The RSA NetWitness® Platform application is divided into five main functional areas, known as views, that are based on typical Security Operation Center (SOC) roles.
- RESPOND: This view is for Incident Responders, who can view a list of prioritized incidents to triage. These incidents come from sources such as ESA rules, NetWitness Endpoint, or ESA Analytics modules for Automated Threat Detection. You can also view all of the alerts received by NetWitness Platform here.
For legacy 10.6 users, this view was known as the Incident Management view. The Alerts List in the Respond view replaces the ESA 10.6 Alerts > Summary view.
- INVESTIGATE: This view is primarily for advanced Threat Hunters, who prefer to manually hunt for threats using NetWitness Platform metadata, raw event data, and event reconstruction and analysis. Incident Responders also use this view to get details about events associated with an incident being investigated. Both Threat Hunters and Incident Responders can use the forensic event reconstruction and event analysis features in this view.
- MONITOR: This view is for all users. You can view dashboards and reports on different areas of interest depending on your user permissions. NetWitness Platform opens to this view by default.
For legacy 10.6 users, this is the Dashboard view.
- CONFIGURE: This view is for Threat Intel personnel (Content Experts), who configure data sources and inputs to NetWitness Platform. Content Experts use this area to download and manage Live content. They can also create and manage incident and ESA rules.
For legacy 10.6 users, this view contains Live, Incidents > Configure, and Alerts > Configure from the previous version.
- ADMIN: This view is for System Administrators, who set up and maintain the overall application.
For legacy 10.6 users, this is the Administration view less the sections added to the Configure view.
Accessing Main Views
The options that open each of the main views are listed at the top of the browser window. With the appropriate permissions, you can switch to any of these views from any page of the application at any time.
Some views have secondary menus with additional views that you can select, which vary according to the tasks that you can complete. The following example shows the MONITOR menu.
In addition to the main views, there are additional options at the top of the browser window that are common to the entire application.
The following table describes these common options:
The following sections explain the main views.
The MONITOR view contains the NetWitness Platform dashboard. Monitor offers preconfigured dashboards and reports that you can use as they are, and you can also create your own.
The MONITOR menu has the following options:
- Overview: The Overview view enables you to view and manage your dashboards. You can select the following preconfigured dashboards:
  - Operations - File Analysis
  - Operations - Logs
  - Operations - Network
  - Operations - Protocol Analysis
  - RSA SecurID
  - Threat - Hunting
  - Threat - Intrusion
  - Threat - Malware Indicators
- Reports: The Reports view enables you to view and manage reports relevant to your SOC role according to your assigned permissions.
For legacy 10.6 users, this was the Dashboard view.
The Respond view presents analysts with a queue of incidents in severity order. When you take an incident from the queue, you receive relevant supporting data to help you investigate the incident. From there, you can determine the incident scope and escalate or remediate it as appropriate.
The RESPOND menu has the following options:
- Incidents: The Incidents List view contains a list of all incidents with basic information. The Incident Details view provides extensive details about the incident.
- Alerts: The Alerts List and Alert Details views provide information about all of the threat alerts and indicators received by NetWitness Platform in one location.
- Tasks: The Tasks List view enables you to create tasks and track them to completion.
The following figure shows the Respond view - Incident List view, which shows a list of prioritized incidents.
When using NetWitness Platform as your case management tool, you can also manage incidents from this view. New incidents appear at the top of the incident queue.
The following figure shows an example of the Respond view - Incident Details view, which shows details for a selected incident.
The Respond view is designed to make it easy to evaluate incidents, contextualize that data, collaborate with other analysts, and pivot to a deep-dive investigation as needed. The following figure shows an example of an event analysis in the Incident Details view.
The following figure shows a high-level Respond view workflow.
In the Respond view, analysts look at the prioritized list of incidents and determine which incidents require action. They click an incident for a clear picture of the incident with supporting details and they can investigate the incident further. Analysts can then determine how to respond to the threat, by escalating or remediating it.
The Investigate view presents seven different views into a set of data, allowing analysts to see metadata and raw data for endpoints, logs, and events, as well as potential indicators of compromise. In addition to investigating data on a specific service, you can pivot into Investigate from Respond, the Monitor view, an entry in a report generated by the Reporting Engine, or a properly configured third-party application. You can begin your investigation in any of the seven Investigate views, then continue the investigation in another Investigate view; the manner in which you proceed is determined by the question that needs to be answered. If you find an event that needs a response, you can create an incident in Respond where an incident responder will take further action. The NetWitness Investigate User Guide provides detailed information.
The INVESTIGATE menu has the following options:
- Navigate: The Navigate view provides a list of meta keys and meta values with a focus on metadata. You can drill into the data, open a selected event in the Events view or the Event Analysis view, view a reconstruction of an event, search for events, look up additional context from the Context Hub service, and configure Navigate view preferences.
- Events: The Events view provides a list of events with a focus on raw data. You can browse a simple list of events, a detailed list, and a log list. You can search for events, open a selected event in the Event Analysis view, view a reconstruction of the event, look up additional context from the Context Hub service, and configure Events view preferences.
- Event Analysis: The Event Analysis view provides a list of events with focus on metadata and raw data. You can view a reconstruction that offers helpful cues to identify points of interest in a reconstruction, jump to the Hosts view, pivot to standalone Endpoint, look up additional context from the Context Hub service (Version 11.2 and later), look up data in Live, and do external lookups.
- Hosts view: (Version 11.1 and later) The Hosts view lists all hosts with a NetWitness Endpoint Insights Agent running. For every host, you can view the processes, drivers, DLLs, files (executables), services, and autoruns running on it, along with information about logged-in users. From the Hosts view, you can go to the Navigate and Event Analysis views.
- Files view: (Version 11.1 and later) If you have a NetWitness Endpoint Insights Agent running on a host, the Files view lists all unique files found in your deployment and their associated properties. For each file, you can view details such as file size, entropy, format, company name, signature, and checksum. From the Files view, you can go to the Navigate and Event Analysis views.
- Users view: (Version 11.2 and later) The Users view provides visibility into risky user behaviors across your enterprise with RSA NetWitness UEBA. You can view a list of high-risk users and a summary of the top alerts for risky behavior for your environment, and then select a user or an alert and view details about the risky behavior and a timeline during which the behaviors occurred.
- Malware Analysis: Malware Analysis is an automated malware analysis processor designed to analyze certain types of file objects (for example, Windows PE, PDF, and MS Office) to assess the likelihood that a file is malicious. Using Malware Analysis, you can prioritize the massive number of files captured in order to focus analysis efforts on the files that are most likely to be malicious.
The following figure shows the Investigate view - Navigate view.
The following figure shows the Investigate view - Event Analysis view.
The following figure shows the Hosts view - Host Details view.
The following figure shows the Users view.
The following figure shows the Malware Analysis Summary of Events.
The following figure shows a high-level workflow of the Investigate view.
The Configure view enables Threat Intel personnel (Content Experts) to configure data sources and inputs to NetWitness Platform in one convenient location.
The CONFIGURE menu has the following options:
- Live Content: (Live Services) The Live Content view enables you to search for and subscribe to Live Services resources. Live Services is the component of the NetWitness Platform that manages communication and synchronization between NetWitness Platform services and a library of Live content available to RSA NetWitness Platform customers. You can view, search, deploy, and subscribe to content from the RSA Live Content Management System (CMS) to NetWitness Platform services and software. When you subscribe to a resource, you agree to receive updates on a regular basis from RSA Live Services.
For Legacy 10.6 users, this was Live > Search.
- Incident Rules: The Incident Rules view enables you to create incident rules with various criteria to automatically create incidents. You can view prioritized incidents in the Respond view.
For Legacy 10.6 users, this was Incidents > Configure. In 11.1 and later, Aggregation Rules are known as Incident Rules.
- Respond Notifications: The Respond Notifications view enables you to automatically send email notifications to SOC Managers and the Analysts assigned to the incidents when incidents are created or updated.
- ESA Rules: The ESA Rules view enables you to manage the Event Stream Analysis (ESA) rules that specify criteria for problem behavior or threatening events in your network. When ESA detects a threat that matches the rule criteria, it generates an alert.
You can create ESA rules yourself or download them from Live Services. The Rule Library shows all ESA rules created or downloaded. To activate rules, you have to add them to a deployment. Deployments map rules from your rule library to the appropriate ESA services.
For Legacy 10.6 users, this was Alerts > Configure.
- Subscriptions: (Live Services) The Subscriptions view enables you to manage the Live content that you subscribed to in the Live Content view. To set up Live Services on NetWitness Platform, you configure the connection and synchronization between the CMS server and NetWitness Platform.
For Legacy 10.6 users, this was Live > Configure.
- Custom Feeds: (Live Services) The Custom Feeds view streamlines the task of creating and managing custom feeds, as well as populating the feeds to selected Decoders and Log Decoders. You can set up and maintain custom and identity feeds.
NetWitness Platform uses feeds to create metadata based on externally defined metadata values. A feed is a list of data that is compared to sessions as they are captured or processed. For each match, additional metadata is created.
You can create custom feeds to provide extra metadata extraction, for example, to accommodate custom network applications.
For Legacy 10.6 users, this was Live > Feeds.
- Log Parser Rules: The Log Parser Rules tab displays information about individual log parsers, as well as the default, "parse all" parser that handles logs that are not associated with a particular log parser. From this tab you can:
  - View the rules for a particular event source type, including the default parser.
  - View the names, literals, patterns, and meta for each configured log parser.
  - Add log parsers.
  - Add, edit, and delete custom rules for log parsers.
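The two mechanisms described above, a log parser rule (a literal, a pattern, and the meta keys its captures populate) and a custom feed (a list compared against session meta, adding new meta for each match), are modeled below in Python as an added illustration. This is not NetWitness Platform code: the rule layout, the CSV feed layout, the feed definition fields, and the sample log lines are all constructed for the example; only the meta key names (ip.src, ip.dst, user.dst) follow NetWitness naming.

```python
import csv
import io
import ipaddress
import re

# Constructed sample syslog lines (not real captured data).
SAMPLE_LOGS = [
    "Jan 12 10:01:02 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=445",
    "Jan 12 10:01:05 fw01 kernel: ACCEPT IN=eth0 SRC=192.0.2.20 DST=10.0.0.8 PROTO=TCP DPT=443",
    "Jan 12 10:01:09 fw01 sshd[1234]: Failed password for root from 198.51.100.4 port 51234 ssh2",
]

# Hypothetical parser rules in the shape the Log Parser Rules tab describes:
# a name, a literal the line must contain, a pattern, and the meta key each
# capture group populates. The rules themselves are made up for this example.
PARSER_RULES = [
    {
        "name": "iptables",
        "literal": "kernel:",
        "pattern": re.compile(
            r"(?P<action>DROP|ACCEPT) IN=\S+ SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
            r"PROTO=(?P<proto>\S+) DPT=(?P<dport>\d+)"
        ),
        "meta": {"action": "action", "src": "ip.src", "dst": "ip.dst",
                 "proto": "ip.proto", "dport": "ip.dstport"},
    },
    {
        "name": "sshd",
        "literal": "Failed password",
        "pattern": re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)"),
        "meta": {"user": "user.dst", "src": "ip.src"},
    },
]

# Constructed feed: the index column holds an IP or CIDR block; the other
# columns are written as new meta whenever a session value matches.
FEED_CSV = "203.0.113.7,Scanner-Infra,high\n198.51.100.0/24,Bruteforce-Range,medium\n"
FEED_DEF = {
    "callback_keys": ["ip.src", "ip.dst"],   # meta keys compared against the feed
    "index_column": 0,
    "columns": {1: "threat.desc", 2: "threat.severity"},
}


def parse_log(line):
    """Return multi-valued meta (key -> list of values) for one log line.
    Falls back to a catch-all result, like the default 'parse all' parser,
    when no specific rule claims the line."""
    for rule in PARSER_RULES:
        if rule["literal"] not in line:
            continue  # the literal is a cheap pre-filter before the regex runs
        match = rule["pattern"].search(line)
        if match:
            meta = {"device.type": [rule["name"]]}
            for group, key in rule["meta"].items():
                meta.setdefault(key, []).append(match.group(group))
            return meta
    return {"device.type": ["unknown"], "msg": [line]}


def load_feed(csv_text, feed_def):
    """Parse the feed CSV into (network, meta-to-add) pairs."""
    entries = []
    for row in csv.reader(io.StringIO(csv_text)):
        if not row:
            continue
        net = ipaddress.ip_network(row[feed_def["index_column"]], strict=False)
        added = {key: row[col] for col, key in feed_def["columns"].items()}
        entries.append((net, added))
    return entries


def apply_feed(meta, feed_entries, feed_def):
    """Compare the callback keys of one session's meta against the feed and
    append the feed's columns as extra meta for every match."""
    for key in feed_def["callback_keys"]:
        for value in meta.get(key, []):
            try:
                addr = ipaddress.ip_address(value)
            except ValueError:
                continue  # non-IP value under an IP key; nothing to compare
            for net, added in feed_entries:
                if addr in net:
                    for new_key, new_value in added.items():
                        meta.setdefault(new_key, []).append(new_value)
    return meta


def process(lines, feed_csv=FEED_CSV, feed_def=FEED_DEF):
    """Parse each line, then enrich it with the feed, in the order a Log Decoder does."""
    entries = load_feed(feed_csv, feed_def)
    return [apply_feed(parse_log(line), entries, feed_def) for line in lines]


if __name__ == "__main__":
    for meta in process(SAMPLE_LOGS):
        print(meta)
```

Meta is kept as key-to-list throughout because NetWitness meta keys are multi-valued: a session whose source and destination both appear in the feed legitimately ends up with two threat.desc values. The literal check before the regex mirrors why parser rules carry both a literal and a pattern: the literal is a fast reject that keeps the expensive pattern off lines that cannot match.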
In the Admin view, administrators can manage network hosts and services; monitor the health and wellness of NetWitness Platform; and manage system-level security. They can also configure global system resources and manage event sources.
The ADMIN menu has the following options:
- Hosts: The Hosts view is where you set up and maintain hosts. A host is the machine on which services run and a host can be a physical or virtual machine.
- Services: The Services view enables you to manage services, manage service users and roles, maintain service configuration files, and explore and edit service properties. A service performs a unique function, such as a Decoder service, which captures network data in packet form.
- Event Sources: The Event Sources view enables you to manage event sources and configure alerting policies for them. Organizations typically monitor event sources in groups based on the criticality of the event sources. You can create monitoring policies for each event source group and order them based on priority.
- Health & Wellness: The Health & Wellness view enables you to monitor the health of the NetWitness Platform hosts and services in your network environment.
- System: The System view enables you to set global NetWitness Platform configurations. You can configure global audit logging, email, system logging, jobs, RSA Live Services, URL integration, Investigation, Event Stream Analysis (ESA), ESA Analytics, and advanced performance settings. In addition, you can manage NetWitness Platform versions and configure the local licensing server.
- Security: The Administration Security view provides the capability to manage user accounts, manage user roles, map external groups to NetWitness Platform roles, and modify other security-related system parameters. These apply to the NetWitness Platform system and are used in conjunction with the security settings for individual services.