NW: Setting up Your Opening View by SOC Role

Document created by RSA Information Design and Development on Sep 18, 2017Last modified by RSA Information Design and Development on Sep 11, 2018
Version 7Show Document
  • View in full screen mode
 

After logging in to RSA NetWitness® Platform, you can make navigating the application easier by setting up your default view based on your Security Operations (SOC) role. You set your default view, also known as a landing page, in your user preferences.

The following figure shows the main NetWitness Platform views.

Main Menu icons: Respond, Investigate, Monitor, Configure, and Admin

  • Respond: This view is for Incident Responders, who can view a list of incidents to triage and alerts. For legacy 10.6 users, this view was known as the Incident Management view and the Respond > Alerts view replaces the ESA 10.6 Alerts > Summary view.
    Respond is the default opening view. If you do not have permission to see the Respond view, you will have Monitor as your default view.
  • Investigate: This view is for Threat Hunters, who investigate and hunt for advanced threats.
  • Monitor: This view is for all users and it is the classic view for previous application versions. You can view dashboards and reports on different areas of interest depending on your user permissions. You have the option to select a preconfigured dashboard, import a dashboard, or create your own custom dashboard.
  • Configure: This view is for Threat Intel personnel (Content Experts), who configure data sources and inputs to NetWitness Platform. Content Experts use this area to download and manage Live content. They can also create and manage incident and ESA rules.
    For legacy 10.6 users, this view was Live, Incidents > Configure, and Alerts > Configure.
  • Admin: This view is for System Administrators, who set up and maintain the overall application.

You can select any of the main NetWitness Platform views as your default view. In addition to the main views, NetWitness Platform has predefined dashboards that you can select in the Monitor view depending on the tasks you perform:

  • Default Dashboard

  • Identity Dashboard

  • Operations - Logs Dashboard

  • Operations - Network Dashboard
  • Overview Dashboard
  • Threat - Indicators Dashboard

  • Threat - Intrusion Dashboard

The following table shows typical SOC roles and the available views you can select as your landing page in your user preferences based on your SOC role. If you have more than one role, select the view that is most appropriate for you to start with when you log in to NetWitness Platform.

                                           
SOC RolesRole DescriptionConsider this Default Landing Page

Incident Responder
(Tier 1 Analyst)

Addresses incidents and alerts queued for them to review and mitigate.

RESPOND

Threat Hunter
(Tier 2/Tier 3 Analyst)

Investigates and hunts for advanced threats.

INVESTIGATE
For information on selecting the default Investigate view, see the NetWitness Investigate User Guide.

SOC Manager (SOC Management and Reporting)

Manages SOC readiness and responds to incidents and data breaches.

MONITOR (Dashboard is in the MONITOR view.) When you log in, select the appropriate predefined dashboard for your SOC role. You can also import a dashboard or create your own dashboard.)

Content Expert
(Threat Intelligence)

Configures data sources and inputs to NetWitness Platform.

MONITOR or CONFIGURE (Dashboard is in the MONITOR view. When you log in, select the appropriate predefined dashboard for your SOC role. You can also import a dashboard or create your own dashboard. If you choose MONITOR as your default view, you can navigate to the CONFIGURE view from the main menu.)

Data Privacy Officer
(DPO)

Similar to an Administrator, but a DPO monitors and protects privacy-sensitive information.

MONITOR (Dashboard is in the MONITOR view. When you log in, select the appropriate predefined dashboard for your SOC role. You can also import a dashboard or create your own dashboard.)

System Administrator

Focuses on the configuration and stability of the overall application. Manages user access.

ADMIN

Setting Your Default View

  1. (Respond view and some Investigate views) On the main menu bar, select Profile icon .

    The User Preferences dialog shows your current preferences.

    User Preferences dialog accessed from the Respond and Investigate views

  2. In the Default Landing Page field, select the default view that you would like to see when you log in to NetWitness Platform. Use the above table to make your selection based on your SOC role. For example, if you are an Incident Responder, you can select Respond and if you are a Threat Hunter, you can select Investigate.

    Your preferences become effective immediately. You can change your default landing page at any time. For information on other preferences, see Setting User Preferences.

  3. To verify that you can see the correct default view, click Sign Out to log out and then log back in to NetWitness Platform.

Basic Troubleshooting Tips for User Setup

The following table provides basic troubleshooting tips that may be helpful for user setup in NetWitness Platform.

                               
ProblemTroubleshooting Tip

When I log in to NetWitness Platform, I see the wrong default view.

Verify that the correct default view is set in the Default Landing Page field in your user preferences. If you select the MONITOR view, you can select the predefined dashboard that is most appropriate for your SOC role. You can also import or create your own dashboard.

I see the correct view, but the metadata does not load.

Make sure that you are using the latest version of the browser. If that does not work, try using another browser. For example, if you are using Safari, try using Firefox or Chrome.

I am using Internet Explorer 10 and I get the following error:
The page can't be displayed.

NetWitness Platform supports modern (or current) versions of the latest browsers. Try installing a newer browser version. If you cannot upgrade your browser, you can try enabling the TLS 1.2 protocol in your browser:
Navigate to Internet options > Advanced > Settings > Security. In addition to your other protocols, ensure that the TLS 1.2 protocol is enabled. Click Apply. Reload the page.

When I log in, I cannot see anything.

See your administrator, you may need a user role assigned to your account or additional troubleshooting.

I can't see where to change my default landing page.

Go to the User Preferences in the Respond view or see your administrator.

You are here
Table of Contents > Setting up Your Default View by SOC Role

Attachments

    Outcomes