Context Hub Service Overview

Document created by RSA Information Design and Development on Sep 15, 2017
Last modified by RSA Information Design and Development on Oct 4, 2017
Version 6
  

 

The Context Hub service provides enrichment lookup capability in the Respond and Investigate views. An Administrator configures the Context Hub service and its data sources so that an Analyst can perform context lookups against the required data sources.

By default, the Context Hub service supports enrichment lookups for meta types such as IP address, User, Domain, MAC address, File Name, File Hash, and Host.

The following data sources are supported by NetWitness Suite and provide enriched data when configured.

Lists - Provides contextual information from a list of blacklists, whitelists, or watchlists.

RSA Archer - Provides criticality information for a device or specific asset that needs constant monitoring, based on the IP or Host.

Active Directory - Provides contextual information about a user to help determine if the user is suspicious or not.

RSA NetWitness® Endpoint - Provides contextual information for endpoint module and machine indicators to help determine if any of the Endpoint devices are compromised.

Respond - Provides contextual information for a specific meta available in Respond and enables an analyst to respond faster based on context data.

Live Connect - Provides contextual information for IP addresses, Domains and File Hashes from the RSA Live Connect threat intelligence community server.

 

Overview of Context Hub Configuration

The Administrator needs to perform each step in the proper sequence to configure the services to perform the context lookup effectively. In the ADMIN > Services view, in the Services Config view of the Context Hub service, an administrator can configure data sources for the Context Hub service. The administrator can also configure Context Lookups for custom meta keys, if required, and import or export lists.

The workflow below describes how the Context Hub service can be configured:

[Figure: Workflow on how Context Hub service works]

The Context Hub service is pre-installed on the primary ESA host and is automatically added to the NetWitness Suite.

Note: You can have only one Context Hub service instance enabled in your NetWitness Suite deployment. If there are multiple ESA services in NetWitness Suite, you must choose the appropriate ESA host for Context Hub. A minimum of 8 GB of space is required to configure Context Hub on the ESA host.

 

 

 
