How Context Hub Works

Context Hub service provides enrichment lookup capability in the Respond and Investigate views. An Administrator can configure the Context Hub service and the data sources to enable an Analyst to perform the context lookup for the required data sources.

By default, the Context Hub service supports enrichment lookups for meta types such as IP address, User, Domain, MAC address, File Name, File Hash, and Host.

The following data sources are supported by NetWitness and provide enriched data when configured.

Lists- Provides contextual information from a list of blacklists, whitelists, or watchlists.

Archer- Provides Criticality information of a device or specific asset based on the IP or Host which needs constant monitoring.

Active Directory - Provides contextual information of a user to help determine if the user is suspicious or not.

RSA NetWitness Endpoint - Provides context information for endpoint module and machine indicators and to help determine if any of the Endpoint devices are compromised.

Respond- Provides contextual information of a specific meta available in respond and enables analyst to respond faster based on context data.

File Reputation Server - Provides contextual information for reputation status of files.

STIX - Provides contextual information on IP address, email address, domain, filename, URL, and file hash from STIX sources.

REST API - Provides contextual information for any accessible web service with an exposed REST API.

Overview of Context Hub Configuration

The Administrator needs to perform each step in the proper sequence to configure the services to perform the context lookup effectively. In the netwitness_adminicon_25x22.png (Admin) > Services. Services Config view of Context Hub service, an administrator can configure data sources for Context Hub Service. The administrator can also configure Context Lookups for custom meta keys, if required and also import lists or export lists.

The workflow below describes how the Context Hub service can be configured:

netwitness_chconfigoverview.png

Context Hub service is pre-installed on primary ESA host, and automatically added to the NetWitness.

Note: You can have only one Context Hub service instance enabled in your NetWitness deployment. If there are multiple ESA service in NetWitness, you must choose the appropriate ESA host for Context Hub. A minimum of 8GB space is required to configure Context Hub on ESA host.