Respond: Context Lookup Panel

Document created by RSA Information Design and Development on Sep 14, 2017. Last modified by RSA Information Design and Development on Oct 15, 2017.
Version 6

The Context Hub service brings together contextual information from several data sources into the Respond view so that analysts can make better decisions during their analysis and take appropriate action. Seeing the entities, meta values, and contextual information in a single interface helps analysts to prioritize and identify areas of interest. For example, recently created incidents and alerts from the Respond view involving a given entity or meta value will be displayed when the analyst queries for additional information for that entity or meta value. The Context Lookup panel displays contextual information for the selected entities or meta values such as IP address, User, Host, Domain, File Name, or File Hash. The data available depends on the configured sources in the Context Hub.

    

The Context Lookup panel displays the contextual information based on the data available on the configured sources in the Context Hub.

What do you want to do?

                                 
| Role | I want to ... | Show me how |
| --- | --- | --- |
| Incident Responders, Analysts, Threat Hunters | Navigate to the Context Lookup panel. | From the Incident Details view, see View Contextual Information. From the Alert Details view, see View Contextual Information. |
| Incident Responders, Analysts, Threat Hunters | Understand the information in the Context Lookup panel for a selected entity. | See the information in this topic. |
| Administrator | Configure Data Sources for Context Hub. | See "Configure Data Sources for Context Hub" in the Context Hub Configuration Guide. |
| Administrator | Configure Context Hub settings. | See "Configure Context Hub Data Source Settings" in the Context Hub Configuration Guide. |

Contextual Information Displayed in the Context Lookup Panel

The contextual information or query results displayed in the Context Lookup panel depends on the selected entity and the associated data sources.

The Context Lookup panel has separate tabs for each of the data sources. The List data source tab is the first in the context panel followed by Archer, Endpoint, Incidents, Alerts and Live Connect.

The following figure displays the Context Lookup panel for a selected entity in the Incident Details view. The Context Lookup panel Incidents tab is in view.
Context Lookup panel Incidents tab

The following table describes the data available on each tab and the supported entities.

                                                
| Tab | Description | Supported Entities |
| --- | --- | --- |
| Lists | Displays all of the list data associated with the selected entity or meta value. The result is sorted by the most recently updated list. | All entities |
| Archer | Displays asset information along with criticality ratings using the Archer data source. | IP and Host |
| Active Directory | Displays all user information for the selected user. | User |
| NetWitness Endpoint | Displays the NetWitness Endpoint data source information for the selected entity or meta value, which includes the Machines, Modules, and IIOC levels. Modules are sorted from highest IIOC score to lowest IIOC score, and IIOC levels are sorted from highest IOC level to lowest IOC level. | IP, MAC address, and Host |
| Incidents | Displays the list of incidents associated with the selected entity or meta value. The result is sorted from newest incidents to oldest incidents. | All entities |
| Alerts | Displays the list of alerts associated with the selected entity or meta value. The result is sorted from newest alerts to oldest alerts. | All entities |
| Live Connect | Displays information related to Live Connect. | IP, Domain, and File Hash |

Lists

The Context Lookup panel for Lists shows one or more lists associated with the selected entity or meta value. The following figure is an example of the Context Panel for Lists.

Context Panel for Lists

The following information is displayed for Lists.

                                           
| Field | Description |
| --- | --- |
| Name | The name of the list (defined while creating the list). |
| Description | The description of the list (defined while creating the list). |
| Author | The owner who created the list. |
| Created | The date when the list was created. |
| Updated | The date when the list was last updated or modified. |
| Count | The number of lists in which the selected entity or meta value is available. |
| Time Window | This is based on the value that is set for the "Query Last" field in the Configure Responses dialog. By default, all Lists data is fetched. |
| Last Updated | The time when Context Hub fetched and stored the lookup data in cache. |

Archer

The Context Lookup panel for Archer displays asset information along with criticality ratings using the Archer data source for IP and Host entities and meta values. The following figure is an example of the Context Panel for Archer.
Context panel for Archer

The following information is displayed for Archer.

                                                               
| Field | Description |
| --- | --- |
| Criticality Rating | Displays the device's operational criticality based on the applications it supports. The criticality ratings can be set as Not Rated, Low, Medium-Low, Medium, Medium-High, or High. |
| Device ID | Displays the automatically populated value that uniquely identifies the record across all applications within the system. |
| Device Name | Displays the unique name of the device. |
| Device Owner | Displays the owner(s) of the device, who are responsible for the device and receive read and update rights to the record. |
| Host Name | Displays the host name of the device. |
| Facilities | Provides links to records in the Facilities application that are related to this device. |
| Business Unit | Provides links to records in the Business Unit application that are related to this device. |
| Risk Rating | Calculates the risk rating for the device based on the most recent assessment and the average risk rating of facilities using the device. The risk rating can be set as Severe, High, Medium, Low, or Minimal. |
| Type | Displays the device type, such as Server, Laptop, or Desktop. |
| IP Address | Displays the primary internal IP address of the device. |
| Count | Displays the number of assets available. |
| Time Window | This is based on the value that is set for the "Query Last" field in the Configure Responses dialog. By default, all data for Archer is fetched. |
| Last Updated | The time when Context Hub fetched and stored the lookup data in cache. |

Active Directory

The following figure is an example of a Context Panel for Active Directory.

Context panel for Active Directory

The Context Lookup panel for Active Directory displays all the related information, incidents, and alerts for a user. You can perform a lookup using any of the following formats:

  • userPrincipalName
  • Domain\UserName
  • sAMAccountName

If the user exists in multiple domains or forests, all the related context information is displayed for each matching user.
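The three lookup formats above, parsed and resolved against a constructed two-domain directory, as an added Python example (not RSA's own lookup code). The `parse_user_lookup` and `find_users` names and the `SAMPLE_DIRECTORY` records are assumptions; the sAMAccountName character rules are Active Directory's general restrictions, not something this page states.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added example, not RSA's own lookup code. Patterns for the three formats the
# panel accepts; the sAMAccountName rule applies AD's general restrictions
# (1-20 characters, none of " / \ [ ] : ; | = , + * ? < >).
UPN_RE = re.compile(r"^(?P<account>[^@\\/\s]+)@(?P<domain>[A-Za-z0-9.-]+)$")
DOWN_LEVEL_RE = re.compile(r"^(?P<domain>[A-Za-z0-9.-]+)\\(?P<account>[^@\\/\s]+)$")
SAM_RE = re.compile(r'^[^"/\\\[\]:;|=,+*?<>\s]{1,20}$')


@dataclass(frozen=True)
class UserLookupKey:
    fmt: str               # "userPrincipalName", "Domain\\UserName" or "sAMAccountName"
    account: str           # the user part, always present
    domain: Optional[str]  # None for a bare sAMAccountName: the domain is not pinned


def parse_user_lookup(value: str) -> UserLookupKey:
    """Classify an analyst-supplied identifier into one of the three lookup formats."""
    v = value.strip()
    if m := UPN_RE.match(v):
        return UserLookupKey("userPrincipalName", m["account"], m["domain"].lower())
    if m := DOWN_LEVEL_RE.match(v):
        return UserLookupKey("Domain\\UserName", m["account"], m["domain"].upper())
    if SAM_RE.match(v):
        return UserLookupKey("sAMAccountName", v, None)
    raise ValueError(f"not a valid user identifier for lookup: {value!r}")


# Constructed sample directory: two domains of one forest, both holding a 'jdoe'.
SAMPLE_DIRECTORY = [
    {"domain": "CORP", "sAMAccountName": "jdoe",
     "userPrincipalName": "jdoe@corp.example.com", "displayName": "Jane Doe"},
    {"domain": "LAB", "sAMAccountName": "jdoe",
     "userPrincipalName": "jdoe@lab.example.com", "displayName": "John Doe"},
    {"domain": "CORP", "sAMAccountName": "asmith",
     "userPrincipalName": "asmith@corp.example.com", "displayName": "Alex Smith"},
]


def find_users(value: str, directory=SAMPLE_DIRECTORY) -> list:
    """Return every record the identifier resolves to (AD names are case-insensitive).

    A bare sAMAccountName is not tied to a domain, so it can match in several
    domains; a UPN or Domain\\UserName pins the domain and yields one record.
    """
    key = parse_user_lookup(value)
    hits = []
    for rec in directory:
        if key.fmt == "userPrincipalName":
            match = rec["userPrincipalName"].lower() == f"{key.account}@{key.domain}".lower()
        elif key.fmt == "Domain\\UserName":
            match = (rec["domain"].upper() == key.domain
                     and rec["sAMAccountName"].lower() == key.account.lower())
        else:
            match = rec["sAMAccountName"].lower() == key.account.lower()
        if match:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for q in ("jdoe", "CORP\\jdoe", "jdoe@lab.example.com"):
        print(q, "->", parse_user_lookup(q).fmt, [r["displayName"] for r in find_users(q)])
```

Running it shows the bare sAMAccountName `jdoe` resolving to both domains while the UPN and Domain\UserName forms each resolve to one record, which is the multi-domain behaviour described above.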

The following information is displayed for Active Directory.

                                                                               
| Field | Description |
| --- | --- |
| Display Name | Displays the name of the specific user. |
| Employee ID | Displays the employee ID of the specific user. |
| Phone | Displays the phone number of the specific user. |
| Email | Displays the email ID of the specific user. |
| AD User ID | Displays the unique identification of the specific user within an organization. |
| Job Title | Displays the designation of the specific user. |
| Manager | Displays the manager's name of the |
| Groups | Displays the list of groups the specific user is a member of. |
| Company | Displays the name of the company the specific user belongs to. |
| Department | Displays the department name within the organization that the specific user belongs to. |
| Location | Displays the location of the specific user. |
| Last Logon | Displays the time when the specific user logged in to the system, only if the Global Catalogue is defined. |
| Last Logon TimeStamp | Displays the time when the specific user logged in to the system. |
| Distinguished Name | Displays the unique name assigned to the user. |
| Count | Displays the number of users. |
| Time Window | This is based on the value that is set for the "Query Last" field in the Configure Data Source Settings dialog. By default, all data for Active Directory is fetched. |
| Last Updated | The time when Context Hub fetched and stored the lookup data in cache. |

NetWitness Endpoint

The following information is displayed in the Context Lookup panel for NetWitness Endpoint.

Context panel for NetWitness Endpoint

The following information is displayed for IIOC.

                                           
| Field | Description |
| --- | --- |
| # Of Modules | Displays the number of modules that are looked up. |
| Admin Status | Displays the admin status (if any). |
| Last Updated | Displays the time when the data was last refreshed. |
| Last Login | Displays the time when the user last logged in. |
| MAC Address | Machine MAC address. |
| Operating System | Version of the operating system used by the NetWitness Endpoint machine. |
| Machine Status | Displays whether the looked-up module is Online, Offline, Active, or Inactive. |
| IP Address | Displays the IP address of the specific module. |

The following information is displayed for Modules.

                               
| Field | Description |
| --- | --- |
| IIOC Score | A machine IIOC score is an aggregated score based on the module scores. This is based on the value set for the "Minimum IIOC Score" field in the Context Hub Data Source Settings. The default value for "Minimum IIOC Score" is 500. See the "Configure Context Hub Data Source Settings" topic in the Context Hub Configuration Guide. |
| Module Name | Name of the module that is looked up. |
| Analytic Score | Number of active files for the selected machine. |
| Machine Count | Indicates when the scan results were last updated in the NetWitness Endpoint database. |
| Signature | Indicates whether the file is signed or unsigned, valid or invalid, and provides signatory information (for example, Google, Apple, and so on). |

The following information is displayed for Machines.

                                   
| Field | Description |
| --- | --- |
| IOC Levels | Displays the IOC levels. |
| Description | Displays the description for the IOC level, if available. |
| Last executed | Displays the time when the action was executed. |
| Count | Displays the number of hosts that are looked up. |
| Time Window | This is based on the value that is set for the "Query Last" field in the Configure Data Source Settings dialog. By default, all data for NetWitness Endpoint is fetched. |
| Last Updated | Indicates when the scan results were last updated in the NetWitness Endpoint database. |

Alerts

The following figure is an example of the Context Panel for Alerts, which is sorted by time first (newest to oldest) and then by severity.

Context panel for Alerts

The following information is displayed in the Context Lookup panel for Alerts.

                                               
| Field | Description |
| --- | --- |
| Created | Date and time when the alert was created. |
| Severity | Severity value of the alert. |
| Name | Name of the alert. Click the name to view the details of a specific alert. |
| Source | Alert source name from where the alert is triggered. |
| #Events | Number of events associated with the alert. |
| Incident ID | This is the ID of the incident that the alert is associated with (if any). Click the ID to view the details of a specific alert. |
| Count | Displays the number of alerts. By default only the first 100 alerts are displayed. For more information on how to configure the settings, see the "Configure Context Hub Data Source Settings" topic in the Context Hub Configuration Guide. |
| Time Window | This is based on the value that is set for the "Query Last" field in the Configure Data Source Settings dialog. By default, the alert data for the last 7 days is fetched. |
| Last Updated | Indicates when contextual data was last fetched from the data source. |

Incidents

The following figure is an example of the Context Panel for Incidents, which is sorted by time first (newest to oldest) and then by priority status.

Context panel for Incidents

The following information is displayed in the Context Lookup panel for Incidents.

                                                       
| Field | Description |
| --- | --- |
| Created | Date when the incident was created. |
| Priority | Priority status of the incident. |
| Risk Score | Risk score of the incident. |
| ID | Incident ID of the incident. Click the ID to display further details about the incident. |
| Name | Incident name. |
| Status | Status of the incident. |
| Assignee | Current owner of the incident. |
| Alerts | Number of alerts associated with the incident. |
| Count | Displays the number of incidents. By default only the first 100 alerts are displayed. For more information on how to configure the settings, see the "Configure Context Hub Data Source Settings" topic in the Context Hub Configuration Guide. |
| Time Window | This is based on the value that is set for the "Query Last" field in the Configure Data Source Settings dialog. By default, the alert data for the last 7 days is fetched. |
| Last Updated | Indicates when contextual data was last fetched from the data source. |

Live Connect

The following figure is an example of a Context Panel for Live Connect.

Context panel for Live Connect

The Live Connect Panel displays the following information:

  • Review Status
  • Live Connect Risk Assessment
  • Risk Indicators
  • Community Activity
  • WHOIS
  • Related Files, Domains, and IPs
  • Identity
  • Certificate Information

The following information is displayed in the Context Lookup panel for Live Connect.

                                                       
Review Status

Displays the review status of the selected Live Connect entity (IP, file, or domain) based on analyst activity. This gives visibility into analyst activity within an organization.

Status
Below are the types of status:

  • New: The lookup results for an IP address are being viewed for the first time within the organization.
  • Viewed: An analyst within the organization has already viewed the lookup results for the IP address.
  • Marked as Safe: An analyst within the organization has already viewed the lookup results and marked the IP address as safe.
  • Marked as Risky: An analyst within the organization has already viewed the lookup results and marked the IP address as risky.
Risk Assessment

Displays the risk assessment for the selected Live Connect entity (IP, file, or domain) based on the Live Connect analysis and analyst feedback. The Risk Assessment categories are:

  • Safe: The Live Connect entity is considered to be safe.
  • Unknown: Live Connect does not have enough information about this entity to calculate the risk.
  • High Risk: Marked as "High Risk" based on the analysis and risk reasons provided by the community. Entities marked as "High Risk" require immediate attention.
  • Suspicious: Marked as "Suspicious" based on the analysis and risk reasons provided by the community. The analysis indicates potentially threatening activity that requires action.
  • Unsafe: Marked as "Unsafe" based on the analysis and risk reasons provided by the community.
The entity is rated as High Risk, Suspicious, or Unsafe and displays the associated risk reasons accordingly.
Risk Assessment Feedback

Risk Assessment Feedback allows the analyst to submit threat intelligence feedback about an entity to the Live Connect server.

  • Analyst Skill Level
    Below are the Analyst skill level options:
    • Tier 1 - Analysts at this level generally define procedures for remediation and decide whether an incident should be escalated to other areas in a SOC (Security Operations Center). This is the default value.
    • Tier 2 - Analysts at this level investigate incidents and capture intelligence from investigations to feed back into the various workflows in a SOC.
    • Tier 3 - Analysts at this level share investigation results with the SOC organization. They generally manage incidents and have a wide breadth and depth in the skills and tools necessary for incident response.

    Note: While creating a new user for NetWitness Suite (Analyst), an administrator should be able to identify the user as Tier 1, Tier 2, or Tier 3 Analyst.

  • Risk Confirmation - The risk confirmation for the selected Live Connect entity (IP, file, or domain). The risk confirmation categories are:
    • Safe: The Live Connect entity is considered to be safe.
    • Unknown: The analyst does not have enough information to provide a risk confirmation.
    • High Risk: Marked as "High Risk" based on the analysis and risk reasons provided by the community. Entities marked as "High Risk" require immediate attention.
    • Suspicious: Marked as "Suspicious" based on the analysis and risk reasons provided by the community. The analysis indicates potentially threatening activity that requires action.
    • Unsafe: Marked as "Unsafe" based on the analysis and risk reasons provided by the community.
  • Confidence Level - The confidence level of the analyst in providing feedback for the Live Connect entity. The confidence level categories are:
    • High
    • Medium
    • Low
  • Risk Indicator Tags - Allows you to select a tag category based on the analysis.

Risk Feedback panel

Community Activity

Community activities such as:

  • Date first seen in the community.
  • Time since the IP/File/Domain was seen for the first time (Current time - First seen time).

Trending Community Activity:

If the IP address is known within the RSA community, a graphical representation of the community activity trend is displayed for the following:

  • Users (in %) who have viewed the IP address in the Live Connect community over time.
  • Users (in %) who submitted feedback for the IP address.
  • Users (in %) who marked the IP address as unsafe over time.

Risk Indicators

Risk Indicators are highlighted based on the tags that are assigned by the community to the entities (IPs, Files, or Domains).
Risk Indicators

The tags are categorized as given below:

  • Reconnaissance
  • Delivery
  • Command and Control
  • Lateral Movement
  • Privilege Escalation
  • Packaging and Exfiltration

These tags are samples and vary based on the inputs received from the community on the Live Connect server.

The analyst can choose the appropriate risk indicator tags while providing the review feedback.

A highlighted tag indicates that the selected entity is associated with that particular category and tag. Clicking a highlighted tag displays the description of the tag.

Identity

Provides the following identity information for the selected entity or meta value:

For IP address:

  • Autonomous System Number (ASN)
  • Prefix
  • Country Code and Country Name
  • Registrant (Organization)
  • Date

For File Hash:

  • File Name
  • File Size
  • MD5
  • SHA1
  • SHA256
  • Compile Time
  • Mime Type

For Domain:

  • Domain Name
  • Associated IP Address

Certificate Information

Provides the following certificate information for the selected file hash:

  • Certificate Issuer
  • Validity of the Certificate
  • Signature Algorithm
  • Certificate Serial Number

WHOIS Information

The WHOIS information provides the ownership details for a given domain.

WHOIS Information

The following information of the domain owner is displayed:

  • Created Date
  • Updated Date
  • Expired Date
  • Type (Registration Type)
  • Name
  • Organization
  • Address with Postal code
  • Country
  • Phone
  • Fax
  • Email

Related Files

Related Files are displayed for the IP and Domain entity types. A list of known associated files is displayed along with the following information:

  • Live Connect Risk Rating (Safe, Risky, or Unknown)
  • File Name
  • MD5
  • Compile Time and Date
  • API Function Import Hash
  • Mime Type

Related Domains

Related Domains are displayed for the IP and File entity types. A list of known associated domains is displayed along with the following information:

  • Live Connect Risk Rating (Safe, Risky, or Unknown)
  • Domain Name
  • Country Name
  • Registered Date
  • Expired Date
  • Registrant Email address

Related IPs

Related IPs are displayed for the Domain and File entity types. A list of known associated IPs is displayed along with the following information:

  • Live Connect Risk Rating (Safe, Risky, or Unknown)
  • IP Address
  • Domain Name
  • Country Code and Country Name
  • Registered Date
  • Expired Date
  • Registrant Email address