Context Lookup Panel

After an administrator configures the Context Hub service, you can view the contextual information for the meta values in the Navigate view, Legacy Events view, and Events view. The Context Hub service is pre-configured with a default meta type and meta key mapping. For information about mapping a Context Hub meta value to an investigation meta key, see "Manage Meta Type and Meta Key Mapping" in the Context Hub Configuration Guide.

The Context Lookup panel is displayed on the right side of the Navigate view, Legacy Events view, or Events view. Meta values that have been added to a Context Hub list are highlighted in gray in the Navigate view or Legacy Events view results. In the Events view, they are marked by an underscore. When you right-click a highlighted value and select Context Lookup in the resulting context menu, the lookup results from the configured sources for the selected meta value are displayed in the Context Lookup panel. You can select a source in the Context Lookup panel icon bar to view the contextual information.

There are some differences between the appearance and contents of the Context Lookup panel when it is open in the Navigate view or Legacy Events view and when it is open in the Events view.

Note: The contexthub-server.contextlookup.read permission is enabled only for Administrators, Analysts, Malware Analysts, SOC Managers and Respond Administrators. Administrators can enable this permission for other roles in the Respond view to view context lookups for meta values and perform the Add/Remove from List actions. For more information, see the "Role Permissions" topic in the System Security and User Management Guide.

Workflow

Figure: Context lookup workflow (netwitness_wkflow-lookups.png)

What do you want to do?

  • User Role: Incident Responder or Threat Hunter
    I want to ...: review detections and signals seen in my environment
    Show me how: NetWitness Platform Getting Started Guide

  • User Role: Incident Responder
    I want to ...: review critical incidents or alerts
    Show me how: NetWitness Respond User Guide

*You can perform this task in the current view.

Quick Look (in the Navigate and Legacy Events Views)

The following figure is an example of the Context Lookup panel as it appears in the Navigate view. Controls and features are described in the table.

Figure: Context Lookup panel as it appears in the Navigate view (122_NavVwCtxPnl_1122.png)

  • Feature: Source Options Bar
    Description: Displays the icons for the available sources: Endpoint, Incidents, Alerts, and Lists.

  • Feature: Source Name
    Description: Displays the source name based on the selected icon: Endpoint, Incidents, Alerts, or Lists.

  • Feature: Sort
    Description: Provides a drop-down of sort options for the listed context information. Possible sort options are Severity - High to Low, Severity - Low to High, Date - Oldest to Newest, and Date - Newest to Oldest. The sorting options vary by source type.

  • Feature: Refresh icon (netwitness_ic-refresh.png)
    Description: Refreshes the lookup results.

  • Feature: (First Results)
    Description: The footer provides a count of results currently displayed and the total number of results. For example, 5 Alerts (First 50 Results).

Incidents

Incidents are displayed based on time first (Newest to Oldest) and then priority status. The following information is displayed for incident lookups:

  • Incident Name and ID
  • Priority status of the incidents
  • Risk Score value of the incidents
  • Date when the incident was created
  • Status of the incident
  • Assignee for the incident
  • Last Updated: Indicates when contextual data was last fetched from the data source and updated in the cache.
  • Time window: This is based on the value that is set for the "Query Last (Days)" field in the Configure Respond window. For details, see the "Configure Respond as a Data Source" topic in the Context Hub Configuration Guide.
  • Sort: This drop-down field provides options to change the sorting of results based on time or priority.

Alerts

Alerts are displayed based on the Severity. The following information is displayed for alert lookups:

  • Alert Name
  • Severity value of the alerts
  • Date when the alert was created
  • Incident ID: This is the ID of the incident that the alert is associated with (if any).
  • Sources: Event source name
  • Number of events associated with the alert.
  • Last Updated: Indicates when contextual data was last fetched from the data source and updated in the cache.
  • Time window: This is based on the value that is set for the "Query Last (Days)" field in the Configure Respond window. For details, see the "Configure Respond as a Data Source" topic in the Context Hub Configuration Guide.
  • Sort: This drop-down field provides options to change the sorting of results based on time or priority.

Lists

The following information is displayed for list lookups.

  • List Name
  • Owner who created the list
  • Created Date
  • Last Updated Date
  • Description of the list

Endpoint

The following information is displayed for Endpoint lookups.

  • Machine name and IP address of the machine. Clicking the IP address or the Endpoint machine name opens the Endpoint UI, where you can investigate further.
  • Last Updated: Indicates when contextual data was last fetched from the data source and updated in the cache.
  • Machine Score: A machine IIOC score is aggregated based on the module scores.
  • Number of modules: Number of active files for the selected machine.
  • Last Updated: Indicates when the scan results were last updated in the Endpoint database.
  • Last Login User
  • Machine MAC Address
  • Operating System Version
  • Admin Notes (if any)
  • Admin Status (if any)
  • Top Suspicious Modules (Modules that have an IIOC score > 500). This is based on the value set for "Minimum IIOC Score" field in the Configure Endpoint window. The default value for "Minimum IIOC Score" is 500.
  • Machine IIOC Levels

Quick Look in the Events View

The following figure is an example of the Context Lookup panel as it appears in the Events view.

Figure: Context Lookup panel in the Events view (122_contextup12_1122.png)

The contextual information or query results displayed in the Context Lookup panel depend on the selected entity and the associated data sources. The Context Lookup panel has a separate tab for each data source. The tabs are: List data source, Archer, Active Directory, Endpoint, Incidents, Alerts, and REST API. The following figure shows the Context Lookup panel for a selected entity in the Incident Details view.

Figure: Context Lookup panel for a selected entity in the Incident Details view (netwitness_contextpanel_2_114_960x486.png)

The following table describes the data available on each tab and the supported entities.

  • Tab: Lists
    Description: Displays all of the list data associated with the selected entity or meta value. The result is sorted by the last updated list.
    Supported Entities: All entities

  • Tab: Archer
    Description: Displays asset information along with criticality ratings using the Archer data source.
    Supported Entities: IP, Host, and Mac

  • Tab: Active Directory
    Description: Displays all user information for the selected user.
    Supported Entities: User

  • Tab: NetWitness Endpoint
    Description: Displays the NetWitness Endpoint data source information for the selected entity or meta value, which includes the Machines, Modules, and IIOC levels. Modules are sorted from highest to lowest IIOC score, and IIOC levels are sorted from highest to lowest level.
    Supported Entities: IP, MAC address, and Host

  • Tab: Incidents
    Description: Displays the list of incidents associated with the selected entity or meta value. The result is sorted by newest incidents to oldest incidents.
    Supported Entities: All entities

  • Tab: Alerts
    Description: Displays the list of alerts associated with the selected entity or meta value. The result is sorted by newest alerts to oldest alerts.
    Supported Entities: All entities

  • Tab: Live Connect
    Description: Displays information related to Live Connect.
    Supported Entities: IP, Domain, and Filehash

  • Tab: File Reputation
    Description: Displays file reputation status for Filehash entities.
    Supported Entities: Filehash entities

  • Tab: TI
    Description: Displays information for STIX data sources.
    Supported Entities: IP address, email address, domain, filename, URLs, and file hash.
    Note: The context lookup for email address and URL is displayed only if these metas are mapped. Navigate to (Admin) > System > Investigation > Context Lookup.

  • Tab: REST API
    Description: Displays the list of REST APIs (enabled in Context Hub) associated with the selected entity.
    Supported Entities: All entities

Lists Tab

The Context Lookup panel for Lists shows one or more lists associated with the selected entity or meta value. The following figure is an example of the Context Lookup panel for Lists, and the table describes the fields.

Figure: Context Lookup panel for Lists (contexhub_lists_view.png)

  • Field: Name
  • Description: The name of the list (defined while creating the list).

  • Field: Description
  • Description: The description of the list (defined while creating the list).

  • Field: Header
  • Description: Displays the metas available for the list.

  • Field: Value
  • Description: Displays the values for each meta in the list.

  • Field: Author
  • Description: The owner who created the list.

  • Field: Created
  • Description: The date when the list was created.

  • Field: Updated
  • Description: The date when the list was last updated or modified.

  • Field: Count
  • Description: The number of lists in which the selected entity or meta value is available.

  • Field: Time Window
  • Description: The time window based on the value set for the "Query Last" field in the Configure Responses dialog. By default, all Lists data is fetched.

  • Field: Last Updated
  • Description: The time when Context Hub fetched and stored the lookup data in cache.

Archer Tab

The Context Lookup panel for Archer displays asset information along with criticality ratings using the Archer data source for IP, Host, and Mac entities. The following figure is an example of the Context Lookup panel for Archer, and the table describes the fields. Only the following fragments of the Archer table are recoverable from the page:

  • ... Low, Medium-Low, Medium, Medium-High, or High.
  • Risk Rating: The calculated risk rating for the device based on the most recent assessment and the average risk rating of facilities using the device. The risk rating can be set as Severe, High, Medium, Low ...
  • ... all data for Archer is fetched.
  • Last Updated: The time when Context Hub fetched and stored the lookup data in cache.
  • ... only these twelve fields are displayed: Criticality Rating, Risk Rating, Device Owner, Business Unit, Host Name, MAC Address, Facilities, IP Address ...

The descriptions of the remaining tabs survive on the page only as the following fragments, in page order:

  • ... incidents, and alerts for a user. You can perform a look up using the following formats: ...
  • ... only if the Global Catalogue is defined.
  • ... all data for Active Directory is fetched.
  • ... Offline, Active, or Inactive.
  • IP Address: The IP address of the specific module.
  • ... valid or invalid, and signatory information. For example, Google, Apple, and so on.
  • ... all data for NetWitness Endpoint is fetched.
  • Last Updated: The time when scan results were last updated in the NetWitness Endpoint database.
  • ... see "Configure Context Hub Data Source Settings" in the Context Hub Configuration Guide.
  • ... the alert data for the last 7 days is fetched.
  • ... which is based on time first (Newest to Oldest) and then priority status.
  • ... see "Configure Context Hub Data Source Settings" in the Context Hub Configuration Guide.
  • ... the alert data for the last 7 days is fetched.
  • ... see "View Reputation of files" in the UEBA User Guide.
  • Scanner Match: Number of scanners that detected malware or suspicious activity in the last scan.
  • Classification Platform: Classification for the queried filehash based on the platform. For example, the platform can be Win 32.
  • Classification Type: Classification for the queried filehash based on the type.
  • Classification Family: Classification for the queried filehash based on the malware family name.
  • ... and the table describes the information displayed. Figure: Context Lookup panel for STIX (netwitness_ctxpnl_stix_115_1046x676.png)
  • ... systems, and networks using the STIX Cyber-observable Objects (SCOs).
  • ... only the fields that are mapped with friendly names (during REST API configuration) are displayed for context lookup. If you have not mapped any fields, all fields are displayed for context lookup.