
Endpoint: Focus on Endpoint Analysis

Document created by RSA Information Design and Development Employee on Apr 11, 2019. Last modified by RSA Information Design and Development Employee on Nov 11, 2020.
Version 26

This guide provides the information needed to conduct an investigation that is focused on endpoint data from configured hosts. Analysts who work in Investigate need the appropriate system roles and permissions assigned to their user accounts. An administrator must configure these roles and permissions as described in Roles and Permissions for Endpoint Analysts. For more information on roles and permissions, see the System Security and User Management Guide.

To hunt for information on hosts that have the agent running, begin the investigation in the Hosts view (Hosts). For every host, you can see the running processes, drivers, DLLs, files (executables), services, anomalies, and autoruns, as well as information about logged-in users. (See Investigating Hosts.)

You can begin the investigation on files in your deployment in the Files view (Files). (See Investigating Files.)

Note: To access the Hosts and Files views, you must have the endpoint-server.filter.manage permission.

Analysts use the Hosts and Files views to investigate or perform analysis on hosts or files using attributes such as IP address, host name, MAC address, risk score, and so on. The following figure shows the high-level capabilities of an endpoint investigation. The top box shows all the possible starting points, and the lower box shows the tasks that you can accomplish from those starting points.

Workflow of an Endpoint Investigation
