (ESA).
- By default supports enrichment lookups for these meta types: IP address, Users, Domains, MAC address, File name, File hash, and Hosts.
The Context Hub service brings together contextual information from several data sources into Investigation so that analysts can make better decisions during their investigations. Seeing the meta values and contextual information in a single interface helps analysts in prioritizing and identifying the focus areas. For example, recently generated incidents and alerts from Incident Management involving a given meta value will be displayed when the analyst performs context lookup operation for that meta value.
Custom lists such as blacklists, whitelists, or watchlists can be created by analysts. These custom lists may be populated with items either by importing CSV files or by adding meta values by using the option Add/Remove from List in Investigation views. The custom lists automatically become data sources for in-line indication of meta values as well as on-demand enrichment lookups.
The lists can also provide better interaction between analysts. For example, a Tier 2 analyst can indicate suspicious items and then Tier 1 analysts can use this knowledge to confirm incidents or create incidents as required.
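The list workflow described above (import from CSV, add or remove meta values, inline indication of which lists hold context, and CSV export for another tier) can be sketched in a few dozen lines. The following is an added example written for this page, not RSA's own code or the product's data format: the list names, the one-column CSV layout with a `value` header, and the rules used to classify a meta value into the meta types named earlier are all assumptions made for illustration.

```python
"""Toy enrichment lookup modelled on the custom-list data source of Context Hub.
Added example, not RSA code: list names, CSV layout and meta-type rules are assumptions."""
import csv
import io
import ipaddress
import re

# Constructed CSV exports of two custom lists (one value per row, first column).
C2_DOMAINS_CSV = "value\nupdates.example-bad.test\ncdn.example-bad.test\n"
RAT_IPS_CSV = "value\n203.0.113.45\n198.51.100.7\n"

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")
HASH_LENGTHS = {32, 40, 64}  # MD5 / SHA-1 / SHA-256 hex digest lengths
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,}$")
FILE_EXTS = {"exe", "dll", "pdf", "doc", "docx", "js", "ps1", "bat", "sh"}  # assumed set


def meta_type(value: str) -> str:
    """Classify a meta value into one of the supported meta types (assumed heuristics)."""
    v = value.strip()
    try:
        ipaddress.ip_address(v)
        return "IP address"
    except ValueError:
        pass
    if MAC_RE.match(v):
        return "MAC address"
    if re.fullmatch(r"[0-9A-Fa-f]+", v) and len(v) in HASH_LENGTHS:
        return "File hash"
    # File names are checked before domains because "invoice.exe" also looks like a domain.
    if "/" in v or "\\" in v or v.rsplit(".", 1)[-1].lower() in FILE_EXTS:
        return "File name"
    if DOMAIN_RE.match(v):
        return "Domains"
    return "Users"


class ContextHub:
    """In-memory stand-in for the custom-list data source of the Context Hub service."""

    def __init__(self):
        self.lists: dict[str, set[str]] = {}

    def import_csv(self, name: str, csv_text: str) -> int:
        """Import a CSV file into a list; the first column holds the value, a 'value' header is skipped."""
        rows = csv.reader(io.StringIO(csv_text))
        values = {r[0].strip().lower() for r in rows
                  if r and r[0].strip() and r[0].strip().lower() != "value"}
        self.lists.setdefault(name, set()).update(values)
        return len(self.lists[name])

    def add(self, name: str, value: str) -> None:
        """Equivalent of 'Add to List' from the Investigation right-click menu."""
        self.lists.setdefault(name, set()).add(value.strip().lower())

    def remove(self, name: str, value: str) -> None:
        """Equivalent of 'Remove from List'."""
        self.lists.get(name, set()).discard(value.strip().lower())

    def lookup(self, value: str) -> dict:
        """On-demand lookup: report which custom lists hold context for this meta value."""
        v = value.strip().lower()
        hits = sorted(n for n, vals in self.lists.items() if v in vals)
        return {"value": value, "meta_type": meta_type(value),
                "sources": hits, "has_context": bool(hits)}

    def export_csv(self, name: str) -> str:
        """Export a list as CSV so it can be handed to another analyst tier."""
        out = io.StringIO()
        writer = csv.writer(out, lineterminator="\n")
        writer.writerow(["value"])
        for v in sorted(self.lists.get(name, set())):
            writer.writerow([v])
        return out.getvalue()


if __name__ == "__main__":
    hub = ContextHub()
    hub.import_csv("c2_domains", C2_DOMAINS_CSV)
    hub.import_csv("rat_ips", RAT_IPS_CSV)
    hub.add("c2_domains", "Evil.Example.test")
    for meta in ("203.0.113.45", "evil.example.test", "10.0.0.1", "invoice.exe"):
        print(hub.lookup(meta))
```

The lookup result mirrors what the inline indicator conveys: `has_context` is the "gray background", and `sources` names the lists that produced it. Values are normalised to lower case on both import and lookup so that a domain added in mixed case still matches.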
With context information from ECAT, analysts can get endpoint module and machine indicators.
Workflow for Administrators
In the Services Config view of Context Hub service, an administrator can configure data sources for Context Hub Service. For more information, see Step 2. Configure Data Sources for Context Hub.
An administrator can configure Context Lookups for custom meta keys if required. Also, an administrator can import lists or export lists that can be used by the analyst.
Workflow for Analysts
In the Investigation > Navigate view, meta values having contextual information are highlighted with a gray background. Also, there are inline indicators for the highlighted meta values, which show the sources where the contextual information is available.
Note: Not all highlighted meta values will have context lookup information. This is because the contextual information in the data source might have changed from the time it was marked available.
If the meta values do not have any context indicators, the analyst can initiate an on-demand query to check whether context information is available. To do so, analysts can right-click any meta value that supports context lookup and then choose the Context Lookup menu option.
The Context Lookup option is also supported in the Investigation > Events view, but inline indicators are not available there, so you must initiate an on-demand lookup against the meta values.
After you choose the Context Lookup right-click menu option, a Context Lookup panel opens in the right side of the Investigation views. The panel displays the contextual information from the configured sources relevant to the meta values. If you want additional information on the context, click the corresponding links on the lookup results that appear in the Context Lookup panel. For more information, see the View Additional Context for a Data Point topic in the Investigation and Malware Analysis Guide.
Analysts can add a meta value to a new or existing list, or remove it from a list, by right-clicking the meta value and selecting the Add/Remove from List option.
User Roles and Permissions
Analysts using Security Analytics Investigation need to have the appropriate permissions to perform context lookup and use custom lists.
Two new permissions, Context Lookup and Manage List from Investigation, are added for Investigation in Security Analytics 10.6. These permissions are added to the Analyst, SOC Managers, and Malware Analysts roles by default. However, when upgrading to Security Analytics 10.6 from older versions, an administrator must configure these permissions. For more information about Roles and Permissions, see the topics Role Permissions and Manage Users with Roles and Permissions in the System Security and User Management Guide.
An Analyst with the Context Lookup permission can perform Context Lookup from the Investigation views. For more information, see the View Additional Context for a Data Point topic in the Investigation and Malware Analysis Guide.
An Analyst with the Manage List from Investigation permission can manage lists and list values from the Investigation views. For more information, see the Manage Lists and List Values in Investigation topic in the Investigation and Malware Analysis Guide.
The following use cases explain some scenarios where Context Hub service is used with data sources like Incident Management, ECAT, and Custom Lists.
Use Case of Incident Management in Context Hub Service
When a Tier 2 analyst searches through meta values hunting for new indicators of compromise, the feedback provided by the Context Enrichment source Incident Management is very useful. The analyst can see if there is an existing incident or alert related to the selected meta value. This ability allows the analysts to ignore meta values for which incidents already exist, and focus on finding new, unique indicators of compromise.
The information becomes available in the same Investigation > Navigate view. This makes access efficient because analysts can reach enrichment data without jumping between views or switching to a different tool.
Use Case of ECAT in Context Hub Service
When a Tier 2 analyst views the lookup results in the Investigation views, the analyst can see which IPs, hosts, and MAC addresses are running ECAT agents. This makes spotting potential compromises easier, directly in the Security Analytics Investigation views. The context lookup details provide high-level information about the endpoint running the ECAT agent, allowing the analyst to judge whether the system is compromised. If the analyst needs more information on the risk and IIOC scores to make that determination, they can see the notes and status documented in ECAT as well as the top modules by IOC score. If even further detail is necessary, the analyst can click the details provided in the Context Lookup panel to jump directly into the ECAT user interface. The analyst can then use the indicated machines as pivot points in their investigation to see what other machines the system has been communicating with, and so find further compromised hosts.
Use Case of List in Context Hub Service
Use Case 1
A Tier 3 analyst checks Incident Management context for IPs and domains associated with suspicious sessions. If there are no associated incidents or alerts, but the IP and domain under investigation need to be monitored for abnormal behavior, the analyst can add these meta values to a list. For example, to improve the visibility of the suspicious IP addresses, the analyst can add the same meta values to two lists: one for domains suspected of being related to command-and-control connections, and the other for IP addresses related to remote access Trojan connections.
Now a Tier 2 analyst can use this context list to spot indicators of compromise. The analyst can also export the lists in CSV format and send them to the Tier 1 analyst to create incidents for further tracking and analysis.
Use Case 2
As the Tier 3 analyst has created some custom content to detect certain indicators of compromise, they want to provide further details on that new content to guide the other analysts when they come across the newly generated meta values. They can create three new lists (custom critical, custom suspicious, custom advisory) that categorize the new meta values an analyst will potentially see when the new content is triggered. The description the analyst gives each list tells the other analysts what the new meta values depict and what action to take when they see them marked in Investigation. This is not a replacement for the creation of an incident or alert, but a way to provide further details to the analyst when they first see these new meta values in Investigation.
As the Tier 3 analyst has created some custom content to detect certain indicators of compromise, they want to provide further details on that new content to guide the other analysts when they come across the newly generated meta values. They can create three new lists (custom critical, custom suspicious, custom advisory) that categorize the new meta values that an analyst will potentially see when the new content has been triggered. The description provided by the analyst to each list gives some background to the other analysts as what the new meta values are depicting and the necessary action to be taken when when they see them marked in investigation. This is not a replacement for the creation of an incident or alert, but a way to provide further details to the analyst when they first see these new meta values in investigation.