Drilling into NetWitness Investigator from Web IP addresses and Hostnames

Document created by rob.davis on Apr 9, 2013

This post is primarily for customers of RSA NetWitness (Security Analytics), although it may also interest security practitioners who conduct investigations with other tools.  It describes how to use the Threat Analytics Chrome Extension (http://www.criticalstart.com/2013/01/threat-analytics-search-extension-for-chrome/) to open a NetWitness Investigator drill directly from the Chrome browser.  This is similar to the SIEMLink tool but does not require any additional software to be installed.  The same approach can also be used to create custom REST API queries.



Many people use security tools that have a web interface in conjunction with NetWitness Investigator.

You will need:

  1. Chrome Browser with Threat Analytics Extension installed (available on Chrome Store at http://www.criticalstart.com/2013/01/threat-analytics-search-extension-for-chrome/)
  2. IP address and port of NetWitness concentrator/broker you will be using with Investigator
  3. Investigator collection name you want to use
  4. NetWitness Investigator must be installed on same machine as the Chrome browser


The easiest way to find items 2 and 3 (the concentrator/broker address and port, and the collection name) is to use “Copy URL” in Investigator and paste the result into a text editor.



You will get something like:



In the copied URL, the IP address and port are highlighted in yellow and the collection name is highlighted in green.  Your values will differ from the example shown.


We will manually add three search providers to the Threat Analytics extension (in Chrome: Tools > Extensions > Options).  Before adding them, edit the examples below in a text editor, replacing the IP address, port and collection name with the values you obtained in the steps above.


NW DST IP < 24


NW IP SRC < 24


NW Alias.Host < 24


Example of adding a search provider in the Chrome Extension:


Example of using extension to drill into destination IP address in Investigator.


If you have any feedback, let me know.