Investigate: Launch an External Lookup of a Meta Key

Document created by RSA Information Design and Development on Sep 18, 2017. Last modified by RSA Information Design and Development on Sep 11, 2018. Version 15.
This topic provides instructions for using out-of-the-box Investigate plugins to launch an external lookup of specific meta keys using tools external to NetWitness Platform while investigating data in the Navigate view or Events view.

Analysts can use out-of-the-box NetWitness Platform Investigate external lookups to save time during investigations. The out-of-the-box lookups are available by right-clicking a value of one of these meta keys: IP address (ip-src, ip-dst, ipv6-src, ipv6-dst, orig_ip), host (alias-host, domain.dst), client, and file-hash.

For all IP and host meta keys, the following lookups are built in to NetWitness Platform:

  • Google Malware: Opens a Google Malware search in a new tab.
  • SANS IP History: Opens a SANS IP History search in a new tab.
  • McAfee SiteAdvisor: Opens a McAfee SiteAdvisor search in a new tab.
  • Endpoint Thick Client Lookup: Opens a search in the NetWitness Endpoint Thick Client in a new tab.
  • BFK Passive DNS Collection:  Opens a BFK Passive DNS collection search in a new tab.
  • CentralOps Whois for IPs and Hostnames: Opens a CentralOps Whois search for IPs and hostnames in a new tab.
  • Malwaredomainlist.com Search: Opens a Malwaredomainlist.com search in a new tab.
  • Robtex IP Search: Opens a Robtex IP search in a new tab.
  • ThreatExpert Search: Opens a ThreatExpert search in a new tab.
  • IPVoid Search: Opens a UrlVoid search in a new tab.

For the file-hash and alias-host meta keys, the Google lookup opens a Google search in a new tab.

For the client meta key, the NetWitness Endpoint Lookup option opens an Endpoint Thick Client in a new tab if the client is installed on the same system on which the browser is being used.

Administrators can add additional external lookups and other custom actions as described in "Add Custom Context Menu Actions" in the System Configuration Guide.
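Every lookup listed above hands a meta value that was captured from network traffic to a browser as part of a URL. When administrators add their own lookup actions, the value should be checked against the meta key it came from and percent-encoded before it is substituted into the URL template, so that an attacker-supplied hostname or path cannot alter the query sent to the external service. The following added example (not RSA NetWitness code; the lookup URL templates and the lookup.example host are assumed placeholders, not the platform's real endpoints) groups the meta keys as this page does, validates the value for its key, and builds the encoded lookup URL:

```python
"""Added example, not RSA NetWitness code: classify an Investigate meta key,
validate its value, and build a URL-encoded external lookup link.
The URL templates below are assumed placeholders, not the platform's own."""
import ipaddress
import re
from urllib.parse import quote

# Meta keys grouped as on the documentation page.
IP_KEYS = {"ip-src", "ip-dst", "ipv6-src", "ipv6-dst", "orig_ip"}
HOST_KEYS = {"alias-host", "domain.dst"}
HASH_KEYS = {"file-hash"}

# RFC 1123-style hostname labels, and a hex digest of MD5/SHA-1/SHA-256 length.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.I,
)
_HASH_RE = re.compile(r"^[0-9a-f]+$", re.I)
_HASH_LENGTHS = (32, 40, 64)

# Assumed (constructed) lookup templates keyed by menu label; {value} receives the encoded value.
LOOKUP_TEMPLATES = {
    "SANS IP History": "https://lookup.example/sans?ip={value}",
    "Google": "https://lookup.example/google?q={value}",
}


def meta_value_kind(meta_key, value):
    """Return 'ip', 'host' or 'hash' when value is well-formed for its meta key, else None."""
    if meta_key in IP_KEYS:
        try:
            ipaddress.ip_address(value)  # accepts IPv4 and IPv6, rejects junk
            return "ip"
        except ValueError:
            return None
    if meta_key in HOST_KEYS:
        return "host" if _HOST_RE.match(value) else None
    if meta_key in HASH_KEYS:
        ok = _HASH_RE.match(value) and len(value) in _HASH_LENGTHS
        return "hash" if ok else None
    return None  # the client meta key has no URL-based lookup on this page


def build_lookup_url(lookup_name, meta_key, value):
    """Build the lookup URL, or raise ValueError for a value that is not clean for its key."""
    if meta_value_kind(meta_key, value) is None:
        raise ValueError(f"refusing to look up malformed {meta_key} value: {value!r}")
    template = LOOKUP_TEMPLATES[lookup_name]
    # safe="" percent-encodes every reserved character, so a captured value
    # cannot append query parameters or path segments to the lookup URL.
    return template.format(value=quote(value, safe=""))


if __name__ == "__main__":
    # Constructed sample meta values.
    print(build_lookup_url("SANS IP History", "ip-src", "198.51.100.7"))
    print(build_lookup_url("Google", "alias-host", "www.example.com"))
```

The validation step is deliberately strict: a hostname meta value that does not parse as a hostname is refused rather than encoded, because a malformed value is itself worth an analyst's attention before it is sent anywhere.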

Launch an Endpoint Thick Client Lookup

To launch an Endpoint Thick Client lookup of data from the Navigate view:

  1. Right-click a meta value for one of the following meta keys: ip-src, ip-dst, ipv6-src, ipv6-dst, orig_ip, alias-host, domain.dst, client.
  2. Select External Lookup in the context menu.
    A submenu of external lookup options is displayed.
    External Lookup Menu
  3. Select Endpoint Thick Client Lookup.
    The Connect to Server dialog is displayed.
    RSA ECAT Configuration dialog
  4. Enter the user name and password required to log in to the Endpoint Thick Client, and click Connect.
    The drill point opens in NetWitness Endpoint.
    a drill point from Investigate opened in RSA ECAT

Launch Other External Lookups

To launch an external lookup (other than NetWitness Endpoint Thick Client Lookup) of data from the Navigate view: 

  1. Right-click a meta value for one of the following meta keys: ip-src, ip-dst, ipv6-src, ipv6-dst, orig_ip, alias-host, domain.dst, client.
  2. Select External Lookup in the context menu.
    A submenu of external lookup options is displayed.
    the External Lookup Menu
  3. Select one of the lookup options.
    The selected meta value opens in the selected lookup, for example, if you selected SANS IP History, the drill point information is displayed in SANS Internet Storm Center.
    SANS IP Lookup