Endpoint: Files View

Document created by RSA Information Design and Development on Apr 11, 2019
Version 1

Note: The information in this topic applies to RSA NetWitness® Platform Version 11.1 and later.

The Files view provides a holistic view of all files in your deployment. To access this view, go to INVESTIGATE > Files. By default, the Files view displays 100 files. To display more files, click Load More at the bottom of the page.

You can either view files specific to an Endpoint server or view all files from multiple Endpoint servers by selecting the Endpoint Broker.

Workflow

Workflow for files

What do you want to do?

                                                
| User Role | I want to ... | Show me how |
|---|---|---|
| Threat Hunter | whitelist files and certificates signed by known good vendors* | Analyze Certificates |
| Threat Hunter | create filter to identify files for investigation* | Filter Files |
| Threat Hunter | analyze files* | Investigating Files |
| Threat Hunter | analyze events* | Analyzing Events |
| Threat Hunter | download files for deeper analysis* | Analyzing Downloaded Files |
| Threat Hunter | perform external lookups* | Launch an External Lookup for a File |
| Threat Hunter | change file status or remediate* | Changing File Status or Remediate |

*You can perform this task in the current view

Quick Look

Below is an example of the Files view:

Files view

                             
1. Filter Files. You can filter files by selecting options in the Filters panel and by creating filters. For more information, see Filter Files.

2. Actions in the toolbar:

   Server drop-down list - Lets you select the Endpoint server or Endpoint Broker server to view the hosts.

   View Certificates - Provides a list of code-signing certificates reported by hosts found in your deployment and their associated properties. For more information, see Analyze Certificates.

   Change File Status - Lets you manage suspect and legitimate files, and block malicious or infected files to prevent future execution of the file on any host. For more information, see Changing File Status or Remediate.

   Analyze Events - Lets you investigate a particular host, IP address, username, filename, or hash to get the entire context of the activity. For more information, see Analyzing Events.

   More - Provides options to:

     • Perform external lookups.
     • Download files to server, save a local copy, and analyze files for deeper analysis.
     • Reset risk score.

   Note: You can perform the above actions from the right-click context menu.

3. Sort Columns. Lets you sort on column titles.

4. Settings Menu. You can set Files view preferences by selecting columns from the Settings menu. For more information, see Set Files Preference.

5. Show/Hide File Properties Panel. Click a row to show or hide the File Properties panel. It displays the following tabs:

   File details - Displays the file information.

   Risk details - Displays the distinct alerts associated with the risk score.

   Hosts - Displays the hosts on which file activities are present. For more information, see Analyze Hosts with File Activity.

6. Export to CSV - Extracts global files to a CSV file. For more information, see Export Global Files.
