Investigate: Files View

Document created by RSA Information Design and Development on Mar 2, 2018. Last modified by RSA Information Design and Development on May 8, 2018.

Note: The information in this topic applies to RSA NetWitness® Suite Version 11.1 and later.

The Files view lists the unique executable files found across the deployment. To access this view, go to INVESTIGATE > Files. By default, the Files view displays 100 files. To display more files, click Load More at the bottom of the page.

Workflow

Figure: High-level Investigate workflow with Find Suspicious Endpoint Files and the associated action highlighted.

What do you want to do?

User Role          | I want to ...                                    | 11.1 Documentation
-------------------|--------------------------------------------------|------------------------------------------------------
Threat Hunter      | browse event metadata                            | Begin an Investigation in the Navigate or Events View
Threat Hunter      | browse raw events                                | Begin an Investigation in the Navigate or Events View
Threat Hunter      | analyze raw events and metadata                  | Begin an Investigation in the Event Analysis View
Threat Hunter      | investigate endpoints (Version 11.1)             | Investigate Hosts
Threat Hunter      | find suspicious endpoint files (Version 11.1)*   | Investigate Files
Threat Hunter      | scan files and events for malware                | Conducting Malware Analysis
Incident Responder | triage an incident in Investigate                | NetWitness Respond User Guide
Threat Hunter      | export host attributes and global files*         | Investigate Files

*You can perform this task in the current view.

Related Topics

Quick Look

Below is an example of the Files view:

Figure: Files View.
1. Add Filter Drop-down Menu. You can filter the files by choosing an operating system (Windows, Linux, or Mac), by choosing a saved filter, or by selecting options in the Add Filters drop-down menu. For more information, see Filter Files.

2. Saved Filters. The Saved Filters panel lists the saved filters. For more information, see Filter Files.

3. Sort Columns. You can sort the list by:

Filename - Name of the file.

First Seen Time - First time the hash was seen on the host.

Signature - Indicates whether the file is signed or unsigned, whether the signature is valid or invalid, and provides signatory information.

Size - Size of the file.

Entropy - Indicates whether the file contents are likely compressed or encrypted (high entropy).

Format - Format of the file: Windows (PE), Linux (ELF and scripts), and Mac (Mach-O).

PE.Resources.Company - Company name from the PE resources.

4. Settings Menu. You can set Files view preferences by selecting columns from the Settings menu. For more information, see Set Files Preference.

5. Export to CSV. Exports the global file list to a CSV file. For more information, see Investigate Files.

6. Pivot to Navigate and Event Analysis views. To investigate a particular filename or hash (SHA256 or MD5), you can pivot to both the Navigate and Event Analysis views. For more information, see Pivot to Navigate and Event Analysis Views.
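The Entropy and Format columns above are derived from the file bytes themselves. The following Python is an added example (not RSA NetWitness code, and not how the product computes these columns) that shows what those two attributes mean in practice: it computes the Shannon entropy of a byte buffer and identifies the format from leading magic bytes for the formats the view lists (PE, ELF, Mach-O, script). The magic-byte table, the 7.2 bits-per-byte "likely packed or encrypted" threshold, and the sample buffers are all constructed for this example.

```python
import math
from collections import Counter

# Leading magic bytes for the formats the Files view distinguishes.
# Constructed lookup table for this example (not the product's own).
MAGIC = [
    (b"MZ", "PE"),                     # Windows PE (DOS header)
    (b"\x7fELF", "ELF"),               # Linux ELF
    (b"\xfe\xed\xfa\xce", "Mach-O"),   # 32-bit, big-endian
    (b"\xce\xfa\xed\xfe", "Mach-O"),   # 32-bit, little-endian
    (b"\xfe\xed\xfa\xcf", "Mach-O"),   # 64-bit, big-endian
    (b"\xcf\xfa\xed\xfe", "Mach-O"),   # 64-bit, little-endian
    (b"\xca\xfe\xba\xbe", "Mach-O"),   # universal (fat) binary
    (b"#!", "script"),                 # shebang script
]

# Assumed threshold in bits per byte above which contents are treated as
# likely compressed or encrypted; tune per deployment.
HIGH_ENTROPY = 7.2


def detect_format(data: bytes) -> str:
    """Return the format name whose magic bytes the buffer starts with."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer,
    8.0 for a buffer in which every byte value is equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def describe(filename: str, data: bytes) -> dict:
    """Build the subset of Files view attributes derivable from raw bytes."""
    entropy = shannon_entropy(data)
    return {
        "filename": filename,
        "format": detect_format(data),
        "size": len(data),
        "entropy": round(entropy, 3),
        "likely_packed_or_encrypted": entropy >= HIGH_ENTROPY,
    }


# Constructed sample buffers standing in for files seen on a host.
SAMPLES = {
    "zero_pe.exe": b"MZ" + b"\x00" * 510,                 # PE, almost no entropy
    "dense.bin": b"\x7fELF" + bytes(range(256)) * 2,      # ELF, near-maximal entropy
    "hello.sh": b"#!/bin/sh\necho hello\n",                # shebang script
    "tool": b"\xcf\xfa\xed\xfe" + b"\x01\x02\x03\x04",     # 64-bit Mach-O header
}


def summarize() -> list:
    """Describe every sample; a hunter would sort this by entropy or format."""
    return [describe(name, data) for name, data in SAMPLES.items()]


if __name__ == "__main__":
    for row in sorted(summarize(), key=lambda r: r["entropy"], reverse=True):
        print(row)
```

High entropy alone is not a verdict: legitimate installers and compressed resources also score near 8 bits per byte, which is why the view pairs Entropy with Signature and Format so that an unsigned, high-entropy PE stands out from a signed one.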
