Context Hub: Configure Lists as a Data Source

Document created by RSA Information Design and Development on Sep 15, 2017
Last modified by RSA Information Design and Development on Oct 4, 2017
Version 6
  

Lists as a Data Source uses the Context Hub service to fetch contextual information for meta types that support context lookup. You can create one or more lists and add relevant values to each list. Make sure that you create meaningful lists such as blacklisted IPs, whitelisted IPs, and so on. The lists can contain supported entities such as IP address, MAC address, User name, Host name, Domain name, File name or File hash. You can import a single-column list or a multi-column list from the Data Source tab.

List values are in CSV format available in an external location and can be accessed through the following two methods:

  • Local File Store: You can share a file from a local location.
  • HTTP(S): You can share a file using a web server location.

Note: You can also set up a recurring job to fetch data at regular intervals by using the Prefetch settings while configuring meta mapping.

Prerequisites

Before you configure a Lists data source, ensure that:

  • The user has admin permissions.
  • The Context Hub service is available in the ADMIN > Services view of NetWitness Suite.
  • If you are using Local File Store or an HTTP(S) server, the path mentioned contains the CSV file.
    In the case of a remote Local File Store, the file must be mounted or placed on the local drive location /var/lib/netwitness/contexthub-server/data.
  • The NetWitness user has read permission to access the file.

Add List data source using Local File Store

To add List as a data source:

  1. Go to ADMIN > Services.
    The services view is displayed.
  2. Select the Context Hub service and click > View > Config.
    The Services Config View of Context Hub is displayed.
  3. In the Data Sources tab, click > LISTS.
    The Add Data Source dialog is displayed.
  4. By default, the Enable checkbox is selected. If this option is unchecked, the Save button is disabled and you cannot add the data source, view the list in the List tab, or view the contextual information.
  5. Select the Local File Store Connection Type.
  6. Provide the following database connection details:
  • Enter the following fields for Local File Store Connection Type:
    • Name: Provide a name for the list data source.
    • Path: This field displays all the data files available in the data folder /var/lib/netwitness/contexthub-server/data on the machine where the Context Hub service is running. Select the file name from the drop-down.
      A maximum of 32 columns of CSV file are supported that adhere to the RFC1480 standards.
    • (Optional) Description: Add a description for the selected file.
    • With Column Headers: Select this option to consider the first row as column headers from the CSV file. If you don't select this option, you need to enter the column headers in the next screen.

    Note: For Local File Store connection type, the file can be mounted or copied to the local drive. Also, the user must have read permission to the /var/lib/netwitness/contexthub-server/data folder located on the Context Hub machine.

  7. Click Validate.
    If the validation fails, you cannot add the data source.
  8. Click Next.
    The next dialog is displayed.

  9. Select any one of the following options:
    Append - Select this option to add the imported values to an existing list.
    Overwrite - Select this option to replace the values in an existing list with the imported values.
  10. In the List Value Expiration section, the Enable option is unchecked by default. If you want to store the looked-up list values in the cache for a specified number of days, select the Enable checkbox and enter the number of days in the Time to Live (days) field for the list values to be retained.
  11. In the next screen, map at least one meta key with one or more meta types by mapping a column header with a meta. The description for each field is as follows:
  • Column Header: Displays the headers of the CSV file, which must be mapped to a meta type.
  • Meta Mapping: Maps a column header field to a meta type.
  • Values: Displays the first three values from the imported list.
  12. Click Save.
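
A pre-import check for the list file, as an added example (not RSA code and not how Context Hub validates): it enforces the 32-column limit and the entity kinds named on this page, and flags ragged rows, empty cells and columns that mix kinds before you map them to a meta type. The function names, the `classify` heuristic and the sample data are assumptions made for illustration.

```python
import csv
import io
import ipaddress
import re

MAX_COLUMNS = 32  # column limit stated on this page
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5}$")
# Hex strings of MD5, SHA-1 or SHA-256 length
HASH_RE = re.compile(r"^(?:[0-9A-Fa-f]{32}|[0-9A-Fa-f]{40}|[0-9A-Fa-f]{64})$")

def classify(value):
    """Guess the entity kind of one cell (assumed heuristic, not product logic)."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if MAC_RE.match(value):
        return "mac"
    if HASH_RE.match(value):
        return "hash"
    return "text"  # user name, host name, domain name or file name

def check_list(text, with_headers=True):
    """Return (headers, kinds seen per column, problems) for CSV list content."""
    rows = [r for r in csv.reader(io.StringIO(text)) if r]  # blank lines skipped
    if not rows:
        return [], [], ["file is empty"]
    problems = []
    width = len(rows[0])
    if width > MAX_COLUMNS:
        problems.append(f"{width} columns exceeds the limit of {MAX_COLUMNS}")
    headers = rows[0] if with_headers else [f"column{i + 1}" for i in range(width)]
    data = rows[1:] if with_headers else rows
    kinds = [set() for _ in range(width)]
    for n, row in enumerate(data, start=2 if with_headers else 1):
        if len(row) != width:
            problems.append(f"row {n}: {len(row)} fields, expected {width}")
            continue
        for i, cell in enumerate(row):
            if not cell.strip():
                problems.append(f"row {n}: empty value in '{headers[i]}'")
            else:
                kinds[i].add(classify(cell.strip()))
    for name, seen in zip(headers, kinds):
        if len(seen) > 1:  # e.g. a host name inside an IP column
            problems.append(f"'{name}' mixes kinds: {sorted(seen)}")
    return headers, [sorted(k) for k in kinds], problems

# Constructed sample (documentation-range addresses), with two deliberate defects.
SAMPLE = "ip,owner\n192.0.2.10,alice\nnot-an-ip,bob\n198.51.100.7\n"
```

Run `check_list` on the file contents before copying the file into /var/lib/netwitness/contexthub-server/data; an empty problems list means the structural checks passed.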

Add List data source using HTTP(S)

To add List as a data source:

  1. Select ADMIN > Services.
    The services view is displayed.
  2. Select the Context Hub service and click > View > Config.
    The Services Config View of Context Hub is displayed.
  3. In the Data Sources tab, click  > LISTS
    The Add Data Source dialog is displayed.
  4. Select the HTTP(S) Connection Type.

  5. Enter the following fields for HTTP(S) Connection Type:
    • Name: Provide a name for the list data source.
    • URL: Enter the path of the CSV file available on the HTTP(S) location along with the host name or IP address of the remote machine where the list is stored. The URL must be of the format: https://<Hostname or IP-address of the HTTP(S) server>:<Port on which the HTTP(S) server is hosted>/<Absolute path of CSV file>. For example, https://10.1.1.1:443/contexthub_lists/multi_user_list.csv
    • (Optional) Description: Add a description for the selected file.
    • (Optional) Username: Enter the username to connect to the HTTP(S) server if it requires basic authentication.
    • (Optional) Password: Enter the password to connect to the HTTP(S) server if it requires basic authentication.
    • With Column Headers: Select this option if you want to import a CSV file with headers. If this option is selected and you import the CSV without headers, the first row will be considered as a header, which can be edited.
    • SSL: If you enter a URL with HTTPS in the URL field, this checkbox is selected automatically. If you enter a URL with HTTP, this checkbox is unselected.
    • Trust All Certificates: Select this checkbox to add the data source without validating the certificate. If you uncheck this option, you need to upload a valid HTTP(S) server certificate in .cer or .crt format for the connection to be successful.
  6. Click Test Connection to test the connection between Context Hub and the data source.
  7. Click Save to save the settings.
    List is added as a data source for the configured Context Hub and is displayed in the Data Sources tab.


Next Steps:

  • Add, edit, or remove values from a specific list.
  • Configure the data source settings to determine the data source fields to be displayed in the Context panel. For instructions, see Configure Context Hub Data Source Settings.
  • Import and export a list. For more information, see Import or Export Lists for Context Hub.
  • View the contextual data in the Context Summary Panel of the Respond view or Investigate view. For more information, see the RSA NetWitness Respond User Guide and RSA NetWitness Investigation and Malware Analysis User Guide.