The Context Hub service provides an enrichment lookup capability in the Respond and Investigate views. An Administrator configures the Context Hub service and its data sources so that an Analyst can perform context lookups against the required data sources.
By default, the Context Hub service supports enrichment lookups for the meta types IP address, User, Domain, MAC address, File Name, File Hash, and Host.
The following data sources are supported by NetWitness Suite and provide enriched data when configured.
Lists - Provides contextual information from a list of blacklists, whitelists, or watchlists.
RSA Archer - Provides criticality information for a device or specific asset, based on its IP or Host, that needs constant monitoring.
Active Directory - Provides contextual information about a user to help determine whether the user is suspicious.
RSA NetWitness® Endpoint - Provides context information for endpoint module and machine indicators, to help determine whether any of the Endpoint devices are compromised.
Respond - Provides contextual information for a specific meta value available in Respond and enables analysts to respond faster based on the context data.
Live Connect - Provides contextual information for IP addresses, Domains, and File Hashes from the RSA Live Connect threat intelligence community server.
Overview of Context Hub Configuration
The Administrator needs to perform each step in the proper sequence to configure the services so that context lookup works effectively. In the ADMIN > Services > Services Config view of the Context Hub service, an administrator can configure data sources for the Context Hub service. The administrator can also configure Context Lookups for custom meta keys, if required, and import or export lists.
The workflow below describes how the Context Hub service is configured:
The Context Hub service is pre-installed on the primary ESA host and is automatically added to the NetWitness Suite.