Investigation: View Additional Context for a Data Point

Document created by RSA Information Design and Development on Mar 23, 2017Last modified by RSA Information Design and Development on Apr 10, 2017
Version 2Show Document
  • View in full screen mode
  

When conducting an investigation in the Navigate view or Events view, analysts can look up additional context information and intelligence for a meta value or data point from various configured sources, such as ESA.

An Analyst with permission Context Lookup can perform Context Lookup from Investigation views. An administrator must configure roles and permissions as described in "Role Permissions" and "Manage Users with Roles and Permissions".in the System Security and User Management Guide.

To perform context lookup, the administrator must:

  • Add the Context Hub service in Security Analytics. (The Context Hub service is included in Security Analytics 10.6 and above.)
  • Configure data sources for the Context Hub service as described in the Context Hub Configuration Guide.

View Additional Context using Context Lookup 

To view the additional context for a data point from the Investigation views:

  1. While conducting an investigation or examining events in Security Analytics menu, go to the Navigate view.
    The Navigate view has the Values panel on the left and the Context Lookup panel on the right as shown below. The Context Lookup panel does not display any data until you perform a Context Lookup. Meta values that have associated context information are highlighted with a gray color background.
    F-Navigate-view1.png
  2. To view the type of context data that is available for a highlighted meta value, hover the mouse over a highlighted meta value.
    An inline indicator shows which type of context data is available for the meta: ECAT, Incidents, Alerts, or Lists.
    F-Navigate-view-inline-indicator.png
  3. To view the Context Lookup data from the Values panel, right-click a highlighted meta value and select Context Lookup in the context menu.
    F-rc-meta-context-lookup.png

The Context Lookup panel displays the lookup results based on the data available on the configured sources.

Note: The inline indicator for meta values is supported only in the Navigate view. For the Events view, you must perform an on-demand lookup against the meta values.

Context Lookup for Live Connect

For Live Connect, context lookup is supported only for IP meta type (device.ip, ip.src, ip.dst, paddr, ip.addr, alias.ip). The IP addresses that has live connect data can be identified by using the in-line indicator when you hover the mouse over highlighted IP addresses.

To view live connect contextual data:

  1. In the Security Analytics menu, select Investigation > Navigate or Events.
    The Investigate dialog is displayed.
  2. Select a service and click Navigate.
  3. View and select an IP address that has Live Connect data by using the in-line indicator on the highlighted IP addresses.

  4. Right-click the IP address and select Context Lookup in the context menu.
    The Context Lookup panel displays the lookup results.
  5. Alternatively, if you want to highlight only risky IP addresses, from the Settings dialog, select the option Live Connect: Highlight Risky IPs.

  6. From the lookup panel, you can view the contextual data for the IP address. If the IP address is known within the Live Connect community, you can view community related activities and also provide your feedback based on your investigation.

The following table describes the available options for Live Connect Context Lookup panel:

                                   
FieldDescription
IP AddressDisplays the IP address for which the lookup results are displayed.
Reviewed Status

Displays the reviewed status of the IP address based on the analyst activity. This gives the visibility of the analyst activity within an organization.

Below are the types of status:

  • New: If lookup results for an IP address is viewed for the first time within the organization.
  • Viewed: If any analyst within the organization has already viewed the lookup results for an IP address.
  • Marked as Safe: If any analyst within the organization has already viewed the lookup results and marked the IP address as safe.
  • Marked as Risky: If any analyst within the organization has already viewed the lookup results and marked the IP address as risky.
Community Risk Rating and Reasons

Displays the community risk rating for an IP address such as:

  • Safe: An IP address is marked as "Safe" if it is considered safe based on the Live Connect analysis and analyst feedback.
  • Unknown: The risk rating for an IP address is displayed as "Unknown" if there is no enough information to calculate the risk rating.
  • Unsafe: An IP is rated unsafe if it is associated with one or more of the following community risk reasons:
    • Suspicious Domain
    • Suspicious Communication
    • Malware Source
    • Blacklisted by 3rd Party

The risk reasons are represented by appropriate icons. The icons appear normal if it is matched with the IP, else its grayed out.

Community Activity

If the IP address is known within the RSA community, a graphical representation of the community activity trend is displayed for the following:

  • Users (in %) who have viewed the IP address in the Live Connect community over time.
  • Users (in %) who submitted feedback for the IP address.
  • Users (in %) who marked the IP address as risky over time.
  • Users (in %) who marked the IP address as safe over time.
Community Activity Statistics

Community activities such as:

  • Date first seen in the community.
  • Time since the IP was seen for the first time (Current time - First seen time).
  • A Pie chart based on the community activity trend graph.

The pie chart shows the correct breakdown of the % of Live Connect customers that have seen the IP (blue), the % who have submitted feedback (yellow), the % who marked risky (red), and the % who have marked safe (green). The number in the middle of the chart reflects the percent who have marked the IP as risky.

IP Rating Feedback

Provides an option for the analyst to give feedback on the IP address if the IP address was already known within the RSA Community.

The options are:

  • Mark as Safe
  • Mark as Risky

Based on the feedback, the "Reviewed Status" changes to "Marked as Safe" or "Marked as Risky".

View Results from Context Lookup Panel

In the Context Lookup panel, you can view the lookup results and explore individual data for further investigation. For example, when you click on a particular Incidents value, the incident details are displayed in the Incident Management view.

For a detailed description of the information displayed on the Context Lookup panel, see Investigation - Context Lookup Panel.

Next Topic:Examine Events
You are here
Table of Contents > Conduct an Investigation > Act on a Drill Point in the Navigate View > View Additional Context for a Data Point

Attachments

    Outcomes