Skip navigation
All Places > Products > RSA NetWitness Platform > RSA NetWitness Platform Online Documentation > Documents
Log in to create and rate content, and to follow, bookmark, and share content with other members.

Investigate: Investigate View

Document created by RSA Information Design and Development Employee on Mar 27, 2018Last modified by RSA Information Design and Development Employee on Apr 23, 2020
Version 13Show Document
  • View in full screen mode

The Investigate view is the primary entry point to NetWitness Investigate. The Investigate view has six submenus, which open different views that allow you to analyze events from different perspectives. The submenus are: Navigate, Legacy Events, Events (formerly Event Analysis), Hosts, Files, Entities (formerly Users), and Malware Analysis.

Note: The Legacy Events view was the original Events view (11.0 to 11.3.x.x). In Version 11.4 and later, the Legacy Events is no longer needed and it is hidden unless the administrator enables it. By default only the Events view appears in the menu, but when the Legacy Events view is enabled, both the Events view and the Legacy Events view are visible in the menu bar.


The figure below depicts the high-level tasks that you can perform in the Investigate view. This workflow has references to several views that were renamed in Version 11.4: the Event Analysis view became Events view, the Events view became Legacy Events view.

a high-level diagram showing all features available in the Investigate view

You can use the submenu options to move between the different views.

  • The Navigate view, Events view, and Legacy Events view offer linkages to each other to look at the current results from a different perspective, which provides some continuity for the investigation as you move between views.
  • The Hosts view and Files view integrate NetWitness Endpoint into Investigate, and provide a view of all hosts with a NetWitness Endpoint agent installed and a view of unique executable files found in the deployed environment.
  • The Entities view (formerly known as Users view) provides visibility into risky user behaviors across your enterprise using NetWitness UEBA. You can view a list of high-risk users and a summary of the top alerts for risky behavior for your environment, and then select a user or an alert and view details about the risky behavior and a timeline during which the behaviors occurred.
  • The Malware Analysis view provides the ability to scan files found in one of the other views or collected by continuous scanning of network traffic.

When you find an event or file of interest, you can perform different actions to continue the investigation on a deeper level: reconstruct and analyze events, export events and files, perform lookups with internal and external resources, and create incidents and alerts.

What do you want to do?

User RoleI want to ...Show me how
Threat Hunterbrowse event metadataBegin an Investigation in the Navigate or Legacy Events View
Threat Hunter browse raw events

Begin an Investigation in the Events View

Begin an Investigation in the Navigate or Legacy Events View

Threat Hunter

analyze raw events and metadata

Begin an Investigation in the Events View

Threat Hunterinvestigate endpoints (Version 11.1 and later)NetWitness Endpoint User Guide
Threat Hunterfind suspicious endpoint files (Version 11.1 and later) NetWitness Endpoint User Guide
Threat Hunterfind risky user behaviorsNetWitness UEBA User Guide
Threat Hunterscan files and events for malwareMalware Analysis User Guide

Related Topics

Quick Look

The Investigate view consists of six views, each representing a different approach to analyzing data. By default, Investigate opens to the Navigate view. You can change the default view to one of the other views as described in Configuring NetWitness Investigate Views and Preferences. See How NetWitness Investigate Works for an introduction to the uses for each view. The first figure below illustrates the submenus under Investigate in Version 11.4. The second figure illustrates the menu in prior versions.

Note: The Hosts, and Files submenus are available in Version 11.1 and later. The Entities (formerly Users) menu is available in Version 11.2 and later. Configured permissions per user role and user determine which submenus are displayed.

the 11.4 Investigate options

the Investigate view submenus

You are here
Table of Contents > Investigate Reference Materials > Investigate View