Endpoint: Hosts View - Downloads Tab

Document created by RSA Information Design and Development on Jan 31, 2020. Last modified by RSA Information Design and Development on Feb 17, 2020. Version 14.
Note: The information in this topic applies to RSA NetWitness Platform Version 11.4 and later.

The Downloads tab provides information about all downloads (MFT, files, system dump, and process dump) performed on the host. To access this tab, select a host from the Hosts view and click the Downloads tab.

Workflow

Workflow for Hosts

What do you want to do?

User Role        I want to ...                                   Show me how
Threat Hunter    review hosts with highest risk score            Analyze Hosts Using the Risk Score
Threat Hunter    analyze hosts                                   Investigating Hosts
Threat Hunter    perform adhoc scan                              Scan Hosts
Threat Hunter    review host details                             Analyze Host Details
Threat Hunter    search on snapshot                              Search on Snapshots
Threat Hunter    analyze processes                               Investigating a Process
Threat Hunter    review reported anomalies                       Analyze Anomalies
Threat Hunter    analyze risky users                             Analyzing Risky Users
Threat Hunter    analyze events                                  Analyzing Events
Threat Hunter    download files for deeper analysis              Analyzing Downloaded Files
Threat Hunter    perform external lookups                        Launch an External Lookup for a File
Threat Hunter    change file status or remediate                 Changing File Status or Remediate
Threat Hunter    isolate host from network*                      Isolating Hosts from Network
Threat Hunter    download MFT, system dump, or process dump*     Performing Host Forensics

*You can perform this task in the current view.

Related Topics

Quick Look

Below is an example of the Downloads tab:

Download Tab

                     
1

Agent and Scan Details. You can view the following agent and scan details of the selected host:

Host name - Name of the host. For example, WIN-ABC.

Risk score - Risk score of the host.

Operating System - Operating system on which the agent is running (Linux, Windows, or Mac).

Agent Scan Status - Current status of the scan - Idle, Scanning, Starting Scan, or Stopping Scan. For more information, see Scan Hosts.

Agent Last Seen - Time when the agent last communicated with the Endpoint server.

Agent Version - Version of the agent. For example, 11.3.0.0.

More - Provides options to:

2Filter Files. You can filter downloaded files by selecting the options in the Filters panel and create filters. For more information, see Performing Host Forensics.
3

Actions in the toolbar:
Save a Local Copy - Lets you retrieve the downloaded MFT and save it to your local file system for further analysis.

Delete File - Deletes the downloaded MFT from the server.

For more information, see Performing Host Forensics.

4View MFT Details. Click the filename to view the MFT details. For more information, see MFT Viewer.

The table displays the following information:

File Name - Name of the file that is downloaded. For example, VGAuthService.exe.

Type - Type of file downloaded: MFT, file, or memory dump.

Downloaded - Status of the download:

  Download successful - The file was downloaded successfully.

  Download in progress - The downloaded file is being processed.

  Download failed - An error occurred, including a failed download.

Size - Size of the downloaded file.

Downloaded Time - Time when the MFT was downloaded.

SHA256 - SHA256 of the file.

Note: This is applicable only for files.

MFT Viewer

You can analyze the downloaded MFT using the MFT Viewer. For more information, see Analyze Downloaded MFT.

Below is an example of the MFT Viewer:

MFT Viewer

1. Filter Files. You can filter files by selecting options in the Filters panel or by creating your own filters. For more information, see Filter MFT.

2. Folder Details. Lets you view the content of the MFT.

3. Download File to Server. Downloads files to the server.

The table displays the following information:

Name - Name of the file. For example, dtf.exe.

Size - Size of the file.

Creation Time ($FN) - File Name ($FN) creation time.

Creation Time ($SI) - Standard Information ($SI) creation time.

Modification time ($FN) - $FN modified time.

Modification time ($SI) - $SI modified time.

Access time ($FN) - $FN access time.

Access time ($SI) - $SI access time.

Update time ($FN) - $FN updated time.

Update time ($SI) - $SI updated time.

Full Path - Path of the file.

Allocated Size - File size on the disk.

Archive - Indicates if a file is archived.

Compressed - Indicates if a file is compressed.

Encrypted - Indicates if a file is encrypted.

Hidden - Indicates if a file is hidden.

Directory - Indicates if it is a directory.

Extension - Type of the file. For example, exe, pdf, txt.
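The MFT Viewer exposes both the $FN (File Name attribute) and $SI (Standard Information attribute) timestamps for every entry. The $SI timestamps are the ones ordinary user-mode tools can set, while the $FN timestamps are written by the file system itself, so an entry whose $SI creation time is earlier than its $FN creation time is a common indicator of timestamp tampering. The script below is an added example, not part of the NetWitness documentation or product: it assumes the MFT Viewer table has been exported to CSV with the column names listed above (an assumption; the export format is not described on this page), and every sample row is constructed for the example.

```python
"""Flag MFT entries whose $SI creation time precedes the $FN creation time.

Added example; not NetWitness code. Assumes a CSV export whose header row
uses the MFT Viewer column names. All sample rows below are constructed.
"""
import csv
import io
from datetime import datetime

# Column names as shown in the MFT Viewer table.
NAME = "Name"
FULL_PATH = "Full Path"
FN_CREATED = "Creation Time ($FN)"
SI_CREATED = "Creation Time ($SI)"

# Constructed sample export (hypothetical CSV layout). The second row has an
# $SI creation time more than a decade older than its $FN creation time.
SAMPLE_CSV = r"""Name,Full Path,Creation Time ($FN),Creation Time ($SI),Modification time ($FN),Modification time ($SI)
dtf.exe,C:\Windows\System32\dtf.exe,2020-01-10T09:15:00,2020-01-10T09:15:00,2020-01-10T09:15:00,2020-01-10T09:15:00
svch0st.exe,C:\Windows\Temp\svch0st.exe,2020-02-03T14:22:31,2009-07-14T03:20:08,2020-02-03T14:22:31,2009-07-14T03:20:08
notes.txt,C:\Users\alice\notes.txt,2020-01-20T08:00:00,2020-01-20T08:00:00,2020-01-20T08:00:00,2020-01-25T12:00:00.123456
"""


def parse_rows(csv_text):
    """Parse the CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def parse_time(value):
    """Timestamps in the sample are ISO 8601 strings (constructed format)."""
    return datetime.fromisoformat(value.strip())


def si_created_before_fn(row):
    """True when the $SI creation time is earlier than the $FN creation time.

    $FN is maintained by NTFS on create/rename and is not changed by the
    user-mode timestamp APIs, so this ordering is a timestomping indicator.
    """
    return parse_time(row[SI_CREATED]) < parse_time(row[FN_CREATED])


def flag_suspicious(rows):
    """Return one finding per row that shows the $SI-before-$FN anomaly."""
    findings = []
    for row in rows:
        if not si_created_before_fn(row):
            continue
        fn_time = parse_time(row[FN_CREATED])
        si_time = parse_time(row[SI_CREATED])
        findings.append({
            "name": row[NAME],
            "path": row[FULL_PATH],
            "si_created": row[SI_CREATED],
            "fn_created": row[FN_CREATED],
            # How far back the $SI creation time was pushed, in whole days.
            "delta_days": (fn_time - si_time).days,
        })
    return findings


if __name__ == "__main__":
    for finding in flag_suspicious(parse_rows(SAMPLE_CSV)):
        print("possible timestomping: {path} ($SI created {si_created}, "
              "$FN created {fn_created}, {delta_days} days apart)".format(**finding))
```

Point the script at a real export by replacing SAMPLE_CSV with the file contents; rows where the two creation times agree (the first and third sample entries) are left alone, and only entries with the backdated $SI value are reported, together with the file path you would then pivot on in the Hosts view.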
