
Investigate: Act on Data in the Event Analysis View

Document created by RSA Information Design and Development Employee on Mar 27, 2018. Last modified by RSA Information Design and Development Employee on Jan 30, 2020.

When you have found data of interest in the Events view, you can do internal lookups to NetWitness Endpoint and RSA Live, as well as external lookups of meta values in community resources such as SANS IP History and ThreatExpert Search.

Open an Endpoint Event in the NetWitness Endpoint Thick Client

When viewing an endpoint event in the Text panel, you can pivot to analyze the same event in NetWitness Endpoint.

Note: Version 4.4.0.x of the NetWitness Endpoint (NWE) thick client must be installed on the same server, the NWE meta keys must exist in the table-map.xml file on the Log Decoder, and the NWE meta keys must exist in the index-concentrator-custom.xml file. The NWE thick client is a Windows only application. Complete setup instructions are provided in the NetWitness Endpoint User Guide for Version 4.4.

To open an event in NetWitness Endpoint:

  1. Starting from the Navigate view:
    1. In the Query drop-down, select Advanced, and enter one of the following queries: nwe.callback_id exists or device.type='nwendpoint'
      Endpoint data is displayed in the Values panel.
    2. Right-click an event, and select Events in the menu.
  2. (Version 11.1 and later) Go to INVESTIGATE > Events. In the Query drop-down, select Advanced, and enter one of the following queries: nwe.callback_id exists or device.type='nwendpoint'
    Endpoint data is displayed in the Events panel.
  3. Select an event.
    The Events view opens with the selected event displayed in the Text view.
    (Screenshot: an endpoint event open in Text Analysis)
  4. In the Event Header click Pivot to Endpoint.
    A new browser tab with the URL ecatui://<id> opens and the NWE Thick Client is launched. If the NetWitness Endpoint Thick Client is not installed, no data is displayed and the following message appears: Applicable for hosts with 4.x Endpoint agents installed, please install the NetWitness Endpoint Thick Client.

Perform Lookups of Meta Values in Events

In the Events view, you can further investigate meta values in an event by right-clicking certain meta values and using the options in a drop-down menu. Not all fields have right-click actions. To perform internal and external lookups:

  1. In the Events view, right-click a meta value in the Events List, the Event Meta panel, or the Event Header. Some meta values have a drop-down menu.
    (Screenshot: right-click a meta value to see the available actions)
  2. Select one of the following internal lookups:

    • Copy: Copies the meta value to the clipboard.
    • Refocus Investigation in New Tab: Launches another investigation in a new tab with the focus on the selected meta value.
    • Apply Drill in New Tab: Applies the drill and launches it in a new tab to drill the data in Navigate view.
    • Apply !EQUALS Drill in New Tab: Applies (!EQUALS) to the meta and launches a new tab, effectively excluding the meta value from the results.
    • Hosts Lookup: Looks up the value in the Investigate > Hosts view.
    • Endpoint Thick Client Lookup: Analyzes the meta value in the Endpoint Thick Client (for hosts that have the Endpoint agent installed).
    • Live Lookup: Looks up a meta value on Live for further analysis.
  3. For an external lookup, hover over a meta value, right-click and select External Lookup.
    (Screenshot: external lookups from Event Analysis)
  4. In the submenu select one of the available external lookups:
