Endpoint: Hosts View - Details Tab

Document created by RSA Information Design and Development on Apr 11, 2019. Last modified by RSA Information Design and Development on Jul 19, 2019.
Version 4

Note: The information in this topic applies to RSA NetWitness® Platform Version 11.1 and later.

The Details tab provides details of the selected host. To access this view, go to INVESTIGATE > Hosts, and select a host from the Hosts view.

Workflow

Workflow for Hosts details view

What do you want to do?

                                                                         
| User Role | I want to ... | Show me how |
|---|---|---|
| Threat Hunter | review hosts with highest risk score* | Analyze Hosts Using the Risk Score |
| Threat Hunter | analyze hosts* | Investigating Hosts |
| Threat Hunter | perform ad hoc scan* | Scan Hosts |
| Threat Hunter | review host details* | Analyze Host Details |
| Threat Hunter | search on snapshot* | Search on Snapshots |
| Threat Hunter | analyze processes* | Investigating a Process |
| Threat Hunter | review reported anomalies | Analyze Anomalies |
| Threat Hunter | analyze risky users* | Analyzing Risky Users |
| Threat Hunter | analyze events* | Analyzing Events |
| Threat Hunter | download files for deeper analysis | Analyzing Downloaded Files |
| Threat Hunter | perform external lookups | Launch an External Lookup for a File |
| Threat Hunter | change file status or remediate | Changing File Status or Remediate |

*You can perform this task in the current view.

Quick Look

Below is an example of the Details tab:

                                     
1. Agent and Scan Details. You can view the following agent and scan details of the selected host:

  • Host name - Name of the host. For example, WIN-ABC.
  • Risk score - Risk score of the host.
  • Operating System - Operating system on which the agent is running (Linux, Windows, or Mac).
  • Agent Scan Status - Current status of the scan: Idle, Scanning, Starting Scan, or Stopping Scan. For more information, see Scan Hosts.
  • Agent Last Seen - Time when the agent last communicated with the Endpoint server. indicates time when the roaming agent last communicated with the Endpoint server.
  • Agent Version - Version of the agent. For example, 11.3.0.0.

2. Actions in the toolbar:

  • Snapshot Time - Lists scanned time stamps. To view the scan history, select a snapshot time from the drop-down menu.
  • Start Scan - Starts a scan for the selected hosts. For more information, see Scan Hosts.
  • Export to JSON - Extracts host attributes and endpoint data of the selected snapshot to a JSON file. For more information, see Export Host Attributes.

3. Search on Snapshots - Lets you search on all snapshots (file name, file path, and SHA-256 checksum). For more information, see Search on Snapshots.

4. Show/Hide Right Panel - Displays the host and policy details panel.
5. Host Details Panel - Displays all properties of the selected host, grouped as follows:

  • Groups - Groups to which the host is added.
  • User - Information related to the user.
  • Network Interfaces - Network adapter information, such as MAC address and gateway.
  • Operating System - Operating system version and build information.
  • Agent - Agent-related information, such as agent ID, driver error code, install time, and agent mode.
  • Hardware - Information related to the architecture.
  • Locale - Time zone and language that is local to the host.

6. Policy Details Panel - Displays the following:

  • EDR Policy Name that is associated with the highest ranked group.
  • Windows Log Policy Name.
  • Policy Status -
    • Updated - Host has the latest policy.
    • Pending - Policy is resolved but the latest policy is not updated on the host. When the host communicates with the Endpoint server next time, the latest policy is applied if there are no errors.
    • Unavailable - The host belongs to a previous version, such as NetWitness Platform 11.1 or 11.2, or the source server is not installed.
    • Error - There was a problem applying the latest policy. The error description is displayed.
  • Evaluated Time - Time when the Endpoint server evaluated the policy.
  • Relay Server. Displays the Relay Server details.
    • Server - Host name or IP address of the Relay Server.
    • Port - Port number.
    • HTTP Beacon Interval - HTTP beacon interval value in minutes.
  • Complete resolved policy settings. For more information, see the NetWitness Endpoint Configuration Guide.

7. Alerts Severity - Displays a list of distinct alerts, such as Critical, High, Medium, and All, along with the total number of events associated with each alert.

8. Displays the events for an alert and the metadata associated with a specific event.
