NetWitness Community

BijuVasudevan · ‎2016-07-17

Context Hub is a new service in RSA Security Analytics in 10.6 which provide enrichment lookup capability in the Investigation views. The sources for enrichment data include Incident Management, custom lists, and ECAT.

It would be a great help if you would please comment on which may be most useful to your organization and why.

What type of context is most important for analysts to help their investigations?
If context is external to SA what type of database connector (e.g. LDAP, Mongo DB, JDBC/ODBC, and REST API) would be most useful.
Any specific application name in Identity/AD, CMDB, Vulnerability etc. you would like to integrate with SA.
What type of endpoint data would be valuable to your analysts and integration of it with Context?

MihaMesojedec · ‎2016-07-17

I would like to see option for all listed database connectors, so there is no limitation.

Vulnerability and Identity information is must to have in SA Context hub asap.

Timeline view and historical information would be great to have in the context hub as well, so analyst could compare previous and current state of asset or identity.

As well add option to integrate Tracking data from ECAT to SA.

BijuVasudevan · ‎2016-07-17

Thanks Miha for your comment.

Can you elaborate how much historical information you are looking for and also can you give an example of tracking data from ECAT.

MihaMesojedec · ‎2016-07-17

HI Biju,

For real time analysis we probably need couple of days of data, but I think this should be configurable nad limit for max 5-7 days.

If we can leverage Archiver or use compression in ESA for historical data then we can put much more data.

Tracking data in ECAT is real time data that endpoint is sending to ECAT server every 15 sec (default settings). If we can get this data to context hub then this would be useful in investigation.

Miha

ShawnOstapuk · ‎2016-07-25

I would also like to see an extensible framework that supports many different database sources as well as potentially custom plugins for API lookups:

The type of information that would be great to have enhanced on the fly:

Asset info: OS, Owner, Environment, Business Unit, Hostname, etc

Vulnerability Data

Identify Data

DNS (internal and external)

Whois (external)

Threat Intelligence

End-Point Information (HIPS, AntiVirus, Tanium)

It would be great too see a REST API for all services like you see with the core ones, unfortunately it seems like all the new stuff does not have a good REST API.

MihaMesojedec · ‎2016-07-28

Can we add AD info?

Using LDIF is really easy and can be done already today from SA.

BijuVasudevan · ‎2016-07-29

Miha,

Via LDAP AD information will be pulled. Can you share where in SA you can do LDIF currently. Noted all your other inputs, if anything else do share.

Thanks a lot

Biju

BijuVasudevan · ‎2016-07-29

Shawn,

Thanks for your inputs.

MihaMesojedec · ‎2016-07-29

Here is post how this can be used.

https://www.digitalocean.com/community/tutorials/how-to-use-ldif-files-to-make-changes-to-an-openldap-system

I was thinking to use "ldapsearch" option in SA Server, which is available today and you can pull data from LDAP/AD and then use it for enrichment via Feed.