Investigate: Hosts View - Overview Tab

Document created by RSA Information Design and Development on Mar 2, 2018Last modified by RSA Information Design and Development on Sep 11, 2018
Version 7Show Document
  • View in full screen mode

Note: The information in this topic applies to RSA NetWitness® Platform Version 11.1 and later.

The Overview tab provides detailed scan results of the selected host. By default, the latest scan result is displayed. To access this view, go to INVESTIGATE > Hosts, and select a host from the Hosts view.


high-level Investigate workflow with Investigate Endpoints and associated actions highlighted

What do you want to do?

User RoleI want to ...Show me how
Threat Hunter

browse event metadata

Begin an Investigation in the Navigate or Events View

Threat Hunter

browse raw events

Begin an Investigation in the Navigate or Events View

Threat Hunter

analyze raw events and metadata

Begin an Investigation in the Event Analysis View

Threat Hunterinvestigate endpoints (Version 11.1)*Investigate Hosts

Threat Hunter

find suspicious endpoint files (Version 11.1)

Investigate Files

Threat Hunterscan files and events for malwareConducting Malware Analysis

Incident Responder

triage an incident in Investigate

NetWitness Respond User Guide

Threat Hunterview summary of the host* Investigate Hosts

*You can perform this task in the current view.

Related Topics

Quick Look

Below is an example of the Overview tab:


Agent and Scan Details. You can view the following agent and scan details of the selected host:

Host name - Name of the host. For example, WIN-ABC.
Operating System - Operating system on which the agent is running (Linux, Windows, or Mac).

Agent Scan Status - Current status of the scan - Idle, Scanning, Starting Scan, or Stopping Scan. For more information, see Investigate Hosts.

Agent Last Seen - Time when the agent last communicated with the server.

Last Scan Time - Last time the agent was scanned. The date and time is as per the time zone set in the User Preferences and is local to the server.

Agent Version - Version of the agent. For example,

2Actions in the toolbar:
Snapshot Time - Lists scanned time stamps. To view the scan history, select the snapshot time from the drop-down menu.
Start Scan - Starts scan for the selected hosts. For more information, see Investigate Hosts.
Export to CSV - Extracts host attributes to a CSV file. For more information, see Export Host Attributes.
Pivot to Endpoint - Lets you investigate the NetWitness Endpoint host (version or later). For more information, see Investigate NetWitness Endpoint or Later Hosts.
Export to JSON - Extracts host attributes and endpoint data to a JSON file of the selected snapshot.
3Search on Snapshots. Lets you search on all snapshots (file name, file path, and SHA-256 checksum). For more information, see Search on Snapshots.


Summary of the selected host. Displays the following fields:

IP Addresses - IP addresses associated with the host. For example,

Logged-in users - Users logged in to the host. For example, abc.

Security Configuration - Security configuration details on the host. For example, firewall disabled or enabled, smart screen filter disabled or enabled. This field is only applicable for Windows and Mac.

Note: The Agent Version, IP Addresses, Logged-in users, and Security Configuration may change for each scan.

5Host Properties Panel. Displays all properties of the selected host. It is grouped as follows:

Agent - Agent-related information, such as agent ID, driver error code, install time, and agent mode.

Operating System - Operating system version and build information.

Hardware - Information related to the architecture.

Network Interfaces - Network adapter information, such as Mac Address, Gateway.

User - Information related to the user.

Locale - Time zone and language that is local to the host.

Alerts - Alerts generated for the host.

Incidents - Incidents generated for the host.

You are here
Table of Contents > Investigate Reference Materials > Host View - Overview Tab