The Add/Remove from List dialog allows you to add an entity or meta value to an existing Context Hub list, remove an entity or meta value, or create a new Context Hub list containing the entity or meta value. When you look up an IP address or other entity and you find it suspicious or interesting, you can add it to a list that has been added as a data source. An example of a commonly used list is a white list or black list. This improves the visibility of the suspicious IP addresses and reduces false positives that do not need further investigation.
You can add entities or meta values to more than one list. For example, you can add them to one list for suspected domains related to command and control connections and to another list for Trojan connection IP addresses related to remote access. If a list is not available, you can create a list.
The dialog is available in NetWitness Investigate and in NetWitness Respond. When working in Investigate, in the Navigate view, Events view, or Event Analysis view (Version 11.2), you can add meta values for the Source IP, Destination IP, or Username meta keys to an existing context hub list or you can create a new list containing the meta values. When you add meta values to a list, you can look up additional context on those meta values.
- To display the dialog in the Navigate view or the Events view, right-click a meta value under Source IP, Destination IP, or Username) and select Add/Remove from List in the context menu.
- To display the dialog in the Event Analysis view, hover over a value and select Add/Remove from List in the Actions section of the context tooltip.
The following workflow diagram shows the high-level workflow for Investigate with the location of the Add to List task highlighted.
What do you want to do?
- Look Up Additional Context in the Navigate and Events Views
- Navigate View
- Events View
- Event Analysis View
Quick Look in the Navigate and Events Views
The following figure shows the dialog when you select Create New List.
The following table describes the features of the Add/Remove from List and Create New List dialogs.
Quick Look in the Event Analysis View (Version 11.2 and Later)
The following is an example of the Add/Remove from List dialog in the Event Analysis view.
|1||Entities or meta values to be added or removed.|
|2||Create a new list using the selected meta.|
|3||Select any of the tabs: All, Selected, or Unselected.|
|4||Search using the list name or description.|
|5||Cancel the action.|
|6||Save to update lists or create a new list.|
The following table shows the options in the Add/Remove from List dialog.