The NetWitness Suite application is divided into five main functional areas, known as views, that are based on typical Security Operation Center (SOC) roles.
- RESPOND: This view is for Incident Responders, who can view a list of prioritized incidents to triage. These incidents come from sources such as ESA rules, NetWitness Endpoint, or ESA Analytics modules for Automated Threat Detection. You can also view all of the alerts received by NetWitness Suite here.
For legacy 10.6 users, this view was known as the Incident Management view. The Alerts List in the Respond view replaces the ESA 10.6 Alerts > Summary view.
- INVESTIGATE: This view is primarily for advanced Threat Hunters, who prefer to manually hunt for threats using NetWitness Suite metadata, event analysis, and event reconstruction. Incident Responders also use this view to get details about events associated with an incident being investigated. Both Threat Hunters and Incident Responders can use the forensic event reconstruction and event analysis features in this view.
- MONITOR: This view is for all users. You can view dashboards and reports on different areas of interest depending on your user permissions. NetWitness Suite opens to this view by default.
For legacy 10.6 users, this is the Dashboard view.
- CONFIGURE: This view is for Threat Intel (content) personnel, who configure data sources and inputs to NetWitness Suite. Threat Intel personnel use this area to download and manage Live content. They can also create and manage incident and ESA rules.
For legacy 10.6 users, this view contains Live, Incidents > Configure, and Alerts > Configure from the previous version.
- ADMIN: This view is for System Administrators, who set up and maintain the overall application.
For legacy 10.6 users, this is the Administration view less the sections added to the Configure view.
Accessing Main Views
The options that open each of the main views are listed at the top of the browser window. With the appropriate permissions, you can switch to any of these views from any page at any time.
Some views have secondary menus with additional views that you can select, which vary according to the tasks that you can complete. The following example shows the MONITOR menu.
In addition to the main views, there are additional options at the top of the browser window that are common to the entire application.
The following table describes these common options:
The following sections explain the main views.
The MONITOR view is the classic NetWitness Suite dashboard. Monitor offers preconfigured dashboards and reports that you can use as they are, or you can create your own.
The MONITOR menu has the following options:
- Overview: The Overview view enables you to view and manage your dashboards. You can select the following preconfigured dashboards:
  - Operations - File Analysis
  - Operations - Logs
  - Operations - Network
  - Operations - Protocol Analysis
  - RSA SecurID
  - Threat - Hunting
  - Threat - Intrusion
  - Threat - Malware Indicators
- Reports: The Reports view enables you to view and manage reports relevant to your SOC role according to your assigned permissions.
For legacy 10.6 users, this was the Dashboard view.
The Respond view presents analysts with a queue of incidents in severity order. When you take an incident from the queue, you receive relevant supporting data to help you investigate the incident. From there, you can determine the incident scope and escalate or remediate it as appropriate.
The RESPOND menu has the following options:
- Incidents: The Incidents List view contains a list of all incidents with basic information. The Incident Details view provides extensive details about the incident.
- Alerts: The Alerts List and Alert Details views provide information about all of the threat alerts and indicators received by NetWitness Suite in one location.
- Tasks: The Tasks List view enables you to create tasks and track them to completion.
The following figure shows the Incidents List view in the Respond view.
When using NetWitness Suite as your case management tool, you can also manage incidents as cases from this view. New incidents appear at the top of the incident queue in priority order, and incidents in progress appear below the new incidents.
The following figure shows a high level Respond view workflow.
In the Respond view, analysts look at the prioritized list of incidents and determine which incidents require action. Clicking an incident gives them a clear picture of it, with supporting details, and they can investigate the incident further. Analysts can then determine how to respond to the threat by escalating or remediating it.
The Investigate view presents three different views into a set of data, allowing analysts to see metadata, events, and potential indicators of compromise. This figure illustrates one of the views, the Navigate view, showing all data on a Concentrator being investigated.
This is an example of the Events view.
Clicking the Event Analysis link for a specific event on the Events view opens the Event Details view.
This is an example of the Malware Analysis Summary of Events.
The INVESTIGATE menu has the following options:
- Navigate: The Navigate view provides a toolbar for filtering and querying data along with a view of the metadata and a timeline visualization. Analysts can drill into the data, open selected events in the Events view, and look up additional context from the Context Hub service.
- Events view: The Events view provides a toolbar to refine the data set and a list of events. Analysts can browse a simple list of events, a detailed list, and a log list. When an interesting event is found, they can safely view a reconstruction of the event and conduct event analysis.
- Malware Analysis: The Malware Analysis view enables analysts to analyze certain types of file objects to assess the likelihood that a file is malicious. Malware Analysis is an automated malware analysis processor designed for file objects such as Windows PE, PDF, and MS Office documents. Using Malware Analysis, the malware analyst can prioritize the massive number of captured files in order to focus analysis efforts on the files that are most likely to be malicious.
To work in Investigate, analysts begin by running a query to select a subset of the collected data. Analysts can browse the data in the Navigate view, create their own queries, refine the filters, and control the way the metadata is ordered and displayed. Upon finding an event of interest, analysts explore and inspect the event details for suspicious or malicious activity. Refer to the Investigation and Malware Analysis User Guide for detailed information.
The following figure shows a high level workflow of the Investigate view.
The Configure view enables Threat Intel (content) personnel to configure data sources and inputs to NetWitness Suite in one convenient location.
The CONFIGURE menu has the following options:
- Live Content: (Live Services) The Live Content view enables you to search for and subscribe to Live Services resources. Live Services is the component of NetWitness Suite that manages communication and synchronization between NetWitness Suite services and a library of Live content available to RSA NetWitness Suite customers. You can view, search, deploy, and subscribe to content from the RSA Live Content Management System (CMS) to NetWitness Suite services and software. When you subscribe to a resource, you agree to receive updates on a regular basis from RSA Live Services.
For Legacy 10.6 users, this was Live > Search.
- Incident Rules: The Incident Rules view enables you to create aggregation rules with various criteria to automatically create incidents. You can view prioritized incidents in the Respond view.
For Legacy 10.6 users, this was Incidents > Configure.
- ESA Rules: The ESA Rules view enables you to manage the Event Stream Analysis (ESA) rules that specify criteria for problem behavior or threatening events in your network. When ESA detects a threat that matches the rule criteria, it generates an alert.
You can create ESA rules yourself or download them from Live Services. The Rule Library shows all ESA rules created or downloaded. To activate rules, you have to add them to a deployment. Deployments map rules from your rule library to the appropriate ESA services.
For Legacy 10.6 users, this was Alerts > Configure.
- Subscriptions: (Live Services) The Subscriptions view enables you to manage the Live content that you subscribed to in the Live Content view. To set up Live Services on NetWitness Suite, you configure the connection and synchronization between the CMS server and NetWitness Suite.
For Legacy 10.6 users, this was Live > Configure.
- Custom Feeds: (Live Services) The Custom Feeds view streamlines the task of creating and managing custom feeds, as well as populating the feeds to selected Decoders and Log Decoders. You can set up and maintain custom and identity feeds.
NetWitness Suite uses feeds to create metadata based on externally defined metadata values. A feed is a list of data that is compared to sessions as they are captured or processed. For each match, additional metadata is created.
You can create custom feeds to provide extra metadata extraction, for example, to accommodate custom network applications.
For Legacy 10.6 users, this was Live > Feeds.
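The feed matching described above, as an added illustration that is not NetWitness code: a constructed CSV feed is compared to each session's `ip.src` and `ip.dst` meta, and every match creates the feed's extra metadata on that session. The CSV layout, the callback-key names and the session dictionaries are assumptions of this example, not the product's feed definition format.

```python
import csv
import io

# Constructed sample feed (not an RSA-supplied feed). Column 0 is the index
# column compared to session metadata; the other columns become new metadata.
FEED_CSV = """\
ip,threat.source,threat.desc
203.0.113.10,constructed-feed,known-scanner
198.51.100.7,constructed-feed,c2-beacon
"""

# Assumed feed definition: the session meta keys the index column is compared
# to (NetWitness calls these the feed's callback keys).
CALLBACK_KEYS = ("ip.src", "ip.dst")


def load_feed(csv_text):
    """Parse the feed CSV into {index_value: {meta_key: meta_value}}."""
    reader = csv.reader(io.StringIO(csv_text))
    header = next(reader)
    feed = {}
    for row in reader:
        if len(row) != len(header):
            continue  # skip a malformed row instead of rejecting the whole feed
        feed[row[0].strip()] = dict(zip(header[1:], (v.strip() for v in row[1:])))
    return feed


def enrich_session(session, feed, callback_keys=CALLBACK_KEYS):
    """Compare each callback-key value to the feed; return the metadata created."""
    created = {}
    for key in callback_keys:
        values = session.get(key, [])
        # Session meta is multi-valued: a key may hold a list or a single value.
        for value in (values if isinstance(values, list) else [values]):
            for meta_key, meta_value in feed.get(str(value).strip(), {}).items():
                if meta_value not in created.setdefault(meta_key, []):
                    created[meta_key].append(meta_value)
    return created


# Constructed sessions standing in for captured or parsed traffic.
SESSIONS = [
    {"ip.src": "10.0.0.5", "ip.dst": "203.0.113.10", "service": 443},
    {"ip.src": "10.0.0.6", "ip.dst": ["192.0.2.1", "198.51.100.7"]},
    {"ip.src": "10.0.0.7", "ip.dst": "192.0.2.2"},
]


def enrich_all(sessions=SESSIONS, csv_text=FEED_CSV):
    """Run the feed over every session; one result dict per session."""
    feed = load_feed(csv_text)
    return [enrich_session(s, feed) for s in sessions]
```

The third session matches nothing and receives an empty dict, which is the normal case for most traffic; only feed hits add meta.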
In the Admin view, Administrators can manage network hosts and services; monitor the health and wellness of NetWitness Suite; and manage system-level security. They can also configure global system resources and manage event sources.
The ADMIN menu has the following options:
- Hosts: The Hosts view is where you set up and maintain hosts. A host is the machine on which services run and a host can be a physical or virtual machine.
- Services: The Services view enables you to manage services, manage service users and roles, maintain service configuration files, and explore and edit service properties. A service performs a specific function; for example, a Decoder service captures network data in packet form.
- Event Sources: The Event Sources view enables you to manage event sources and configure alerting policies for them. Organizations typically monitor event sources in groups based on the criticality of the event sources. You can create monitoring policies for each event source group and order them based on priority.
- Health & Wellness: The Health & Wellness view enables you to monitor the health of the NetWitness Suite hosts and services in your network environment.
- System: The System view enables you to set global NetWitness Suite configurations. You can configure global audit logging, email, system logging, jobs, RSA Live Services, URL integration, Investigation, Event Stream Analysis (ESA), ESA Analytics, and advanced performance settings. In addition, you can manage NetWitness Suite versions and configure the local licensing server.
- Security: The Administration Security view provides the capability to manage user accounts, manage user roles, map external groups to NetWitness Suite roles, and modify other security-related system parameters. These apply to the NetWitness Suite system and are used in conjunction with the security settings for individual services.