Investigation: Launch an External Lookup of a Meta Key

Document created by RSA Information Design and Development on Mar 23, 2017. Last modified by RSA Information Design and Development on Apr 10, 2017.
Version 2

This topic provides instructions for using out-of-the-box Investigation plugins to launch an external lookup of specific meta keys using tools external to Security Analytics while investigating data in the Navigate view or Events view.

Analysts can use out-of-the-box Security Analytics Investigation external lookups to save time during investigations. The out-of-the-box lookups are available by right-clicking a value of one of these meta keys: IP address (ip-src, ip-dst, ipv6-src, ipv6-dst, orig_ip), host (alias-host, domain.dst), client, and file-hash.

For all IP and host meta keys, the following lookups are built into Security Analytics:

  • Google Malware: Opens a Google Malware search in a new tab.
  • McAfee SiteAdvisor: Opens a McAfee SiteAdvisor search in a new tab.
  • BFK Passive DNS Collection: Opens a BFK Passive DNS collection search in a new tab.
  • CentralOps Whois for IPs and Hostnames: Opens a CentralOps Whois search for IPs and hostnames in a new tab.
  • Malwaredomainlist.com Search: Opens a Malwaredomainlist.com search in a new tab.
  • Malwaredomains.com Search: Opens a Malwaredomains.com search in a new tab.
  • Robtex IP Search: Opens a Robtex IP search in a new tab.
  • SamSpade Search: Opens a SamSpade search in a new tab.
  • ThreatExpert Search: Opens a ThreatExpert search in a new tab.
  • UrlVoid Search: Opens a UrlVoid search in a new tab.

For the file-hash and alias-host meta keys, the Google lookup opens a Google search in a new tab.

For the client meta key, the ECAT Lookup option opens an ECAT client in a new tab if the ECAT client is installed on the same system on which the browser is being used.

Administrators can add additional external lookups and other custom actions as described in "Add Custom Context Menu Actions" in the System Configuration Guide.

Launch an ECAT IOC Lookup

To launch an ECAT lookup of data from the Investigation > Navigate view:

  1. Right-click a meta value for one of the following meta keys: ip-src, ip-dst, ipv6-src, ipv6-dst, orig_ip, alias-host, domain.dst, client.
  2. Select External Lookup in the context menu.
    A submenu of external lookup options is displayed.
  3. Select ECAT IOC Lookup.
    A dialog asks you to choose an application.
  4. Select ECAT and click OK.
    The RSA ECAT Configuration dialog is displayed.
  5. Enter the user name and password required to log on to the ECAT client, and click Connect.
    The drill point opens in RSA ECAT.

Launch Other External Lookups

To launch an external lookup (other than ECAT IOC) of data from the Investigation > Navigate view: 

  1. Right-click a meta value for one of the following meta keys: ip-src, ip-dst, ipv6-src, ipv6-dst, orig_ip, alias-host, domain.dst, client.
  2. Select External Lookup in the context menu.
    A submenu of external lookup options is displayed.
  3. Select one of the lookup options.
    The selected meta value opens in the selected lookup. For example, if you selected SANS IP History, the drill point information is displayed in the SANS Internet Storm Center.