Look Up Additional Context for Results

The Context Hub is a centralized service that aggregates data about entities from multiple configurable data sources. This data can extend your investigation with additional context beyond the immediate results of a specific query. For example, the Context Hub can tell you if a given entity has been mentioned in any incidents, alerts, feeds, or community intelligence publications.

To enable viewing of contextual information, your administrator must add the Context Hub service in NetWitness Platform and configure data sources for the Context Hub service as described in the Context Hub Configuration Guide. Analysts also need a role with the permission Context Lookup as described in Role Permissions and Manage Users with Roles and Permissions in the System Security and User Management Guide.

When the Context Hub service is enabled and configured, NetWitness provides enrichment data from NetWitness Respond, custom lists, and NetWitness Endpoint directly in the Navigate view, Events view, and Legacy Events view. A visual cue highlights meta values for which enrichment data is available in the Investigate views, and you can click on the highlighted value to look up the contextual information and intelligence. You can look up details and intelligence about elements associated with an event in the Context Hub. These elements, or entities, are identifiers, such as an IP address, a user name, a host name, a domain name, a file name, or a file hash. The data from configured sources, such as NetWitness Endpoint, can help you understand what is happening. In Version 11.5 and later, you can add STIX data sources and view related data using context lookup; associated elements are IP address, file name, file hash, domain name, and URL.

In addition, you can add lists and list values for Context Hub enrichment; you can view lists, edit meta values in an existing list, or create a new list. When you add meta values to a list, you can investigate the meta values using the context lookup option.

For an analyst to manage lists in Investigate, the administrator must:

  • Enable the Context Hub service.
  • Assign an analyst role with permission Manage List from Investigation to the user who will perform Context Lookup from Investigation views.
  • Configure appropriate roles and permissions as described in "Role Permissions" and "Manage Users with Roles and Permissions" in the System Security and User Management Guide.

In Version 11.6 and later, you can add REST API data sources and view related data using context lookup. Administrators can also configure specific Context Hub sources (for example, specific lists, Respond, Endpoint, and so on) for context highlighting during investigation. If context highlighting is disabled for a Context Hub source, analysts still see results from all the data sources when opening the Context Panel for a meta value, but the values are not highlighted in the Investigation views. When you open View Context:

  • No data is shown if the meta value is not highlighted.
  • If an entity is common across different data sources, the meta value for that entity is underlined for all the data sources, but the data is shown only for the data source on which context highlighting is enabled.

Open the Context Lookup Panel

In the Context Lookup panel, you can view and explore individual data sources for further investigation. For a detailed description of the information displayed for each data source, see Context Lookup Panel.

In the Navigate view and Legacy Events view, entities that have associated context data available are highlighted with a gray background; hovering over an entity displays a hover box giving a summary of the available data. When you right-click the entity, the Context Hub queries the configured data sources for relevant information, and the Context Lookup panel opens from the right side of the browser window. The Context Lookup panel is populated with the information from the Context Hub as it becomes available. You can perform another lookup by right-clicking on another entity, and the Context Lookup panel is updated with that entity’s information.


In the Events view, you can see underlined entities in the Events panel, the Event Header, or the Event Meta panel. If an entity is underlined, NetWitness is populating information about that entity type in the Context Hub. There may be additional information available about that entity in the Context Hub.

The following figure shows underlined entities in the Events panel with the context tooltip open. The context tooltip has two sections: Context Highlights and Actions.

  • The information in the Context Highlights section helps you to determine the actions that you would like to take. It can show related data for Incidents, Alerts, Lists, Endpoint, Criticality, Asset Risk, and STIX. Depending on your data, you may be able to click these items for more information.
  • The Actions section lists the available actions. In the example, the Add/Remove from List, Pivot to Investigate > Navigate, Pivot to Archer, and Pivot to Endpoint Thick Client options are available.

    (Figure: underlined entities in the Events panel with the context tooltip open)

The following figures show bolded entities in the Overview and in the Event Meta panel.

(Figures: bolded entities in the Overview and in the Event Meta panel)

When you click View Context in the context tooltip, the Context Hub queries the configured data sources for relevant information, and the Context Lookup panel opens from the right side of the browser window. The Context Lookup panel is populated with the information from the Context Hub as it becomes available. You can perform another lookup by using the View Context option on another entity, and the Context Lookup panel is updated with that entity’s information.

You can also take any available action in the Actions section.

To view information in the Context Lookup panel in the Events view

  1. Hover over different meta values to see the data sources for which data is available.
    A context tooltip displays a list of the context data available for the selected meta value.
  2. Click View Context in the context tooltip to open the Context Lookup panel.
    The Context Lookup panel opens from the right side of the browser window. The Context Lookup panel is populated with the information from the Context Hub as it becomes available.
  3. To perform actions on an entity, select one of the available actions in the context tooltip: Add/Remove from List, Pivot to Investigate > Navigate, Pivot to Archer, or Pivot to Endpoint Thick Client. For more information, see Pivot to Investigate > Navigate (Events View), Pivot to Archer (Events View), Pivot to NetWitness Endpoint Thick Client (Events View), and Add an Entity to a Whitelist.

    Note: The Pivot to Archer link is disabled when Archer data is not available or when the Archer data source is not responding. Check that the Archer configuration is enabled and configured properly.

Add an Entity to a Whitelist

You can add any underlined entity to a list, such as a Whitelist or Blacklist, from a context tooltip. For example, to reduce false positives, you may want to whitelist an underlined domain to exclude it from the related entities.

  1. In the Events panel, the Event Header, or the Event Meta panel, hover over the underlined entity that you would like to add to a Context Hub list.
    A context tooltip showing the available actions is displayed.
  2. In the Actions section of the tooltip, click Add/Remove from List.
    The Add/Remove from List dialog shows the available lists.
  3. Select one or more lists and click Save.
    The entity is added to the selected lists.

Create a List (Events View)

You can create lists in Context Hub from the Events view. In addition to using lists to whitelist and blacklist entities, you can use lists to monitor entities for abnormal behavior. For example, to improve the visibility of a suspicious IP address and domain under investigation, you may want to include them in two separate lists. One list could be for domains suspected of being related to command and control connections, and another list could be for IP addresses related to remote access Trojan connections. You can then identify indicators of compromise using these lists.

To create a list in the Context Hub

  1. In the Events panel, the Event Header, or the Event Meta panel, hover over the underlined entity that you would like to add to a Context Hub list.
    A context tooltip showing the available actions is displayed.
  2. In the Actions section of the tooltip, click Add/Remove from List.
  3. In the Add/Remove from List dialog, click Create New List.
  4. Type a unique List Name for the list. The list name is not case sensitive.
  5. (Optional) Type a Description for the list.
    Analysts with the appropriate permissions can also export lists in CSV format to send to other analysts for further tracking and analysis. The Context Hub Configuration Guide provides additional information.

Pivot to Investigate > Navigate (Events View)

For a more thorough investigation of an entity, you can open the Navigate view.

  1. In the Events panel, the Event Header, or the Event Meta panel, hover over any underlined entity.
  2. In the Actions section of the tooltip, select Pivot to Investigate > Navigate.
    The Navigate view opens, enabling you to perform a deeper dive investigation. For more information, see Begin an Investigation in the Navigate or Legacy Events View.

Pivot to Archer (Events View)

To view more details about a device in Archer Cyber Incident & Breach Response, you can pivot to the device details page. This option is available only for IP address, host, and MAC address entities.

  1. In the Events panel, the Event Header, or the Event Meta panel, hover over any underlined entity (IP address, host, or MAC address).
  2. In the Actions section of the context tooltip, select Pivot to Archer.
  3. The device details page in Archer Cyber Incident & Breach Response opens if you are logged in to the application; otherwise, the login screen is displayed.

Note: The Pivot to Archer link is disabled when Archer data is not available or when the Archer data source is not responding. Check that the Archer configuration is enabled and configured properly.

For more information, see the Archer Integration Guide.

Pivot to NetWitness Endpoint Thick Client (Events View)

If you have the NetWitness Endpoint thick client application installed, you can launch it through the context tooltip. From there, you can further investigate a suspicious IP address, host, or MAC address.

  1. In the Events panel, the Event Header, or the Event Meta panel, hover over any underlined entity.
  2. In the Actions section of the tooltip, select Pivot to Endpoint Thick Client.
    The NetWitness Endpoint thick client application opens outside of your web browser.

For more information on the thick client, see the NetWitness Endpoint User Guide.

View the Context Lookup Panel in the Navigate View or Legacy Events View

  1. Hover over different meta values to see the data sources for which data is available.
    A hover box displays a list of the data sources that have context data available for the meta value. These are the possible data sources: NetWitness Endpoint, Incidents, Alerts, Hosts, Files, Feeds, and Live Connect.
  2. Right-click a meta value, and click Context Lookup in the drop-down menu to open the Context Lookup panel.
    The Context Lookup panel opens from the right side of the browser window. The Context Lookup panel is populated with the information from the Context Hub as it becomes available.
  3. To perform actions from the Context Lookup panel, right-click an entity such as IP address.
    The following options are available: Open Link in New Tab, Query in Investigate, Copy Link, Paste, Google Lookup, Virus Total Lookup, and Query in Endpoint.

  4. To close the Context Lookup panel, click the close icon in the panel.

Add Meta Values to an Existing List (Navigate and Legacy Events Views)

To add a meta value to an existing list in Context Hub

  1. While investigating a service in the Navigate view or the Legacy Events view, right-click a meta value (for example, values under Source IP, Destination IP, or Username) and select Add/Remove from List in the context menu.
    The Add/Remove from List dialog is displayed.
  2. In the List field, select one or more lists from the drop-down to which the meta value should be added.
  3. Click Save.
    The meta value is added to the selected lists.

Remove a Meta Value from a Context Hub List (Navigate and Legacy Events Views)

To remove a meta value from a list

  1. In the Add/Remove from List dialog, in the List field, view the lists which include the meta value.
  2. Click the delete icon (x) for each list that should not include the meta value.
  3. Click Save.
    The meta value is removed from the lists you deleted it from.

Create a New List (Navigate and Legacy Events Views)

To create a Context Hub list in Investigate

  1. In the Add/Remove from List dialog, click Create New List.
  2. In the List Name field, enter a unique name for the list.
  3. In the Description field, enter the description of the list.
  4. Click Create to create the list.
  5. Click Save to add the meta value to the created list.
    These lists are treated as data sources for retrieving context information.