Investigate: Look Up Additional Context in the Event Analysis View

Document created by RSA Information Design and Development on Sep 11, 2018

The information in this topic applies to RSA NetWitness® Platform Version 11.2 and later. In earlier versions, you can also look up additional context in the Navigate view or the Events view as described in Look Up Additional Context in the Navigate and Events Views.

From the Event Analysis view, you can look up details and intelligence about elements associated with an event in the Context Hub. These elements, or entities, are identifiers, such as an IP address, a user name, a host name, a domain name, a file name, or file hash. The data from configured sources, such as RSA NetWitness Endpoint, can help you understand what is happening.

Note: To enable viewing of contextual information, your administrator must add the Context Hub service in RSA NetWitness Platform and configure data sources for the Context Hub service as described in the Context Hub Configuration Guide. Analysts also need a role with the permission Context Lookup as described in "Role Permissions" and "Manage Users with Roles and Permissions" in the System Security and User Management Guide. Go to the Master Table of Contents to find all NetWitness Platform Logs & Network 11.x documents.

The Context Hub is a centralized service that aggregates data about entities from multiple configurable data sources. This data can extend your investigation with additional context beyond the immediate results of a specific query. For example, the Context Hub can tell you if a given entity has been mentioned in any incidents, alerts, feeds, or community intelligence publications.

In the Events panel, the Event Header, or the Event Meta panel, you can see underlined entities. If an entity is underlined, NetWitness Platform is populating information about that entity type in the Context Hub. There may be additional information available about that entity in the Context Hub.

Note: Active Directory entities with available context information are not underlined, but you can hover over these entities to see if any context information is available.

The following figure shows underlined entities in the Events panel with the context tooltip open.

example of underlined entities and the context tooltip in the Event Analysis view

The context tooltip has two sections: Context Highlights and Actions.

  • The information in the Context Highlights section helps you to determine the actions that you would like to take. It can show related data for Incidents, Alerts, Lists, Endpoint, Live Connect, Criticality and Asset Risk. Depending on your data, you may be able to click these items for more information.
  • The Actions section lists the available actions. In the example, the Add/Remove from List, Pivot to Investigate > Navigate, Pivot to Archer, and Pivot to Endpoint Thick Client options are available.

The following figure shows underlined entities in the Event Header and the Event Meta panel.

underlined entities in the Event Header and Event Meta panel

When you click View Context in the context tooltip, the Context Hub queries the configured data sources for relevant information, and the Context Lookup panel opens from the right side of the browser window. The Context Lookup panel is populated with the information from the Context Hub as it becomes available. In the Context Lookup panel, you can view and explore individual data sources for further investigation. For a detailed description of the information displayed for each data source on the Context Lookup panel, see Context Lookup Panel. You can also take any available action in the Actions section.

To view information in the Context Lookup panel in the Event Analysis view:

  1. Hover over different meta values to see the data sources for which data is available.
    A context tooltip displays a list of the context data available for the selected meta value.
  2. Click View Context in the context tooltip to open the Context Lookup panel.
    The Context Lookup panel opens from the right side of the browser window. The Context Lookup panel is populated with the information from the Context Hub as it becomes available.
    the Context Lookup panel
  3. To perform actions on an entity, select one of the available actions in the context tooltip: Add/Remove from List, Pivot to Investigate > Navigate, Pivot to Archer, or Pivot to Endpoint Thick Client. For more information, see Pivot to Investigate > Navigate, Pivot to Archer, Pivot to NetWitness Endpoint Thick Client, and Add an Entity to a Whitelist.

    Note: The Pivot to Archer action is disabled when Archer data is not available or when the Archer data source is not responding. Check that the RSA Archer configuration is enabled and configured properly. The same is true for the Pivot to NetWitness Endpoint Thick Client action; if the option is disabled, verify that the NetWitness Endpoint Thick Client is installed and configured correctly.

Add an Entity to a Whitelist

You can add any underlined entity to a list, such as a Whitelist or Blacklist, from a context tooltip. For example, to reduce false positives, you may want to whitelist an underlined domain to exclude it from the related entities.

  1. In the Events panel, the Event Header, or the Event Meta panel, hover over the underlined entity that you would like to add to a Context Hub list. (Active Directory entities with context data can also be added, but they are not underlined.)
    A context tooltip showing the available actions is displayed.
  2. In the ACTIONS section of the tooltip, click Add/Remove from List.
    The Add/Remove from List dialog shows the available lists.
  3. Select one or more lists and click Save.
    The entity is added to the selected lists. Add/Remove from List Dialog provides additional information.

Create a List

You can create lists in Context Hub from the Event Analysis view. In addition to using lists to whitelist and blacklist entities, you can use lists to monitor entities for abnormal behavior. For example, to improve the visibility of a suspicious IP address and domain under investigation, you may want to include them in two separate lists: one for domains suspected of being related to command and control connections, and another for IP addresses related to remote access Trojan connections. You can then identify indicators of compromise using these lists.

To create a list in Context Hub:

  1. In the Events panel, the Event Header, or the Event Meta panel, hover over the underlined entity that you would like to add to a Context Hub list. (Active Directory entities with context data can also be added to a new list, but they are not underlined.)
    A context tooltip showing the available actions is displayed.
  2. In the ACTIONS section of the tooltip, click Add/Remove from List.
  3. In the Add/Remove from List dialog, click Create New List.
  4. Type a unique LIST NAME for the list. The list name is not case sensitive.
  5. (Optional) Type a DESCRIPTION for the list.
    Analysts with the appropriate permissions can also export lists in CSV format to send to other analysts for further tracking and analysis. The Context Hub Configuration Guide provides additional information.

Pivot to Investigate > Navigate

For a more thorough investigation of an entity, you can open the Navigate view.

  1. In the Events panel, the Event Header, or the Event Meta panel, hover over any underlined entity. (Active Directory entities with context data can also be investigated, but they are not underlined.)
  2. In the ACTIONS section of the tooltip, select Pivot to Investigate > Navigate.
    The Navigate view opens, enabling you to perform a deeper-dive investigation. For more information, see Investigating Metadata in the Navigate View.

Pivot to Archer

To view more details about a device in RSA Archer® Cyber Incident & Breach Response, you can pivot to the device details page. This action is available only for IP address, host, and MAC address entities.

  1. In the Events panel, the Event Header, or the Event Meta panel, hover over any underlined entity (IP address, host, or MAC address).
  2. In the ACTIONS section of the context tooltip, select Pivot to Archer.
  3. The device details page in RSA Archer Cyber Incident & Breach Response opens if you are logged in to the application; otherwise, the login screen is displayed.

Note: The Pivot to Archer link is disabled when Archer data is not available or when the Archer data source is not responding. Check that the RSA Archer configuration is enabled and configured properly.

For more information, see the Archer Integration Guide.

Pivot to NetWitness Endpoint Thick Client

If you have the NetWitness Endpoint thick client application installed, you can launch it through the context tooltip. From there, you can further investigate a suspicious IP address, host, or MAC address.

  1. In the Events panel, the Event Header, or the Event Meta panel, hover over any underlined entity.
  2. In the ACTIONS section of the tooltip, select Pivot to Endpoint Thick Client.
    The NetWitness Endpoint thick client application opens outside of your web browser.

Note: Version 4.4 of the NetWitness Endpoint (NWE) thick client must be installed on the same server, the NWE meta keys must exist in the table-map.xml file on the Log Decoder, and the NWE meta keys must exist in the index-concentrator-custom.xml file. The NWE thick client is a Windows-only application. Complete setup instructions are provided in the NetWitness Endpoint User Guide for Version 4.4.
