
Investigate: Launch a Lookup of a Meta Key

Document created by RSA Information Design and Development Employee on Sep 18, 2017Last modified by RSA Information Design and Development Employee on Sep 8, 2020
Version 21

When you have found data of interest in the Navigate view, the Events view, or the Legacy Events view, you can do internal lookups to NetWitness Endpoint and RSA Live, as well as external lookups of meta values in community resources such as SANS IP History and ThreatExpert Search.

Analysts can use the external lookups to save time during investigations. The external lookups are available by right-clicking one of these meta keys: IP address (ip-src, ip-dst, ipv6-src, ipv6-dst, orig_ip), host (alias-host, domain.dst), client, and file-hash.

For all ip and host meta keys, the following lookups are built in to NetWitness Platform:

  • Google Malware: Opens a Google Malware search in a new tab.
  • SANS IP History: Opens a SANS IP History search in a new tab.
  • McAfee SiteAdvisor: Opens a McAfee SiteAdvisor search in a new tab.
  • Endpoint Thick Client Lookup: Opens a search in the NetWitness Endpoint Thick Client in a new tab.
  • BFK Passive DNS Collection: Opens a BFK Passive DNS collection search in a new tab.
  • CentralOps Whois for IPs and Hostnames: Opens a CentralOps Whois search for IPs and hostnames in a new tab.
  • Malwaredomainlist.com Search: Opens a Malwaredomainlist.com search in a new tab.
  • Robtex IP Search: Opens a Robtex IP search in a new tab.
  • ThreatExpert Search: Opens a ThreatExpert search in a new tab.
  • IPVoid Search: Opens a UrlVoid search in a new tab.

For the file-hash and alias-host meta keys, the Google lookup opens a Google search in a new tab.

For the client meta key, the NetWitness Endpoint Lookup option opens an Endpoint Thick Client in a new tab if the client is installed on the same system on which the browser is being used.

Administrators can add additional external lookups and other custom actions as described in "Add Custom Context Menu Actions" in the System Configuration Guide.
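Every external lookup above substitutes a meta value into a URL template, and meta values such as hostnames are taken from observed traffic, so a custom action should validate the value against its meta key type and percent-encode it before building the URL. The following added example (not part of this documentation or of the NetWitness product) shows that check for the page's IP, host and file-hash keys; the lookup templates and the example.invalid host are constructed placeholders.

```python
import ipaddress
import re
from typing import Optional
from urllib.parse import quote

# Meta keys grouped by the kind of value they carry (the right-click lookup keys listed above).
IP_KEYS = {"ip-src", "ip-dst", "ipv6-src", "ipv6-dst", "orig_ip"}
HOST_KEYS = {"alias-host", "domain.dst"}
HASH_KEYS = {"file-hash"}

# Constructed lookup templates: {0} is replaced by the encoded meta value.
# Placeholders for illustration, not the product's shipped context-menu definitions.
LOOKUP_TEMPLATES = {
    "Example IP History": "https://lookup.example.invalid/ip?q={0}",
    "Example Hash Search": "https://lookup.example.invalid/hash?q={0}",
}

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
_HOST_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)  # accepts both IPv4 and IPv6 literals
        return True
    except ValueError:
        return False


def is_valid_hostname(value: str) -> bool:
    if not value or len(value) > 253:
        return False
    return all(_HOST_LABEL.match(label) for label in value.rstrip(".").split("."))


def is_valid_hash(value: str) -> bool:
    # MD5, SHA-1 or SHA-256 hex digests
    return re.fullmatch(r"[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64}", value) is not None


def validate_meta(key: str, value: str) -> bool:
    if key in IP_KEYS:
        return is_valid_ip(value)
    if key in HOST_KEYS:
        return is_valid_hostname(value)
    if key in HASH_KEYS:
        return is_valid_hash(value)
    return False  # unknown key: refuse rather than guess


def build_lookup_url(template_name: str, key: str, value: str) -> Optional[str]:
    """Return the lookup URL, or None if the value is not a well-formed instance of its meta key."""
    if not validate_meta(key, value):
        return None
    return LOOKUP_TEMPLATES[template_name].replace("{0}", quote(value, safe=""))
```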

Launch an Endpoint Thick Client Lookup in the Events View

When viewing an endpoint event in the Text panel, you can pivot to analyze the same event in NetWitness Endpoint.

Note: Version 4.4.0.x of the NetWitness Endpoint (NWE) thick client must be installed on the same server, the NWE meta keys must exist in the table-map.xml file on the Log Decoder, and the NWE meta keys must exist in the index-concentrator-custom.xml file. The NWE thick client is a Windows only application. Complete setup instructions are provided in the NetWitness Endpoint User Guide for Version 4.4.

To open an event in NetWitness Endpoint:

  1. Starting from the Navigate view:
    1. In the Query drop-down, select Advanced, and enter one of the following queries: nwe.callback_id exists or device.type='nwendpoint'
      Endpoint data is displayed in the Values panel.
    2. Right-click an event, and select Events in the menu.
  2. (Version 11.1 and later) Go to INVESTIGATE > Events. In the Query drop-down, select Advanced, and enter one of the following queries: nwe.callback_id exists or device.type='nwendpoint'
    Endpoint data is displayed in the Events panel.
  3. Select an event.
    The Events view opens with the selected event displayed in the Text view.
    [Figure: an endpoint event open in Text Analysis]
  4. In the Event Header click Pivot to Endpoint.
    A new browser tab with the url ecatui://<id> opens and the NWE Thick Client is launched. If the NetWitness Endpoint Thick Client is not installed, no data is displayed and the following message is displayed: Applicable for hosts with 4.x Endpoint agents installed, please install the NetWitness Endpoint Thick Client.

Launch an Endpoint Thick Client Lookup in the Navigate View

To launch an Endpoint Thick Client lookup of data from the Navigate view:

  1. Right-click a meta value for one of the following meta keys: ip-src, ip-dst, ipv6-src, ipv6-dst, orig_ip, alias-host, domain.dst, or client.
  2. Select External Lookup in the context menu.
    A submenu of external lookup options is displayed.
    [Figure: an example of the external lookup menu options]
  3. Select Endpoint Thick Client Lookup.
    The Connect to Server dialog is displayed.
    [Figure: RSA ECAT Configuration dialog]
  4. Enter the user name and password required to log in to the Endpoint Thick Client, and click Connect.
    The drill point opens in NetWitness Endpoint.
    [Figure: a drill point from Investigate opened in RSA ECAT]

Perform Lookups of Meta Values in Events

In the Events view, you can further investigate meta values in an event by right-clicking certain meta values and using the options in a drop-down menu. Not all fields have right-click actions. To perform internal and external lookups:

  1. In the Events view, right-click a meta value in the Events List, the Event Meta panel, or the Event Header. Some meta values have a drop-down menu.
    [Figure: right-click on meta values for further actions]
  2. Select one of the following internal lookups:

    • Copy: Copies the meta value to the clipboard.
    • Refocus Investigation in New Tab: Launches another investigation in a new tab with the focus on the selected meta value.
    • Apply Drill in New Tab: Applies the drill and launches it in a new tab to drill the data in Navigate view.
    • Apply !EQUALS Drill in New Tab: Applies (!EQUALS) to the meta and launches a new tab, effectively excluding the meta value from the results.
    • Hosts Lookup: Looks up the value in the Investigate > Hosts view.
    • Endpoint Thick Client Lookup: Analyzes the meta value in the Endpoint Thick Client (for clients that have an Endpoint Agent).
    • Live Lookup: Looks up a meta value on Live for further analysis.
  3. For an external lookup, hover over a meta value, right-click, and select External Lookup.
    [Figure: External lookups from Event Analysis]
  4. In the submenu select one of the available external lookups:

Launch Other External Lookups from the Navigate View

To launch an external lookup of data from the Navigate view (other than NetWitness Endpoint Thick Client Lookup): 

  1. Right-click a meta value for one of the following meta keys: ip-src, ip-dst, ipv6-src, ipv6-dst, orig_ip, alias-host, domain.dst, or client.
  2. Select External Lookup in the context menu.
    A submenu of external lookup options is displayed.
    [Figure: an example of the external lookup menu options]
  3. Select one of the lookup options.
    The selected meta value opens in the selected lookup. For example, if you selected SANS IP History, the drill point information is displayed in the SANS Internet Storm Center.
    [Figure: SANS IP Lookup]
