Context Hub: Manage Meta Type and Meta Key Mapping

Document created by RSA Information Design and Development on Sep 15, 2017. Last modified by RSA Information Design and Development on Oct 4, 2017.

As an administrator, you manage the mapping of Context Hub meta types to NetWitness meta keys.

The Context Hub service provides context lookup for meta values in the Respond and Investigation views. These meta values are grouped into meta types based on the category they belong to. For example, NetWitness Suite Respond and Investigation meta keys such as ip.src and ip.dst are grouped into the meta type IP in Context Hub. The meta type IP is in turn mapped to metas such as alert.events.source.device.ip_address and alert.events.destination.device.ip_address in the RESPOND database.

In the ADMIN > System > Investigation view, the Context Lookup tab enables the administrator to configure the mapping between NetWitness meta keys and meta types. The administrator can add meta keys to, or remove meta keys from, the list of meta types supported by Context Hub.

The Context Hub service is pre-configured with a default meta type and meta key mapping, which is expected to work with most deployments unless custom mappings have been created for your specific deployment.

Note: You cannot add a new Meta Type.

The default mapping is given below:

Meta Type Name   Meta Keys
IP               device.ip, ip.src, ip.dst, ip.addr, ipv6.src, alias.ip, ipv6.addr, device.ipv6, forward.ip, forward.ipv6, ipv6.dst, ipv6.addr, stransaddr, transaddr
USER             user.src, user.dst, username, event user
DOMAIN           domain.src, domain.dst, fqdn, web.domain, domain, sdomain, ddomain
MAC_ADDRESS      eth.dst, eth.src, alias.mac
FILE_NAME        filename, sourcefile
FILE_HASH        checksum
HOST             device.host, alias.host, host.src, host.dst

Procedure

To manage Investigation meta keys mapping:

  1. Go to ADMIN > System.
  2. In the options panel, select Investigation.

    The Investigation Configuration panel is displayed.

  3. Select the Context Lookup tab.

    Map at least one meta key to each meta type.

  4. Select a meta type to view the default meta keys that are mapped with this meta type.
  5. To add a meta key, click the add icon and enter the meta key.
  6. To remove a meta key, select the meta key and click the remove icon.
  7. To save the changes, click Apply.
  8. To add a new meta key, it must also be included in the Concentrator's custom index file; otherwise its values are not indexed and cannot be looked up. For example, if you want to add the meta "fqdn", add a new entry such as <key description="Fully Qualified Domain Name" level="IndexValues" name="fqdn" format="Text" valueMax="100" /> to the index file. For more information on how to include a new meta in the index file, see the "Index Customization" topic in the Core Database Tuning Guide. After you add the new meta, you can view the contextual information by clicking the Pivot to Investigate option in the Respond view.
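Step 8 is the part of this procedure that is easy to get wrong: a meta key can be mapped in the Context Lookup tab without being indexed at the IndexValues level on the Concentrator, in which case lookups for that key silently find nothing. The script below is an added example, not RSA NetWitness code, that cross-checks a meta type mapping against the <key> entries of an index file and reports mapped keys that are missing or indexed below IndexValues. It uses the DOMAIN row of the default mapping from this page; the index file content is constructed for the example (the <language> root element and the key attributes follow the usual index file layout, but the entries themselves are hypothetical), and the assumption that the custom index is applied after the base index is the script's own.

```python
# Added example (not RSA NetWitness code): cross-check a Context Hub
# meta-type -> meta-key mapping against a Concentrator index file so that
# every mapped meta key is indexed at the IndexValues level, which is what
# context lookup on meta values relies on.
import xml.etree.ElementTree as ET

# The DOMAIN row of the default mapping documented on this page.
DOMAIN_MAPPING = {
    "DOMAIN": ["domain.src", "domain.dst", "fqdn", "web.domain",
               "domain", "sdomain", "ddomain"],
}

# Constructed sample custom index content (hypothetical entries; the layout
# mirrors a NetWitness index file, but nothing here is copied from one).
SAMPLE_INDEX_XML = """<language level="IndexNone" defaultAction="Auto">
  <key description="Fully Qualified Domain Name" level="IndexValues" name="fqdn" format="Text" valueMax="100"/>
  <key description="Source Domain" level="IndexKeys" name="sdomain" format="Text"/>
  <key description="Web Domain" level="IndexValues" name="web.domain" format="Text" valueMax="100"/>
</language>
"""


def parse_index_levels(xml_text):
    """Return {meta key name: index level} for every <key> element.

    A key without an explicit level attribute inherits the root element's
    level, which is IndexNone in the constructed sample.
    """
    root = ET.fromstring(xml_text)
    default_level = root.get("level", "IndexNone")
    levels = {}
    for key in root.iter("key"):
        name = key.get("name")
        if name:
            levels[name] = key.get("level", default_level)
    return levels


def merge_index_levels(*index_docs):
    """Merge several index files; a later document overrides an earlier one.

    Assumption made by this example: pass the base index first and the
    custom index last, so custom entries take precedence.
    """
    merged = {}
    for doc in index_docs:
        merged.update(parse_index_levels(doc))
    return merged


def find_unindexed_keys(mapping, index_levels):
    """Return {meta type: [keys]} for mapped keys that are absent from the
    index or indexed below IndexValues, i.e. keys context lookup cannot use."""
    problems = {}
    for meta_type, keys in mapping.items():
        bad = [k for k in keys if index_levels.get(k) != "IndexValues"]
        if bad:
            problems[meta_type] = bad
    return problems


def check_domain_mapping(custom_index_xml=SAMPLE_INDEX_XML):
    """Check the DOMAIN mapping against the constructed custom index only."""
    return find_unindexed_keys(DOMAIN_MAPPING, parse_index_levels(custom_index_xml))


if __name__ == "__main__":
    # With only the sample custom index loaded, the keys that live in the
    # base index (domain.src, domain.dst, domain) are reported as well,
    # alongside sdomain (IndexKeys) and ddomain (not present at all).
    for meta_type, keys in check_domain_mapping().items():
        print(f"{meta_type}: not indexed at IndexValues -> {', '.join(keys)}")
```

In a real deployment you would read the base Concentrator index and the custom index from disk and pass both to merge_index_levels before running find_unindexed_keys over the full mapping table; the result lists exactly the meta keys for which the Context Lookup menu would appear but return no context.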

Once a new meta key is added, the Context Lookup menu option is enabled for the meta values under that meta key. For more information, see the "Investigation Configuration Panel" topic in the System Configuration Guide.
