Context Hub
Context Hub is a new service in RSA Security Analytics 10.6 which provides enrichment lookup capability in the Investigation views. The sources for enrichment data include Incident Management, custom lists, and ECAT.
It would be a great help if you would please comment on which may be most useful to your organization and why.
- What type of context is most important for analysts to help their investigations?
- If context is external to SA, what type of database connector (e.g. LDAP, MongoDB, JDBC/ODBC, REST API) would be most useful?
- Any specific application names in Identity/AD, CMDB, Vulnerability, etc. that you would like to integrate with SA.
- What type of endpoint data would be valuable to your analysts, and how should it be integrated with Context?
- Tags:
- Community Thread
- Context Hub
- Discussion
- Forum Thread
- NetWitness
- NW
- NWP
- RSA NetWitness
- RSA NetWitness Platform
I would like to see the option for all listed database connectors, so there is no limitation.
Vulnerability and Identity information is a must-have in SA Context Hub ASAP.
A timeline view and historical information would be great to have in the Context Hub as well, so analysts could compare the previous and current state of an asset or identity.
Also add an option to integrate Tracking data from ECAT to SA.
Thanks, Miha, for your comment.
Can you elaborate on how much historical information you are looking for, and also can you give an example of tracking data from ECAT?
Hi Biju,
For real-time analysis we probably need a couple of days of data, but I think this should be configurable and limited to a max of 5-7 days.
If we can leverage Archiver or use compression in ESA for historical data, then we can put in much more data.
Tracking data in ECAT is real-time data that the endpoint sends to the ECAT server every 15 sec (default setting). If we can get this data into Context Hub, then this would be useful in investigation.
Miha
I would also like to see an extensible framework that supports many different database sources, as well as potentially custom plugins for API lookups.
The types of information that would be great to have enhanced on the fly:
- Asset info: OS, Owner, Environment, Business Unit, Hostname, etc.
- Vulnerability Data
- Identity Data
- DNS (internal and external)
- Whois (external)
- Threat Intelligence
- End-Point Information (HIPS, AntiVirus, Tanium)
It would be great to see a REST API for all services like you see with the core ones; unfortunately, it seems like all the new stuff does not have a good REST API.
Can we add AD info?
Using LDIF is really easy and can already be done today from SA.
Miha,
Via LDAP, AD information will be pulled. Can you share where in SA you can do LDIF currently? Noted all your other inputs; if there is anything else, do share.
Thanks a lot,
Biju
Shawn,
Thanks for your inputs.
Here is a post on how this can be used.
I was thinking of using the "ldapsearch" option on the SA Server, which is available today: you can pull data from LDAP/AD and then use it for enrichment via a Feed.
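The workflow Miha describes above (pull directory data with `ldapsearch`, then turn it into a feed) in working form, as an added example that is not part of this thread and not RSA code. The LDIF sample is constructed, the `ldapsearch` command in the docstring is the usual OpenLDAP client syntax, and the CSV layout (first column is the key the feed matches on, here `sAMAccountName`) is an assumed feed format, not a documented Security Analytics one. The parser handles the two LDIF details that commonly break quick scripts: folded continuation lines and base64-encoded (`::`) attribute values.

```python
"""Convert `ldapsearch` LDIF output into a CSV enrichment feed.

Added example for illustration only (not code from the forum thread or from
RSA). Assumptions, all labelled:
  - the LDIF came from a read-only service account running something like:
      ldapsearch -LLL -x -H ldap://dc.example.internal \
          -D "svc_sa_ro@example.internal" -W -b "DC=example,DC=internal" \
          "(&(objectClass=user)(sAMAccountName=*))" \
          sAMAccountName department title mail manager
  - the feed consumer wants a CSV whose first column is the key to match
    against the session's user meta (sAMAccountName here); this layout is a
    constructed assumption, not a documented feed format.
"""
import base64
import csv
import io
from typing import Dict, Iterator, List

# Constructed sample LDIF in the shape `ldapsearch -LLL` prints: entries are
# separated by blank lines, a continuation line starts with one space, and a
# base64 value is introduced by "::" (ldapsearch does that for non-ASCII or
# leading/trailing whitespace).
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Users,DC=example,DC=internal
sAMAccountName: aexample
department: Finance
title: Senior Accountant
mail: alice.example@example.internal
manager: CN=Bob Manager,OU=Users,DC=example,DC=inte
 rnal

dn: CN=Bob Manager,OU=Users,DC=example,DC=internal
sAMAccountName: bmanager
department:: RmluYW5jZQ==
title: Finance Director
mail: bob.manager@example.internal

dn: CN=svc_backup,OU=Service Accounts,DC=example,DC=internal
sAMAccountName: svc_backup
department: IT
"""

KEY_ATTR = "sAMAccountName"                       # feed key column (assumed)
FEED_ATTRS = ["department", "title", "mail", "manager"]  # enrichment columns


def unfold(lines: Iterator[str]) -> Iterator[str]:
    """Join LDIF continuation lines (leading space) onto the previous line."""
    buf = None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith(" ") and buf is not None:
            buf += line[1:]
            continue
        if buf is not None:
            yield buf
        buf = line
    if buf is not None:
        yield buf


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Split LDIF into entries; each entry maps attribute -> list of values."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfold(iter(text.splitlines(keepends=True))):
        if not line.strip():                  # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):              # LDIF comment
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):             # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name, []).append(value)
    if current:
        entries.append(current)
    return entries


def to_feed_rows(entries: List[Dict[str, List[str]]]) -> List[List[str]]:
    """One CSV row per entry that has a key; multi-valued attrs joined by ';'."""
    rows = []
    for entry in entries:
        key = entry.get(KEY_ATTR)
        if not key:                           # nothing to match sessions on
            continue
        rows.append([key[0]] + [";".join(entry.get(a, [])) for a in FEED_ATTRS])
    return rows


def build_feed_csv(ldif_text: str) -> str:
    """Render the feed as CSV text with a header row (DNs containing commas are quoted)."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow([KEY_ATTR] + FEED_ATTRS)
    writer.writerows(to_feed_rows(parse_ldif(ldif_text)))
    return out.getvalue()


if __name__ == "__main__":
    print(build_feed_csv(SAMPLE_LDIF))
```

Run against the real `ldapsearch` output by piping it in instead of `SAMPLE_LDIF`; the service account used for the bind only needs read access to the attributes listed, and the resulting CSV is what gets published as the feed.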
