Context Hub Lists Tab
In the Lists tab, you can create and configure lists for Context Hub. Navigate to (Admin) > Services > Select Context Hub service > View > Config > Lists tab.
The Lists tab of the Context Hub service allows you to create one or more lists and add relevant list values to the list. These lists are automatically considered as data sources for the Context Hub service.
These lists may be populated with items either by importing external or custom feed CSV files or by adding meta values by using the option Add/Remove from List in Investigation and Respond views.
Note: You can also create lists and add list values from Respond and Investigation views. For more information, see the NetWitness Respond User Guide and the NetWitness Investigate User Guide.
Workflow
This workflow shows the procedure to configure lists for Context Hub service and to view contextual information in the Respond and Investigate views.
Creating one or more lists is the first task in this workflow. The lists can contain supported metas such as an IP address, User, Host, Domain, MAC address, File Name or File Hash. The next task is to analyze or use the list data to view contextual data in the Respond and Investigate views.
What do you want to do?
Role | I want to ... | Show me how |
---|---|---|
Administrator | Configure List Data Source for Context Hub* | Configure Lists as a Data Source |
Administrator/ Analyst | View Contextual Information in Respond View | See the NetWitness Respond User Guide. |
Administrator/ Analyst | Manage Lists and List Values in Investigation | See the Investigate User Guide. |
Administrator/ Analyst | Create a list | See the NetWitness Respond User Guide and Investigate User Guide |
Administrator/ Analyst | Update a list | See the NetWitness Respond User Guide and Investigate User Guide |
Administrator/ Analyst | Delete list | See the NetWitness Respond User Guide and Investigate User Guide |
Administrator/ Analyst | Import a list | Import or Export Lists for Context Hub |
Administrator/ Analyst | Export list | |
*You can complete this task here (that is in the Context Hub Lists Tab).
Related Topics
- Context Hub Data Sources Tab
- "Troubleshooting NetWitness Investigate" in the NetWitness Investigate User Guide
Quick Look
The following example illustrates how to add lists for Context Hub service.
The Lists tab consists of the Lists panel and List Values panel. The Lists panel has a toolbar with options to add, delete, import, and export lists. The entries under List Name are lists that are added or imported for the Context Hub service.
By default, 10 empty single-column lists are available in NetWitness 11.1. You need to add information to these lists. The 10 out-of-the-box list names are used in ESA rules; for more information on ESA rules, see the Alerting with ESA Correlation Rules User Guide. Users upgrading from previous versions can view these new lists in addition to their previously created lists. The lists available by default are:
- Admin_Accounts
- Guest_Accounts
- Service_Accounts
- User_Blacklist
- User_Whitelist
- Host_Whitelist
- Domain_Controllers
- IP_Blacklist
- IP_Whitelist
- Host_Blacklist
Note: If a list with the same name already exists prior to updating to or installing NetWitness 12.1.0.0, then that list will be retained. Either rename that list before updating to 11.1 or update the contents in such a way that it can be used in ESA rules.
The lists are available in ESA rules tab in CONFIGURE > ESA Rules > Settings > Enrichment Sources. For more information on ESA rules, see the Alerting with ESA Correlation Rules User Guide for Version 12.3.1.
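A pre-import sanity check for two of the default lists, added here as an example (not NetWitness code). It assumes each list is a single-column CSV with one IP address per row and no header, which this page does not specify; the function names and sample data are constructed for illustration. It rejects malformed entries, collapses duplicates and equivalent spellings, and reports addresses that appear on both IP_Blacklist and IP_Whitelist, where ESA rules using both lists would get contradictory context.

```python
import csv
import io
import ipaddress


def load_ip_list(csv_text):
    """Parse a single-column CSV of IP addresses (assumed layout).

    Returns (valid, rejected): valid is a set of normalized address
    strings, rejected is a list of (line_number, raw_value) tuples.
    """
    valid, rejected = set(), []
    for line_no, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        if not row or not row[0].strip():
            continue  # ignore blank rows
        raw = row[0].strip()
        try:
            # Normalizing collapses equivalent spellings (IPv6 case, zero runs).
            valid.add(str(ipaddress.ip_address(raw)))
        except ValueError:
            rejected.append((line_no, raw))
    return valid, rejected


def check_lists(blacklist_csv, whitelist_csv):
    """Validate both lists and report entries present on both."""
    black, bad_black = load_ip_list(blacklist_csv)
    white, bad_white = load_ip_list(whitelist_csv)
    return {
        "blacklist": sorted(black),
        "whitelist": sorted(white),
        "rejected": {"IP_Blacklist": bad_black, "IP_Whitelist": bad_white},
        "conflicts": sorted(black & white),
    }


# Constructed sample data (documentation address ranges only).
SAMPLE_BLACKLIST = "203.0.113.7\n198.51.100.23\n203.0.113.7\n2001:DB8::1\n10.0.0.999\n"
SAMPLE_WHITELIST = "192.0.2.10\n198.51.100.23\n2001:db8:0:0:0:0:0:1\nnot-an-ip\n"

if __name__ == "__main__":
    report = check_lists(SAMPLE_BLACKLIST, SAMPLE_WHITELIST)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Resolve every entry under `conflicts` and `rejected` before importing the files.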
The List Values panel has a toolbar with options to add, delete, and import list values to the selected list. The entries under Value identify each list entry included in the list.
1 | Click to add a new list. |
2 | Name that identifies the list. |
3 | Description of the list. |
4 | Click to import list(s) to Context Hub. |
5 | Click to export a list to the local machine. |
6 | Click to import list values to selected list. |
7 | Click to add or edit entity mapping. |
8 | Displays the custom list(s) that are added to Context Hub. |
9 | Displays the list values that are added to the selected list. |
Toolbar
The following table describes the toolbar actions.
Feature | Description |
---|---|
Add | Add a new list. For more information, see Configure Lists as a Data Source. |
Delete | Delete a list. If you delete a list from Context Hub, the list is no longer considered as a data source for retrieving contextual information. |
Import | Import lists to Context Hub. For more information, see Import or Export Lists for Context Hub. |
Export | Export a list to the local machine. For more information, see Import or Export Lists for Context Hub. |
Note: You can select multiple lists at a time. Do one of the following:
1. Select a list, press and hold the Ctrl key, and click the lists to be selected.
2. Select a list, press and hold the Shift key, and use the arrow keys to select other lists.
List View Options
The following table describes the Lists configurations.
Feature | Description |
---|---|
List Name | Unique name to identify the list. |
Description | Description of the list. |
Save | Saves the changes made to the list. |
Next steps
After completing the configuration, you can view the contextual data in the Context Summary Panel of the Respond view or Investigate view. For instructions, see the Navigate to Context Summary Panel and View Additional Context topic in the Investigate User Guide.