The Add/Remove from List dialog allows you to add an entity or meta value to an existing Context Hub list, remove an entity or meta value, or create a new Context Hub list containing the entity or meta value. When you look up an IP address or other entity and you find it suspicious or interesting, you can add it to a list that has been added as a data source. An example of a commonly used list is a white list or black list. This improves the visibility of the suspicious IP addresses and reduces false positives that do not need further investigation.
You can add entities or meta values to more than one list. For example, you can add them to one list for suspected domains related to command and control connections and to another list for Trojan connection IP addresses related to remote access. If a list is not available, you can create a list.
The dialog is available in NetWitness Investigate and in NetWitness Respond. When working in Investigate, in the Navigate view, Legacy Events view, or Events view, you can add meta values for the Source IP, Destination IP, or Username meta keys to an existing Context Hub list, or you can create a new list containing the meta values. When you add meta values to a list, you can look up additional context on those meta values.
- To display the dialog in the Navigate view or the Legacy Events view, right-click a meta value under Source IP, Destination IP, or Username and select Add/Remove from List in the context menu.
- To display the dialog in the Events view, hover over a value and select Add/Remove from List in the Actions section of the context tooltip.
The following workflow diagram shows the workflow for an investigation with the location of the Add to List task highlighted. This workflow has references to several views that were renamed in Version 11.4: Event Analysis --> Events, Events --> Legacy Events.
What do you want to do?
*You can perform this task in the current view.
Quick Look in the Events View
The following is an example of the Add/Remove from List dialog in the Events view.
| 1 | Entities or meta values to be added or removed. |
| 2 | Create a new list using the selected meta. |
| 3 | Select any of the tabs: All, Selected, or Unselected. |
| 4 | Search using the list name or description. |
| 5 | Cancel the action. |
| 6 | Save to update lists or create a new list. |
The following table shows the options in the Add/Remove from List dialog.
Quick Look in the Navigate and Legacy Events Views
The following figure shows the dialog when you select Create New List.
The following table describes the features of the Add/Remove from List and Create New List dialogs.