Run Contextualize

Contextualization provides information about a host, port, or user in a log or event. It is an option in the context menu of aggregate log or event lists. You access Contextualization from an aggregate log list or aggregate event list, which you can create in Personal Dashboard, Investigator, or Tail.

  1. After you create an aggregate list of logs or events, select a row in the list.
  2. Right-click the row, and then click Contextualize.
  3. Select an option from the following:
    • Host (Origin) Information or Host (Impacted) Information. Opens the Host Information window with Basic, Ping, Trace Route, and Whois tabs.

    • Port (Origin) Information or Port (Impacted) Information. Opens the Port Information window.

    • Host (Origin) Identity Inference or Host (Impacted) Identity Inference. Opens the Host Identity Inference window. The Host Identity Inference feature maintains a mapping of users to hosts based on observed log activity. If the log message doesn't contain user-identifying information, the identity of the host is logically inferred and presented to the users and analytic engines.
      For Identity Inference to work, Identity Inference must be configured through one of the following methods:

      • In the Platform Manager in the Global System Settings. Identity Inference can be enabled globally or on a per Data Processor basis.

      • In the Data Processor Modify Data Processor Advanced Properties. Identity Inference can be set for individual Data Processors when it has been globally disabled.

      The Host Identity Inference window includes the following two panes:
      • The Log Message Info includes:

        • Host Name

        • Host IP Address

        • Log Date

      • The Identifier information includes:

        • Identifier

        • Identifier Type. User or Address.

        • Confidence. Represents the highest confidence observed for each identifier within the queried time.

        • Log Date Offset. Hours and minutes when the specific identifier was last observed with respect to the queried message Normal time.

        • Last Observed

        • Last Observed Utc

        To drill down on a specific identifier from the Host Identity Inference window:
        1. Select the Identifier(s) you want.

        2. Right-click and select a Launch Investigator option:

          • Investigate Identify Inference Users in Login

          • Investigate Identify Inference Users in Account

          • Investigate Identify Inference Users in Login or Account

          • Investigate Identify Inference Address in Sender

          • Investigate Identify Inference Address in Recipient

          • Investigate Identify Inference Address in Sender or Recipient

          The investigation is launched in the background.

    • User Information. Opens the User Information window.

  4. The Contextualization window opens and displays results according to the parameters you selected.
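
The sketch below illustrates the idea behind the Identifier pane of the Host Identity Inference window: given a log that names a host but no user, list the identifiers recently observed on that host, with the highest confidence and the offset from the log date. It is an added example, not the product's code or algorithm; the function names, the symmetric four-hour window, the sample hosts and the confidence values are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample observations: (host, identifier, type, confidence, observed UTC).
# Confidence values are invented; the page does not describe how they are scored.
OBSERVATIONS = [
    ("ws-014", "alice", "User", 60, datetime(2024, 5, 1, 8, 5)),
    ("ws-014", "alice", "User", 90, datetime(2024, 5, 1, 9, 40)),
    ("ws-014", "alice@example.com", "Address", 70, datetime(2024, 5, 1, 9, 10)),
    ("ws-014", "bob", "User", 80, datetime(2024, 4, 30, 7, 0)),  # outside the window
    ("ws-022", "carol", "User", 95, datetime(2024, 5, 1, 9, 55)),  # different host
]

def format_offset(delta):
    """Render a timedelta as signed hours and minutes, e.g. -00:20."""
    sign = "-" if delta < timedelta(0) else "+"
    minutes = int(abs(delta).total_seconds() // 60)
    return f"{sign}{minutes // 60:02d}:{minutes % 60:02d}"

def infer_identities(host, log_date, window=timedelta(hours=4),
                     observations=OBSERVATIONS):
    """Return candidate identifiers for a log on `host` that has no user field.

    The queried time is assumed to be log_date +/- window.
    """
    start, end = log_date - window, log_date + window
    rows = {}
    for obs_host, ident, ident_type, conf, seen in observations:
        if obs_host != host or not (start <= seen <= end):
            continue
        row = rows.setdefault((ident, ident_type), {
            "identifier": ident, "identifier_type": ident_type,
            "confidence": conf, "last_observed_utc": seen})
        # Keep the highest confidence and the most recent sighting per identifier.
        row["confidence"] = max(row["confidence"], conf)
        row["last_observed_utc"] = max(row["last_observed_utc"], seen)
    for row in rows.values():
        row["log_date_offset"] = format_offset(row["last_observed_utc"] - log_date)
    return sorted(rows.values(), key=lambda r: (-r["confidence"], r["identifier"]))

if __name__ == "__main__":
    for r in infer_identities("ws-014", datetime(2024, 5, 1, 10, 0)):
        print(r["identifier"], r["identifier_type"], r["confidence"], r["log_date_offset"])
```

A low-confidence or stale identifier in such a list is a lead to verify in Investigator, not an attribution.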