Context Hub: Configure Responses for NetWitness Data Sources

Document created by RSA Information Design and Development on Sep 15, 2017. Last modified by RSA Information Design and Development on Oct 4, 2017.
Version 6

Responses are different types of context information that are available for a data source. The configuration of these responses for each data source controls what appears in the Context Lookup panel displayed in Investigation views when Context Lookup is performed. The types of responses for the AD data source are Users, Computers, and Groups.

Responses for each data source are already configured with default values for optimal performance. You can view or edit the default values by using the procedure in this topic.

Prerequisites

Ensure that:

  • Context Hub is enabled and the service is available in ADMIN > Services view of NetWitness Suite.
  • The NetWitness Endpoint data source is available and running.

Procedure

Configure Responses and Meta Mapping for NetWitness Endpoint Data Sources

To view/edit responses and meta mapping for a data source:

  1. In the Data Sources tab, select the NetWitness Endpoint data source and click .
    The Configure EndPoint Responses dialog is displayed.
  2. Select the response type (Alerts or Incidents) to view and edit the settings.
  3. Configure the following fields:

                               
    Enable: This option is enabled by default (checked) and can be used to enable or disable the response from RESPOND data source.

    Settings:

    You can view or edit the schema by using the following fields:

    Entity Mapping

    From the Entity Mapping section, you can map the meta types with the meta values. Basic mappings are available by default.

    • Click to add supported meta types.
    • Select a meta type on the left panel and add one or more meta values to the selected meta type by using the Add Meta Value drop-down list.

    Schema Mapping

    The mapping of the field name (meta value) between the context hub and the data source is provided here. You can also view a list of available meta values for a particular data source.

    To add a custom meta value, click in the Add Records field.

    Cache Settings

    Use this section to define the following cache settings for query lookup:

    Cache Enabled: Select this checkbox to store the fetched data in cache.

    Cache Expiration (Minutes): The time that the lookup results must be stored in cache after Context Lookup is performed.

      
  4. Click Save to save the changes.

Next steps 

After completing the configuration, you can use the Context Lookup option in Investigate > Navigate view or Investigation > Events view to fetch contextual information. For instructions, see the View Additional Context for a Data Point topic in the Investigation and Malware Analysis Guide.
