Investigate: Manage Context Hub Lists and List Values in Naivgate and Events Views

Document created by RSA Information Design and Development on Sep 18, 2017Last modified by RSA Information Design and Development on Apr 25, 2019
Version 17Show Document
  • View in full screen mode

Analysts can add lists and list values for Context Hub enrichment in the Navigate view and the Events view. (In Version 11.2 and later, analysts can add lists and lists values in the Event Analysis view as described in Look Up Additional Context in the Event Analysis View.)

When the Context Hub service is enabled and configured, NetWitness Platform provides enrichment data from NetWitness Respond, custom lists, and NetWitness Endpoint directly in the Navigate view and Events view. A visual cue highlights meta values for which enrichment data is available in the Investigate views, and you can click on the highlighted value to look up the contextual information and intelligence.

In addition, from the Values panel in the Navigate view and from the Events view, you can view lists, edit meta values in an existing list, or create a new list. When you add meta values to a list, you can investigate the meta values using the context lookup option.

For an analyst to manage lists in Investigate, the administrator must:

  • Enable the Context Hub service.
  • Assign an analyst role with permission Manage List from Investigation to the user who will perform Context Lookup from Investigation views.
  • Configure appropriate roles and permissions as described in "Role Permissions" and "Manage Users with Roles and Permissions" in the System Security and User Management Guide.

Add Meta Values to an Existing List

To add a meta value to an existing list in Context Hub:

  1. While investigating a service in the Navigate view or the Events view, right-click a meta value (for example, values under Source IP, Destination IP, or Username) and select Add/Remove from List in the context menu.
    The Add/Remove from List dialog is displayed.
    Add/Remove from List dialog
  2. In the List field, select one or more lists from the drop-down option to which the meta value must be added.
  3. Click Save.
    The meta value is added to the selected lists.

Remove a Meta Value from a Context Hub List

To remove a meta value from list:

  1. In the Add/Remove from List dialog, in the List field, view the lists which include the meta value.
  2. Click the delete icon (x) for each list that should not include the meta value.
  3. Click Save.
    The meta value is removed from the deleted list.

Create a New List

To create a Context Hub list in Investigate:

  1. In the Add/Remove from List dialog, click Create New List.
    Create New List options
  2. In the List Name field, enter an unique name for the list.
  3. In the Description field, enter the description of the list.
  4. Click Create to create the list.
  5. Click Save to add the meta value to the created list.
    These lists are considered as data sources for retrieving context information.

You are here
Table of Contents > Querying and Acting on Data in the Navigate and Events Views > Manage Context Hub Lists and List Values in the Navigate and Events Views