Investigate: Add/Remove from List Dialog

Document created by RSA Information Design and Development on Sep 18, 2017. Last modified by RSA Information Design and Development on Sep 11, 2018.
Version 15

The Add/Remove from List dialog allows you to add an entity or meta value to an existing Context Hub list, remove an entity or meta value, or create a new Context Hub list containing the entity or meta value. When you look up an IP address or other entity and you find it suspicious or interesting, you can add it to a list that has been added as a data source. An example of a commonly used list is a white list or black list. This improves the visibility of the suspicious IP addresses and reduces false positives that do not need further investigation.

You can add entities or meta values to more than one list. For example, you can add them to one list for suspected domains related to command and control connections and to another list for Trojan connection IP addresses related to remote access. If a list is not available, you can create a list.

The dialog is available in NetWitness Investigate and in NetWitness Respond. When working in Investigate, in the Navigate view, Events view, or Event Analysis view (Version 11.2), you can add meta values for the Source IP, Destination IP, or Username meta keys to an existing Context Hub list, or you can create a new list containing the meta values. When you add meta values to a list, you can look up additional context on those meta values.

  • To display the dialog in the Navigate view or the Events view, right-click a meta value (under Source IP, Destination IP, or Username) and select Add/Remove from List in the context menu.
  • To display the dialog in the Event Analysis view, hover over a value and select Add/Remove from List in the Actions section of the context tooltip.

Workflow

The following workflow diagram shows the high-level workflow for Investigate with the location of the Add to List task highlighted.

[Figure: high-level Investigate workflow with the location of the Add to List task highlighted]

What do you want to do?

| User Role | I want to ... | Show me how |
|---|---|---|
| Threat Hunter | browse event metadata | Begin an Investigation in the Navigate or Events View |
| Threat Hunter | browse raw events | Begin an Investigation in the Navigate or Events View |
| Threat Hunter | analyze raw events and metadata | Begin an Investigation in the Event Analysis View |
| Threat Hunter | investigate endpoints (Version 11.1) | Investigate Hosts |
| Threat Hunter | find suspicious endpoint files (Version 11.1) | Investigate Files |
| Threat Hunter | scan files and events for malware | Conducting Malware Analysis |
| Incident Responder | triage an incident in Investigate | NetWitness Respond User Guide |
| Threat Hunter | create or add meta values to a Context Hub List* | Manage Context Hub Lists and List Values in the Navigate and Events Views or Look Up Additional Context in the Event Analysis View |

Related Topics

Quick Look in the Navigate and Events Views

The following figure is an example of the Add/Remove from List dialog when initially opened.
This is the Add/Remove from List dialog.

The following figure shows the dialog when you select Create New List.

This is how the dialog appears after clicking "Create new list"

The following table describes the features of the Add/Remove from List and Create New List dialogs.

| Feature | Description |
|---|---|
| Meta Value | The selected meta value to be added to the existing or new list. |
| List | The list to which the selected meta value must be added. A drop-down menu provides a list of available lists to which you can add the meta value. |
| Create New List | Opens a new dialog in which you can create a new list for the selected meta value. |
| List Name | The name of the new list. |
| Description | The description of the new list. |
| Create | Creates a new list after entering the required fields. |
| Back | In the new list mode, cancels the new list creation and returns to the original dialog. |
| Cancel | Cancels the addition of the meta value to a list and closes the dialog. |
| Save | Saves the changes made to the lists and closes the dialog. |

Quick Look in the Event Analysis View (Version 11.2 and Later)

The following is an example of the Add/Remove from List dialog in the Event Analysis view.

Quick Look - Add/Remove From List Dialog

| Callout | Description |
|---|---|
| 1 | Entities or meta values to be added or removed. |
| 2 | Create a new list using the selected meta. |
| 3 | Select any of the tabs: All, Selected, or Unselected. |
| 4 | Search using the list name or description. |
| 5 | Cancel the action. |
| 6 | Save to update lists or create a new list. |

The following table shows the options in the Add/Remove from List dialog.

| Option | Description |
|---|---|
| META VALUE | Displays the selected entity or meta value that needs to be added to or removed from one or more lists. You can also create a new list using the selected value. |
| Create New List | Displays a dialog to create a new list using the selected meta value. |
| ALL | Shows all of the available Context Hub lists. The lists that contain the selected entity or meta value are selected. Select a checkbox to add an entity or meta value to a list. Clear a checkbox to remove it from the list. |
| SELECTED | Shows only the lists that contain the selected entity or meta value. (All lists are selected.) |
| UNSELECTED | Shows only the lists that do not contain the selected entity or meta value. (All lists are unselected.) |
| Filter Results | Enter the name or description of a specific list to search from multiple lists. |
| LIST | Displays the name of all the lists. |
| DESCRIPTION | Displays information about the selected list. The description that you provide when creating a list appears in this dialog. For example: This list contains all of the blacklisted IP addresses. |
| Cancel | Cancels the operation. |
| Save | Saves the changes. |