If you need to investigate a particular host, IP address, username, filename, or hash and look for related activity across a time range, you can pivot to the Navigate view to get the full context of that activity. By default, the time range is set to 7 days; you can change it.
Analyze Events from Files View
To investigate a particular filename or hash (SHA256 and MD5):
- Go to INVESTIGATE > Files.
- Select the file you want to analyze and do one of the following:
  - Right-click and select Analyze Events from the context menu.
  - Click Analyze Events in the toolbar.
This opens the Navigate view with data related to the file. For more information on analyzing events in the Navigate and Event Analysis views, see the NetWitness Investigate User Guide.
Analyze Events from Hosts View
To investigate a particular host, IP address (IPV4), or username:
- Go to INVESTIGATE > Hosts.
- Do one of the following:
  - Select a file and click Analyze Events in the toolbar.
  - Right-click a file, select Analyze Events, and select the specific event type (such as network events or file events) that you want to view.
The following figure is an example of the Autoruns tab.
This opens the Navigate view with data related to the file.
For more information on analyzing events in the Navigate and Event Analysis views, see the NetWitness Investigate User Guide.
Text Analysis for an Endpoint Event
You can view all Endpoint events in their original text format in the Event List panel of the Event Analysis view. When you click an event in the Event List panel, the adjacent panel shows the Text Analysis. Pagination controls let you page through the reconstructed text of an event. The Text Analysis displays the following:
- Event Header, which provides summary information about the event.
- Options for exporting the event in log, CSV, XML, and JSON formats.
- Option to pivot to the Endpoint Thick Client to analyze the meta value.
- Option to analyze process details associated with the event.
- Option to view the host details for further analysis.
Below is an example of the Process event for Endpoint. The text in the Text Analysis panel explains that a source process WmiPrvSE.exe opened a browser process named chrome.exe. In the events, if there is a meta value that exceeds 255 characters, the value is displayed in the Large Meta Values panel.
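The following script is an added example and is not part of the NetWitness documentation or product code. It shows how an analyst might triage exported process events offline: it applies the 255-character rule described above (values longer than that are shown separately, as in the Large Meta Values panel), collects the host, user, and process names to carry into a Navigate pivot, and flags a process event whose parent is a process such as WmiPrvSE.exe launching a browser, which is the kind of lineage worth reviewing. The event records, field names, and the list of unexpected parent processes are constructed for this example and do not represent NetWitness's actual export schema.

```python
"""Constructed example: triage exported endpoint process events.

The records below are constructed to mirror the fields the Text Analysis
panel describes (source process, target process, host, user, meta values).
They are NOT NetWitness's real export format; the field names are assumptions.
"""
import json

# The page states that meta values over 255 characters are shown in the
# Large Meta Values panel; this example applies the same threshold.
LARGE_META_THRESHOLD = 255

# Hypothetical lists for the example: parent processes that would not normally
# launch an interactive browser, and the browsers to match against.
UNEXPECTED_PARENTS = {"wmiprvse.exe", "winword.exe", "mshta.exe"}
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}

# Constructed sample export (not real data): one suspicious process event with an
# oversized command line, one benign process event, and one network event.
CONSTRUCTED_EXPORT = json.dumps([
    {
        "event_type": "Process",
        "host": "WKSTN-01",
        "user": "jdoe",
        "source_process": "WmiPrvSE.exe",
        "target_process": "chrome.exe",
        "command_line": "chrome.exe --arg=" + "A" * 300,
    },
    {
        "event_type": "Process",
        "host": "WKSTN-02",
        "user": "asmith",
        "source_process": "explorer.exe",
        "target_process": "chrome.exe",
        "command_line": "chrome.exe https://example.com",
    },
    {
        "event_type": "Network",
        "host": "WKSTN-02",
        "user": "asmith",
        "source_process": "chrome.exe",
        "dest_ip": "203.0.113.10",
        "dest_port": 443,
    },
])


def split_meta(event):
    """Return (regular, large): string values over the threshold go to 'large'."""
    regular, large = {}, {}
    for key, value in event.items():
        if isinstance(value, str) and len(value) > LARGE_META_THRESHOLD:
            large[key] = value
        else:
            regular[key] = value
    return regular, large


def unexpected_parent(event):
    """True for a Process event where an unexpected parent launched a browser."""
    if event.get("event_type") != "Process":
        return False
    parent = event.get("source_process", "").lower()
    child = event.get("target_process", "").lower()
    return parent in UNEXPECTED_PARENTS and child in BROWSERS


def pivot_keys(event):
    """Host, user, and process names an analyst would carry into Navigate."""
    keys = {"host": event.get("host"), "user": event.get("user")}
    for field in ("source_process", "target_process"):
        if field in event:
            keys[field] = event[field]
    return keys


def triage(export_json):
    """Parse an exported event list and return one finding per event."""
    findings = []
    for event in json.loads(export_json):
        _regular, large = split_meta(event)
        findings.append({
            "event_type": event.get("event_type"),
            "flagged": unexpected_parent(event),
            "pivot": pivot_keys(event),
            "large_meta_fields": sorted(large),
        })
    return findings


if __name__ == "__main__":
    for finding in triage(CONSTRUCTED_EXPORT):
        print(json.dumps(finding))
```

Running the block prints one JSON line per event; the first record is flagged because WmiPrvSE.exe launched chrome.exe, and its `command_line` is listed under `large_meta_fields` because it exceeds 255 characters.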
Below is an example of the Network event:
For more information on Event Analysis, see the NetWitness Investigate User Guide.