You can configure NetWitness Endpoint as a data source for Context Hub and use the Context Hub server to fetch contextual information from NetWitness Endpoint. Use the procedures in this topic to add NetWitness Endpoint as a data source for the Context Hub service and, if required, configure its settings.
Before you configure the NetWitness Endpoint data source, ensure that:
- The Context Hub service is available in the Admin > Services view of NetWitness Suite.
- NetWitness Endpoint (v4.1.1 to 18.104.22.168) is installed and configured.
For detailed information about NetWitness Endpoint, including how to install and configure it, see the NetWitness Endpoint documents available at RSA Link.
To add NetWitness Endpoint as a data source for Context Hub:
- Go to Admin > Services.
The Services view is displayed.
- Select the Context Hub service, and click > View > Config.
The Services Config view is displayed.
- In the Data Sources tab, click > RSA Endpoint.
The Add Data Source dialog is displayed.
Provide the following information:
- By default, the Enable checkbox is selected. If you clear this checkbox, the Save button is disabled, and you cannot add the data source or view the contextual information.
- Enter the following fields:
- Name: Enter a name for the NetWitness Endpoint data source.
- Host: Enter the hostname or IP address where the NetWitness Endpoint API server is installed.
- Port: The default port is 9443.
- SSL: Select SSL if you want NetWitness Suite to communicate with the host using SSL. This is enabled by default.
- Username: Enter the NetWitness Endpoint API Server username.
- Password: Enter the NetWitness Endpoint API Server password.
- Trust All Certificates: Select this checkbox to add the data source without validating the certificate. If you clear this checkbox, you must upload a valid server-generated or CA certificate to authenticate the connection. The supported formats are .cer and .crt, either Base64 [PEM] encoded or DER encoded.
- Max. Concurrent Queries: You can configure the maximum number of concurrent queries to be run against the configured data sources. The default value is 10.
- Click Test Connection to test the connection between Context Hub and the NetWitness Endpoint.
- Click Save.
NetWitness Endpoint is added as a data source for Context Hub and is displayed in the Data Sources tab.
After adding the data source, you can configure the settings. For more information, see Configure Context Hub Data Source Settings.
You can also view the contextual data in the Context Summary Panel of the Respond view or Investigate view. For more information, see the RSA NetWitness Respond User Guide and the RSA NetWitness Investigation and Malware Analysis Guide.
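A pre-upload check for the certificate file that is required when Trust All Certificates is cleared, given as an added example that is not part of the NetWitness documentation or product: it confirms that the file is PEM or DER encoded and fingerprints it for comparison with the certificate the API server presents. The function names and sample bytes are assumptions made for illustration; only port 9443 and the accepted encodings come from the steps above.

```python
import base64
import hashlib
import re
import ssl

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def _is_one_der_sequence(der: bytes) -> bool:
    """True if the bytes are exactly one DER SEQUENCE (the outer shape of an X.509 certificate)."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                      # short-form length
        header, length = 2, der[1]
    else:                                  # long form: low 7 bits give the number of length bytes
        n = der[1] & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)

def to_der(data: bytes):
    """Return (encoding, der_bytes) for the body of a .cer/.crt file, or raise ValueError."""
    m = PEM_RE.search(data)
    if m:   # first CERTIFICATE block only; bad Base64 raises binascii.Error, a ValueError
        encoding, der = "PEM", base64.b64decode(b"".join(m.group(1).split()), validate=True)
    else:
        encoding, der = "DER", data
    if not _is_one_der_sequence(der):
        raise ValueError("not a PEM or DER certificate (wrong type, truncated, or trailing data)")
    return encoding, der

def fingerprint(data: bytes) -> str:
    """SHA-256 of the DER form, so PEM and DER copies of one certificate compare equal."""
    return hashlib.sha256(to_der(data)[1]).hexdigest()

def server_presents(data: bytes, host: str, port: int = 9443) -> bool:
    """Compare the file with the leaf certificate the API server presents (needs network access).
    Only meaningful for a server-generated certificate; a CA certificate will not match the leaf."""
    presented = ssl.get_server_certificate((host, port))   # fetched without validation
    return fingerprint(presented.encode()) == fingerprint(data)

# Constructed stand-in: a 256-byte DER SEQUENCE, not a real certificate.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(range(256))
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER).encode()

if __name__ == "__main__":
    for label, blob in (("DER", SAMPLE_DER), ("PEM", SAMPLE_PEM)):
        print(label, to_der(blob)[0], fingerprint(blob))
```

A match from `server_presents` shows only that the file is the certificate currently served on that port; whether that certificate is the expected one still has to be confirmed out of band, for example by comparing the fingerprint on the Endpoint server itself.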