NW: NetWitness Suite Basic Navigation

Document created by RSA Information Design and Development on Sep 18, 2017. Last modified by RSA Information Design and Development on Mar 27, 2018. Version 6.

The NetWitness Suite application is divided into five main functional areas, known as views, that are based on typical Security Operation Center (SOC) roles.

This image shows the NetWitness Suite login dialog and the five top-level menu items: Respond, Investigate, Monitor, Configure, and Admin.

  • RESPOND: This view is for Incident Responders, who can view a list of prioritized incidents to triage. These incidents come from sources such as ESA rules, NetWitness Endpoint, or ESA Analytics modules for Automated Threat Detection. You can also view all of the alerts received by NetWitness Suite here.
    For legacy 10.6 users, this view was known as the Incident Management view. The Alerts List in the Respond view replaces the ESA 10.6 Alerts > Summary view.
  • INVESTIGATE: This view is primarily for advanced Threat Hunters, who prefer to manually hunt for threats using NetWitness Suite metadata, raw event data, and event reconstruction and analysis. Incident Responders also use this view to get details about events associated with an incident being investigated. Both Threat Hunters and Incident Responders can use the forensic event reconstruction and event analysis features in this view.
  • MONITOR: This view is for all users. You can view dashboards and reports on different areas of interest depending on your user permissions. NetWitness Suite opens to this view by default.
    For legacy 10.6 users, this is the Dashboard view.
  • CONFIGURE: This view is for Threat Intel (content) personnel, who configure data sources and inputs to NetWitness Suite. Threat Intel personnel use this area to download and manage Live content. They can also create and manage incident and ESA rules.
    For legacy 10.6 users, this view contains Live, Incidents > Configure, and Alerts > Configure from the previous version.
  • ADMIN: This view is for System Administrators, who set up and maintain the overall application.
    For legacy 10.6 users, this is the Administration view less the sections added to the Configure view.

Accessing Main Views

The options that open each of the main views are listed at the top of the browser window. With the appropriate permissions, you can access any of these views at the top of every browser window at any time.

This figure shows the NetWitness Suite main menu.

Secondary Menus

Some views have secondary menus with additional views that you can select, which vary according to the tasks that you can complete. The following example shows the MONITOR menu.

This figure shows the Monitor menu as an example of a secondary menu.

Additional Options

In addition to the main views, there are additional options at the top of the browser window that are common to the entire application.


This figure shows the common options available from a classic view. They are Notifications, Preferences, and Help.

The following table describes these common options:

Common Option                              | Name             | Description
Jobs icon                                  | Jobs             | In the INVESTIGATE, MONITOR, CONFIGURE, and ADMIN views, click this icon to view and manage your jobs in the Jobs tray. Jobs are on-demand or scheduled tasks that take some time to complete in the NetWitness Suite application.
Notifications icon                         | Notifications    | Click this icon to view notifications from the application.
User Preferences icon (showing username)   | User Preferences | Click this icon to view your available user preference options. You can manage your user preferences and log out of NetWitness Suite.
User Profile menu options (classic views only) | User Profile | Click your user profile to view the available options. You can manage your user preferences, change your password, and log out of NetWitness Suite.
Help icon                                  | Help             | Click this icon to view NetWitness Suite help topics.

Main Views

The following sections explain the main views.

MONITOR

The MONITOR view contains the NetWitness Suite dashboard. Monitor offers preconfigured dashboards and reports that you can use or you can create your own.

This figure shows an example Monitor view showing the default dashboard.

MONITOR Menu

This figure shows the Monitor secondary menu: Overview, Reports, and Alerts.

The MONITOR menu has the following options:

  • Overview: The Overview view enables you to view and manage your dashboards. You can select the following preconfigured dashboards:
    • Default
    • Identity
    • Investigation
    • Operations - File Analysis
    • Operations - Logs
    • Operations - Network
    • Operations - Protocol Analysis
    • Overview
    • RSA SecurID
    • Threat - Hunting
    • Threat - Intrusion
    • Threat - Malware Indicators

    For legacy 10.6 users, this was the Dashboard view.

  • Reports: The Reports view enables you to view and manage reports relevant to your SOC role according to your assigned permissions.

What can I do here?  | Path                       | Show me how
Select a Dashboard   | MONITOR > Overview         | See Setting Up a Dashboard.
Create a Dashboard   | MONITOR > Overview         | See Setting Up a Dashboard.
Manage Dashboards    | MONITOR > Overview         | See Setting Up a Dashboard.
View a Report        | MONITOR > Reports > View   | See the Reporting Guide.
Manage Reports       | MONITOR > Reports > Manage | See the Reporting Guide.

RESPOND

The Respond view presents analysts with a queue of incidents in severity order. When you take an incident from the queue, you receive relevant supporting data to help you investigate the incident. From there, you can determine the incident scope and escalate or remediate it as appropriate.

RESPOND Menu

This figure shows the Respond secondary menu: Incidents, Alerts, and Tasks.

The RESPOND menu has the following options:

  • Incidents: The Incidents List view contains a list of all incidents with basic information. The Incident Details view provides extensive details about the incident.
  • Alerts: The Alerts List and Alert Details views provide information about all of the threat alerts and indicators received by NetWitness Suite in one location.
  • Tasks: The Tasks List view enables you to create tasks and track them to completion.

The following figure shows the Respond view - Incident List view.

The following figure shows an example of the Respond view - Incident Details view.

When using NetWitness Suite as your case management tool, you can also manage incidents as cases from this view. New incidents appear at the top of the incident queue in priority order, and incidents in progress are listed below the new incidents.

The following figure shows a high-level Respond view workflow.

In the Respond view, analysts look at the prioritized list of incidents and determine which incidents require action. They click an incident for a clear picture of the incident with supporting details and they can investigate the incident further. Analysts can then determine how to respond to the threat, by escalating or remediating it.


What can I do here?                                           | Path                                                                               | Show me how
View prioritized incident lists                               | RESPOND > Incidents (Incident List view)                                           | See the NetWitness Respond User Guide.
Determine which incidents require action (Triage an incident) | RESPOND > Incidents (Incident Details view)                                        | See the NetWitness Respond User Guide.
Investigate the incident                                      | RESPOND > Incidents (Incident Details view)                                        | See the NetWitness Respond User Guide. (You can also pivot to the Investigate view.)
Escalate or Remediate the Incident                            | RESPOND > Incidents (Incident Details view) and RESPOND > Tasks (Tasks List view) | See the NetWitness Respond User Guide.
Review Alerts                                                 | RESPOND > Alerts (Alerts List and Alert Details views)                             | See the NetWitness Respond User Guide.

INVESTIGATE

The Investigate view presents six different views into a set of data, allowing analysts to see metadata, endpoint data, logs, events, and potential indicators of compromise. In addition to investigating data on a specific service, you can pivot into Investigate from Respond, the Monitor view, an entry in a report generated by the Reporting Engine, or a properly configured third-party application. You can begin your investigation in any of the six Investigate views, then continue the investigation in another Investigate view; the manner in which you proceed is determined by the question that needs to be answered. If you find an event that needs a response, you can create an incident in Respond where an incident responder will take further action. The NetWitness Investigate User Guide provides detailed information.

INVESTIGATE Menu

This figure shows the Investigate secondary menu: Navigate, Events, Event Analysis, Hosts, Files, and Malware Analysis.

The INVESTIGATE menu has the following options:

  • Navigate: The Navigate view provides a list of meta keys and meta values with a focus on metadata. You can drill into the data, open a selected event in the Events view or the Event Analysis view, view a reconstruction of an event, search for events, look up additional context from the Context Hub service, and configure Navigate view preferences.
  • Events: The Events view provides a list of events with a focus on raw data. You can browse a simple list of events, a detailed list, and a log list. You can search for events, open a selected event in the Event Analysis view, view a reconstruction of the event, conduct event analysis, and configure Events view preferences.
  • Event Analysis: The Event Analysis view provides a list of events with focus on metadata and raw data. You can view a reconstruction that offers helpful cues to identify points of interest in a reconstruction, jump to the Hosts view, pivot to standalone Endpoint, look up data in Live, and do external lookups.
  • Hosts view: (Version 11.1 and later) The Hosts view lists all hosts with a NetWitness Endpoint Insights Agent running. For every host, you can view processes, drivers, DLLs, files (executables), services, and autoruns that are running, and information related to logged-in users. From the Hosts view, you can go to the Navigate and Event Analysis views.
  • Files view: (Version 11.1 and later) The Files view lists all unique files found in your deployment and their associated properties. For each file, you can view details such as file size, entropy, format, company name, signature, and checksum. From the Files view, you can go to the Navigate and Event Analysis views.
  • Malware Analysis: Malware Analysis is an automated malware analysis processor designed to analyze certain types of file objects (for example, Windows PE, PDF, and MS Office) to assess the likelihood that a file is malicious. Using Malware Analysis, you can prioritize the massive number of files captured in order to focus analysis efforts on the files that are most likely to be malicious.

The following figure shows the Investigate view - Navigate view.

The following figure shows the Investigate view - Event Analysis view.

The following figure shows the Hosts view - Host Details view.

The following figure shows the Malware Analysis Summary of Events.

The following figure shows a high-level workflow of the Investigate view.


What can I do here?               | Path                  | Show me how
Browse Event Metadata             | Navigate view         | See "Investigating Metadata in the Navigate View" in the NetWitness Investigate User Guide.
Browse Raw Events                 | Events view           | See "Examining Raw Events in the Events View" in the NetWitness Investigate User Guide.
Analyze Raw Events and Metadata   | Event Analysis view   | See "Examining Metadata and Raw Events in the Event Analysis View" in the NetWitness Investigate User Guide.
Investigate Endpoints             | Hosts view            | See "Investigating Hosts and Files" in the NetWitness Investigate User Guide.
Find Suspicious Endpoint Files    | Files view            | See "Investigating Hosts and Files" in the NetWitness Investigate User Guide.
Scan Files and Events for Malware | Malware Analysis view | See "Conducting Malware Analysis" in the NetWitness Investigate User Guide.

CONFIGURE

The Configure view enables Threat Intel (content) personnel to configure data sources and inputs to NetWitness Suite in one convenient location.

CONFIGURE Menu

This figure shows the Configure secondary menu: Live Content, Incident Rules, ESA Rules, Subscriptions, and Custom Feeds.

The CONFIGURE menu has the following options:

  • Live Content: (Live Services) The Live Content view enables you to search for and subscribe to Live Services resources. Live Services is the component of the NetWitness Suite that manages communication and synchronization between NetWitness Suite services and a library of Live content available to RSA NetWitness Suite customers. You can view, search, deploy, and subscribe to content from the RSA Live Content Management System (CMS) to NetWitness Suite services and software. When you subscribe to a resource, you agree to receive updates on a regular basis from RSA Live Services.
    For Legacy 10.6 users, this was Live > Search.
  • Incident Rules: The Incident Rules view enables you to create incident rules with various criteria to automatically create incidents. You can view prioritized incidents in the Respond view.
    For Legacy 10.6 users, this was Incidents > Configure. In 11.1 and later, Aggregation Rules are known as Incident Rules.
  • Respond Notifications: The Respond Notifications view enables you to automatically send email notifications to SOC Managers and the Analysts assigned to the incidents when incidents are created or updated.
  • ESA Rules: The ESA Rules view enables you to manage the Event Stream Analysis (ESA) rules that specify criteria for problem behavior or threatening events in your network. When ESA detects a threat that matches the rule criteria, it generates an alert.
    You can create ESA rules yourself or download them from Live Services. The Rule Library shows all ESA rules created or downloaded. To activate rules, you have to add them to a deployment. Deployments map rules from your rule library to the appropriate ESA services.
    For Legacy 10.6 users, this was Alerts > Configure.
  • Subscriptions: (Live Services) The Subscriptions view enables you to manage the Live content that you subscribed to in the Live Content view. To set up Live Services on NetWitness Suite, you configure the connection and synchronization between the CMS server and NetWitness Suite.
    For Legacy 10.6 users, this was Live > Configure.
  • Custom Feeds: (Live Services) The Custom Feeds view streamlines the task of creating and managing custom feeds, as well as populating the feeds to selected Decoders and Log Decoders. You can set up and maintain custom and identity feeds.
    NetWitness Suite uses feeds to create metadata based on externally defined metadata values. A feed is a list of data that is compared to sessions as they are captured or processed. For each match, additional metadata is created.
    You can create custom feeds to provide extra metadata extraction, for example, to accommodate custom network applications.
    For Legacy 10.6 users, this was Live > Feeds.

What can I do here?                             | Path                                                                    | Show me how
Create a Live Services account.                 | RSA Live Registration Portal: https://cms.netwitness.com/registration/ | See the Live Services Management Guide.
Find and deploy Live Services resources.        | CONFIGURE > Live Content                                                | See the Live Services Management Guide.
Create incidents automatically.                 | CONFIGURE > Incident Rules                                              | See the NetWitness Respond Configuration Guide.
Configure Respond notifications.                | CONFIGURE > Respond Notifications                                       | See the NetWitness Respond Configuration Guide.
Configure alerts.                               | CONFIGURE > ESA Rules                                                   | See the Alerting with ESA Correlation Rules User Guide.
Set up Live Services on NetWitness Suite.       | CONFIGURE > Subscriptions                                               | See the Live Services Management Guide.
Set up and maintain custom and identity feeds.  | CONFIGURE > Custom Feeds                                                | See the Live Services Management Guide.

ADMIN

In the Admin view, Administrators can manage network hosts and services; monitor the Health & Wellness of NetWitness Suite; and manage system-level security. They can also configure global system resources and manage event sources.

ADMIN Menu

This figure shows the Admin secondary menu: Hosts, Services, Event Sources, Health & Wellness, System, and Security.

The ADMIN menu has the following options:

  • Hosts: The Hosts view is where you set up and maintain hosts. A host is the machine on which services run and a host can be a physical or virtual machine.
  • Services: The Services view enables you to manage services, manage service users and roles, maintain service configuration files, and explore and edit service properties. A service performs a unique function, such as a Decoder service, which captures network data in packet form.
  • Event Sources: The Event Sources view enables you to manage event sources and configure alerting policies for them. Organizations typically monitor event sources in groups based on the criticality of the event sources. You can create monitoring policies for each event source group and order them based on priority.
  • Health & Wellness: The Health & Wellness view enables you to monitor the health of the NetWitness Suite hosts and services in your network environment.
  • System: The System view enables you to set global NetWitness Suite configurations. You can configure global audit logging, email, system logging, jobs, RSA Live Services, URL integration, Investigation, Event Stream Analysis (ESA), ESA Analytics, and advanced performance settings. In addition, you can manage NetWitness Suite versions and configure the local licensing server.
  • Security: The Administration Security view provides the capability to manage user accounts, manage user roles, map external groups to NetWitness Suite roles, and modify other security-related system parameters. These apply to the NetWitness Suite system and are used in conjunction with the security settings for individual services.

What can I do here?                                                                                                                | Path                                   | Show me how
Manage hosts.                                                                                                                      | ADMIN > Hosts                          | See the Host and Services Getting Started Guide.
Manage services, including managing service user access and security.                                                             | ADMIN > Services                       | See the Host and Services Getting Started Guide.
Manage event sources and configure alerting policies for them.                                                                     | ADMIN > Event Sources                  | See the Event Source Management Guide.
Set up and monitor alarms for the hosts and services in your NetWitness Suite domain.                                              | ADMIN > Health & Wellness > Alarm      | See the System Maintenance Guide.
Monitor statistics for the NetWitness Suite hosts and the services running on the hosts.                                           | ADMIN > Health & Wellness > Monitoring | See the System Maintenance Guide.
Create and apply policies to your hosts and services to help you maintain the health and wellness of your NetWitness Suite domain. | ADMIN > Health & Wellness > Policies   | See the System Maintenance Guide.
Set global configurations for NetWitness Suite.                                                                                    | ADMIN > System                         | See the System Configuration Guide.
Configure Global Audit Logging.                                                                                                    | ADMIN > System > Global Auditing       | See the System Configuration Guide.
Set up system security.                                                                                                            | ADMIN > Security                       | See the System Security and User Management Guide.
Manage system users with roles and permissions.                                                                                    | ADMIN > Security                       | See the System Security and User Management Guide.
