Context Hub Lists Tab

In the Lists tab, you can create and configure lists for Context Hub. Navigate to netwitness_adminicon_25x22.png (Admin) > Services > Select Context Hub service > View > Config > Lists tab.

The Lists tab of the Context Hub service allows you to create one or more lists and add relevant list values to the list. These lists are automatically considered as data sources for the Context Hub service.

These lists may be populated with items either by importing external or custom feed CSV files or by adding meta values by using the option Add/Remove from List in Investigation and Respond views.

Note: You can also create lists and add list values from Respond and Investigation views. For more information, see the RSA NetWitness Respond User Guide and the RSA NetWitness Investigate User Guide.

Workflow

This workflow shows the procedure to configure lists for Context Hub service and to view contextual information in the Respond and Investigate views.

Workflow to explain the actions of the Context Hub Lists tab

Creating one or more list is the first task in this workflow. The lists can contain supported metas such as an IP address, User, Host, Domain, MAC address, File Name or File Hash. The next task is to analyze or use the list data to view contextual data in Respond and Investigate views.

What do you want to do?

Role I want to ... Show me how
Administrator Configure List Data Source for Context Hub* Configure Lists as a Data Source
Administrator/ Analyst View Contextual Information in Respond View

See the NetWitness Respond User Guide.

Administrator/ Analyst

"Manage Lists and List Values in Investigation

See the Investigate User Guide.

Administrator/ Analyst

Create a list

See the NetWitness Respond User Guide and Investigate User Guide

Administrator/ Analyst Update a list See the NetWitness Respond User Guide and Investigate User Guide

Administrator/ Analyst

Delete list

See the NetWitness Respond User Guide and Investigate User Guide

Administrator/ Analyst Import a list Import or Export Lists for Context Hub

Administrator/ Analyst

Export list

Import or Export Lists for Context Hub

*You can complete this task here (that is in the Context Hub Lists Tab).

Related Topics

Quick Look

The following example illustrates how to add lists for Context Hub service.

The List tab consists of the Lists panel and List Values panel. The Lists panel has a toolbar with options to add, delete, import, and export lists. The entries under List Name are lists that are added or imported for the Context Hub service.

By default, 10 empty single-column lists are available in RSA NetWitness Platform11.1. These lists are empty and you need to add information to these lists. The out of the box 10 list names are used in ESA rules, for more information on ESA rules, see the Alerting with ESA Correlation Rules User Guide. For users upgrading from previous versions, they will be able to view these new lists in addition to their previously created lists. The lists available by default are:

  • Admin_Accounts
  • Guest_Accounts
  • Service_Accounts
  • User_Blacklist
  • User_Whitelist
  • Host_Whitelist
  • Domain_Controllers
  • IP_Blacklist
  • IP_Whitelist
  • Host_Blacklist

Note: If a list with the same name already exists prior to updating to or installing RSA NetWitness Platform11.6, then that list will be retained. Either rename that list before updating to 11.1 or update the contents in such a way that it can be used in ESA rules.

The lists are available in ESA rules tab in CONFIGURE > ESA Rules > Settings > Enrichment Sources. For more information on ESA rules, see the Alerting with ESA Correlation Rules User Guide for Version 11.1.
The List Values panel has a toolbar with options to add, delete, and import list values to the selected list. The entries under Value identify each list entry included in the list.

Screenshot describing the List tab features.

1 Click netwitness_add.png to add a new list.
2 Name that identifies the list.
3 Description of the list.
4 Click netwitness_ic-import.png to import list(s) to Context Hub.
5 Click netwitness_ic-export.pngto export a list to the local machine.
6 Click netwitness_ic-import.png to import list values to selected list.
7 Click netwitness_editservice.png to add or edit entity mapping.

8

Displays the custom list(s) that are added to Context Hub.

9 Displays the list values that are added to the selected list.

Toolbar

The following table describes the toolbar actions.

Feature Description
netwitness_ic-add.png

Add a new list.

For more information, see Configure Lists as a Data Source.

netwitness_ic-delete.png

Delete a list.

If you delete a list from Context Hub, the list is no longer considered as a data source for retrieving contextual information.

netwitness_ic-import.png

Import lists to Context Hub.

For more information, see Import or Export Lists for Context Hub.

netwitness_ic-export.png

Export a list to the local machine.

For more information, see Import or Export Lists for Context Hub.

Note: You can select multiple lists at a time. Do one of the following:
1. Select a list, press and hold Ctrl key, and click the lists to be selected.
2. Select a list, press and hold Shift Key, and use arrow keys to select other lists.

List View Options

The following table describes the Lists configurations.

Feature Description
List Name Unique name to identify the list.
Description Description of the list.
Save Saves the changes made to the list.

Next steps

After completing the configuration, you can view the contextual data in the Context Summary Panel of the Respond view or Investigate view. For instructions, Navigate to Context Summary Panel and View Additional Context topic in the Investigate User Guide.