Context Hub is a new service in RSA Security Analytics 10.6 which provides enrichment lookup capability in the Investigation views. The sources for enrichment data include Incident Management, custom lists, and ECAT.
It would be a great help if you would please comment on which may be most useful to your organization and why.
- What type of context is most important for analysts to help their investigations?
- If context is external to SA, what type of database connector (e.g. LDAP, Mongo DB, JDBC/ODBC, or REST API) would be most useful?
- Any specific application names in Identity/AD, CMDB, Vulnerability, etc. that you would like to integrate with SA.
- What type of endpoint data would be valuable to your analysts and integration of it with Context?
I would like to see an option for all listed database connectors, so there is no limitation.
Vulnerability and Identity information is a must-have in the SA Context Hub asap.
A timeline view and historical information would be great to have in the Context Hub as well, so analysts could compare the previous and current state of an asset or identity.
Also, add an option to integrate Tracking data from ECAT into SA.
Thanks Miha for your comment.
Can you elaborate on how much historical information you are looking for? Also, can you give an example of tracking data from ECAT?
For real-time analysis we probably need a couple of days of data, but I think this should be configurable and limited to a maximum of 5-7 days.
If we can leverage the Archiver or use compression in ESA for historical data, then we can put in much more data.
Tracking data in ECAT is real-time data that the endpoint sends to the ECAT server every 15 sec (default setting). If we can get this data into the Context Hub, it would be useful in investigations.
I would also like to see an extensible framework that supports many different database sources as well as potentially custom plugins for API lookups:
The types of information that would be great to have enhanced on the fly:
- Asset info: OS, Owner, Environment, Business Unit, Hostname, etc.
- DNS (internal and external)
- End-Point Information (HIPS, AntiVirus, Tanium)
It would be great to see a REST API for all services, like you see with the core ones. Unfortunately, it seems like all the new stuff does not have a good REST API.
Here is a post on how this can be used.
I was thinking of using the "ldapsearch" option on the SA Server, which is available today; you can pull data from LDAP/AD and then use it for enrichment via a Feed.
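As an added example of the ldapsearch-to-feed approach described above (not code from the thread or from RSA), the script below parses constructed LDIF output of the kind ldapsearch prints and writes a key-first CSV that a custom feed could consume. The CSV column layout and the choice of sAMAccountName as the feed key are assumptions, not a documented SA feed format.

```python
import base64
import csv
import io

# Constructed sample of ldapsearch LDIF output (not real directory data).
# It contains a folded line (leading-space continuation) and a base64
# attribute ("::"), the two LDIF features a naive line splitter gets wrong.
SAMPLE_LDIF = """\
# extended LDIF (comment lines are ignored)
dn: CN=alice,OU=Users,DC=example,DC=com
sAMAccountName: alice
department: Finance
title: Senior
  Accountant
mail:: YWxpY2VAZXhhbXBsZS5jb20=

dn: CN=bob,OU=Users,DC=example,DC=com
sAMAccountName: bob
department: IT
title: Analyst
"""


def parse_ldif(text):
    """Return one dict of attributes per LDIF entry, unfolding continuation
    lines and decoding base64 ('attr:: value') attributes."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue                       # ldapsearch comment line
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]           # folded continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:              # trailing "" flushes the last entry
        if not line:
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):          # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current[attr.strip()] = value.strip()
    return entries


def ldif_to_feed_csv(text, key_attr="sAMAccountName",
                     columns=("department", "title", "mail")):
    """Render entries as feed CSV: key column first, then enrichment columns
    (assumed layout). Entries without the key cannot be matched and are skipped."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for entry in parse_ldif(text):
        if key_attr in entry:
            writer.writerow([entry[key_attr]] + [entry.get(c, "") for c in columns])
    return buf.getvalue()
```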