Visual Process Analysis With RSA NetWitness Endpoint

Blog Post created by Sean Ennis Employee on Jul 9, 2019

Starting in version 11.3, the RSA NetWitness Platform introduced the ability to analyze endpoint data captured by the RSA NetWitness Endpoint Agent (both the free "Insights" version and the full version). For more information on what RSA NetWitness Endpoint is all about, please start with the RSA NetWitness Endpoint Quick Start Guide for 11.3.

One of the helpful new features of the endpoint agent is that it not only focuses the analyst on the "Hosts" context of their environment, but also gives full visibility into process behaviors and relationships whenever the RSA NetWitness Platform has detected suspicious behavior, or when investigating alerts raised by other sources.

The various pivot points bring an analyst into Process Analysis in the context of a specific process, including its parent and child process(es), scoped to the current analysis timeline, which can be adjusted if needed.

Example Process Analysis view, drilling into all related events recorded by the NW Endpoint Agent

Example Process Analysis view, focused on process properties (powershell.exe) collected by the NW Endpoint Agent

The feature is simple to use wherever RSA NetWitness Endpoint agent data exists, and it is accessible from a number of locations in the UI, depending on where the analyst is in their workflow:

Investigate > Hosts > Details (if endpoint alerts exist):

Investigate > Hosts > Processes (regardless of alert/risk score):

Investigate > Event Analysis:

Respond > Incident > Event List (card must be expanded):

Respond > Incident > Embedded Event Analysis (reconstruction view):

Happy Hunting!