
NW: NetWitness Platform Basic Navigation

Document created by RSA Information Design and Development Employee on Sep 18, 2017. Last modified by RSA Information Design and Development Employee on Sep 8, 2020.
Version 14
 

The RSA NetWitness Platform application is divided into ten main functional areas, known as views, that are based on typical Security Operation Center (SOC) roles.

Note: On upgrade to version 11.5 or later, by default the Springboard is displayed if you have not configured the default landing page in previous versions.

This image shows the NetWitness Platform log in dialog and the 10 top-level menu items: Springboard, Investigate, Respond, Users, Hosts, Files, Dashboard, Reports, Configure, and Admin.

  • Springboard: Springboard presents Analysts with the platform-wide detections and signals in a single view to hunt and investigate faster than ever before. System Administrators set up and maintain the Springboard. You can view the Springboard at any time by clicking RSA in the main menu. For more information, see Managing the Springboard.
  • Investigate: This view is primarily for Threat Hunters, who prefer to manually hunt for threats using NetWitness Platform metadata, raw event data, and event reconstruction and analysis. Incident Responders also use this view to get details about events associated with an incident being investigated. Both Threat Hunters and Incident Responders can use the forensic event reconstruction and event analysis features in this view.
  • Respond: This view is for Incident Responders, who can view a list of prioritized incidents to triage. These incidents come from sources such as ESA rules, NetWitness Endpoint, or ESA Analytics modules for Automated Threat Detection. You can also view all of the alerts received by NetWitness Platform here.
  • Users: This view is for SOC Managers and Analysts to discover, investigate, and monitor risky behaviors across entities, namely users and network entities, in your environment.
  • Hosts: This view is for Analysts, who can investigate or perform analysis on hosts using attributes such as IP address, host name, MAC address, risk score, and so on.
  • Files: This view is for Analysts, who can investigate or perform analysis on files using attributes such as IP address, host name, MAC address, risk score, and so on.
  • Dashboard: This view is for all users. You can view dashboards on different areas of interest depending on your user permissions.
  • Reports: This view is for all users. You can view reports on different areas of interest depending on your user permissions.
  • Configure: This view is for Threat Intel personnel (Content Experts), who configure data sources and inputs to NetWitness Platform. Content Experts use this area to download and manage Live content. They can also create and manage incident and ESA rules.
  • Admin: This view is for System Administrators, who set up and maintain the overall application.

Menu changes

The following table illustrates the top-level menu changes in the 11.5 version.

Previous Version (11.4 and earlier) | 11.5 Version
N/A | Click the RSA logo at the top left corner to view the Springboard.
Monitor > Dashboard | Dashboard
Monitor > Reports | Reports
Investigate > Hosts | Hosts
Investigate > Files | Files
Investigate > Entities | Users
Configure | Configure
Admin | Admin

Accessing Main Views

The options that open each of the main views are listed at the top of the browser window. With the appropriate permissions, you can access any of these views at the top of every UI at any time.

This figure shows the NetWitness Platform main menu.

Secondary Menus

The main views have secondary menus with additional views that you can select, which vary according to the tasks that you can complete. The following example shows the Respond menu.

This figure shows the Respond menu as an example of a secondary menu.

Additional Options

In addition to the main views, there are additional options at the top of the UI that are common to the application.

The following table describes the common options.

Common Option | Description
Jobs | In the Investigate, Dashboard, Reports, Configure, and Admin views, click this icon to view and manage your jobs in the Jobs tray. Jobs are on-demand or scheduled tasks that take some time to complete in the NetWitness Platform application.
Notifications | Click this icon to view notifications from the application.
User Preferences | Click this icon to view your available user preference options. You can manage your user preferences and log out of NetWitness Platform.
User Profile | Click your user profile to view the available options. You can manage your user preferences, change your password, and log out of the NetWitness Platform UI.
Help | Click this icon to view NetWitness Platform help topics.

Main Views

The following sections explain the main views:

Springboard

(From 11.5 and later) RSA NetWitness Platform Springboard is an easy-to-use landing page that presents platform-wide detections and signals in a single view to help analysts hunt and investigate faster than ever before.

Click the RSA logo at the top left corner to view the Springboard.

Springboard view

What can I do here? | Path | Show me how
View out-of-the-box panels | Springboard view | See Managing the Springboard.
Edit a panel | Springboard view | See Managing the Springboard.
Refresh a panel | Springboard view | See Managing the Springboard.
Select time range | Springboard view | See Managing the Springboard.
View all incidents, alerts, users, files, and hosts | Springboard view | See Managing the Springboard.
View details of selected incident, alert, user, file, and host | Springboard view | See Managing the Springboard.
Manage Board (add, rearrange, and delete panels) | Springboard view | See Managing the Springboard.

Go to the Master Table of Contents to find all RSA NetWitness Platform 11.x documents.

Investigate

The Investigate view is the tool for SIEM, network, and endpoint data investigation, presenting different views into a set of data. Analysts can see metadata and raw data for endpoints, logs, and events, as well as potential indicators of compromise. In addition to investigating data on a specific service, you can pivot into Investigate from Respond, the Dashboard view, an entry in a report generated by the Reporting Engine, or a properly configured third-party application.

You can begin your investigation in any Investigate view, then continue the investigation seamlessly in another Investigate view. The manner in which you proceed is determined by the question that needs to be answered. If you find an event that needs a response, you can create an incident in Respond where an incident responder will take further action. The following figure depicts the high-level flow of an investigation. The NetWitness Investigate User Guide provides detailed information.

high-level workflow in Investigate

Investigate Menu

the Investigate menu with Legacy Events enabled

The Investigate menu has the following options:

  • Navigate: The Navigate view provides a list of meta keys and meta values with a focus on metadata. You can drill into the data, search for events, open a selected event in the Events view, and look up additional context from the Context Hub service.
    the Navigate view
  • Events: The Events view (formerly Event Analysis view) is the default user interface for interacting with events. It provides a sortable list of events with focus on metadata and raw data. You can search for events, view a reconstruction that offers helpful cues to identify points of interest, pivot to standalone Endpoint, look up additional context from the Context Hub service, look up data in Live, do external lookups, and create an incident for incident responders. By default only the Events view appears in the menu, but when the Legacy Events view is enabled, both the Events view and the Legacy Events view are visible in the menu bar.
    example of the Events view

  • Legacy Events: With major functionality added to the 11.3 Events view, the Legacy Events view is no longer needed and is hidden unless the administrator enables it. The Legacy Events view provides a list of events with a focus on raw data. You can browse a simple list of events, a detailed list, and a log list. You can search for events, view a reconstruction of an event, look up additional context from the Context Hub service, and create an incident for incident responders.
    the Legacy Events view
  • Malware Analysis: Malware Analysis is an automated malware analysis processor designed to analyze certain types of file objects (for example, Windows PE, PDF, and MS Office) to assess the likelihood that a file is malicious. Using Malware Analysis, you can prioritize the massive number of files captured in order to focus analysis efforts on the files that are most likely to be malicious. 
    the Malware Analysis view, Summary of Events
What can I do here? | Path | Show me how
Configure Investigate Views and Preferences | Investigate view | See "Configuring Investigate Views and Preferences" in the NetWitness Investigate User Guide.
Browse Event Metadata | Navigate view | See "Refining the Results Set" in the NetWitness Investigate User Guide.
Browse Raw Events | Events view | See "Refining the Results Set" in the NetWitness Investigate User Guide.
Analyze Raw Events and Metadata | Events view | See "Reconstructing and Analyzing Events" in the NetWitness Investigate User Guide.
Scan Files and Events for Malware | Malware Analysis view | See the Malware Analysis User Guide.
Triage an Incident | Pivot from the Respond view | See the NetWitness Respond User Guide.

Respond

The Respond view presents analysts with a queue of incidents in severity order. When you take an incident from the queue, you receive relevant supporting data to help you investigate the incident. From there, you can determine the incident scope and escalate or remediate it as appropriate.

Respond Menu

Respond Menu

The Respond menu has the following options:

  • Incidents: The Incidents List view contains a list of all incidents with basic information. The Incident Details view provides extensive details about the incident.
  • Alerts: The Alerts List and Alert Details views provide information about all of the threat alerts and indicators received by NetWitness Platform in one location.
  • Tasks: The Tasks List view enables you to create tasks and track them to completion.

The following figure shows the Respond view - Incidents List view, which shows a list of prioritized incidents.

Respond view - Incident List view

When using NetWitness Platform as your case management tool, you can also manage incidents from this view. New incidents appear at the top of the incident queue.

The following figure shows an example of the Respond view - Incident Details view, which shows details for a selected incident.

Respond view - Incident Details view

The Respond view is designed to make it easy to evaluate incidents, contextualize that data, collaborate with other analysts, and pivot to a deep-dive investigation as needed. The following figure shows an example of an event analysis in the Incident Details view.

Respond view - Incident Details view - Events panel

The following figure shows the high-level Respond workflow process.

NetWitness Respond High-Level Workflow Process

The following figure shows the high-level process that Incident Responders use to respond to incidents in the Respond view.

This diagram shows a high-level Respond view workflow.

In the Respond view, analysts look at the prioritized list of incidents and determine which incidents require action. They click an incident for a clear picture of the incident with supporting details and they can investigate the incident further. Analysts can then determine how to respond to the threat, by escalating or remediating it.

What can I do here? | Path | Show me how
View prioritized incident lists | Respond > Incidents (Incidents List view) | See the NetWitness Respond User Guide.
Determine which incidents require action (Triage an incident) | Respond > Incidents (Incident Details view) | See the NetWitness Respond User Guide.
Investigate the incident | Respond > Incidents (Incident Details view) | See the NetWitness Respond User Guide. (You can also pivot to the Investigate view.)
Escalate or Remediate the Incident | Respond > Incidents (Incident Details view) and Respond > Tasks (Tasks List view) | See the NetWitness Respond User Guide.
Review Alerts | Respond > Alerts (Alerts List and Alert Details views) | See the NetWitness Respond User Guide.

Users

The Users view provides visibility into risky user behaviors across your enterprise with RSA NetWitness UEBA. You can view a list of high-risk users and a summary of the top alerts for risky behavior for your environment. Then you can select a user or an alert and view details about the risky behavior and a timeline during which the behaviors occurred.

The Users menu has the following options:

  • Overview: Provides an initial view into the recent and most important user or network entity activities in the environment. Each panel shows either prioritized incidents for investigation or consolidated metrics reflecting potential risks to the enterprise.
  • Entities: A proactive threat hunting console. You can use behavioral filters to build use-case-driven target lists and to continuously monitor the environment for specific risky behavior patterns.

Note: The Entities view is only available if you are assigned the role of Administrator or UEBA Analyst.

  • Alerts: Displays details about all the alerts in your environment. You can view forensic information about suspicious activity in your environment for a specific timeframe.
What can I do here? | Path | Show me how
Find Risky User Behavior | Users view | See the NetWitness UEBA User Guide.

Hosts

The Hosts view lists all hosts that have a NetWitness Endpoint agent running. You can filter hosts based on operating system, agent last seen, last scan time, risk score, and other factors. You can open a specific host to view events related to alerts, anomalies, process details, and information related to logged-in users.

Hosts view

What can I do here? | Path | Show me how
Investigate Endpoints | Hosts view | See the NetWitness Endpoint User Guide.

Files

The Files view provides a holistic view of all files in your deployment. You can apply filters, sort, and categorize files by status to reduce the number of files for analysis, and identify suspicious or malicious files.

Files view

What can I do here? | Path | Show me how
Find Suspicious Endpoint Files | Files view | See the NetWitness Endpoint User Guide.

Dashboard

A dashboard is a group of dashlets that give you the ability to view data in one space, the key snapshots of the various components that you consider important. In RSA NetWitness Platform, you can compose dashboards to obtain high-level information and metrics that portray the overall picture of a NetWitness Platform deployment, displaying only the information that is most relevant to the day-to-day operations.

This figure shows a default dashboard.

NetWitness Platform has predefined dashboards that you can select in the Dashboard view, depending on the tasks you perform. You can select the following preconfigured dashboards:

    • Default
    • Identity
    • Investigation
    • Operations - File Analysis
    • Operations - Logs
    • Operations - Network
    • Operations - Protocol Analysis
    • Overview
    • RSA SecurID
    • Threat - Hunting
    • Threat - Intrusion
    • Threat - Malware Indicators
What can I do here? | Path | Show me how
Select a Dashboard | Dashboard view | See Managing Dashboards.
Create a Dashboard | Dashboard view | See Managing Dashboards.
Manage Dashboards | Dashboard view | See Managing Dashboards.

Reports

The Reports view enables you to view and manage reports relevant to your SOC role according to your assigned permissions.

Reports Menu

Reports view

The Reports menu has the following options:

  • Manage: This panel allows you to create or modify rules, reports, charts, alerts, and lists as required.
  • View: You can view a report or a list of all reports. You can also view the scheduled reports to check the state of each scheduled report. If a scheduled report is stopped or disabled, you can start or enable it.

What can I do here? | Path | Show me how
View a Report | Reports > View | See the Reporting User Guide.
Manage Reports | Reports > Manage | See the Reporting User Guide.

Configure

The Configure view enables Threat Intel personnel (Content Experts) to configure data sources and inputs to NetWitness Platform in one convenient location.

Configure Menu

This figure shows the Configure secondary menu: Live Content, Subscriptions, Capture Policies, Incident Rules, Incident Notifications, ESA Rules, Custom Feeds, and Log Parser Rules.

The Configure menu has the following options:

  • Live Content (Live Services): The Live Content view enables you to search for and subscribe to Live Services resources. Live Services is the component of the NetWitness Platform that manages communication and synchronization between NetWitness Platform services and a library of Live content available to RSA NetWitness Platform customers. You can view, search, deploy, and subscribe to content from the RSA Live Content Management System (CMS) to NetWitness Platform services and software. When you subscribe to a resource, you agree to receive updates on a regular basis from RSA Live Services.
  • Subscriptions (Live Services): The Subscriptions view enables you to manage the Live content that you subscribed to in the Live Content view. To set up Live Services on NetWitness Platform, you configure the connection and synchronization between the CMS server and NetWitness Platform.
  • Capture Policies: The Capture Policies view enables you to set up selective network data collection, which gives you the ability to apply centrally managed capture policies across your Network Decoders. This results in better use of service resources, including hard drive space, which leads to more predictable costs and lessens the burden of managing multiple services. You can determine which traffic is stored and how it is stored by using policies. Each policy contains a list of supported base protocols and definitions for handling any other protocols that are detected.
  • Incident Rules: The Incident Rules view enables you to create incident rules with various criteria to automatically create incidents. You can view prioritized incidents in the Respond view.
  • Incident Notifications: The Incident Notifications view enables you to automatically send email notifications to SOC Managers and the Analysts assigned to the incidents when incidents are created or updated.
  • ESA Rules: The ESA Rules view enables you to manage the Event Stream Analysis (ESA) rules that specify criteria for problematic behavior or threatening events in your network. When ESA detects a threat that matches the rule criteria, it generates an alert.
    You can create ESA rules yourself or download them from Live Services. The Rule Library shows all ESA rules created or downloaded. To activate rules, you have to add them to a deployment. Deployments map rules from your rule library to the appropriate ESA services.
  • Custom Feeds (Live Services): The Custom Feeds view streamlines the task of creating and managing custom feeds, as well as populating the feeds to selected Decoders and Log Decoders. You can set up and maintain custom and identity feeds.
    NetWitness Platform uses feeds to create metadata based on externally defined metadata values. A feed is a list of data that is compared to sessions as they are captured or processed. For each match, additional metadata is created.
    You can create custom feeds to provide extra metadata extraction, for example, to accommodate custom network applications.
  • Log Parser Rules: The Log Parser Rules tab displays information about individual log parsers, as well as the default "parse all" parser, which parses logs that are not associated with a particular log parser. In this tab:
    • You can view the rules for a particular event source type, including the default parser.
    • You can view the names, literals, patterns, and metadata for each configured log parser.
    • You can add log parsers.
    • You can add, edit, and delete custom rules for log parsers.

    Note: The Log Parser Rules tab is available in the Configure menu in versions 11.2 and later. For earlier versions, it is located in Admin > Event Sources.
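
The Custom Feeds entry above describes a feed as a list of data compared against sessions, with extra metadata created for each match. The Python below is an added illustration of that mechanism (it is not part of this document and not NetWitness product code or its feed file format): the feed definitions, meta key names, CSV layout and sample sessions are all constructed for the example, and the IP ranges are documentation-reserved addresses.

```python
"""Simplified model of feed-based metadata enrichment (illustrative; not the
NetWitness feed file format). A feed is a list of rows: an index value plus
extra columns. The index is compared against one meta key of every session;
on each match the extra columns are added to the session as new meta values."""
import csv
import io
import ipaddress
from dataclasses import dataclass


@dataclass
class FeedDefinition:
    name: str
    index_key: str      # session meta key compared against the feed's index column
    value_keys: list    # meta keys that receive the extra columns, in column order
    cidr: bool = False  # True: index column holds IP addresses or CIDR blocks

# Constructed sample feeds: documentation-reserved IP ranges, made-up labels.
IP_FEED_CSV = """\
198.51.100.0/24,known-scanner,constructed-intel-list
203.0.113.7,c2-server,constructed-intel-list
"""
HOST_FEED_CSV = "updates.example.net,approved-update-server\n"

IP_FEED = FeedDefinition("ip-intel", "ip.dst", ["threat.category", "threat.source"], cidr=True)
HOST_FEED = FeedDefinition("host-allowlist", "alias.host", ["host.category"])

def load_feed(definition, text):
    """Parse CSV text into (matcher, extra_meta) rows for the given definition."""
    rows = []
    for cols in csv.reader(io.StringIO(text)):
        if not cols:
            continue
        index, extras = cols[0].strip(), [c.strip() for c in cols[1:]]
        if len(extras) != len(definition.value_keys):
            raise ValueError(f"{definition.name}: row {cols} has wrong column count")
        if definition.cidr:
            matcher = ipaddress.ip_network(index, strict=False)  # bare IP becomes a /32
        else:
            matcher = index.lower()  # literal feeds match case-insensitively
        rows.append((matcher, dict(zip(definition.value_keys, extras))))
    return rows

def _matches(definition, matcher, value):
    if not definition.cidr:
        return str(value).lower() == matcher
    try:
        return ipaddress.ip_address(value) in matcher
    except ValueError:  # non-IP value under an IP key: no match, no crash
        return False

def apply_feed(definition, rows, session):
    """Return a copy of the session (meta key -> list of values) with extra meta
    appended for every matching feed row; existing meta is never overwritten."""
    enriched = {key: list(values) for key, values in session.items()}
    for value in session.get(definition.index_key, []):
        for matcher, extra in rows:
            if _matches(definition, matcher, value):
                for key, meta_value in extra.items():
                    bucket = enriched.setdefault(key, [])
                    if meta_value not in bucket:  # several rows may add the same value
                        bucket.append(meta_value)
    return enriched

def enrich_sample_sessions():
    """Run both constructed feeds over three constructed sessions."""
    sessions = [
        {"ip.src": ["10.0.0.5"], "ip.dst": ["198.51.100.23"]},
        {"ip.src": ["10.0.0.8"], "ip.dst": ["192.0.2.10"], "alias.host": ["Updates.Example.NET"]},
        {"ip.src": ["10.0.0.9"], "ip.dst": ["203.0.113.7", "not-an-ip"]},
    ]
    feeds = [(IP_FEED, load_feed(IP_FEED, IP_FEED_CSV)),
             (HOST_FEED, load_feed(HOST_FEED, HOST_FEED_CSV))]
    results = []
    for session in sessions:
        for definition, rows in feeds:
            session = apply_feed(definition, rows, session)
        results.append(session)
    return results

if __name__ == "__main__":
    for enriched in enrich_sample_sessions():
        print(enriched)
```

The first session gains threat meta from the /24 match, the second gains only the allowlist meta (host matching ignores case), and the third shows a /32 match alongside a non-IP value that is skipped rather than failing the whole session.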

What can I do here? | Path | Show me how
Create a Live Services account. | RSA Live Registration Portal: https://cms.netwitness.com/registration/ | See the Live Services Management Guide.
Find and deploy Live Services resources. | Configure > Live Content | See the Live Services Management Guide.
Set up selective network data collection. | Configure > Capture Policies | See the Decoder Configuration Guide.
Set up Live Services on NetWitness Platform. | Configure > Subscriptions | See the Live Services Management Guide.
Create incidents automatically. | Configure > Incident Rules | See the NetWitness Respond Configuration Guide.
Configure incident notifications. | Configure > Incident Notifications | See the NetWitness Respond Configuration Guide.
Configure alerts. | Configure > ESA Rules | See the Alerting with ESA Correlation Rules User Guide.
Set up and maintain custom and identity feeds. | Configure > Custom Feeds | See the Live Services Management Guide.
View and edit log parsers and log parser rules. | Configure > Log Parser Rules | See the Log Parser Customization Guide.

Admin

In the Admin view, administrators can manage network hosts and services; monitor the health and wellness of NetWitness Platform; and manage system-level security. They can also configure global system resources and manage event sources.

Admin Menu

This figure shows the Admin secondary menu: Hosts, Services, Event Sources, Endpoint Sources, Health & Wellness, System, and Security.

The Admin menu has the following options:

  • Hosts: The Hosts view is where you set up and maintain hosts. A host is the machine on which services run and a host can be a physical or virtual machine.
  • Services: The Services view enables you to manage services, manage service users and roles, maintain service configuration files, and explore and edit service properties. A service performs a unique function, such as a Decoder service, which captures network data in packet form.
  • Event Sources: The Event Sources view enables you to manage event sources and configure alerting policies for them. Organizations typically monitor event sources in groups based on the criticality of the event sources. You can create monitoring policies for each event source group and order them based on priority.
  • Endpoint Sources: The Endpoint Sources view enables you to manage and update endpoint agent configurations through groups and to manage the agents' behavior using policies. You can either use the default policies or customize them.
  • Health & Wellness: The Health & Wellness view enables you to monitor the health of the NetWitness Platform hosts and services in your network environment.
  • System: The System view enables you to set global NetWitness Platform configurations. You can configure global audit logging, email, system logging, jobs, RSA Live Services, URL integration, Investigation, Event Stream Analysis (ESA), ESA Analytics, and advanced performance settings. In addition, you can manage NetWitness Platform versions and configure the local licensing server.
  • Security: The Admin Security view provides the capability to manage user accounts, manage user roles, map external groups to NetWitness Platform roles, and modify other security-related system parameters. These apply to the NetWitness Platform system and are used in conjunction with the security settings for individual services.

Note: For versions 11.2 and later, the Event Sources > Log Parser Rules tab can be found in the Configure view.

What can I do here? | Path | Show me how
Manage hosts. | Admin > Hosts | See the Host and Services Getting Started Guide.
Manage services, including managing service user access and security. | Admin > Services | See the Host and Services Getting Started Guide.
Manage event sources and configure alerting policies for them. | Admin > Event Sources | See the Event Source Management Guide.
Manage endpoint sources and configure alerting policies for them. | Admin > Endpoint Sources | See the Event Source Management Guide.
Set up and monitor alarms for the hosts and services in your NetWitness Platform domain. | Admin > Health & Wellness > Alarm | See the System Maintenance Guide.
Monitor statistics for the NetWitness Platform hosts and the services running on the hosts. | Admin > Health & Wellness > Monitoring | See the System Maintenance Guide.
Create and apply policies to your hosts and services to help you maintain the health and wellness of your NetWitness Platform domain. | Admin > Health & Wellness > Policies | See the System Maintenance Guide.
Set global configurations for NetWitness Platform. | Admin > System | See the System Configuration Guide.
Configure Global Audit Logging. | Admin > System > Global Auditing | See the System Configuration Guide.
Set up system security. | Admin > Security | See the System Security and User Management Guide.
Manage system users with roles and permissions. | Admin > Security | See the System Security and User Management Guide.
Set up Public Key Infrastructure (PKI) authentication. PKI is available in NetWitness Platform 11.3 and later. | Admin > Security | See the System Security and User Management Guide.
