Depending on the question you are trying to answer, NetWitness Platform offers different starting points: the Navigate view, Events view, Event Analysis view, Hosts view, Files view, Users view, and Malware Analysis view.
Focus on Metadata, Raw Events, and Event Analysis
To hunt for events that drive the incident response workflow and to do strategic analysis after another tool has generated an event, go to INVESTIGATE > Navigate, INVESTIGATE > Events, or INVESTIGATE > Event Analysis. You can investigate the metadata and raw events for a single Broker or Concentrator. In each of these views, you can execute a query and filter the results by narrowing the time range and querying metadata. These topics provide details about beginning an investigation:
- Begin an Investigation in the Navigate or Events View
- Begin an Investigation in the Event Analysis View
Focus on Hosts and Files
To hunt for information on hosts that have the Endpoint agent running, go to INVESTIGATE > Hosts. For every host, you can see the running processes, drivers, DLLs, files (executables), services, and autoruns, as well as information about logged-in users. To begin an investigation by looking at files in your deployment, go to INVESTIGATE > Files. (See the NetWitness Endpoint User Guide for detailed information.)
Focus on Risky User and Entity Behavior
To discover, investigate, and monitor risky behaviors across all users and entities in your network environment, go to INVESTIGATE > Users and NetWitness UEBA (User and Entity Behavior Analytics). You can detect malicious and rogue users, pinpoint high-risk behaviors, discover attacks, and investigate emerging security threats. (See the NetWitness UEBA User Guide for detailed information.)
Focus on Scanning Files for Malware
To scan files for potential malware, or to set up a continuous scan of a service, go to INVESTIGATE > Malware Analysis. Scan results are expressed as four types of analysis (network, static, community, and sandbox) together with an indicator of compromise (IOC) rating. There are several other ways to begin working in Malware Analysis:
- You can begin Malware Analysis from the Malware Analysis dashlets in the Monitor view to quickly see the riskiest potential threats.
- You can right-click a meta key in the Navigate view, and select Scan for Malware.
See the Malware Analysis User Guide for detailed information.