Investigate: View Additional Context for a Data Point

Document created by RSA Information Design and Development on Sep 18, 2017
Last modified by RSA Information Design and Development on Oct 24, 2017
Version 9


From an event reconstruction or Values panel in the Investigate view, you can look up details and intelligence about elements associated with an event in the Context Hub. The data from configured sources, such as RSA NetWitness Endpoint, can help you understand what is happening.

These elements, or entities, are identifiers, such as an IP address, a user name, a host name, a domain name, a file name or file hash. To look up external information about a given entity, NetWitness Suite uses the Context Hub. The Context Hub is a centralized service that aggregates data about entities from multiple configurable data sources. This data can extend your investigation with additional context beyond the immediate results of a specific query. For example, the Context Hub can tell you if a given entity has been mentioned in any incidents, alerts, feeds, or community intelligence publications.

When you right-click the entity in Investigate, the Context Hub queries the configured data sources for relevant information. The Context panel opens from the right side of the browser window. The Context panel is populated with the information from the Context Hub as it becomes available.

To perform another lookup, right-click on another entity, and the Context Panel is updated with that entity’s information.

To close the Context Panel, click the in the Context Panel.

In the Context Lookup panel, you can view and explore individual data sources for further investigation. For example, when you click on a particular Incident's value, the specific incident details are displayed in the Incident Respond view.

For a detailed description of the information displayed for each data source on the Context Lookup panel, see Context Lookup Panel.

Before an analyst can view contextual information, the administrator must:

  • Ensure that the Analyst has a role with the permission Context Lookup as described in "Role Permissions" and "Manage Users with Roles and Permissions" in the System Security and User Management Guide.
  • Add the Context Hub service in RSA NetWitness Suite.
  • Configure data sources for the Context Hub service as described in the Context Hub Configuration Guide.

Note: Go to the Master Table of Contents for Version 11.0 to find NetWitness Suite 11.0 documents.

To view information in the Context Summary panel:

  1. In the Navigate view or the Events view, identify a meta value for which you want to view additional context and hover over the meta value.
    The Context Highlights panel is displayed with a quick summary of the type of context data that is available for the data sources: NetWitness Endpoint, Incidents, Alerts, Hosts, Files, Feeds, and Live Connect.
  2. Right-click a meta value, and click Context Lookup to open the Context Lookup panel.
    The Context Summary panel opens from the right side of the browser window. The Context Summary panel is populated with the information from the Context Hub as it becomes available.
  3. To perform actions from the Context panel, click an entity, such as an IP address, and right-click.
    The following options are available: Open Link in New tab, Query in Investigate, Copy Link, Paste, Google Lookup, Virus Total Lookup, and Query in Endpoint.
