Investigate: Look Up Additional Context for Results

Document created by RSA Information Design and Development Employee on Sep 18, 2017. Last modified by RSA Product Team on Jan 30, 2020.
Version 20

The Context Hub is a centralized service that aggregates data about entities from multiple configurable data sources. This data can extend your investigation with additional context beyond the immediate results of a specific query. For example, the Context Hub can tell you if a given entity has been mentioned in any incidents, alerts, feeds, or community intelligence publications.

To enable viewing of contextual information, your administrator must add the Context Hub service in RSA NetWitness Platform and configure data sources for the Context Hub service as described in the Context Hub Configuration Guide. Analysts also need a role with the permission Context Lookup as described in "Role Permissions" and "Manage Users with Roles and Permissions" in the System Security and User Management Guide.

When the Context Hub service is enabled and configured, NetWitness Platform provides enrichment data from NetWitness Respond, custom lists, and NetWitness Endpoint directly in the Navigate view, Events view, and Legacy Events view. A visual cue highlights meta values for which enrichment data is available in the Investigate views, and you can click on the highlighted value to look up the contextual information and intelligence. You can look up details and intelligence about elements associated with an event in the Context Hub. These elements, or entities, are identifiers, such as an IP address, a user name, a host name, a domain name, a file name, or a file hash. The data from configured sources, such as RSA NetWitness Endpoint, can help you understand what is happening.

In addition, you can add lists and list values for Context Hub enrichment; you can view lists, edit meta values in an existing list, or create a new list. When you add meta values to a list, you can investigate the meta values using the context lookup option.

Note: In Version 11.2 and earlier, you can look up additional context in the Navigate view or the Legacy Events view, but not the Event Analysis view.

For an analyst to manage lists in Investigate, the administrator must:

  • Enable the Context Hub service.
  • Assign an analyst role with permission Manage List from Investigation to the user who will perform Context Lookup from Investigation views.
  • Configure appropriate roles and permissions as described in "Role Permissions" and "Manage Users with Roles and Permissions" in the System Security and User Management Guide.

Open the Context Lookup Panel

In the Context Lookup panel, you can view and explore individual data sources for further investigation. For a detailed description of the information displayed for each data source, see Context Lookup Panel.

In the Navigate view and Legacy Events view, entities that have associated context data available are highlighted with a gray background; hovering over an entity displays a hover box giving a summary of the available data. When you right-click the entity, the Context Hub queries the configured data sources for relevant information, and the Context Lookup panel opens from the right side of the browser window. The Context Lookup panel is populated with the information from the Context Hub as it becomes available. You can perform another lookup by right-clicking on another entity, and the Context Lookup panel is updated with that entity’s information.

example of the Navigate view with the Context Lookup panel open

In the Events view, entities are underlined in the Events panel, the Event Header, or the Event Meta panel. An underlined entity belongs to an entity type for which the Context Hub is populating information, so additional information about that entity may be available in the Context Hub.

The following figure shows underlined entities in the Events panel with the context tooltip open. The context tooltip has two sections: Context Highlights and Actions.

  • The information in the Context Highlights section helps you to determine the actions that you would like to take. It can show related data for Incidents, Alerts, Lists, Endpoint, Live Connect, Criticality and Asset Risk. Depending on your data, you may be able to click these items for more information.
  • The Actions section lists the available actions. In the example, the Add/Remove from List, Pivot to Investigate > Navigate, Pivot to Archer, and Pivot to Endpoint Thick Client options are available.

example of underlined events and the hover box in the Event Analysis view

The following figure shows underlined entities in the Event Header and the Event Meta panel.

underlined entities in the Event Header and Event Meta panel

When you click View Context in the context tooltip, the Context Hub queries the configured data sources for relevant information, and the Context Lookup panel opens from the right side of the browser window. The Context Lookup panel is populated with the information from the Context Hub as it becomes available. You can perform another lookup by using the View Context option on another entity, and the Context Lookup panel is updated with that entity’s information.

You can also take any available action in the Actions section.

To view information in the Context Lookup panel in the Events view:

  1. Hover over different meta values to see the data sources for which data is available.
    A context tooltip displays a list of the context data available for the selected meta value.
  2. Click View Context in the context tooltip to open the Context Lookup panel.
    The Context Lookup panel opens from the right side of the browser window. The Context Lookup panel is populated with the information from the Context Hub as it becomes available.
    the Context Lookup panel
  3. To perform actions on an entity, select one of the available actions in the context tooltip: Add/Remove from List, Pivot to Investigate > Navigate, Pivot to Archer, or Pivot to Endpoint Thick Client. For more information, see Pivot to Investigate > Navigate (Events View), Pivot to Archer (Events View), Pivot to NetWitness Endpoint Thick Client (Events View), and Add an Entity to a Whitelist.

    Note: The Pivot to Archer link is disabled when Archer data is not available or when the Archer data source is not responding. Check that the RSA Archer configuration is enabled and configured properly.

Add an Entity to a Whitelist

You can add any underlined entity to a list, such as a Whitelist or Blacklist, from a context tooltip. For example, to reduce false positives, you may want to whitelist an underlined domain to exclude it from the related entities.

  1. In the Events panel, the Event Header, or the Event Meta panel, hover over the underlined entity that you would like to add to a Context Hub list.
    A context tooltip showing the available actions is displayed.
  2. In the ACTIONS section of the tooltip, click Add/Remove from List.
    The Add/Remove from List dialog shows the available lists.
  3. Select one or more lists and click Save.
    The entity is added to the selected lists.

Create a List (Events View)

You can create lists in Context Hub from the Events view. In addition to using lists to whitelist and blacklist entities, you can use lists to monitor entities for abnormal behavior. For example, to improve the visibility of a suspicious IP address and domain under investigation, you may want to include them in two separate lists: one for domains suspected of being related to command and control connections, and another for IP addresses related to remote access Trojan connections. You can then identify indicators of compromise using these lists.

To create a list in the Context Hub:

  1. In the Events panel, the Event Header, or the Event Meta panel, hover over the underlined entity that you would like to add to a Context Hub list.
    A context tooltip showing the available actions is displayed.
  2. In the ACTIONS section of the tooltip, click Add/Remove from List.
  3. In the Add/Remove from List dialog, click Create New List.
  4. Type a unique List NAME for the list. The list name is not case sensitive.
  5. (Optional) Type a DESCRIPTION for the list.

Analysts with the appropriate permissions can also export lists in CSV format to send to other analysts for further tracking and analysis. The Context Hub Configuration Guide provides additional information.

Pivot to Investigate > Navigate (Events View)

For a more thorough investigation of an entity, you can open the Navigate view.

  1. In the Events panel, the Event Header, or the Event Meta panel, hover over any underlined entity.
  2. In the ACTIONS section of the tooltip, select Pivot to Investigate > Navigate.
    The Navigate view opens, enabling you to perform a deeper dive investigation. For more information, see Refining the Results Set.

Pivot to Archer (Events View)

To view more details about a device in RSA Archer Cyber Incident & Breach Response, you can pivot to the device details page. This option is available only for IP address, host, and MAC address entities.

  1. In the Events panel, the Event Header, or the Event Meta panel, hover over any underlined entity (IP address, host, or MAC address).
  2. In the ACTIONS section of the context tooltip, select Pivot to Archer.
  3. The device details page in RSA Archer Cyber Incident & Breach Response opens if you are logged in to the application; otherwise, the login screen is displayed.

Note: The Pivot to Archer link is disabled when Archer data is not available or when the Archer data source is not responding. Check that the RSA Archer configuration is enabled and configured properly.

For more information, see the Archer Integration Guide.

Pivot to NetWitness Endpoint Thick Client (Events View)

If you have the NetWitness Endpoint thick client application installed, you can launch it through the context tooltip. From there, you can further investigate a suspicious IP address, host, or MAC address.

  1. In the Events panel, the Event Header, or the Event Meta panel, hover over any underlined entity.
  2. In the ACTIONS section of the tooltip, select Pivot to Endpoint Thick Client.
    The NetWitness Endpoint thick client application opens outside of your web browser.

For more information on the thick client, see the NetWitness Endpoint User Guide.

View the Context Lookup Panel in the Navigate View or Legacy Events View

  1. Hover over different meta values to see the data sources for which data is available.
    A hover box displays a list of the data sources that have context data available for the meta value. These are the possible data sources: NetWitness Endpoint, Incidents, Alerts, Hosts, Files, Feeds, and Live Connect.
  2. Right-click a meta value, and click Context Lookup in the drop-down menu to open the Context Lookup panel.
    the context menu with the Context Lookup option
    The Context Lookup panel opens from the right side of the browser window. The Context Lookup panel is populated with the information from the Context Hub as it becomes available.
  3. To perform actions from the Context Lookup panel, right-click an entity, such as an IP address.
    The following options are available: Open Link in New Tab, Query in Investigate, Copy Link, Paste, Google Lookup, Virus Total Lookup, and Query in Endpoint.

  4. To close the Context Lookup panel, click X in the panel.

Add Meta Values to an Existing List (Navigate and Legacy Events Views)

To add a meta value to an existing list in Context Hub:

  1. While investigating a service in the Navigate view or the Legacy Events view, right-click a meta value (for example, values under Source IP, Destination IP, or Username) and select Add/Remove from List in the context menu.
    The Add/Remove from List dialog is displayed.
    Add/Remove from List dialog
  2. In the List field, select from the drop-down one or more lists to which the meta value should be added.
  3. Click Save.
    The meta value is added to the selected lists.

Remove a Meta Value from a Context Hub List (Navigate and Legacy Events Views)

To remove a meta value from a list:

  1. In the Add/Remove from List dialog, in the List field, view the lists which include the meta value.
  2. Click the delete icon (x) for each list that should not include the meta value.
  3. Click Save.
    The meta value is removed from each list you deleted in the dialog.

Create a New List (Navigate and Legacy Events Views)

To create a Context Hub list in Investigate:

  1. In the Add/Remove from List dialog, click Create New List.
    Create New List options
  2. In the List Name field, enter a unique name for the list.
  3. In the Description field, enter the description of the list.
  4. Click Create to create the list.
  5. Click Save to add the meta value to the created list.
    These lists are treated as data sources for retrieving context information.
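The list behaviour described in Create a List (Events View) and in the Navigate and Legacy Events procedures above (unique, case-insensitive list names; adding and removing meta values; lists acting as an enrichment source that feeds the Lists entry of Context Highlights; whitelisting to drop false positives from related entities; CSV export) can be modelled in a few dozen lines. The following is an added illustration written for this page, not RSA NetWitness code: the `ListStore` class, its method names, the case-folding in `normalize`, and the sample lists and values are all assumptions chosen for the example.

```python
"""
Toy model of Context Hub lists used as enrichment sources.
Added example for illustration only; it is not RSA NetWitness code, and the
class and method names are assumptions, not the product's API.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass, field


@dataclass
class ContextList:
    """A named list of meta values (IP addresses, domains, hosts, users, hashes)."""
    name: str
    description: str = ""
    values: set[str] = field(default_factory=set)


def normalize(value: str) -> str:
    """Canonical form of a meta value: trimmed and lower-cased, so that
    'Beacon.Example.Net' and 'beacon.example.net' hit the same list entry.
    Assumption: case folding is acceptable for every entity type used here."""
    return value.strip().lower()


class ListStore:
    """Holds the lists that the Context Hub would treat as data sources.
    List names are unique and not case sensitive, as the page states."""

    def __init__(self) -> None:
        self._lists: dict[str, ContextList] = {}  # keyed by lower-cased name

    def create_list(self, name: str, description: str = "") -> ContextList:
        """Create New List: reject empty or already-used names (case-insensitively)."""
        key = normalize(name)
        if not key:
            raise ValueError("list name must not be empty")
        if key in self._lists:
            raise ValueError(f"list {name!r} already exists (names are case-insensitive)")
        new = ContextList(name=name.strip(), description=description)
        self._lists[key] = new
        return new

    def get(self, name: str) -> ContextList:
        try:
            return self._lists[normalize(name)]
        except KeyError:
            raise KeyError(f"no such list: {name!r}") from None

    def add_value(self, list_name: str, value: str) -> None:
        """Add/Remove from List followed by Save: add the meta value to the list."""
        self.get(list_name).values.add(normalize(value))

    def remove_value(self, list_name: str, value: str) -> None:
        """The delete icon (x) on a list in the dialog: drop the value from that list."""
        self.get(list_name).values.discard(normalize(value))

    def lookup(self, value: str) -> list[str]:
        """The Lists entry of Context Highlights: every list that names this value."""
        v = normalize(value)
        return sorted(lst.name for lst in self._lists.values() if v in lst.values)

    def is_whitelisted(self, value: str, whitelist: str = "Whitelist") -> bool:
        return normalize(value) in self.get(whitelist).values

    def related_entities(self, entities: list[str], whitelist: str = "Whitelist") -> list[str]:
        """Exclude whitelisted entities from a related-entities set (false-positive reduction)."""
        return [e for e in entities if not self.is_whitelisted(e, whitelist)]

    def export_csv(self, list_name: str) -> str:
        """Export one list as CSV (one value per row) to share with other analysts."""
        lst = self.get(list_name)
        buf = io.StringIO()
        writer = csv.writer(buf)
        writer.writerow(["list", "value"])
        for v in sorted(lst.values):
            writer.writerow([lst.name, v])
        return buf.getvalue()


def build_demo_store() -> ListStore:
    """Constructed sample lists and values for the demo; not real indicators."""
    store = ListStore()
    store.create_list("Whitelist", "Known-good entities excluded from related entities")
    store.create_list("C2 Domains", "Domains suspected of command and control use")
    store.create_list("RAT IPs", "IP addresses related to remote access Trojan connections")
    store.add_value("Whitelist", "updates.example.com")
    store.add_value("c2 domains", "Beacon.Example.Net")  # list names are not case sensitive
    store.add_value("RAT IPs", "203.0.113.45")           # documentation (TEST-NET-3) address
    return store


if __name__ == "__main__":
    s = build_demo_store()
    print(s.lookup("beacon.example.net"))
    print(s.related_entities(["updates.example.com", "203.0.113.45"]))
    print(s.export_csv("RAT IPs"), end="")
```

Keying the store by the lower-cased name is what makes a second `create_list("whitelist")` fail instead of silently creating a near-duplicate list, and `related_entities` shows the whitelist doing its job: the known-good host drops out while the suspicious address remains.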
