As an administrator you manage the mapping of Context Hub meta types with NetWitness meta keys.
The Context Hub service provides context lookup for meta values in the Respond and Investigation views. These meta values are grouped into meta types based on the category they belong to. For example, meta keys of NetWitness Platform Respond and Investigation like ip.src and ip.dstare grouped into the meta type IP in Context Hub. The meta type IP is in turn mapped to metas like alert.events.source.device.ip_address and alert.events.destination.device.ip_address in the Respond database.
In the (Admin) > System > Investigation view, the Context Lookup tab enables the administrator to configure the NetWitness meta keys and meta type mapping. The administrator can add or remove meta keys to the list of meta types supported by Context Hub.
The Context Hub service is pre-configured with default meta type and meta key mapping, which is expected to work with most deployments, unless there are some custom mappings created for your specific deployment.
The default mapping is given below:
|Meta Type Name||Meta Keys|
device.ip, ip.dst, ip.src, ip.addr, paddr, ip.all, alias.ip
|USER||user.all, user.src, user.dst, username|
|DOMAIN||domain.src, domain.all, domain.dst|
|MAC_ADDRESS||eth.dst, eth.src, eth.all|
|FILE_NAME||filename, filename.all, filename.src, filename.dst, sourcefile|
|FILE_HASH||checksum.all, checksum, checksum.dst, checksum.src|
|HOST||device.host, alias.host, host.all|
To manage Investigation meta keys mapping:
- Go to (Admin) > System.
In the options panel, select Investigation.
The Investigation Configuration panel is displayed.
Select the Context Lookup tab.
- Select a meta type to view the default meta keys that are mapped with this meta type.
- To add a meta key, click and enter the meta key.
- To remove a meta key, select the meta key and click .
- To save the changes, click Apply.
In order to add a new meta, they need to be included in the Concentrator's custom index file. For example, if you want to add a meta "fqdn" then you need to add an new entry: <key name="fqdn" description="Fully Qualified Domain Name="IndexValues" form-at="Text" valueMax="100" /> in the index file. For more information on how to include a new meta in the index file, see Index Customization topic in the Core Database Tuning Guide. After you add the new meta, you can view the contextual information on clicking the Pivot to investigate option in the Respond view.
In case a new meta key is added, the Context Lookup menu option is enabled for the meta values under that meta key. For more information, see the "Investigation Configuration Panel" topic in the System Configuration Guide