Investigate: Investigate View

Document created by RSA Information Design and Development on Mar 27, 2018Last modified by RSA Information Design and Development on Sep 11, 2018
Version 4Show Document
  • View in full screen mode

The Investigate view ( INVESTIGATE ) is the primary entry point to NetWitness Investigate. The Investigate view has six submenus, which open different views that allow you to analyze events from different perspectives. The submenus are: Navigate, Events, Event Analysis, Hosts, Files, Users, and Malware Analysis.

Note: The Event Analysis, Hosts, and Files submenus are available in Version 11.1 and later. The Users menu is available in Version 11.2 and later. Configured permissions per user role and user determine which submenus are displayed .

You can use the submenu options to move between the different views.

  • The Navigate view, Events view, and Event Analysis view offer linkages to each other to look at the current results from a different perspective, which provides some continuity for the investigation as you move between views.
  • The Hosts view and Files view integrate NetWitness Endpoint into Investigate, and provide a view of all hosts with a NetWitness Endpoint agent installed and a view of unique executable files found in the deployed environment.
  • The Users view provides visibility into risky user behaviors across your enterprise using NetWitness UEBA. You can view a list of high-risk users and a summary of the top alerts for risky behavior for your environment, and then select a user or an alert and view details about the risky behavior and a timeline during which the behaviors occurred.
  • The Malware Analysis view provides the ability to scan files found in one of the other views or collected by continuous scanning of network traffic.


The workflow below depicts the high-level tasks when investigating events.

the high-level Investigate workflow

What do you want to do?

User RoleI want to ...Show me how
Threat Hunter

browse event metadata

Begin an Investigation in the Navigate or Events View

Threat Hunter

browse raw events*

Begin an Investigation in the Navigate or Events View

Threat Hunter

analyze raw events and metadata*

Begin an Investigation in the Event Analysis View

Threat Hunterinvestigate endpoints (Version 11.1)*Investigate Hosts

Threat Hunter

find suspicious endpoint files (Version 11.1)*

Investigate Files

Threat Hunterscan files and events for malware*Conducting Malware Analysis

*You can perform this task in the current view.

Related Topics

Quick Look

The Investigate view consists of six views, each representing a different approach to analyzing data. By default, Investigate opens to the Navigate view. You can change the default view to one of the other views. See How NetWitness Investigate Works for an introduction to the uses for each view. The following figure illustrates the submenus under INVESTIGATE.

the Investigate view submenus

Next Topic:Hosts View
You are here
Table of Contents > Investigate Reference Materials > Investigate View