Investigate: Act on Data in the Event Analysis View

Document created by RSA Information Design and Development on Mar 27, 2018. Last modified by RSA Information Design and Development on May 8, 2018. Version 3.

When you have found data of interest in the Event Analysis view, you can do internal lookups to NetWitness Endpoint and RSA Live, as well as external lookups of meta values in community resources such as SANS IP History and ThreatExpert Search.

Open an Endpoint Event in the NetWitness Endpoint Thick Client

When viewing an endpoint event in the Text Analysis panel, you can pivot to analyze the same event in NetWitness Endpoint. The NWE thick client offers additional features beyond the built-in capabilities in NetWitness Endpoint Insights.

Note: Version 4.4 of the NetWitness Endpoint (NWE) thick client must be installed on the same server, the NWE meta keys must exist in the table-map.xml file on the Log Decoder, and the NWE meta keys must exist in the index-concentrator-custom.xml file. The NWE thick client is a Windows-only application. Complete setup instructions are provided in the NetWitness Endpoint User Guide for Version 4.4.

To open an event in NetWitness Endpoint:

  1. Starting from the Navigate view:
    1. In the Query drop-down, select Advanced, and enter either of the following queries (each is a complete query on its own): nwe.callback_id exists or device.type='nwendpoint'
      Endpoint data is displayed in the Values panel.
    2. Right-click an event, and select Event Analysis in the menu.
  2. (Version 11.1 and later) Go to INVESTIGATE > Events Analysis. In the Query drop-down, select Advanced, and enter either of the following queries (each is a complete query on its own): nwe.callback_id exists or device.type='nwendpoint'
    Endpoint data is displayed in the Events panel.
  3. Select an event.
    The Event Analysis view opens with the selected event displayed in the Text Analysis panel.
    [Figure: an endpoint event open in Text Analysis]
  4. In the Event Header, click Pivot to Endpoint.
    A new browser tab with the URL ecatui://<id> opens and the NWE Thick Client is launched. If the NetWitness Endpoint Thick Client is not installed, no data is displayed and the following message appears instead: Applicable for hosts with 4.x Endpoint agents installed, please install the NetWitness Endpoint Thick Client.

Perform Lookups of Meta Values in Event Analysis

In the Event Analysis view you can further investigate meta values in an event by right-clicking certain meta values and using the options in a drop-down menu. Not all fields have right-click actions. To perform internal and external lookups:

  1. In the Event Analysis view, right-click a meta value in the Events List, the Event Meta panel, or the Event Header. Some meta values have a drop-down menu.
    [Figure: right-click on meta values for further actions]
  2. Select one of the following internal lookups:
    Copy: Copies the meta value to the clipboard.
    Refocus Investigation in New Tab: Launches another investigation in a new tab with the focus on the selected meta value.
    Apply Drill in New Tab: Applies the drill and launches it in a new tab to drill the data in Navigate view.
    Apply !EQUALS Drill in New Tab: Applies (!EQUALS) to the meta and launches a new tab, effectively excluding the meta value from the results.
    Hosts Lookup: Looks up the value in the Investigate > Hosts view.
    Endpoint Thick Client Lookup: Analyzes the meta value in the Endpoint Thick Client (for clients which have Endpoint Agent).
    Live Lookup: Looks up a meta value on Live for further analysis.
  3. For an external lookup, hover over a meta value, right-click and select External Lookup.
    [Figure: external lookups from Event Analysis]
  4. In the submenu select one of the available external lookups:
    Google: Looks up a meta value on Google.com
    SANS IP History: Looks up a meta value on SANS IP History, domain = http://isc.sans.org/ipinfo.html?ip=ipaddress
    CentralOps Whois for IPs and Hostnames: Looks up a meta value on CentralOps Whois for IPs and Hostnames, domain = http://centralops.net/co/DomainDossier.aspx?addr=domain&dom_whois=true&dom_dns=true&net_whois=true
    Robtex IP Search: Looks up a meta value on Robtex IP Search, domain = https://www.robtex.com/cidr/domain.ipaddress
    IPVoid: Looks up a meta value on IPVoid, domain = http://www.ipvoid.com/scan/domain/
    URLVoid: Looks up a meta value on URLVoid, domain = http://www.urlvoid.com/scan/ipaddress/
    ThreatExpert Search: Looks up an IP meta value on ThreatExpert Search, domain = http://www.threatexpert.com/reports.aspx?find=IP address
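The external lookups above work by substituting the selected meta value into a fixed URL pattern. The following Python is an added example, not RSA NetWitness product code, showing how such a URL is composed from a meta value using the patterns quoted in the list above; the function names (lookup_url, applicable_lookups), the validation rules and the sample values are this example's own assumptions. Google is omitted because the page gives no URL for it, and Robtex because its pattern has no single substitution point. Because meta values are extracted from captured traffic and logs, the example treats them as untrusted input: it checks that the value fits the placeholder type (IP address, or IP address/hostname) and percent-encodes it before interpolation, so a crafted value cannot add its own query parameters or path segments.

```python
"""Compose an external lookup URL from a meta value.

Added example, not RSA NetWitness product code. The URL patterns are the
ones quoted in the documentation; the function names, the validation rules
and the sample values below are this example's own assumptions.
"""
import ipaddress
import re
from urllib.parse import quote

# Lookup templates as quoted on the page. "{value}" marks where the page's
# placeholder (ipaddress / domain / IP address) is replaced by the meta value.
# The second field says what the placeholder accepts: "ip" for an IP address
# only, "host" for an IP address or a hostname.
LOOKUPS = {
    "SANS IP History": ("http://isc.sans.org/ipinfo.html?ip={value}", "ip"),
    "CentralOps Whois for IPs and Hostnames": (
        "http://centralops.net/co/DomainDossier.aspx"
        "?addr={value}&dom_whois=true&dom_dns=true&net_whois=true",
        "host",
    ),
    "IPVoid": ("http://www.ipvoid.com/scan/{value}/", "host"),
    "URLVoid": ("http://www.urlvoid.com/scan/{value}/", "ip"),
    "ThreatExpert Search": ("http://www.threatexpert.com/reports.aspx?find={value}", "ip"),
}

# One DNS label: 1-63 characters, letters/digits/hyphen, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def _is_ip(value: str) -> bool:
    """True for a syntactically valid IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def _is_hostname(value: str) -> bool:
    """True for a plain hostname (dot-separated labels, 253 characters max)."""
    if not value or len(value) > 253 or value.endswith("."):
        return False
    return all(_LABEL.match(label) for label in value.split("."))


def lookup_url(service: str, value: str) -> str:
    """Return the lookup URL for one service, or raise ValueError.

    Meta values come from captured traffic and logs, so they are treated as
    untrusted input: the value must match the placeholder type before it is
    interpolated, and it is percent-encoded so that it cannot add query
    parameters or path segments of its own.
    """
    try:
        template, kind = LOOKUPS[service]
    except KeyError:
        raise ValueError(f"unknown lookup service: {service!r}") from None
    if kind == "ip" and not _is_ip(value):
        raise ValueError(f"{service} expects an IP address, got {value!r}")
    if kind == "host" and not (_is_ip(value) or _is_hostname(value)):
        raise ValueError(f"{service} expects an IP address or hostname, got {value!r}")
    return template.format(value=quote(value, safe=""))


def applicable_lookups(value: str) -> dict:
    """Map each service whose placeholder accepts this value to its URL."""
    urls = {}
    for service in LOOKUPS:
        try:
            urls[service] = lookup_url(service, value)
        except ValueError:
            continue
    return urls


if __name__ == "__main__":
    # Constructed sample values: a documentation-range IP, a reserved example
    # domain, and a malformed value that no lookup should accept.
    for sample in ("198.51.100.7", "example.com", "bad value/../x"):
        print(sample, "->", applicable_lookups(sample))
```

Running the block shows that an IP address qualifies for every listed lookup, a hostname only for the lookups whose placeholder is a domain, and a malformed value for none; the same check is what decides which entries are sensible to offer for a given meta value.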