Context Hub: Manage Meta Type and Meta Key Mapping

Document created by RSA Information Design and Development on Mar 22, 2017
Version 1


This topic provides instructions for an administrator to manage mapping of Context Hub meta types with Investigation meta keys.

The Context Hub service provides context lookup for meta values in the Investigation views. These meta values are grouped into meta types based on the category they belong to. For example, meta keys of Security Analytics Investigation like ip.src and ip.dst are grouped into the meta type IP in Context Hub. The meta type IP is in turn mapped to metas like alert.events.source.device.ip_address and alert.events.destination.device.ip_address in the Incident Management database.

In the Administration > System > Investigation view, the Context Lookup tab enables the administrator to configure the mapping between Investigation meta keys and meta types. The administrator can add Investigation meta keys to, or remove them from, the list of meta keys mapped to each meta type supported by Context Hub.

The Context Hub service is pre-configured with a default meta type and meta key mapping, which is expected to work with most deployments unless custom mappings have been created for your specific deployment.

Note: You cannot add a new Meta Type.

The default mapping is given below:

                                       
| Meta Type Name | Meta Keys |
|----------------|-----------|
| IP | device.ip, ip.src, ip.dst, paddr, ip.addr, alias.ip |
| USER | user.src, user.dst, username |
| DOMAIN | domain.src, domain.dst |
| MAC_ADDRESS | eth.dst, eth.src, alias.mac |
| FILE_NAME | filename, sourcefile |
| FILE_HASH | checksum |
| HOST | device.host, alias.host |

Procedure

To manage Investigation meta keys mapping:

  1. In the Security Analytics menu, select Administration > System.
  2. In the options panel, select Investigation.

    The Investigation Configuration panel is displayed.

  3. Select the Context Lookup tab.


  4. Select a meta type to view the default meta keys that are mapped with this meta type.
  5. To add a meta key, click the add icon and enter the meta key.
  6. To remove a meta key, select the meta key and click the delete icon.
  7. To save the changes, click Apply.

When a new meta key is added, the Context Lookup menu option is enabled for the meta values under that meta key in the Investigation views.

For more information about the Investigation Configuration panel, see the Investigation Configuration Panel topic in the System Configuration Guide.
