Endpoint: Investigating Files

Document created by RSA Information Design and Development on Apr 11, 2019. Last modified by RSA Information Design and Development on Apr 26, 2019. Version 2.

Note: The information in this topic applies to RSA NetWitness® Platform Version 11.3 and later.

The Files view provides a holistic view of all files in your deployment. You can apply various filters, sort, and categorize files into different statuses to reduce the number of files to analyze and to identify suspicious or malicious files.

Best Practices

The following are some best practices and tips that may help you investigate efficiently to identify and isolate threats or attacks:

Workflow for files

  • Whitelist all files signed by RSA, Microsoft, and any other known good vendors. Use the filters to list the files and change the status of all these files to whitelist. For more information, see Filter Files and Changing File Status or Remediate.

    Note: Some Microsoft signed files are restricted from whitelisting as there is a potential risk of them being used for malicious purposes. To view the list, see Files Restricted from Whitelisting.

  • Change the status of a certificate and, automatically, of all files signed by it. For more information, see Analyze Certificates.
  • Filter to exclude whitelisted files, files with a valid signature, and files known to be good based on their reputation status. For more information, see Filter Files.
  • Look up the filename or hash on Google or VirusTotal to get more information about a suspected file. For more information, see Launch an External Lookup for a File.
  • Analyze the files using one or more of these indicators:

    1. Risk score - Displays the risk score for a file. Analysts can view the associated alerts and events for further investigation. For more information, see Analyze Files Using the Risk Score.
    2. Active on - Indicates the number of hosts on which this file is active in the past seven days. This helps an analyst to determine whether the file is of interest or not. If a file is present on fewer hosts with a high risk score, it may require further investigation. For more information, see Analyze Hosts with File Activity.

    3. File status - Analysts can use the file status to manage suspected and legitimate files. For more information on the various file statuses, see Changing File Status or Remediate.
    4. Reputation status - Indicates the reputation of a file hash, which helps analysts narrow down the files to investigate. For more information, see File Reputation.
    5. Signature - A valid signature on a file signed by a trusted vendor, such as Microsoft or Apple, indicates that the file is not a risk. If a file is unsigned, it may be malicious and needs investigation.
    6. File name - Many trojans write random file names when dropping their payloads to prevent an easy search across the hosts in the network based on the filename. For example, if a file is named svch0st.exe, scvhost.exe, or svchosts.exe, it indicates that the legitimate Windows file named svchost.exe is being mimicked.
  • Investigate a particular file name or hash by pivoting to Navigate or Event Analysis view to view context, file activity on different hosts, and any file transfers across the network through packet data. For more information, see Analyzing Events.
  • Download suspicious files to the server for deeper analysis. For more information, see Analyzing Downloaded Files.
  • Change the status of the file (blacklist or graylist), and block an infected or malicious file. For more information, see Changing File Status or Remediate.
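The following is an added example (not RSA code) that applies the workflow above to constructed file records: known-good files are dropped first, then unsigned files, lookalike names such as svch0st.exe, and high risk scores on few hosts are flagged. Field names, the trusted-vendor list and the risk threshold are assumptions.

```python
"""Triage helper mirroring the Files-view workflow (example, not RSA code)."""
from typing import Optional

# Constructed vendor list; in practice take it from your certificate whitelist.
TRUSTED_VENDORS = {"Microsoft Corporation", "RSA", "Apple Inc."}

# Constructed sample of Windows binaries that malware commonly mimics by name.
LEGIT_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}

# Digit-for-letter substitutions typically seen in lookalike file names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small distance indicates a lookalike name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def mimicked_name(name: str) -> Optional[str]:
    """Return the legitimate name this file name mimics, or None.
    An exact match is the real file, not mimicry; only near-misses count."""
    if name.lower() in LEGIT_NAMES:
        return None
    normalized = name.lower().translate(HOMOGLYPHS)
    for legit in LEGIT_NAMES:
        if edit_distance(normalized, legit) <= 2:
            return legit
    return None


def triage(f: dict) -> tuple:
    """Apply the workflow: drop known-good files, then collect indicators."""
    if f["status"] == "whitelist" or f["reputation"] == "Known Good":
        return False, []
    if f["signature_valid"] and f["signer"] in TRUSTED_VENDORS:
        return False, []
    reasons = []
    if not f["signature_valid"]:
        reasons.append("unsigned or invalid signature")
    mimic = mimicked_name(f["name"])
    if mimic:
        reasons.append("name mimics " + mimic)
    if f["risk_score"] >= 70 and f["active_on"] <= 3:  # assumed thresholds
        reasons.append("high risk score on few hosts")
    return bool(reasons), reasons
```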

View Files

You can view all files present on a specific Endpoint server, or a consolidated list of all files on multiple Endpoint servers using the Endpoint Broker, for analysis. To view files:

  1. Go to INVESTIGATE > Files.

  2. Select one of the following:

    Selecting a server

    • Endpoint Broker Server to view all files across all Endpoint servers.
    • Endpoint Server to view files on a specific Endpoint server.

  3. Select the file that you want to analyze.
  4. Click a row to view the following details:

    View file details

Filter Files

You can narrow down the search by filtering files on file name, file status, risk score, remediation, reputation status, operating system, size, entropy, format, signature, company name, checksum (MD5 and SHA256), and downloaded status.

Note: While filtering on a large data set, use at least one indexed field with the Equals operator for better performance. The following fields are indexed in the database: Filename, MD5, SHA256, Operating System, First Seen Time, Format, Risk Score, File Status, and Reputation Status.

Filter files

Select the parameters in the Filters tab. Click Save to save the search and provide a name (up to 250 alphanumeric characters). The filter is added to the Saved Filters list. To delete a filter, hover over the name and click Delete.

Note: Special characters are not allowed in the filter name except underscore ( _ ) and hyphen (-) while saving the filter.

For example, to filter the files based on file reputation, select the reputation status in the Filter panel.

Note: For the file size, 1 KB is calculated as 1024 bytes. For example, if the actual size of the file is 8421 bytes, the UI displays it as 8.2 KB instead of 8.22 KB. It is recommended to search by size in bytes when using the Equals operator.

Add and Sort Columns in the Table

By default, the Files view displays a few columns, and files are sorted based on the risk score. To add or remove columns:

  1. Go to INVESTIGATE > Files.

  2. Select the columns by clicking Settings in the right-hand corner.
    Select Columns for Files

  3. Scroll down or enter the keyword to search and select the required columns.

  4. To sort the column in ascending or descending order, click the arrow on the column header.

Analyze Files Using the Risk Score

To analyze files using the risk score:

  1. Go to INVESTIGATE > Files.

    The Files view is displayed.

  2. In the Server drop-down list, select the Endpoint server or Endpoint Broker server to view the files.

  3. Select the file and do any of the following.
    • Click a row to view the risk associated with the file in the Risk Details panel.

    • Click the hostname to investigate the host.

      The Details tab is displayed.

  4. In the Alert Severity panel, click the alert severity, such as Critical, High, Medium, or All.
    The list of distinct alerts is displayed along with the total number of events associated with the alert.

  5. Click an alert to view the associated events.

    Note: Only the latest 1000 events are displayed.

  6. To view all the metadata associated with a specific event, click the event header. The information such as source path, target path, filename, and others is displayed.

    View metadata

  7. Hover over one of the meta values for IP, Hostname, Mac, File name, File hash, User, and Domain to view additional information about the specific metadata. A hover box displays a list of the data sources that have context data available for the meta value. These are the possible data sources: NetWitness Endpoint, Incidents, Alerts, Hosts, Files, Feeds, and Live Connect.

    View information about specific metadata

  8. To investigate the original event and destination domain of the event, do any of the following:

    Investigate the event

    • To reconstruct an event in a readable form that matches the original, click the Investigate Original Event link highlighted in blue. For more information on event reconstruction, see the NetWitness Investigate User Guide.

    • For details about the elements associated with an event, click the Investigate Destination Domain link highlighted in blue. For more information on Contextual Information for an Event, see the NetWitness Investigate User Guide.

      Note: The Investigate Destination Domain link is not displayed if the event has no domain.dst meta.

    • To view a list of processes captured on the hosts and investigate a particular process, click the Analyze Process link highlighted in blue. For more information on process analysis, see Investigating a Process.

      Note: The Analyze Process link is not displayed if there is no createprocess event.

Analyze Hosts with File Activity

To view the list of hosts on which the file activities are present, do the following:

Note: By default, the system detects the best data source for the active on aggregation. To change the data source, modify the investigate service ID under endpoint/investigate in the Explore view.

  1. Click the number in the Active on column for the file you want to analyze.

  2. In the right panel, click the Hosts tab. The list of hosts is displayed.

    Active on

  3. Click the host name to open the host details.

  4. Click to analyze events on the host in the Event Analysis view. For more information, see Analyzing Events.

Launch an External Lookup for a File

While analyzing a file, you can search Google or VirusTotal with the filename or hash to get more information about the file. To launch the search:

  1. Go to INVESTIGATE > Files.

  2. View the details of the file name and hash from the table MD5, SHA1, and SHA256 columns, or view the details in the File Details tab on the right panel.
  3. Select one or more files, then right-click or open the More drop-down list in the toolbar, and do one of the following:

    External lookup

    1. Select Google Lookup and perform a search on the filename, MD5, SHA1, or SHA256.
    2. Select VirusTotal Lookup and perform a search on MD5, SHA1, or SHA256.

    Note: To open the lookups in multiple tabs, make sure you allow pop-ups in the browser.

Set Files Preference

By default, the Files view displays a few columns and the files are sorted based on the risk score. If you want to view specific columns and sort data on a specific field:

  1. Go to INVESTIGATE > Files.
  2. Select the columns by clicking Settings in the right-hand corner. The following example shows the drop-down list displayed while adding columns:
    Select Columns for Files
  3. Sort the data on the required column.

Note: The selections you make here become your default view every time you log in to the Files view.

Export Global Files

To extract the list of global files to a comma-separated values (csv) file:

Note: While filtering on a large data set, use at least one indexed field with the Equals operator for better performance. You can export up to 100k files at a time.

  1. Go to INVESTIGATE > Files.

  2. Filter the files by selecting the required filter option.

  3. Add columns by clicking Settings in the right-hand corner.

  4. Click Export to CSV to export the files to a csv file.

    Export to CSV

You can either save or open the CSV file.

Note: This exports all columns in the table except Active on.

Analyze Certificates

Note: The information in this topic applies to RSA NetWitness® Platform Version 11.3 and later.

The Certificates view provides a list of code-signing certificates reported by hosts found in your deployment and their associated properties. You can select the certificates under a specific Endpoint server.

To view the certificates in an Endpoint server:

  1. Go to INVESTIGATE > Files.

  2. From the drop-down menu, select the Endpoint server to view certificates present on that server. To view a consolidated list of certificates, select the Endpoint Broker server.

  3. Select a file and do one of the following:

    View certificates

    • Right-click and select View Certificates from the context menu.

    • Click View Certificates in the toolbar.

Change the Certificate Status

You can assign a Whitelist status to a certificate issued to a trusted vendor, and this status is then automatically applied to all files that are signed by this certificate. For example, if you consider abc a trusted vendor, you can set the status of the certificates of abc to Whitelist.

Similarly, you can also set the certificate status as Blacklist or Neutral. If a company's certificate is stolen or compromised, you can blacklist this certificate and remediate.

To change the certificate status:

  1. Select a certificate, and click Change Certificate Status.

    Change Certificate Status

  2. In the Change Certificate Status dialog, select a status - Blacklist, Whitelist, or Neutral.

    Note: If you have manually updated a file status in the Files or Hosts view, changing the status in the Certificate view does not impact the file status as the manual update takes precedence. For example, if you have whitelisted the file vmci.sys that is signed by VMware, Inc. in the Files or Hosts view, and you have blacklisted VMware, Inc. in the Certificate view, the file vmci.sys remains Whitelisted though the certificate is blacklisted.

  3. Add a comment and click Save.

  4. Click < Files to go to the Files view.

Note: In a multi-server environment, changing the status of a certificate in one endpoint server updates the respective files in other endpoint servers. For example, if a certificate status is set to Blacklist on one endpoint server, all files signed by this certificate are set to Blacklisted on all endpoint servers.

Filter Certificates

You can filter certificates on status, signature, friendly name, and thumb print.

Filter Certificates

Click Save to save the filter and provide a name (up to 250 alphanumeric characters). The filter is added to the Saved Filters list. To delete a filter, hover over the name, and click Delete.

Note: Special characters are not allowed except underscore (_) and hyphen (-) while saving the filter.

Resetting Risk Score of Files

You can reset the risk score for a file in these situations:

  • If the alerts or events triggered by the host or a file are considered to be false positives, you can make the required changes to the Endpoint Application rules or ESA rules.
  • After you take required action on a malicious file.

When you reset the risk score, the risk calculation for the file is deleted and score is set to 0. The risk score on all the hosts on which this file exists is recalculated. You can reset the risk score for a single file or multiple files.

To reset the risk score of a file:

  1. Go to INVESTIGATE > Files.

  2. Select the Endpoint Server or Endpoint Broker.

  3. Select one or more files and do one of the following:

    Reset risk score

    • Right-click and select Reset Risk Score from the context menu.
    • Click More Actions > Reset Risk Score in the toolbar.

    All the alerts associated with the score are deleted.

    Note: You can select a maximum of 100 files to reset the score.

  4. Refresh the page to view and confirm that the file's score is reset. It may take some time for the changes to take effect.
