Endpoint: Hosts View - Anomalies Tab

Document created by RSA Information Design and Development on Apr 11, 2019Last modified by RSA Information Design and Development on Sep 5, 2019
Version 5Show Document
  • View in full screen mode
 

Note: The information in this topic applies to RSA NetWitness Platform Version 11.3 and later.

The Anomalies panel provides a list of image hooks, suspicious threads, kernel hooks, and registry discrepancies running on the host. To access this tab, select a host from the Hosts view and click the Anomalies tab.

Workflow

Workflow for Hosts

What do you want to do?

                                                                         
User RoleI want to ...Show me how
Threat Hunterreview hosts with highest risk score*

Analyze Hosts Using the Risk Score

Threat Hunteranalyze hosts* Investigating Hosts
Threat Hunterperform adhoc scan*

Scan Hosts

Threat Hunterreview host details

Analyze Host Details

Threat Huntersearch on snapshot*

Search on Snapshots

Threat Hunteranalyze processes

Investigating a Process

Threat Hunterreview reported anomalies*

Analyze Anomalies

Threat Hunteranalyze risky users Analyzing Risky Users

Threat Hunter

analyze events*

Analyzing Events

Threat Hunterdownload files for deeper analysis*Analyzing Downloaded Files
Threat Hunterperform external lookups* Launch an External Lookup for a File
Threat Hunterchange file status or remediate* Changing File Status or Remediate

*You can perform this task in the current view.

Related Topics

Quick Look

Below is an example of the Anomalies tab:

Anomalies tab

                             
1

Agent and Scan Details. You can view the following agent and scan details of the selected host:

Host name - Name of the host. For example, WIN-ABC.

Risk score - Risk score of the host.

Operating System - Operating system on which the agent is running (Linux, Windows, or Mac).

Agent Scan Status - Current status of the scan - Idle, Scanning, Starting Scan, or Stopping Scan. For more information, see Scan Hosts.

Agent Last Seen - Time when the agent last communicated with the Endpoint server. indicates time when the roaming agent last communicated with the Endpoint server.

Agent Version - Version of the agent. For example, 11.3.0.0.

2

Actions in the toolbar:
Snapshot Time - Lists scanned time stamps. To view the scan history, you can select the snapshot time from the drop-down menu.
Start Scan - Starts a scan for the selected hosts. For more information, see Scan Hosts.
Export to JSON - Extracts host attributes and endpoint data to a JSON file of the selected snapshot. For more information, see Export Host Attributes.

Change File Status - Provides capabilities to manage suspect and legitimate files and block malicious or infected file to prevent future execution of the file on any host. For more information, see Changing File Status or Remediate.

Analyze Events - Lets you investigate a particular host, IP address, username, filename, or hash to get the entire context of the activity. For more information, see Analyzing Events.

More - Provides options to:

  • Perform external lookups.
  • Download files to server, save a local copy, and analyze files for deeper analysis.

Note: You can perform some of the above actions from the right-click context menu.


3Search on Snapshots. Lets you search on all snapshots (file name, file path, and SHA-256 checksum). For more information, see Search on Snapshots.
4

Details Panel - Displays the following tabs:

5Show/Hide Right Panel - Displays the following properties in the right panel:
  • File Details - Displays all properties of the selected process. It is grouped as follows:

    General - General information about the file, such as file name, entropy, size, and format.

    Signature - Provides signatory information.

    Hash - Hash type of the file (MD5, SHA1, and SHA256).

    Time - Time when the file was created, modified, or accessed.

    Location - Location of the file.

    Image Hooks/Kernel Hooks/Suspicious Threads/Registry Discrepancies - Details related to image hooks, kernel hooks, suspicious threads, or registry discrepancies.

  • Local Risk Details - Displays the alerts associated with the local risk score, such as Critical, High, Medium and All.
6Clicking a filename lets you navigate to the Files view for further analysis.

Image Hooks

Image hooks found in executable image are displayed in the following columns.

                                               
Columns Description
Type

Type of the hook . Possible values are - inline, iat, eat, or exception Handler.

Local Risk ScoreRisk score of suspicious or malicious activities performed by the file on a specific host.
Global Risk ScoreAggregated score of all suspicious and malicious activities performed by the file across all hosts.
ReputationReputation of a file hash. The statuses are - Malicious, Suspicious, Unknown, Known, Known Good, and Invalid.
SignatureProvides signatory information.
DownloadedIndicates the status of the downloaded file - Downloaded, Not Downloaded, and Error.
Hooked ProcessProcess in which hooks are placed.
Hooked FilenameName of the file that was modified by the hook.
Hooked SymbolSymbol in which the hook is performed.

Kernel Hooks

Hooks found on kernel objects are displayed in the following columns.

                                                
CategoryDescription
TypeType of kernel object which was modified. Possible values are: objectInitializer,basicObjectPointer, majorFunction, invalidObject, fastIO, notifyRoutine, attachedDevice, device, miniPort, sdt, sysEnter, or type.idt.
Driver nameName of the driver which placed the hooks.
Local Risk ScoreRisk score of suspicious or malicious activities performed by the file on a specific host.
Global Risk ScoreAggregated score of all suspicious and malicious activities performed by the file across all hosts.
ReputationReputation of a file hash. The statuses are - Malicious, Suspicious, Unknown, Known, Known Good, and Invalid.
SignatureProvides signatory information.
DownloadedIndicates the status of the downloaded file - Downloaded, Not Downloaded, and Error.
Object FunctionName of the object function hooked into.
Hooked File NameName of the file that was modified by the hook.

Suspicious Threads

Threads whose service table was hooked are displayed in the following columns.

                                                    
CategoryDescription
Start AddressStart Address - Start address of the thread.
DLL NameName of the DLL.
Local Risk ScoreRisk score of suspicious or malicious activities performed by the file on a specific host.
Global Risk ScoreAggregated score of all suspicious and malicious activities performed by the file across all hosts.
ReputationReputation of a file hash. The statuses are - Malicious, Suspicious, Unknown, Known, Known Good, and Invalid.
ProcessFile name and PID of the process in which thread is running.
DownloadedIndicates the status of the downloaded file - Downloaded, Not Downloaded, and Error.
SignatureProvides signatory information.
Thread IDID of the running thread.
Thread Environment BlockAddress of the thread environment block.

Registry Discrepancies

Configuration settings and options on Microsoft Windows operating systems that are stored are displayed in the following columns.

                                        
CategoryDescription
HiveName of the registry hive when possible, otherwise it displays the hive ID. Possible values are: hkeyClassesRoot, hkeyCurrentUser, hkeyLocalMachine, hkeyUsers, or hkeyPerformanceData.
ReasonType of registry discrepancy. Possible values are: notFound, embeddedNull, accessDenied, parentIsHidden, or dataMismatch.
Registry PathRegistry path that is affected. The value is separated by a @ character.
Raw TypeValue type found in the low-level parsing.
Raw Data

Value data extracted from the low-level parsing.

API TypeValue type from the Win32 registry API.
API Data Value data from the Win32 registry API.

You are here
Table of Contents > NetWitness Endpoint Reference Materials > Hosts View - Anomalies Tab

Attachments

    Outcomes