The Add/Remove from List dialog allows you to add an entity or meta value to an existing Context Hub list, remove an entity or meta value, or create a new Context Hub list containing the entity or meta value. When you look up an IP address or other entity and you find it suspicious or interesting, you can add it to a list that has been added as a data source. An example of a commonly used list is a white list or black list. This improves the visibility of the suspicious IP addresses and reduces false positives that do not need further investigation.
You can add entities or meta values to more than one list. For example, you can add them to one list for suspected domains related to command and control connections and to another list for Trojan connection IP addresses related to remote access. If a list is not available, you can create a list.
The dialog is available in NetWitness Investigate and in NetWitness Respond. When working in Investigate, in the Navigate view, Legacy Events view, or Events view, you can add meta values for the Source IP, Destination IP, or Username meta keys to an existing context hub list or you can create a new list containing the meta values. When you add meta values to a list, you can look up additional context on those meta values.
- To display the dialog in the Navigate view or the Legacy Events view, right-click a meta value (under Source IP, Destination IP, or Username) and select Add/Remove from List in the context menu.
- To display the dialog in the Events view, hover over a value and select Add/Remove from List in the Actions section of the context tooltip.
What do you want to do?
|User Role||I want to ...||Show me how|
|Incident Responder or Threat Hunter||review detections and signals seen in my environment||NetWitness Platform Getting Started Guide|
|Incident Responder||review critical incidents or alerts||NetWitness Respond User Guide|
|Threat Hunter||query a service, metadata, and time range|
|Threat Hunter||view sequential events|
|Threat Hunter||reconstruct and analyze an event|
|Threat Hunter||examine files and associated hosts|
|Threat Hunter||perform lookups|
|Threat Hunter||create an incident or add to an incident|
| ||add a meta value to a Context Hub list*|
*You can perform this task in the current view.
Quick Look in the Events View
The following is an example of the Add/Remove from List dialog in the Events view.
|1||Entities or meta values to be added or removed.|
|2||Create a new list using the selected meta.|
|3||Select any of the tabs: All, Selected, or Unselected.|
|4||Search using the list name or description.|
|5||Cancel the action.|
|6||Save to update lists or create a new list.|
The following table shows the options in the Add/Remove from List dialog.
|META VALUE||Displays the selected entity or meta value that needs to be added to or removed from one or more lists. You can also create a new list using the selected value.|
|Create New List||Displays a dialog to create a new list using the selected meta value.|
|ALL||Shows all of the available Context Hub lists. The lists that contain the selected entity or meta value are selected. Select a checkbox to add an entity or meta value to a list. Clear a checkbox to remove it from the list.|
|SELECTED||Shows only the lists that contain the selected entity or meta value. (All lists are selected.)|
|UNSELECTED||Shows only the lists that do not contain the selected entity or meta value. (All lists are unselected.)|
|Filter Results||Enter the name or description of a specific list to search from multiple lists.|
| ||Displays the name of all the lists.|
|DESCRIPTION||Displays information about the selected list. The description that you provide when creating a list appears in this dialog. For example: This list contains all of the blacklisted IP addresses.|
|Cancel||Cancels the operation.|
|Save||Saves the changes.|
Quick Look in the Navigate and Legacy Events Views
The following figure shows the dialog when you select Create New List.
The following table describes the features of the Add/Remove from List and Create New List dialogs.
|Meta Value||The selected meta value to be added to the existing or new list.|
|List||The list to which the selected meta value must be added. A drop-down menu provides a list of available lists to which you can add the meta value.|
|Create New List||Opens a new dialog in which you can create a new list for the selected meta value.|
|List Name||The name of the new list.|
|Description||The description of the new list.|
|Create||Creates a new list after entering the required fields.|
|Back||In the new list mode, cancels the new list creation and returns to the original dialog.|
|Cancel||Cancels the addition of the meta value to a list and closes the dialog.|
|Save||Saves the changes made to the lists and closes the dialog.|