Use Contextualize
Contextualization provides information about a host, port, or user in a log or event. It also provides opportunities to retrieve additional information by executing whois, ping, and traceroute queries.
To use contextualization:
- On the lower-right side of the page, click the Logs tab to open the Analyzer grid.
- Click a metadata field type that is supported by Contextualize. If the Inspector panel is not already open, click the Configuration icon in the metadata cell or the Arrow icon on the panel to open it and view the Contextualize tool. The following field types are supported:
  - Host (Impacted)
  - Host (Origin)
  - Hostname (Impacted)
  - Hostname (Origin)
  - IP Address (Impacted)
  - IP Address (Origin)
  - Known Host (Impacted)
  - Known Host (Origin)
  - Recipient
  - Sender
  - TCP/UDP Port (Impacted)
  - TCP/UDP Port (Origin)
  - User (Impacted)
  - User (Origin)

  When you click a field type that is not supported, the Contextualize interface does not appear in the Inspector panel.
- Scroll down to the Contextualize section, if necessary, to see additional information about the selected metadata. The following three types of information are available:
  - Hosts. For known hosts, the Contextualize feature returns information stored in the LogRhythm database. If no information is available, those fields do not appear in the Contextualize section. If an IP address exists in the database for the known host, you can run whois, trace, and ping queries. You can manually replace the value in the IP address field with another IP address or host. You can also click the Configuration icon to configure parameters for those queries. Query settings do not persist and must be set again each time you refresh or browse away from the current page.

    You may need to configure your firewall to use Contextualize. For more information, see the Networking and Communication topic in the LogRhythm SIEM Help.
  - Ports. Returns information that is stored in the LogRhythm database: the port name, what it is used for, whether it is a system or custom port, and whether the port is mapped to an application. For more information on port settings, see Networking and Communication.
  - Users. Queries domain user information. The Domain field is populated with the domain from the log if it is available. If it is not available, the Web Console auto-populates the domain that your LogRhythm Web Services Host API runs on. You can also manually edit the Domain field.

  All dates display in Coordinated Universal Time (UTC).
- At the bottom of the Contextualize section, click Add to Current Case to add the information to the current case.