Investigate: Conducting an Investigation

Document created by RSA Information Design and Development on Sep 18, 2017. Last modified by RSA Information Design and Development on Oct 24, 2017.

You can begin an investigation in several ways in NetWitness Suite; for detailed procedures see Beginning an Investigation of a Service or Collection. After you begin an investigation, there is no specific order in which to conduct the investigation. Instead, NetWitness Suite offers various methods of displaying the data, filtering the data, querying the data, acting on a drill point, and inspecting specific events.

Analysts who use NetWitness Suite Investigation need to have the appropriate system roles and permissions set up for their user accounts. See Roles and Permissions for Malware Analysts. An administrator must configure roles and permissions.

Note: If you are investigating a 10.6 service from an 11.0 NetWitness Server, the download behavior varies for files, PCAPs, logs, payloads, and meta values. You may see an event payload on a 10.6 service to which you do not have permission, but you will not be able to download files or payloads.

To conduct an investigation, log in to NetWitness Suite and go to INVESTIGATE. The Investigate view opens with the fields in which you select the service, the time range, and an optional query for specific metadata. Select a service and click Load Values.

[Figure: the Navigate view, before data is loaded]

These are the basic steps for conducting an investigation.

[Figure: the basic steps to conduct an investigation]

  1. Submit a query or pivot to Investigate from a Respond entity (see Beginning an Investigation of a Service or Collection).
  2. View query results in the Navigate view (see Refining Results Displayed in the Navigate View) and Events view (see Examining Events).
  3. Reconstruct an Event (see Reconstruct an Event) or view the interactive Event Analysis of an event (see Analyze Events in the Event Analysis View).
  4. Act on a drill point or an event (see Acting on a Drill Point in the Navigate View and Examining Events). For example, you can View Additional Context for a Data Point, Launch a Malware Analysis Scan from the Navigate View, or Add Events to an Incident for Response.