NetWitness Investigate Quick Start Guide for RSA NetWitness® Platform 11.x

Document created by RSA Information Design and Development on Apr 11, 2019. Last modified by Susan Ewald on Apr 17, 2019. Version 8.

What Is NetWitness® Investigate?

NetWitness Platform audits and monitors all traffic on a network. One type of service, a Decoder, ingests, parses, and stores the packets, logs, and endpoint data traversing the network. The parsers and feeds configured on the Decoder create metadata that analysts can use to investigate the ingested logs and packets. Another type of service, a Concentrator, indexes and stores that metadata. NetWitness Investigate provides the data analysis capabilities in RSA NetWitness® Platform, so that analysts can analyze packet, log, and endpoint data and identify possible internal or external threats to security and the IP infrastructure.

About This Guide

This guide provides end-to-end guidelines for all members of the SOC team to configure NetWitness Investigate and to investigate log and network events. End-to-end guidelines for investigating endpoints and user entity behavior using NetWitness Investigate are provided in separate documents, the NetWitness Endpoint and NetWitness UEBA guides referenced in the tables below.

RSA NetWitness Platform 11.3 Documentation in RSA Link

NetWitness Platform product documentation is organized along functional lines. If you are looking for a specific guide or version, go to the Version 11.x Master Table of Contents.


Getting Started

The following tasks can be performed in any sequence and are for the entire SOC team.

Roles: SOC Manager, Incident Responder, Threat Hunter, System Administrator, Content Expert (Threat Intelligence)

Description: View information about product updates, improvements, and known issues.
Reference: Release Notes for RSA NetWitness Platform 11.3

Description: Understand how NetWitness Investigate works.
Reference: "How NetWitness Investigate Works" in the NetWitness Investigate User Guide

Setup, Installation, or Upgrade

No special setup, installation, or upgrade tasks are required for Investigate itself; it is part of NetWitness Platform for Logs and Network. However, several components that NetWitness Investigate works with do require setup if you plan to do that type of analysis. These tasks are for the System Administrator; the SOC Manager may want to understand the setup.

Roles: SOC Manager, System Administrator

Description: Install and set up Malware Analysis (standalone or service).
Reference: Malware Analysis Configuration Guide

Description: Install and set up NetWitness Endpoint (standalone or service).
Reference: NetWitness Endpoint Quick Start Guide

Description: Install and set up NetWitness UEBA (standalone or service).
Reference: NetWitness UEBA Quick Start Guide

System-Level Configuration

Administrators configure system-level preferences for NetWitness Investigate. The following tasks are for the System Administrator and can be performed in any sequence. SOC Managers should understand the possible configuration options.

Roles: SOC Manager, System Administrator

Description: Configure role-based access control (RBAC) for analysts who will be using Investigate. These components have permissions related to Investigate: investigate (Navigate view and Events view), investigate-server (Event Analysis view), Malware (Malware Analysis view), Endpoint-broker-server, and Endpoint-server.
Reference: "Role Permissions" in the System Security and User Management Guide

Description: Configure Investigate to limit the content available to different user roles (preQueries).
Reference: "Verify Query and Session Attributes per Role" in the System Security and User Management Guide

Description: Configure default settings and limits for NetWitness Investigate at the system level.
Reference: "Configure Investigation Settings" in the System Configuration Guide

User Preference Configuration

The following tasks are for Threat Hunters, Content Experts, Incident Responders, and SOC Managers. The tasks can be performed in any sequence.

Roles: SOC Manager, Incident Responder, Threat Hunter, Content Expert (Threat Intelligence)

Description: Configure Navigate view and Events view preferences.
Reference: "Configure the Navigate and Events View" in the NetWitness Investigate User Guide

Description: Configure Event Analysis view preferences.
Reference: "Configure the Event Analysis View" in the NetWitness Investigate User Guide

Description: Configure Malware Analysis view preferences.
Reference: "Configure Malware Analysis" in the Malware Analysis User Guide

Investigation

Different types of investigation may be handled by analysts with different skill levels and goals.

  • Incident Responders (T1 Analysts) typically pivot to Investigate from NetWitness Respond to find detailed information about an incident so that they can respond to and remediate incidents.
  • Threat Hunters (T2/T3 Analysts) typically peruse events, metadata, and raw content so that they can recommend issues for remediation and remediate issues.
  • Content Experts (Threat Intelligence) typically peruse events, metadata, raw content, user and host data, and UEBA data so that they can investigate new threat intelligence, evaluate and create new feeds, and create correlation rules to flag indicators of compromise.
  • SOC Managers need to understand the use cases.

Roles: SOC Manager, Incident Responder, Threat Hunter, Content Expert (Threat Intelligence)

Description: Learn about practical use cases.
Reference: "Sample Use Cases for NetWitness Investigate" in the NetWitness Investigate User Guide

Description: Investigate metadata and raw events in logs and network traffic.
Reference: "Beginning an Investigation" in the NetWitness Investigate User Guide

Description: Investigate possible malware.
Reference: Malware Analysis User Guide

Description: Investigate endpoints.
Reference: NetWitness Endpoint User Guide

Description: Perform user and entity behavior analysis.
Reference: NetWitness UEBA User Guide

Maintenance

The administrator can perform the following tasks in any sequence.

Roles: System Administrator, Content Expert (Threat Intelligence)

Description: Maintain the list of queries and analyze the query patterns of other users of the NetWitness Platform system.
Reference: "Maintaining Queries Using URL Integration" in the System Maintenance Guide

Description: Fine-tune system-level configuration settings to improve performance or limit access to data.
References: "Verify Query and Session Attributes per Role" in the System Security and User Management Guide; "Configure Investigation Settings" in the System Configuration Guide
