If you haven't yet deployed the content behind the new Hunting Pack and Investigation Model, go here first and follow the steps:
- Hunting Guide: community.rsa.com/docs/DOC-62341
- Hunting Feed: community.rsa.com/docs/DOC-62301
- Investigation Model: community.rsa.com/docs/DOC-62313
- Investigation Feed: community.rsa.com/docs/DOC-62303
The new Investigation Model provides a fantastic way to organise the indicators and metadata produced by NetWitness so that analysts can interact with their data easily. The four Investigation Categories - Threats, Assurance, Operations, & Identity - provide the basis for defining the Investigation Context of each indicator.
The Hunting Guide and its associated Hunting Pack provide new Analysis meta keys that give Threat Hunters an operational workflow based on Session Analysis, Service Analysis, and File Analysis. They also introduce new Compromise meta keys for organising indicators into Indicators of Compromise, Behaviors of Compromise, and Enablers of Compromise. These new meta keys should be added to your favourite meta groups for Investigations. They can also be used for Charts and Dashboards.
The attached zip file contains Rules and Charts that can be used to build Hunting and Investigation Dashboards. Simply import the zip file into the Charts section of the Report Engine, enable each chart and make sure it is pointing at the right Data Source (your Concentrator or Broker), then create some dashboards. Here are three suggestions:
- An Investigation Dashboard that uses the Investigation Category and Investigation Context meta keys:
- A Hunting Analysis Dashboard that uses the File Analysis, Service Analysis and Session Analysis meta keys:
- A Hunting Compromise Dashboard that uses the Indicators of Compromise, Enablers of Compromise and Behaviors of Compromise meta keys: