Investigate: Hosts View

Document created by RSA Information Design and Development on Mar 2, 2018. Last modified by RSA Information Design and Development on Sep 11, 2018.
Version 7
 

Note: The information in this topic applies to RSA NetWitness® Platform Version 11.1 and later.

In NetWitness Investigate, the Hosts view provides a list of all hosts with an Endpoint agent installed. The table displays a set of default columns for the host. You can customize this view by setting the Hosts preferences. To access this view, go to INVESTIGATE > Hosts.

Workflow

The following figure shows the high-level Investigate workflow with Investigate Endpoints tasks highlighted.

high-level Investigate workflow with Investigate Endpoints and associated actions highlighted

What do you want to do?

                                                     
User Role | I want to ... | Show me how
Threat Hunter | browse event metadata | Begin an Investigation in the Navigate or Events View
Threat Hunter | browse raw events | Begin an Investigation in the Navigate or Events View
Threat Hunter | analyze raw events and metadata | Begin an Investigation in the Event Analysis View
Threat Hunter | investigate endpoints (Version 11.1)* | Investigate Hosts
Threat Hunter | find suspicious endpoint files (Version 11.1) | Investigate Files
Threat Hunter | scan files and events for malware | Conducting Malware Analysis
Incident Responder | triage an incident in Investigate | NetWitness Respond User Guide
Threat Hunter | export host attributes and global files* | Investigate Hosts

*You can perform this task in the current view.


Quick Look

In the Hosts view, you can export host attributes and global files, perform an on-demand scan, set host preferences, view a list of hosts, and investigate in the Navigate or Events view.

Below is an example of the Hosts view:

Hosts view

                             
1. Add Filter Drop-down Menu. You can filter the hosts by choosing an operating system (Windows, Linux, or Mac), saved filters, or by selecting the options in the Add Filters drop-down menu. For more information, see Filter Hosts.

2. Saved Filters. The Saved Filters panel lists the saved filters. For more information, see Filter Hosts.

3. Sort Columns. Lets you sort on columns.

Note: Sorting on columns is case-sensitive. Numbers sort first, then uppercase, and then lowercase.
Sorting on the Agent Scan Status and Agent Last Seen fields does not display the correct order.

4. Actions in the toolbar:
  • Start Scan - Starts a scan for the selected hosts.
  • Stop Scan - Stops a scan for the selected hosts.
  • Export to CSV - Extracts host attributes to a CSV file. For more information, see Export Host Attributes.
  • Pivot to Endpoint - Lets you investigate the NetWitness Endpoint host (version 4.4.0.2 or later). For more information, see Investigate NetWitness Endpoint 4.4.0.2 or Later Hosts.
  • Delete - Lets you delete hosts manually from the user interface. After deletion, the Endpoint server does not process any request from this host.

Note: Make sure that the agent is uninstalled from the host before deleting it from the user interface. For more information, see Delete a Host.

5. Settings Menu. You can set Hosts view preferences by selecting columns from the Settings menu. For more information, see Set Hosts Preference.

6. Pivot to Navigate and Event Analysis views. To investigate a particular host, IP address, or username, you can pivot to both Navigate and Event Analysis views. For more information, see Pivot to the Navigate and Event Analysis Views.
