You can configure Active Directory (AD) as a data source for Context Hub using LDAP and use the Context Hub service to fetch contextual information from AD. Use the procedures in this topic to add AD as a data source for the Context Hub service and configure the settings (if required) for AD.
Before you configure the Active Directory data source, ensure that:
- The Context Hub service is available in the ADMIN > Services view of NetWitness Suite.
- AD is available and is running on a supported Windows version. Windows versions 2003, 2008, and 2012 are supported.
To add AD as a data source for Context Hub:
- Go to ADMIN > Services.
The services view is displayed.
- Select the Context Hub service and click > View > Config.
The Services Config View of Context Hub is displayed.
- In the Data Sources tab, click > AD.
The Add Data Source dialog is displayed.
All the other attributes replicate automatically.
- Provide the following database connection details:
- By default, the Enable checkbox is selected. If this option is unchecked, the Save button is disabled, and you can neither add the data source nor view the contextual information.
- Enter the following fields.
- Name: Enter a name for the AD data source.
- Host: Enter the host name or IP address of the AD.
- SSL: By default, this checkbox is selected and port 636 is used, so Context Hub connects to the data source over a Secure Sockets Layer (SSL) connection.
- Trust All Certificates: Select this checkbox to add the data source without validating the certificate. If you uncheck this option, you need to upload a valid Active Directory server certificate in .cer or .crt format for the connection to be successful. If you add multiple AD data sources with SSL, you should configure all the data sources with either a valid certificate or Trust All Certificates.
- Port: The default port is 636 with SSL and 389 without SSL.
If you want to fetch data from multiple domains, you can configure a single data source with the Global catalog port (3269 with SSL or 3268 without SSL).
Alternately, for multi-domain, you can configure a single data source for each domain with the default port (389 with SSL or 636 without SSL).
Multi-forest is a collection of multi-domains. If you want to fetch data from a multi-forest, you need to configure each forest with the Global catalog port (3269 with SSL or 3268 without SSL).
- Password: Enter the password of the user DN used to bind with AD.
- Bind User DN: The distinguished name of the user that will authenticate to the search directory. For example, cn=Administrator,cn=Users,dc=sub,dc=saserver,dc=local.
- Search Base DN: The base distinguished name, or base DN, identifies the entry in the directory from which searches are initiated; the base DN is often referred to as the search base. For example, dc=sub,dc=saserver,dc=local.
- Click Test Connection to test the connection between Context Hub and the data source.
- Click Save.
AD is added as a data source for the configured Context Hub. The added AD data source is displayed in the Data Sources tab.
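To leave Trust All Certificates unchecked, it helps to confirm beforehand that the certificate file you plan to upload actually validates the AD server's SSL endpoint. The following Python check is an added example, not part of NetWitness or Context Hub; the host name `dc01.example.local` and the file `ad-server.crt` are placeholders, and it performs only the TLS handshake, not an LDAP bind.

```python
import socket
import ssl
from pathlib import Path


def to_pem(raw: bytes) -> str:
    """Accept the body of a .crt/.cer file in PEM or DER form and return PEM text."""
    if raw.lstrip().startswith(b"-----BEGIN"):
        return raw.decode("ascii")
    return ssl.DER_cert_to_PEM_cert(raw)


def build_context(cert_file=None, trust_all=False) -> ssl.SSLContext:
    """Mirror the dialog: Trust All Certificates versus an uploaded certificate."""
    ctx = ssl.create_default_context()  # system CA store, hostname check on
    if trust_all:
        # Same effect as the Trust All Certificates checkbox: the link is
        # encrypted, but the server's identity is never verified.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    elif cert_file:
        # Trust only the supplied certificate, not the system CA store.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        # Lets a server certificate that is not self-signed act as the anchor.
        ctx.verify_flags |= getattr(ssl, "VERIFY_X509_PARTIAL_CHAIN", 0)
        ctx.load_verify_locations(cadata=to_pem(Path(cert_file).read_bytes()))
    return ctx


def check_ldaps(host, port=636, cert_file=None, timeout=5.0):
    """Handshake with host:port and return (ok, detail). Use 3269 for the Global catalog."""
    ctx = build_context(cert_file)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            # Fails if the chain does not validate or the name in Host
            # does not match the certificate (common when Host is an IP).
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert().get("notAfter")
                return True, f"{tls.version()}, certificate valid until {not_after}"
    except OSError as exc:  # ssl.SSLError and timeouts are OSError subclasses
        return False, f"{type(exc).__name__}: {exc}"


if __name__ == "__main__":
    # Placeholder host and certificate file; replace with your own values.
    print(check_ldaps("dc01.example.local", 636, "ad-server.crt"))
```

A `False` result with a certificate verification error means the same certificate would also be rejected by a data source that has Trust All Certificates unchecked.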
After adding the data source, you can configure the data source settings. For instructions, see Configure Context Hub Data Source Settings.
After completing the configuration, you can view the contextual data in the Context Summary Panel of the Respond view or Investigate view. For instructions, see the Navigate to Context Summary Panel and View Additional Context topic in the Investigation and Malware Analysis Guide.