Investigate: Context Lookup Panel

Document created by RSA Information Design and Development on Sep 18, 2017. Last modified by RSA Information Design and Development on Oct 24, 2017.
Version 8

After an administrator configures the Context Hub service, you can view contextual information for meta values in the Navigate view and the Events view of Investigate. The Context Hub service is pre-configured with a default mapping of meta types to meta keys. For information about mapping Context Hub meta values to Investigation meta keys, see "Manage Meta Type and Meta Key Mapping" in the Context Hub Configuration Guide.

The Context Lookup panel is displayed on the right side of the Navigate view and the Events view of the Investigation module. Meta values that have been added to a Context Hub list are highlighted in gray in the Navigate view Values panel. When you right-click a highlighted value and select Context Lookup in the resulting context menu, the lookup results for the selected meta value are displayed in the Context Lookup panel, one set per configured source. Select a source in the Context Lookup panel icon bar to view its contextual information.

Workflow

Figure: the Investigate workflow, with View Query Results highlighted

What do you want to do?

                                           
User RoleI want to ...Documentation
Threat Hunterinvestigate meta values* View Additional Context for a Data Point
Threat Huntersubmit a queryBeginning an Investigation of a Service or Collection
Threat Hunterview query results* Conducting an Investigation
Threat Hunterreconstruct an eventReconstruct an Event

Threat Hunter

conduct interactive event analysis

Analyze Events in the Event Analysis View

Incident Responder

investigate an incident

NetWitness Respond User Guide

*You can perform this task in the current view.

Quick Look

The following figure is an example of the Context Lookup panel, and controls and features are described in the table.

Figure: the Context panel open in the Navigate view

                               
FeatureDescription
Source Options Bar Displays the icons for the available sources: Endpoint, Incidents, Alerts, and Lists.
Source Name Displays the source name based on the selected icon:
  • Endpoint
  • INCIDENTS
  • ALERTS
  • LISTS
SortProvides a drop-down of sort options for the listed context information. Possible sort options are Severity - High to Low, Severity Low to High, Date - Oldest to Newest. and Date - Newest to Oldest. The sorting options vary by source type.
Refresh icon Refreshes the lookup results.
n items (First n Results)The footer provides a count of the total number of results, and the count of results currently displayed. For example, 50 Alerts (First 50 Alerts).

Lookup Results

The Context Lookup panel displays the following information retrieved from the configured sources.

Incidents

Incidents are displayed based on time first (Newest to Oldest) and then priority status. The following information is displayed for incident lookups:

  • Incident Name and ID
  • Priority status of the incidents
  • Risk Score value of the incidents
  • Date when the incident was created
  • Status of the incident
  • Assignee for the incident
  • Last Updated: Indicates when contextual data was last fetched from the data source and written to the cache.
  • Time window: Based on the value set for the "Query Last (Days)" field in the Configure Respond window. For details, see the "Configure Respond as a Data Source" topic in the Context Hub Configuration Guide.
  • Sort: This drop-down field provides options to change the sorting of results based on time or priority.

Alerts

Alerts are displayed based on their Severity. The following information is displayed for alert lookups:

  • Alert Name
  • Severity value of the alerts
  • Date when the alert was created
  • Incident ID: The ID of the incident that the alert is associated with (if any).
  • Sources: Event source name
  • Number of events associated with the alert
  • Last Updated: Indicates when contextual data was last fetched from the data source and written to the cache.
  • Time window: Based on the value set for the "Query Last (Days)" field in the Configure Respond window. For details, see the "Configure Respond as a Data Source" topic in the Context Hub Configuration Guide.
  • Sort: This drop-down field provides options to change the sorting of results based on time or severity.

Lists

The following information is displayed for list lookups.

  • List Name
  • Owner who created the list
  • Created Date
  • Last Updated Date
  • Description of the list

Endpoint

The following information is displayed for Endpoint lookups.

  • Machine name and IP address of the machine. Clicking the IP address or the machine name opens the Endpoint UI so that you can investigate further.
  • Last Updated: Indicates when contextual data was last fetched from the data source and written to the cache.
  • Machine Score: The machine IIOC score, aggregated from the module scores.
  • Number of modules: Number of active files for the selected machine.
  • Last Updated: Indicates when the scan results were last updated in the Endpoint database.
  • Last Login User
  • Machine MAC Address
  • Operating System Version
  • Admin Notes (if any)
  • Admin Status (if any)
  • Top Suspicious Modules (Modules that have an IIOC score > 500). This is based on the value set for "Minimum IIOC Score" field in the Configure Endpoint window. The default value for "Minimum IIOC Score" is 500.
  • Machine IIOC Levels
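The ordering, time-window and threshold rules described in the Incidents, Alerts and Endpoint sections above are modelled below as an added example; this is not RSA's code and does not use any NetWitness API. It works over constructed sample records, and the priority labels with their ranking (PRIORITY_RANK) are assumptions, since the page only states that incidents are ordered by time first and then by priority status.

```python
# Added example (not RSA's code): models the Context Lookup panel's documented
# ordering, "Query Last (Days)" window and "Minimum IIOC Score" rules.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Assumed priority labels and ranking (lower rank = higher priority).
PRIORITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


@dataclass
class Incident:
    incident_id: str
    name: str
    priority: str
    risk_score: int
    created: datetime
    status: str
    assignee: str


@dataclass
class Alert:
    name: str
    severity: int
    created: datetime
    incident_id: Optional[str]
    source: str
    event_count: int


@dataclass
class Module:
    name: str
    iioc_score: int


def within_query_window(items, now: datetime, query_last_days: int):
    """Keep only records created inside the 'Query Last (Days)' window."""
    cutoff = now - timedelta(days=query_last_days)
    return [item for item in items if item.created >= cutoff]


def sort_incidents(incidents: List[Incident], option: str = "Date - Newest to Oldest"):
    """Panel default: newest first, ties broken by priority status."""
    sign = -1 if option == "Date - Newest to Oldest" else 1
    if option not in ("Date - Newest to Oldest", "Date - Oldest to Newest"):
        raise ValueError(f"unsupported Incidents sort option: {option}")
    return sorted(incidents, key=lambda i: (sign * i.created.timestamp(), PRIORITY_RANK[i.priority]))


def sort_alerts(alerts: List[Alert], option: str = "Severity - High to Low"):
    """Alerts offer the four sort options listed in the Quick Look table."""
    keys = {
        "Severity - High to Low": (lambda a: a.severity, True),
        "Severity - Low to High": (lambda a: a.severity, False),
        "Date - Newest to Oldest": (lambda a: a.created, True),
        "Date - Oldest to Newest": (lambda a: a.created, False),
    }
    if option not in keys:
        raise ValueError(f"unsupported Alerts sort option: {option}")
    key, reverse = keys[option]
    return sorted(alerts, key=key, reverse=reverse)


def footer(label: str, total: int, shown: int) -> str:
    """Footer text, e.g. '50 Alerts (First 50 Alerts)'."""
    return f"{total} {label} (First {shown} {label})"


def top_suspicious_modules(modules: List[Module], min_iioc_score: int = 500):
    """Modules whose IIOC score is strictly above the configured minimum (default 500)."""
    return sorted((m for m in modules if m.iioc_score > min_iioc_score),
                  key=lambda m: m.iioc_score, reverse=True)


# Constructed sample data (not real incidents, alerts or hosts).
NOW = datetime(2017, 10, 24)
SAMPLE_INCIDENTS = [
    Incident("INC-1", "Beaconing host", "High", 80, datetime(2017, 10, 20), "Assigned", "analyst1"),
    Incident("INC-2", "Policy violation", "Medium", 40, datetime(2017, 10, 20), "New", "analyst2"),
    Incident("INC-3", "Suspicious login", "Low", 20, datetime(2017, 10, 22), "New", "analyst1"),
    Incident("INC-4", "Old malware case", "Critical", 95, datetime(2017, 9, 1), "Closed", "analyst3"),
]
SAMPLE_ALERTS = [
    Alert("A1", 50, datetime(2017, 10, 21), "INC-1", "ESA", 3),
    Alert("A2", 90, datetime(2017, 10, 19), None, "Endpoint", 1),
    Alert("A3", 70, datetime(2017, 10, 23), "INC-3", "ESA", 12),
]
SAMPLE_MODULES = [Module("svc.exe", 800), Module("util.dll", 500),
                  Module("notepad.exe", 120), Module("dropper.exe", 650)]

if __name__ == "__main__":
    recent = within_query_window(SAMPLE_INCIDENTS, NOW, 7)
    for inc in sort_incidents(recent):
        print(inc.incident_id, inc.created.date(), inc.priority)
    print(footer("Incidents", len(SAMPLE_INCIDENTS), len(recent)))
    for mod in top_suspicious_modules(SAMPLE_MODULES):
        print(mod.name, mod.iioc_score)
```

Note that the default ordering of incidents is a two-key sort (date first, priority second), so two incidents created at the same time still come out in a deterministic order, and that the IIOC threshold is strict (a module scoring exactly the minimum is not listed), matching the "> 500" wording above.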