Investigation: Manage Lists and List Values in Investigation

Document created by RSA Information Design and Development on Mar 23, 2017. Last modified by RSA Information Design and Development on Apr 10, 2017.
Version 2

Analysts can add lists and list values for Context Hub enrichment in the Investigation views. The Context Hub service is included in RSA Security Analytics 10.6 and above.

When the Context Hub service is enabled and configured, Security Analytics provides enrichment data from Incident Management, custom lists, and ECAT directly in the Navigate view and Events view. A visual cue highlights meta values for which enrichment data is available in the Investigation views, and you can click the highlighted value to look up the contextual information and intelligence.

In addition, from the Values panel in the Navigate view and Events view, you can view lists, edit meta values in an existing list, or create a new list. When you add meta values to a list, you can investigate the meta values using the context lookup option.

Prerequisites

For an analyst to manage lists in Investigation, the Administrator must:

  • Enable the Context Hub service.
  • Assign an analyst role with the Manage List from Investigation permission to the user who will perform Context Lookup from the Investigation views.
  • Configure appropriate roles and permissions as described in "Role Permissions" and "Manage Users with Roles and Permissions" in the System Security and User Management Guide.

Add Meta Values to an Existing List

To add a meta value to an existing list in Context Hub:

  1. While investigating a service in the Navigate view, right-click a meta value (for example, values under Source IP, Destination IP, or Username) and select Add/Remove from List in the context menu.
    The Add/Remove from List dialog is displayed.
  2. In the List field, use the drop-down list to select one or more lists to which the meta value must be added.
  3. Click Save.
    The meta value is added to the selected lists.

Remove a Meta Value from a Context Hub List in Investigation

To remove a meta value from a list:

  1. In the Add/Remove from List dialog, in the List field, view the lists that include the meta value.
  2. Click the delete icon (x) for each list that should not include the meta value.
  3. Click Save.
    The meta value is removed from each list that you deleted from the List field.

Create a New List in Investigation

To create a Context Hub list in Investigation:

  1. In the Add/Remove from List dialog, click Create New List.
  2. In the List Name field, enter a unique name for the list.
  3. In the Description field, enter a description of the list.
  4. Click Create to create the list.
  5. Click Save to add the meta value to the created list.
    These lists are treated as data sources for retrieving context information.