When conducting an investigation in the Navigate view or Events view, analysts can look up additional context information and intelligence for a meta value or data point from various configured sources, such as ESA.
An Analyst with permission Context Lookup can perform Context Lookup from Investigation views. An administrator must configure roles and permissions as described in "Role Permissions" and "Manage Users with Roles and Permissions".in the System Security and User Management Guide.
To perform context lookup, the administrator must:
- Add the Context Hub service in Security Analytics. (The Context Hub service is included in Security Analytics 10.6 and above.)
- Configure data sources for the Context Hub service as described in the Context Hub Configuration Guide.
View Additional Context using Context Lookup
To view the additional context for a data point from the Investigation views:
- While conducting an investigation or examining events in Security Analytics menu, go to the Navigate view.
The Navigate view has the Values panel on the left and the Context Lookup panel on the right as shown below. The Context Lookup panel does not display any data until you perform a Context Lookup. Meta values that have associated context information are highlighted with a gray color background.
- To view the type of context data that is available for a highlighted meta value, hover the mouse over a highlighted meta value.
An inline indicator shows which type of context data is available for the meta: ECAT, Incidents, Alerts, or Lists.
- To view the Context Lookup data from the Values panel, right-click a highlighted meta value and select Context Lookup in the context menu.
The Context Lookup panel displays the lookup results based on the data available on the configured sources.
Note: The inline indicator for meta values is supported only in the Navigate view. For the Events view, you must perform an on-demand lookup against the meta values.
Context Lookup for Live Connect
For Live Connect, context lookup is supported only for IP meta type (device.ip, ip.src, ip.dst, paddr, ip.addr, alias.ip). The IP addresses that has live connect data can be identified by using the in-line indicator when you hover the mouse over highlighted IP addresses.
To view live connect contextual data:
- In the Security Analytics menu, select Investigation > Navigate or Events.
The Investigate dialog is displayed.
- Select a service and click Navigate.
- Right-click the IP address and select Context Lookup in the context menu.
The Context Lookup panel displays the lookup results.
Alternatively, if you want to highlight only risky IP addresses, from the Settings dialog, select the option Live Connect: Highlight Risky IPs.
From the lookup panel, you can view the contextual data for the IP address. If the IP address is known within the Live Connect community, you can view community related activities and also provide your feedback based on your investigation.
The following table describes the available options for Live Connect Context Lookup panel:
|IP Address||Displays the IP address for which the lookup results are displayed.|
|Reviewed Status|| |
Displays the reviewed status of the IP address based on the analyst activity. This gives the visibility of the analyst activity within an organization.
Below are the types of status:
|Community Risk Rating and Reasons|| |
Displays the community risk rating for an IP address such as:
The risk reasons are represented by appropriate icons. The icons appear normal if it is matched with the IP, else its grayed out.
|Community Activity|| |
If the IP address is known within the RSA community, a graphical representation of the community activity trend is displayed for the following:
|Community Activity Statistics|| |
Community activities such as:
The pie chart shows the correct breakdown of the % of Live Connect customers that have seen the IP (blue), the % who have submitted feedback (yellow), the % who marked risky (red), and the % who have marked safe (green). The number in the middle of the chart reflects the percent who have marked the IP as risky.
|IP Rating Feedback|| |
Provides an option for the analyst to give feedback on the IP address if the IP address was already known within the RSA Community.
The options are:
Based on the feedback, the "Reviewed Status" changes to "Marked as Safe" or "Marked as Risky".
View Results from Context Lookup Panel
In the Context Lookup panel, you can view the lookup results and explore individual data for further investigation. For example, when you click on a particular Incidents value, the incident details are displayed in the Incident Management view.
For a detailed description of the information displayed on the Context Lookup panel, see Investigation - Context Lookup Panel.