Investigate: Look Up Additional Context in the Navigate and Events Views

Document created by RSA Information Design and Development on Sep 18, 2017. Last modified by RSA Information Design and Development on Sep 11, 2018. Version 16.
From the Events view and the Navigate view, you can look up details and intelligence about elements associated with an event in the Context Hub. (In Version 11.2 and later, you can also look up additional context in the Event Analysis view as described in Look Up Additional Context in the Event Analysis View.) These elements, or entities, are identifiers, such as an IP address, a user name, a host name, a domain name, a file name, or a file hash. The data from configured sources, such as RSA NetWitness Endpoint, can help you understand what is happening.

Note: To enable viewing of contextual information, your administrator must add the Context Hub service in RSA NetWitness Platform and configure data sources for the Context Hub service as described in the Context Hub Configuration Guide. Analysts also need a role with the permission Context Lookup as described in "Role Permissions" and "Manage Users with Roles and Permissions" in the System Security and User Management Guide. Go to the Master Table of Contents to find all NetWitness Platform Logs & Network 11.x documents.

The Context Hub is a centralized service that aggregates data about entities from multiple configurable data sources. This data can extend your investigation with additional context beyond the immediate results of a specific query. For example, the Context Hub can tell you if a given entity has been mentioned in any incidents, alerts, feeds, or community intelligence publications.

In the Navigate view and Events view, entities that have associated context data available are highlighted with a gray background; hovering over an entity displays a hover box giving a summary of the available data. When you right-click the entity and select Context Lookup, the Context Hub queries the configured data sources for relevant information, and the Context Lookup panel opens from the right side of the browser window. The Context Lookup panel is populated with the information from the Context Hub as it becomes available, so some data sources may appear before others. You can perform another lookup by right-clicking another entity; the Context Lookup panel is updated with that entity's information.

[Figure: the Navigate view with the Context Lookup panel open]

In the Context Lookup panel, you can view and explore individual data sources for further investigation. For a detailed description of the information displayed for each data source, see Context Lookup Panel.

To view information in the Context Lookup panel in the Navigate view or the Events view:

  1. Hover over different meta values to see the data sources for which data is available.
    A hover box displays a list of the data sources that have context data available for that meta value. These are the possible data sources: NetWitness Endpoint, Incidents, Alerts, Hosts, Files, Feeds, and Live Connect.
  2. Right-click a meta value, and click Context Lookup in the drop-down menu to open the Context Lookup panel.
    [Figure: the right-click menu with the Context Lookup option]
    The Context Lookup panel opens from the right side of the browser window. The Context Lookup panel is populated with the information from the Context Hub as it becomes available.
  3. To perform actions from the Context Lookup panel, right-click an entity such as an IP address.
    The following options are available: Open Link in New tab, Query in Investigate, Copy Link, Paste, Google Lookup, Virus Total Lookup, and Query in Endpoint. Query in Investigate and Query in Endpoint pivot on the entity within your own NetWitness data; Google Lookup and Virus Total Lookup open an external site with the entity as the search term, so consider whether submitting an indicator to a third-party service is appropriate for the investigation before using them.

  4. To close the Context Lookup panel, click X in the panel.