Endpoint: Analyzing Events

Document created by RSA Information Design and Development on Apr 11, 2019. Last modified by RSA Information Design and Development on Sep 5, 2019.

If you need to investigate a particular host, IP address, username, filename, or hash to look for related activity across a time range, you can pivot to Navigate view to get the entire context of the activity. By default, the time range is set to 7 days. You can change the time range.

Note: By default, the system detects the best data source to pivot to Navigate view. To change the data source, modify the investigate service ID under endpoint or investigate in the Explore view.

Analyze Events from Files View

To investigate a particular filename or hash (SHA256 or MD5):

  1. Go to INVESTIGATE > Files.
  2. Select the file you want to analyze and do one of the following:

    • Right-click and select Analyze Events from the context menu.
    • Click Analyze Events in the toolbar.

    (Figure: Pivot to Navigate and Event Analysis views)

    This opens the Navigate view with data related to the file. For more information on analyzing events in the Navigate and Event Analysis views, see the NetWitness Investigate User Guide.

Note: If the values are not indexed, the results take time to load. For more information, see Troubleshooting NetWitness Endpoint.

Analyze Events from Hosts View

To investigate a particular host, IP address (IPv4), or username:

  1. Go to INVESTIGATE > Hosts.
  2. Do one of the following:
    • Select a file and click Analyze Events in the toolbar.

    • Right-click a file, select Analyze Events, and then select the specific event type (such as network events or file events) that you want to view.
      The following figure is an example of the Autoruns tab.

      (Figure: Pivot to Navigate and Event Analysis views)

      This opens the Navigate view with data related to the file.

For more information on analyzing events in the Navigate and Event Analysis views, see the NetWitness Investigate User Guide.

Text Analysis for an Endpoint Event

You can view all Endpoint events in their original text format in the Event Analysis view Event List panel. When you click an event in the Event list panel, the adjacent panel shows the Text Analysis. Pagination controls add flexibility when paging through the reconstructed text of an event. The Text Analysis displays the following:

  • Event Header, which provides summary information about the event.
  • Options for exporting the event in log, CSV, XML, and JSON formats.
  • Option to pivot to the Endpoint Thick Client to analyze the meta value.
  • Option to analyze process details associated with the event.
  • Option to view the host details for further analysis.

Below is an example of a Process event for Endpoint. The text in the Text Analysis panel explains that a source process, WmiPrvSE.exe, opened a browser process named chrome.exe. If an event contains a meta value that exceeds 255 characters, the value is displayed in the Large Meta Values panel.

(Figure: An endpoint Process event in the Text Analysis view)

Below is an example of a Network event:

(Figure: An endpoint Network event in the Text Analysis view)

For more information on Event Analysis, see the NetWitness Investigate User Guide.
