NW: NetWitness Suite Basic Navigation

Document created by RSA Information Design and Development on Sep 18, 2017. Last modified by RSA Information Design and Development on Sep 28, 2017. Version 4.

The NetWitness Suite application is divided into five main functional areas, known as views, that are based on typical Security Operation Center (SOC) roles.

This image shows the NetWitness Suite log in dialog and the five top-level menu items: Respond, Investigate, Monitor, Configure, and Admin.

  • RESPOND: This view is for Incident Responders, who can view a list of prioritized incidents to triage. These incidents come from sources such as ESA rules, NetWitness Endpoint, or ESA Analytics modules for Automated Threat Detection. You can also view all of the alerts received by NetWitness Suite here.
    For legacy 10.6 users, this view was known as the Incident Management view. The Alerts List in the Respond view replaces the ESA 10.6 Alerts > Summary view.
  • INVESTIGATE: This view is primarily for advanced Threat Hunters, who prefer to manually hunt for threats using NetWitness Suite metadata, event analysis, and event reconstruction. Incident Responders also use this view to get details about events associated with an incident being investigated. Both Threat Hunters and Incident Responders can use the forensic event reconstruction and event analysis features in this view.
  • MONITOR: This view is for all users. You can view dashboards and reports on different areas of interest depending on your user permissions. NetWitness Suite opens to this view by default.
    For legacy 10.6 users, this is the Dashboard view.
  • CONFIGURE: This view is for Threat Intel (content) personnel, who configure data sources and inputs to NetWitness Suite. Threat Intel personnel use this area to download and manage Live content. They can also create and manage incident and ESA rules.
    For legacy 10.6 users, this view contains Live, Incidents > Configure, and Alerts > Configure from the previous version.
  • ADMIN: This view is for System Administrators, who set up and maintain the overall application.
    For legacy 10.6 users, this is the Administration view less the sections added to the Configure view.

Accessing Main Views

The options that open each of the main views are listed at the top of the browser window and remain available on every page of the application. Which of them you can open depends on your permissions.

This figure shows the NetWitness Suite main menu.

Secondary Menus

Some views have secondary menus with additional views that you can select, which vary according to the tasks that you can complete. The following example shows the MONITOR menu.

This figure shows the Monitor menu as an example of a secondary menu.

Additional Options

In addition to the main views, there are additional options at the top of the browser window that are common to the entire application.


This figure shows the common options available from a classic view. They are Notifications, Preferences, and Help.

The following table describes these common options:

                                      
Common Option | Name | Description
Jobs icon | Jobs | In the INVESTIGATE, MONITOR, CONFIGURE, and ADMIN views, click this icon to view and manage your jobs in the Jobs tray. Jobs are on-demand or scheduled tasks that take some time to complete in NetWitness Suite.
Notifications icon | Notifications | Click this icon to view notifications from the application.
User Preferences icon (shows your username) | User Preferences | Click this icon to view your available user preference options. You can manage your user preferences and log out of NetWitness Suite.
User Profile menu (classic views only) | User Profile | Click your user profile to view the available options. You can manage your user preferences, change your password, and log out of NetWitness Suite.
Help icon | Help | Click this icon to view NetWitness Suite help topics.

Main Views

The following sections explain the main views.

MONITOR

The MONITOR view is the classic NetWitness Suite dashboard. Monitor offers preconfigured dashboards and reports that you can use as they are, or you can create your own.

This figure shows an example Monitor view showing the default dashboard.

MONITOR Menu

This figure shows the Monitor secondary menu: Overview, Reports, and Alerts.

The MONITOR menu has the following options:

  • Overview: The Overview view enables you to view and manage your dashboards. You can select the following preconfigured dashboards:
    • Default
    • Identity
    • Investigation
    • Operations - File Analysis
    • Operations - Logs
    • Operations - Network
    • Operations - Protocol Analysis
    • Overview
    • RSA SecurID
    • Threat - Hunting
    • Threat - Intrusion
    • Threat - Malware Indicators

    For Legacy 10.6 users, this was the Dashboard view.

  • Reports: The Reports view enables you to view and manage reports relevant to your SOC role according to your assigned permissions.
                                      
What can I do here? | Path | Show me how
Select a Dashboard | MONITOR > Overview | See Setting Up a Dashboard.
Create a Dashboard | MONITOR > Overview | See Setting Up a Dashboard.
Manage Dashboards | MONITOR > Overview | See Setting Up a Dashboard.
View a Report | MONITOR > Reports > View | See the Reporting Guide.
Manage Reports | MONITOR > Reports > Manage | See the Reporting Guide.

RESPOND

The Respond view presents analysts with a queue of incidents in severity order. When you take an incident from the queue, you receive relevant supporting data to help you investigate the incident. From there, you can determine the incident scope and escalate or remediate it as appropriate.

RESPOND Menu

This figure shows the Respond secondary menu: Incidents, Alerts, and Tasks.

The RESPOND menu has the following options:

  • Incidents: The Incidents List view contains a list of all incidents with basic information. The Incident Details view provides extensive details about the incident.
  • Alerts: The Alerts List and Alert Details views provide information about all of the threat alerts and indicators received by NetWitness Suite in one location.
  • Tasks: The Tasks List view enables you to create tasks and track them to completion.

The following figure shows the Respond view - Incident List view.

The following figure shows an example of the Respond view - Incident Details view.

When using NetWitness Suite as your case management tool, you can also manage incidents as cases from this view. New incidents appear at the top of the incident queue in priority order, and incidents that are already in progress are listed below the new ones.

The following figure shows a high level Respond view workflow.

This diagram shows a high-level Respond view workflow.

In the Respond view, analysts look at the prioritized list of incidents and determine which incidents require action. They click an incident for a clear picture of the incident with supporting details and they can investigate the incident further. Analysts can then determine how to respond to the threat, by escalating or remediating it.
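The queue behaviour described above (alerts grouped into incidents, new incidents at the top in priority order, incidents in progress below them) is easier to reason about when written out. The following is an added example, not NetWitness code: it implements one aggregation rule of the kind configured under CONFIGURE > Incident Rules and the Respond queue ordering. The alert fields, the rule structure, the four-level priority scale, the "window measured from the incident's first alert" semantics and the INC-n identifiers are all assumptions made for illustration, and the alerts are constructed sample data.

```python
"""Alert aggregation into incidents and Respond-style queue ordering. Added
example, not NetWitness code: the alert fields, rule structure, priority scale
and window semantics are assumptions for illustration."""
from datetime import datetime, timedelta

SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed alerts, in the shape the Alerts list might receive them.
ALERTS = [
    {"id": "a1", "time": "2017-09-18T10:00:00", "source": "ESA", "severity": "high", "ip.src": "10.0.0.5"},
    {"id": "a2", "time": "2017-09-18T10:03:00", "source": "Endpoint", "severity": "medium", "ip.src": "10.0.0.5"},
    {"id": "a3", "time": "2017-09-18T10:40:00", "source": "ESA", "severity": "critical", "ip.src": "10.0.0.5"},
    {"id": "a4", "time": "2017-09-18T10:05:00", "source": "ESA", "severity": "low", "ip.src": "10.0.0.9"},
]

# One aggregation rule: which alerts qualify, what to group on, and how long
# an incident keeps collecting alerts after its first one.
RULE = {
    "name": "Group ESA and Endpoint alerts by source IP",
    "match": {"sources": {"ESA", "Endpoint"}, "min_severity": "medium"},
    "group_by": "ip.src",
    "window": timedelta(minutes=30),
}


def qualifies(alert, rule):
    """Rule criteria: alert source and a minimum severity."""
    crit = rule["match"]
    return (alert["source"] in crit["sources"]
            and SEVERITY[alert["severity"]] >= SEVERITY[crit["min_severity"]])


def aggregate(alerts, rule):
    """Group qualifying alerts into incidents. An alert joins the open incident
    for its group key when it falls within the rule window of that incident's
    first alert; otherwise it opens a new one. Incident priority is the highest
    severity seen so far, so a later critical alert raises the whole incident."""
    open_by_key = {}
    incidents = []
    for alert in sorted(alerts, key=lambda a: a["time"]):   # ISO-8601 sorts lexically
        if not qualifies(alert, rule):
            continue
        seen = datetime.fromisoformat(alert["time"])
        key = alert[rule["group_by"]]
        inc = open_by_key.get(key)
        if inc is None or seen - inc["created"] > rule["window"]:
            inc = {"id": f"INC-{len(incidents) + 1}", "rule": rule["name"], "key": key,
                   "created": seen, "status": "New", "alerts": [], "priority": 0}
            incidents.append(inc)
            open_by_key[key] = inc
        inc["alerts"].append(alert["id"])
        inc["priority"] = max(inc["priority"], SEVERITY[alert["severity"]])
    return incidents


def order_queue(incidents):
    """Respond queue order: New incidents first, highest priority at the top and
    oldest first on ties; incidents already In Progress sit below the new ones."""
    status_rank = {"New": 0, "In Progress": 1}
    return sorted(incidents,
                  key=lambda i: (status_rank.get(i["status"], 2), -i["priority"], i["created"]))


if __name__ == "__main__":
    queue = aggregate(ALERTS, RULE)
    for inc in order_queue(queue):
        print(inc["id"], inc["status"], inc["priority"], inc["alerts"])
```

With the sample data, the low-severity alert a4 never becomes an incident, a1 and a2 fold into one incident, and a3 arrives outside the 30-minute window and opens a second one with a higher priority, so it sits above the first in the queue. Once an analyst takes an incident and its status changes to In Progress, it drops below every new incident regardless of priority, which is the point of the "new at the top" ordering: a queue sorted only by severity would keep presenting work that someone already owns.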

                                      
What can I do here? | Path | Show me how
View prioritized incident lists | RESPOND > Incidents (Incident List view) | See the NetWitness Respond User Guide.
Determine which incidents require action (triage an incident) | RESPOND > Incidents (Incident Details view) | See the NetWitness Respond User Guide.
Investigate the incident | RESPOND > Incidents (Incident Details view) | See the NetWitness Respond User Guide. You can also pivot to the Investigate view.
Escalate or remediate the incident | RESPOND > Incidents (Incident Details view) and RESPOND > Tasks (Tasks List view) | See the NetWitness Respond User Guide.
Review alerts | RESPOND > Alerts (Alerts List and Alert Details views) | See the NetWitness Respond User Guide.

INVESTIGATE

The Investigate view presents three different views into a set of data, allowing analysts to see metadata, events, and potential indicators of compromise. This figure illustrates one of the views, the Navigate view, showing all data on a Concentrator being investigated.

This figure shows an example of the Events view.

Clicking the Event Analysis link for a specific event in the Events view opens the Event Details view. This figure shows the Event Details view for a network event.

This figure shows an example of the Malware Analysis Summary of Events.

INVESTIGATE Menu

This figure shows the Investigate secondary menu: Query Events, Navigate Classic, Events Classic, and Malware Analysis.

The INVESTIGATE menu has the following options:

  • Navigate: The Navigate view provides a toolbar for filtering and querying data along with a view of the metadata and a timeline visualization. Analysts can drill into the data, open selected events in the Events view, and look up additional context from the Context Hub service.
  • Events view: The Events view provides a toolbar to refine the data set and a list of events. Analysts can browse a simple list of events, a detailed list, and a log list. When an interesting event is found, they can safely view a reconstruction of the event and conduct event analysis.
  • Malware Analysis: The Malware Analysis view enables analysts to analyze certain types of file objects (for example, Windows PE, PDF, and MS Office) to assess the likelihood that a file is malicious. Malware Analysis is an automated malware analysis processor that scores the captured files, so the malware analyst can prioritize the massive number of files captured and focus analysis effort on the files that are most likely to be malicious.

To work in Investigate, analysts begin by running a query to select a subset of the collected data. Analysts can browse the data in the Navigate view, create their own queries, refine the filters, and control the way the metadata is ordered and displayed. Upon finding an event of interest, analysts explore and inspect the event details for suspicious or malicious activity. Refer to the Investigation and Malware Analysis User Guide for detailed information.

The following figure shows a high level workflow of the Investigate view.

the basic workflow of an investigation

                            
What can I do here? | Path | Show me how
Query and view meta keys and values found in a set of data | INVESTIGATE view | See "Conducting an Investigation" in the Investigation and Malware Analysis User Guide.
Examine, reconstruct, and analyze events | INVESTIGATE view | See "Examine Events" in the Investigation and Malware Analysis User Guide.
Look for file objects that may contain malicious code | INVESTIGATE view | See "Conduct Malware Analysis" in the Investigation and Malware Analysis User Guide.

CONFIGURE

The Configure view enables Threat Intel (content) personnel to configure data sources and inputs to NetWitness Suite in one convenient location.

CONFIGURE Menu

This figure shows the Configure secondary menu: Live Content, Incident Rules, ESA Rules, Subscriptions, and Custom Feeds.

The CONFIGURE menu has the following options:

  • Live Content: (Live Services) The Live Content view enables you to search for and subscribe to Live Services resources. Live Services is the component of NetWitness Suite that manages communication and synchronization between NetWitness Suite services and the library of Live content available to RSA NetWitness Suite customers. You can view, search, deploy, and subscribe to content from the RSA Live Content Management System (CMS) to NetWitness Suite services and software. When you subscribe to a resource, you agree to receive updates on a regular basis from RSA Live Services.
    For Legacy 10.6 users, this was Live > Search.
  • Incident Rules: The Incident Rules view enables you to create aggregation rules with various criteria to automatically create incidents. You can view prioritized incidents in the Respond view.
    For Legacy 10.6 users, this was Incidents > Configure.
  • ESA Rules: The ESA Rules view enables you to manage the Event Stream Analysis (ESA) rules that specify criteria for problem behavior or threatening events in your network. When ESA detects a threat that matches the rule criteria, it generates an alert.
    You can create ESA rules yourself or download them from Live Services. The Rule Library shows all ESA rules created or downloaded. To activate rules, you have to add them to a deployment. Deployments map rules from your rule library to the appropriate ESA services.
    For Legacy 10.6 users, this was Alerts > Configure.
  • Subscriptions: (Live Services) The Subscriptions view enables you to manage the Live content that you subscribed to in the Live Content view. To set up Live Services on NetWitness Suite, you configure the connection and synchronization between the CMS server and NetWitness Suite.
    For Legacy 10.6 users, this was Live > Configure.
  • Custom Feeds: (Live Services) The Custom Feeds view streamlines the task of creating and managing custom feeds, as well as populating the feeds to selected Decoders and Log Decoders. You can set up and maintain custom and identity feeds.
    NetWitness Suite uses feeds to create metadata based on externally defined metadata values. A feed is a list of data that is compared to sessions as they are captured or processed. For each match, additional metadata is created.
    You can create custom feeds to provide extra metadata extraction, for example, to accommodate custom network applications.
    For Legacy 10.6 users, this was Live > Feeds.
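The feed mechanism described under Custom Feeds (a list of indicators compared against sessions as they are captured, with extra metadata created for each match) is worth seeing as code. The following is an added example, not NetWitness code or the product's feed format: it loads a constructed CSV feed with IP, CIDR and domain indicators and applies it to a few constructed sessions. The CSV columns, the session meta key names (ip.src, ip.dst, alias.host) and the generated keys (threat.category, threat.desc, threat.match) are assumptions made for illustration.

```python
"""Feed-style metadata enrichment, illustrating the matching described under
Custom Feeds. Added example, not NetWitness code: the feed CSV layout, session
fields, and generated meta key names are assumptions for illustration."""
import csv
import io
import ipaddress

# Constructed feed. Each row is one indicator plus the metadata a hit should add.
FEED_CSV = """indicator,indicator_type,threat_category,threat_desc
203.0.113.7,ip,c2,Known command-and-control host
198.51.100.0/24,cidr,scanner,Mass-scanning range
bad-updates.example,domain,malware,Fake update site
"""

# Constructed sessions, already parsed into meta keys (key names assumed).
SESSIONS = [
    {"sessionid": 1, "ip.src": "10.0.0.5", "ip.dst": "203.0.113.7", "alias.host": "api.example.com"},
    {"sessionid": 2, "ip.src": "198.51.100.42", "ip.dst": "10.0.0.8", "alias.host": ""},
    {"sessionid": 3, "ip.src": "10.0.0.9", "ip.dst": "93.184.216.34", "alias.host": "cdn.bad-updates.example"},
    {"sessionid": 4, "ip.src": "10.0.0.9", "ip.dst": "93.184.216.34", "alias.host": "www.example.org"},
]


def load_feed(text):
    """Parse the feed once into lookup structures keyed by indicator type."""
    exact_ips, networks, domains = {}, [], {}
    for row in csv.DictReader(io.StringIO(text)):
        meta = {"threat.category": row["threat_category"], "threat.desc": row["threat_desc"]}
        kind = row["indicator_type"]
        if kind == "ip":
            exact_ips[row["indicator"]] = meta
        elif kind == "cidr":
            networks.append((ipaddress.ip_network(row["indicator"]), meta))
        elif kind == "domain":
            domains[row["indicator"].lower()] = meta
        else:
            raise ValueError(f"unknown indicator type: {kind}")
    return {"ips": exact_ips, "nets": networks, "domains": domains}


def match_ip(ip, feed):
    """Exact IP match first, then CIDR containment; None when nothing hits."""
    if ip in feed["ips"]:
        return feed["ips"][ip]
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:       # malformed or empty meta value: never abort capture
        return None
    for net, meta in feed["nets"]:
        if addr in net:
            return meta
    return None


def match_host(host, feed):
    """Match a hostname against feed domains, including parent domains, so a
    feed entry for bad-updates.example also hits cdn.bad-updates.example."""
    labels = host.lower().strip(".").split(".")
    for i in range(len(labels)):
        meta = feed["domains"].get(".".join(labels[i:]))
        if meta:
            return meta
    return None


def match_session(session, feed):
    """Return the extra metadata a feed hit generates for one session.
    The first matching key wins; an empty dict means no hit."""
    for key in ("ip.src", "ip.dst"):
        meta = match_ip(session.get(key, ""), feed)
        if meta:
            return {**meta, "threat.match": key}
    host = session.get("alias.host") or ""
    if host:
        meta = match_host(host, feed)
        if meta:
            return {**meta, "threat.match": "alias.host"}
    return {}


def enrich(sessions, feed):
    """Apply the feed to every session and return sessions with added metadata."""
    return [{**s, **match_session(s, feed)} for s in sessions]


if __name__ == "__main__":
    for s in enrich(SESSIONS, load_feed(FEED_CSV)):
        print(s["sessionid"], s.get("threat.category", "-"), s.get("threat.match", "-"))
```

Two details matter in practice and are handled above: a feed that only does exact string comparison misses a CIDR range and misses subdomains of a listed domain, and a malformed value in a session must not raise out of the matcher, since the feed runs inline on every session the Decoder processes. Recording which key produced the hit (threat.match here) is what lets an analyst in Investigate tell a session that talked to a listed host apart from one that merely came from a listed range.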
                                           
What can I do here? | Path | Show me how
Create a Live Services account | RSA Live Registration Portal: https://cms.netwitness.com/registration/ | See the Live Services Management Guide.
Find and deploy Live Services resources | CONFIGURE > Live Content | See the Live Services Management Guide.
Create incidents automatically | CONFIGURE > Incident Rules | See the NetWitness Respond User Guide.
Configure alerts | CONFIGURE > ESA Rules | See the Alerting Using ESA Guide.
Set up Live Services on NetWitness Suite | CONFIGURE > Subscriptions | See the Live Services Management Guide.
Set up and maintain custom and identity feeds | CONFIGURE > Custom Feeds | See the Live Services Management Guide.

ADMIN

In the Admin view, Administrators can manage network hosts and services; monitor the health and wellness of NetWitness Suite hosts and services; and manage system-level security. They can also configure global system resources and manage event sources.

ADMIN Menu

This figure shows the Admin secondary menu: Hosts, Services, Event Sources, Health & Wellness, System, and Security.

The ADMIN menu has the following options:

  • Hosts: The Hosts view is where you set up and maintain hosts. A host is the machine on which services run and a host can be a physical or virtual machine.
  • Services: The Services view enables you to manage services, manage service users and roles, maintain service configuration files, and explore and edit service properties. A service performs a unique function, such as a Decoder service, which captures network data in packet form.
  • Event Sources: The Event Sources view enables you to manage event sources and configure alerting policies for them. Organizations typically monitor event sources in groups based on the criticality of the event sources. You can create monitoring policies for each event source group and order them based on priority.
  • Health & Wellness: The Health & Wellness view enables you to monitor the health of the NetWitness Suite hosts and services in your network environment.
  • System: The System view enables you to set global NetWitness Suite configurations. You can configure global audit logging, email, system logging, jobs, RSA Live Services, URL integration, Investigation, Event Stream Analysis (ESA), ESA Analytics, and advanced performance settings. In addition, you can manage NetWitness Suite versions and configure the local licensing server.
  • Security: The Administration Security view provides the capability to manage user accounts, manage user roles, map external groups to NetWitness Suite roles, and modify other security-related system parameters. These apply to the NetWitness Suite system and are used in conjunction with the security settings for individual services.
                                                               
What can I do here? | Path | Show me how
Manage hosts | ADMIN > Hosts | See the Host and Services Getting Started Guide.
Manage services, including service user access and security | ADMIN > Services | See the Host and Services Getting Started Guide.
Manage event sources and configure alerting policies for them | ADMIN > Event Sources | See the Event Source Management Guide.
Set up and monitor alarms for the hosts and services in your NetWitness Suite domain | ADMIN > Health & Wellness > Alarm | See the System Maintenance Guide.
Monitor statistics for NetWitness Suite hosts and the services running on them | ADMIN > Health & Wellness > Monitoring | See the System Maintenance Guide.
Create and apply policies to your hosts and services to maintain the health and wellness of your NetWitness Suite domain | ADMIN > Health & Wellness > Policies | See the System Maintenance Guide.
Set global configurations for NetWitness Suite | ADMIN > System | See the System Configuration Guide.
Configure global audit logging | ADMIN > System > Global Auditing | See the System Configuration Guide.
Set up system security | ADMIN > Security | See the System Security and User Management Guide.
Manage system users with roles and permissions | ADMIN > Security | See the System Security and User Management Guide.