Investigate: Beginning an Investigation

Document created by RSA Information Design and Development on Sep 18, 2017. Last modified by RSA Information Design and Development on Sep 11, 2018.
Version 15

NetWitness Platform offers different starting points based on the question you are attempting to answer: Navigate view, Events view, Event Analysis view, Hosts view, Files view, and Malware Analysis view.

Note: Specific user roles and permissions are required for a user to conduct investigations in NetWitness Platform. If you cannot perform an analysis task or see a view, the administrator may need to adjust the roles and permissions configured for you. The Hosts view and Files view are available in Version 11.1 and above. The Event Analysis view was available in Version 11.0, but the method of accessing it was through the Events view. In Version 11.1 and later, the Event Analysis view is accessible directly.

Focus on Metadata, Raw Events, and Event Analysis

To hunt for events that drive the incident response workflow, or to do strategic analysis after another tool has generated an event, begin in the Navigate view, Events view, or Event Analysis view. In these views you investigate the metadata for a single Broker or Concentrator. In each view, you start the investigation by opening the view, where you can execute a query and filter the results by narrowing the time range and querying metadata. These topics provide details about beginning an investigation in each view:

Focus on Hosts and Files

To hunt for information on hosts that have the agent running, begin the investigation in the Hosts view (Investigate > Hosts). For every host, you can see the processes, drivers, DLLs, files (executables), services, and autoruns that are running, as well as information about logged-in users. (See Investigate Hosts.)

You can begin the investigation on files in your deployment in the Files view (Investigate > Files). (See Investigate Files.)

Note: To load the Hosts and Files view, you must have the endpoint-server.filter.manage permission.

Focus on Scanning Files for Malware

To scan files for potential malware, or set up a continuous scan of a service, you begin in the Malware Analysis view. Results are expressed as four types of analysis: network, static, community, and sandbox with an indicator of compromise (IOC) rating. There are several ways to begin working in Malware Analysis:

  • You can begin Malware Analysis from the Malware Analysis dashlets in the Monitor view to quickly see the riskiest potential threats.
  • You can go to Investigate > Malware Analysis to open the Malware Analysis Summary of Events.
  • You can right-click a meta key in the Navigate view, and select Scan for Malware.

See Conducting Malware Analysis for details on working in the Malware Analysis view.
