Context Hub: Configure Responses for Respond Data Sources

Document created by RSA Information Design and Development on Sep 15, 2017. Last modified by RSA Information Design and Development on Oct 4, 2017.
Version 6

Responses are different types of context information that are available for a data source. The configuration of these responses for each data source controls what appears in the Context Lookup panel displayed in Investigation views when Context Lookup is performed. The types of responses for the AD data source are Users, Computers, and Groups.

Responses for each data source are already configured with default values for optimal performance. You can view or edit the default values by using the procedure in this topic.

Prerequisites

Ensure that:

  • Context Hub is enabled and the service is available in the ADMIN > Services view of NetWitness Suite.
  • The RESPOND data source is available and running.

Procedure

Configure Responses and Meta Mapping for RESPOND Data Sources

To view/edit responses and meta mapping for a data source:

  1. In the Data Sources tab, select the RESPOND data source and click .
    The Configure Respond Responses dialog is displayed.
  2. Select the response type (Alerts or Incidents) to view and edit the settings.
  3. Configure the following fields:

                                   
    Field: Description

    Enable: This option is enabled by default (checked) and can be used to enable or disable the response from the RESPOND data source.

    Context Panel Settings

    Limit: The number of records to be displayed in the Context panel.

    Data Prefetch Settings

    Schedule Recurrence: Specify the number of minutes, hours, or days between recurrences of data to be updated. For example, you can set this to 30 minutes, and Context Lookup will fetch data from the Response data source after the specified time.

    Query Last [Days]: Specify the number of days for which the data needs to be fetched.

    Cache Settings

    Use this section to define the following cache settings for query lookup:

    Cache Enabled: Select this checkbox to store the fetched data in cache.

    Cache Expiration (Minutes): The time that the lookup results must be stored in cache after Context Lookup is performed.

  4. Click Save to save the changes.

Next steps 

After completing the configuration, you can use the Context Lookup option in Investigate > Navigate view or Investigation > Events view to fetch contextual information. For more information, see the View Additional Context for a Data Point topic in the Investigation and Malware Analysis Guide.
