Analysts can view contextual information about users on the NetWitness Platform Users page. This will enable analysts to make better decisions and take appropriate action during their analysis. A single page containing Users and contextual information helps analysts to prioritize and identify areas of interest. The Context Lookup panel displays contextual information for the selected users. The data available depends on the configured sources in the Context Hub.
Note: Contextual Information is not applicable to network entities.
Note: The contexthub-server.contextlookup.read permission is enabled only for Administrators, Analysts, Malware Analysts, SOC Managers and Respond Administrators. Administrators can enable this permission for other roles in the Users view to view context lookup for users and perform the Add/Remove from List actions. For more information, see the "Role Permissions" topic in the System Security and User Management Guide.
To view contextual information for users
-
Log in to the NetWitness Platform.
-
Go to Users > Overview.
-
Do one of the following:
-
In the Overview tab, under the Top Risky Users panel, click on a username.
-
In the Entities tab, click on a username.
The User Profile view is displayed.
-
-
Click after the username to open the user context panel.
A Context Highlights dialog appears with a quick summary of the type of context data that is available for the selected user.
The information in the Context Highlights section helps you to determine the actions that you would like to take. It can show related data for Incidents, Alerts, Lists, and Threat Intelligence (TI). Depending on your data, you may be able to click these items for more information. The above example shows that the user Akiko Sakamoto has 1 related Respond Incident, 28 Alerts, 2 Lists, and 0 incident for TI. For more information, see the Context Hub Configuration Guide.
The other available actions the analysts can perform are Context Lookup, Add/Remove from List, and Pivot to Investigate.
-
Context Lookup: The Context Lookup panel opens from the right side of the browser window, and the Context Lookup panel for Active Directory displays all the related information, incidents, and alerts for a user. For more information on configuring the Active Directory as the data source, see "Configure Active Directory as a Data Source" topic in the Context Hub Configuration Guide.
-
Pivot to Investigate: For a more thorough investigation of user activities and related events, click Pivot to Investigate, and the Events view opens, which enables you to perform a deeper dive investigation.
-
Add/Remove from List: You can create custom lists and add users, which could be used to track users who have been identified as threats or to highlight accounts of particular interest. You can also remove users from the list. This ensures analyst focuses on real threats and reduce false positives that do not need further investigation.
-