NW: NetWitness Platform Basic Navigation

Document created by RSA Information Design and Development on Sep 18, 2017
Last modified by RSA Information Design and Development on Sep 11, 2018
Version 7
 

The RSA NetWitness® Platform application is divided into five main functional areas, known as views, that are based on typical Security Operation Center (SOC) roles.

This image shows the NetWitness Platform log in dialog and the five top-level menu items: Respond, Investigate, Monitor, Configure, and Admin.

  • RESPOND: This view is for Incident Responders, who can view a list of prioritized incidents to triage. These incidents come from sources such as ESA rules, NetWitness Endpoint, or ESA Analytics modules for Automated Threat Detection. You can also view all of the alerts received by NetWitness Platform here.
    For legacy 10.6 users, this view was known as the Incident Management view. The Alerts List in the Respond view replaces the ESA 10.6 Alerts > Summary view.
  • INVESTIGATE: This view is primarily for advanced Threat Hunters, who prefer to manually hunt for threats using NetWitness Platform metadata, raw event data, and event reconstruction and analysis. Incident Responders also use this view to get details about events associated with an incident being investigated. Both Threat Hunters and Incident Responders can use the forensic event reconstruction and event analysis features in this view.
  • MONITOR: This view is for all users. You can view dashboards and reports on different areas of interest depending on your user permissions. NetWitness Platform opens to this view by default.
    For legacy 10.6 users, this is the Dashboard view.
  • CONFIGURE: This view is for Threat Intel personnel (Content Experts), who configure data sources and inputs to NetWitness Platform. Content Experts use this area to download and manage Live content. They can also create and manage incident and ESA rules.
    For legacy 10.6 users, this view contains Live, Incidents > Configure, and Alerts > Configure from the previous version.
  • ADMIN: This view is for System Administrators, who set up and maintain the overall application.
    For legacy 10.6 users, this is the Administration view less the sections added to the Configure view.

Accessing Main Views

The options that open each of the main views are listed at the top of every browser window. With the appropriate permissions, you can switch to any of these views from there at any time.

This figure shows the NetWitness Suite main menu.

Secondary Menus

Some views have secondary menus with additional views that you can select, which vary according to the tasks that you can complete. The following example shows the MONITOR menu.

This figure shows the Monitor menu as an example of a secondary menu.

Additional Options

In addition to the main views, there are additional options at the top of the browser window that are common to the entire application.


This figure shows the common options available from a classic view. They are Notifications, Preferences, and Help.

The following table describes these common options:

Common Option | Name | Description
Jobs icon | Jobs | In the INVESTIGATE, MONITOR, CONFIGURE, and ADMIN views, click this icon to view and manage your jobs in the Jobs tray. Jobs are on-demand or scheduled tasks that take some time to complete in the NetWitness Platform application.
Notifications icon | Notifications | Click this icon to view notifications from the application.
User Preferences icon (shows your username) | User Preferences | Click this icon to view your available user preference options. You can manage your user preferences and log out of NetWitness Platform.
User Profile menu options | User Profile | Click your user profile to view the available options. You can manage your user preferences, change your password, and log out of NetWitness Platform.
Help icon | Help | Click this icon to view NetWitness Platform help topics.

Main Views

The following sections explain the main views.

MONITOR

The MONITOR view contains the NetWitness Platform dashboard. Monitor offers preconfigured dashboards and reports that you can use and you can also create your own.

This figure shows an example Monitor view showing the default dashboard.

MONITOR Menu

This figure shows the Monitor secondary menu: Overview, Reports, and Alerts.

The MONITOR menu has the following options:

  • Overview: The Overview view enables you to view and manage your dashboards. You can select the following preconfigured dashboards:
    • Default
    • Identity
    • Investigation
    • Operations - File Analysis
    • Operations - Logs
    • Operations - Network
    • Operations - Protocol Analysis
    • Overview
    • RSA SecurID
    • Threat - Hunting
    • Threat - Intrusion
    • Threat - Malware Indicators

    For legacy 10.6 users, this was the Dashboard view.

  • Reports: The Reports view enables you to view and manage reports relevant to your SOC role according to your assigned permissions.
What can I do here? | Path | Show me how
Select a Dashboard | MONITOR > Overview | See Managing Dashboards.
Create a Dashboard | MONITOR > Overview | See Managing Dashboards.
Manage Dashboards | MONITOR > Overview | See Managing Dashboards.
View a Report | MONITOR > Reports > View | See the Reporting Guide.
Manage Reports | MONITOR > Reports > Manage | See the Reporting Guide.

RESPOND

The Respond view presents analysts with a queue of incidents in severity order. When you take an incident from the queue, you receive relevant supporting data to help you investigate the incident. From there, you can determine the incident scope and escalate or remediate it as appropriate.

RESPOND Menu

This figure shows the Respond secondary menu: Incidents, Alerts, and Tasks.

The RESPOND menu has the following options:

  • Incidents: The Incidents List view contains a list of all incidents with basic information. The Incident Details view provides extensive details about the incident.
  • Alerts: The Alerts List and Alert Details views provide information about all of the threat alerts and indicators received by NetWitness Platform in one location.
  • Tasks: The Tasks List view enables you to create tasks and track them to completion.

The following figure shows the Respond view - Incident List view, which shows a list of prioritized incidents.

When using NetWitness Platform as your case management tool, you can also manage incidents from this view. New incidents appear at the top of the incident queue.

The following figure shows an example of the Respond view - Incident Details view, which shows details for a selected incident.

The Respond view is designed to make it easy to evaluate incidents, contextualize that data, collaborate with other analysts, and pivot to a deep-dive investigation as needed. The following figure shows an example of an event analysis in the Incident Details view.

The following figure shows a high-level Respond view workflow.

This diagram shows a high-level Respond view workflow.

In the Respond view, analysts look at the prioritized list of incidents and determine which incidents require action. They click an incident for a clear picture of the incident with supporting details and they can investigate the incident further. Analysts can then determine how to respond to the threat, by escalating or remediating it.

What can I do here? | Path | Show me how
View prioritized incident lists | RESPOND > Incidents (Incident List view) | See the NetWitness Respond User Guide.
Determine which incidents require action (Triage an incident) | RESPOND > Incidents (Incident Details view) | See the NetWitness Respond User Guide.
Investigate the incident | RESPOND > Incidents (Incident Details view) | See the NetWitness Respond User Guide. (You can also pivot to the Investigate view.)
Escalate or Remediate the Incident | RESPOND > Incidents (Incident Details view) and RESPOND > Tasks (Tasks List view) | See the NetWitness Respond User Guide.
Review Alerts | RESPOND > Alerts (Alerts List and Alert Details views) | See the NetWitness Respond User Guide.

INVESTIGATE

The Investigate view presents seven different views into a set of data, allowing analysts to see metadata and raw data for endpoints, logs, and events, as well as potential indicators of compromise. In addition to investigating data on a specific service, you can pivot into Investigate from Respond, the Monitor view, an entry in a report generated by the Reporting Engine, or a properly configured third-party application. You can begin your investigation in any of the seven Investigate views, then continue the investigation in another Investigate view; the manner in which you proceed is determined by the question that needs to be answered. If you find an event that needs a response, you can create an incident in Respond where an incident responder will take further action. The NetWitness Investigate User Guide provides detailed information.

INVESTIGATE Menu

This figure shows the Investigate secondary menu: Navigate, Events, Event Analysis, Hosts, Files, Users, and Malware Analysis.

The INVESTIGATE menu has the following options:

  • Navigate: The Navigate view provides a list of meta keys and meta values with a focus on metadata. You can drill into the data, open a selected event in the Events view or the Event Analysis view, view a reconstruction of an event, search for events, look up additional context from the Context Hub service, and configure Navigate view preferences.
  • Events: The Events view provides a list of events with a focus on raw data. You can browse a simple list of events, a detailed list, and a log list. You can search for events, open a selected event in the Event Analysis view, view a reconstruction of the event, look up additional context from the Context Hub service, and configure Events view preferences.
  • Event Analysis: The Event Analysis view provides a list of events with focus on metadata and raw data. You can view a reconstruction that offers helpful cues to identify points of interest in a reconstruction, jump to the Hosts view, pivot to standalone Endpoint, look up additional context from the Context Hub service (Version 11.2 and later), look up data in Live, and do external lookups.
  • Hosts view: (Version 11.1 and later) The Hosts view lists all hosts with a NetWitness Endpoint Insights Agent running. For every host, you can view processes, drivers, DLLs, files (executables), services, and autoruns that are running, and information related to logged-in users. From the Hosts view, you can go to the Navigate and Event Analysis views.
  • Files view: (Version 11.1 and later) If you have a NetWitness Endpoint Insights Agent running on a host, the Files view lists all unique files found in your deployment and their associated properties. For each file, you can view details such as file size, entropy, format, company name, signature, and checksum. From the Files view, you can go to the Navigate and Event Analysis views.
  • Users view: (Version 11.2 and later) The Users view provides visibility into risky user behaviors across your enterprise with RSA NetWitness UEBA. You can view a list of high-risk users and a summary of the top alerts for risky behavior for your environment, and then select a user or an alert and view details about the risky behavior and a timeline during which the behaviors occurred.
    Note: The Users view is only available if you are assigned the Administrators role or the UEBA Analyst role.

  • Malware Analysis: Malware Analysis is an automated malware analysis processor designed to analyze certain types of file objects (for example, Windows PE, PDF, and MS Office) to assess the likelihood that a file is malicious. Using Malware Analysis, you can prioritize the massive number of files captured in order to focus analysis efforts on the files that are most likely to be malicious. 

The following figure shows the Investigate view - Navigate view.

The following figure shows the Investigate view - Event Analysis view.

The following figure shows the Hosts view - Host Details view.

The following figure shows the Users view.

The following figure shows the Malware Analysis Summary of Events.

The following figure shows a high-level workflow of the Investigate view.

What can I do here? | Path | Show me how
Browse Event Metadata | Navigate view | See "Investigating Metadata in the Navigate View" in the NetWitness Investigate User Guide.
Browse Raw Events | Events view | See "Examining Raw Events in the Events View" in the NetWitness Investigate User Guide.
Analyze Raw Events and Metadata | Event Analysis view | See "Examining Metadata and Raw Events in the Event Analysis View" in the NetWitness Investigate User Guide.
Investigate Endpoints | Hosts view | See "Investigating Hosts and Files" in the NetWitness Investigate User Guide.
Find Suspicious Endpoint Files | Files view | See "Investigating Hosts and Files" in the NetWitness Investigate User Guide.
Scan Files and Events for Malware | Malware Analysis view | See "Conducting Malware Analysis" in the NetWitness Investigate User Guide.
Detect Suspicious User Behavior | Users view | See the RSA NetWitness UEBA User Guide.

CONFIGURE

The Configure view enables Threat Intel personnel (Content Experts) to configure data sources and inputs to NetWitness Platform in one convenient location.

CONFIGURE Menu

This figure shows the Configure secondary menu: Live Content, Incident Rules, ESA Rules, Subscriptions, and Custom Feeds.

The CONFIGURE menu has the following options:

  • Live Content: (Live Services) The Live Content view enables you to search for and subscribe to Live Services resources. Live Services is the component of the NetWitness Platform that manages communication and synchronization between NetWitness Platform services and a library of Live content available to RSA NetWitness Platform customers. You can view, search, deploy, and subscribe to content from the RSA Live Content Management System (CMS) to NetWitness Platform services and software. When you subscribe to a resource, you agree to receive updates on a regular basis from RSA Live Services.
    For Legacy 10.6 users, this was Live > Search.
  • Incident Rules: The Incident Rules view enables you to create incident rules with various criteria to automatically create incidents. You can view prioritized incidents in the Respond view.
    For Legacy 10.6 users, this was Incidents > Configure. In 11.1 and later, Aggregation Rules are known as Incident Rules.
  • Respond Notifications: The Respond Notifications view enables you to automatically send email notifications to SOC Managers and the Analysts assigned to the incidents when incidents are created or updated.
  • ESA Rules: The ESA Rules view enables you to manage the Event Stream Analysis (ESA) rules that specify criteria for problem behavior or threatening events in your network. When ESA detects a threat that matches the rule criteria, it generates an alert.
    You can create ESA rules yourself or download them from Live Services. The Rule Library shows all ESA rules created or downloaded. To activate rules, you have to add them to a deployment. Deployments map rules from your rule library to the appropriate ESA services.
    For Legacy 10.6 users, this was Alerts > Configure.
  • Subscriptions: (Live Services) The Subscriptions view enables you to manage the Live content that you subscribed to in the Live Content view. To set up Live Services on NetWitness Platform, you configure the connection and synchronization between the CMS server and NetWitness Platform.
    For Legacy 10.6 users, this was Live > Configure.
  • Custom Feeds: (Live Services) The Custom Feeds view streamlines the task of creating and managing custom feeds, as well as populating the feeds to selected Decoders and Log Decoders. You can set up and maintain custom and identity feeds.
    NetWitness Platform uses feeds to create metadata based on externally defined metadata values. A feed is a list of data that is compared to sessions as they are captured or processed. For each match, additional metadata is created.
    You can create custom feeds to provide extra metadata extraction, for example, to accommodate custom network applications.
    For Legacy 10.6 users, this was Live > Feeds.
  • Log Parser Rules: The Log Parser Rules tab displays information about individual log parsers, as well as the default "parse all" parser that handles logs that are not associated with a particular log parser. From this tab, you can:
    • View the rules for a particular event source type, including the default parser.
    • View the Names, Literals, patterns, and meta for each configured log parser.
    • Add log parsers.
    • Add, edit, and delete custom rules for log parsers.

    Note: The Log Parser Rules tab is available in the Configure menu in versions 11.2 and later. For earlier versions, it is located in Admin > Event Sources.
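The two mechanisms described above, a log parser rule (a literal that selects the rule, a pattern, and the meta it creates) and a custom feed (a list of values compared against session meta, creating extra meta on each match), are easiest to understand as one pipeline. The following is an added example written for this page; it is not NetWitness code and does not use the NetWitness parser or feed file formats. The rules, feeds, meta key names and sshd log lines are all constructed for illustration, and the default "parse all" behaviour is modelled as keeping only the raw message when no rule matches.

```python
import re
from dataclasses import dataclass

# Illustrative model only (not the NetWitness parser or feed file format).
# A parser rule pairs a literal that selects the rule with a regex whose named
# groups become meta; a feed maps values of one "callback" meta key to extra meta.


@dataclass(frozen=True)
class ParserRule:
    name: str
    literal: str          # substring that must be present before the pattern is tried
    pattern: re.Pattern   # named groups populate meta keys (ip.src, user.dst, ...)


# Constructed rules for two sshd message types (assumed, not vendor-supplied).
PARSER_RULES = [
    ParserRule(
        "sshd_failed_password",
        "Failed password",
        re.compile(r"Failed password for (?:invalid user )?(?P<user_dst>\S+) "
                   r"from (?P<ip_src>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port_src>\d+)"),
    ),
    ParserRule(
        "sshd_accepted",
        "Accepted",
        re.compile(r"Accepted (?P<auth_method>\w+) for (?P<user_dst>\S+) "
                   r"from (?P<ip_src>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port_src>\d+)"),
    ),
]

# Regex group names cannot contain dots, so map them to dotted meta key names.
META_KEY_NAMES = {"user_dst": "user.dst", "ip_src": "ip.src",
                  "port_src": "port.src", "auth_method": "auth.method"}


@dataclass(frozen=True)
class Feed:
    name: str
    callback_key: str     # meta key whose values are looked up in the feed
    rows: dict            # feed value -> extra meta created on a match


# Constructed feeds (assumed content): a scanner watchlist keyed on ip.src and
# a privileged-account list keyed on user.dst.
FEEDS = [
    Feed("known_scanners", "ip.src",
         {"203.0.113.7": {"threat.category": "bruteforce-scanner"}}),
    Feed("admin_accounts", "user.dst",
         {"root": {"user.role": "privileged"}}),
]


def parse_log(line: str) -> dict:
    """Return the meta a log parser would create for one line.

    Falls back to the default 'parse all' behaviour when no rule matches:
    the raw message is kept, but no structured meta is created.
    """
    for rule in PARSER_RULES:
        if rule.literal not in line:          # cheap literal check first
            continue
        match = rule.pattern.search(line)
        if match:
            meta = {"parser": rule.name, "msg": line}
            meta.update({META_KEY_NAMES[g]: v for g, v in match.groupdict().items()})
            return meta
    return {"parser": "parse_all", "msg": line}


def apply_feeds(meta: dict, feeds=FEEDS) -> dict:
    """Compare one session's meta against each feed; add the feed's meta on a match."""
    enriched = dict(meta)
    for feed in feeds:
        value = meta.get(feed.callback_key)   # sessions without the key never match
        if value is not None and value in feed.rows:
            enriched.update(feed.rows[value])
    return enriched


def process(lines):
    """Parse each raw line, then enrich the resulting meta with every feed."""
    return [apply_feeds(parse_log(line)) for line in lines]


# Constructed sample log lines; the third has no matching rule.
SAMPLE_LOGS = [
    "Mar  9 10:01:02 bastion sshd[4123]: Failed password for invalid user admin "
    "from 203.0.113.7 port 51022 ssh2",
    "Mar  9 10:01:09 bastion sshd[4130]: Accepted publickey for root "
    "from 198.51.100.5 port 40010 ssh2",
    "Mar  9 10:01:15 bastion cron[4200]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    for meta in process(SAMPLE_LOGS):
        print(meta)
```

The order matters in the same way it does on a Log Decoder: the feed can only match on meta that a parser rule has already created, so a line that falls through to "parse all" never gets feed meta even if its text contains a listed value (the cron line above mentions root but produces no user.dst).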

What can I do here? | Path | Show me how
Create a Live Services account | RSA Live Registration Portal: https://cms.netwitness.com/registration/ | See the Live Services Management Guide.
Find and deploy Live Services resources | CONFIGURE > Live Content | See the Live Services Management Guide.
Create incidents automatically | CONFIGURE > Incident Rules | See the NetWitness Respond Configuration Guide.
Configure Respond notifications | CONFIGURE > Respond Notifications | See the NetWitness Respond Configuration Guide.
Configure alerts | CONFIGURE > ESA Rules | See the Alerting with ESA Correlation Rules User Guide.
Set up Live Services on NetWitness Platform | CONFIGURE > Subscriptions | See the Live Services Management Guide.
Set up and maintain custom and identity feeds | CONFIGURE > Custom Feeds | See the Live Services Management Guide.
View and edit log parsers and log parser rules | CONFIGURE > Log Parser Rules | See the Log Parser Customization Guide.

ADMIN

In the Admin view, administrators can manage network hosts and services; monitor the health and wellness of NetWitness Platform; and manage system-level security. They can also configure global system resources and manage event sources.

ADMIN Menu

This figure shows the Admin secondary menu: Hosts, Services, Event Sources, Health & Wellness, System, and Security.

The ADMIN menu has the following options:

  • Hosts: The Hosts view is where you set up and maintain hosts. A host is the machine on which services run and a host can be a physical or virtual machine.
  • Services: The Services view enables you to manage services, manage service users and roles, maintain service configuration files, and explore and edit service properties. A service performs a unique function, such as a Decoder service, which captures network data in packet form.
  • Event Sources: The Event Sources view enables you to manage event sources and configure alerting policies for them. Organizations typically monitor event sources in groups based on the criticality of the event sources. You can create monitoring policies for each event source group and order them based on priority.
  • Health & Wellness: The Health & Wellness view enables you to monitor the health of the NetWitness Platform hosts and services in your network environment.
  • System: The System view enables you to set global NetWitness Platform configurations. You can configure global audit logging, email, system logging, jobs, RSA Live Services, URL integration, Investigation, Event Stream Analysis (ESA), ESA Analytics, and advanced performance settings. In addition, you can manage NetWitness Platform versions and configure the local licensing server.
  • Security: The Security view provides the capability to manage user accounts, manage user roles, map external groups to NetWitness Platform roles, and modify other security-related system parameters. These settings apply to the NetWitness Platform system as a whole and are used in conjunction with the security settings for individual services.

Note: For versions 11.2 and later, the Event Sources > Log Parser Rules tab can be found in the Configure view.

What can I do here? | Path | Show me how
Manage hosts | ADMIN > Hosts | See the Host and Services Getting Started Guide.
Manage services, including managing service user access and security | ADMIN > Services | See the Host and Services Getting Started Guide.
Manage event sources and configure alerting policies for them | ADMIN > Event Sources | See the Event Source Management Guide.
Set up and monitor alarms for the hosts and services in your NetWitness Platform domain | ADMIN > Health & Wellness > Alarm | See the System Maintenance Guide.
Monitor statistics for the NetWitness Platform hosts and the services running on the hosts | ADMIN > Health & Wellness > Monitoring | See the System Maintenance Guide.
Create and apply policies to your hosts and services to help you maintain the health and wellness of your NetWitness Platform domain | ADMIN > Health & Wellness > Policies | See the System Maintenance Guide.
Set global configurations for NetWitness Platform | ADMIN > System | See the System Configuration Guide.
Configure Global Audit Logging | ADMIN > System > Global Auditing | See the System Configuration Guide.
Set up system security | ADMIN > Security | See the System Security and User Management Guide.
Manage system users with roles and permissions | ADMIN > Security | See the System Security and User Management Guide.