Investigate Hosts

Document created by RSA Information Design and Development on Mar 27, 2018. Last modified by RSA Information Design and Development on Sep 11, 2018.

Note: The information in this topic applies to RSA NetWitness® Platform Version 11.1 and later.

To conduct an investigation on hosts:

  1. Go to INVESTIGATE > Hosts.
    A list of hosts with an Endpoint agent installed is displayed.

  2. Select the hosts that you want to scan and click Start Scan. For more information, see Scan Hosts.

  3. After the scan completes, click the host name to investigate the scan results. For more information, see Investigate Host Details.

Note: To investigate NetWitness Endpoint 4.4 hosts, see Investigate NetWitness Endpoint or Later Hosts.

Filter Hosts

You can filter hosts by operating system, or select fields from the Add Filter drop-down menu.

Note: While filtering a large amount of data, use at least one indexed field with the Equals operator for better performance. The following fields are indexed in the database: Hostname, IPV4, Operating System, and Last Scan Time.

To search multiple values within a field, set the filter option to Equals, and use || as a separator.

These are examples:

  • Using the Equals operator for multiple IPV4 values with the || separator.
    [Screenshot: Example with equals operator]
  • Using the IN operator for Last Scan Time to filter agents that were scanned in the last 6 hours.
    [Screenshot: Example using IN operator]

Click Save to save the search and provide a name (up to 250 alphanumeric characters). The filter is added to the Saved Filters panel on the left. To delete a filter, hover over the name and click Delete.

Note: When saving a filter, no special characters other than underscore (_) and hyphen (-) are allowed in the name.

Scan Hosts

You can either perform an on-demand scan or schedule a scan to run daily or weekly. For information on scheduling a scan, see Endpoint Insights Configuration Guide.

Note: You cannot perform a scan of NetWitness Endpoint 4.4 agents from the NetWitness Platform user interface.

On-demand Scan

You may want to perform an on-demand scan if:

  • A file in the Global Files section is found to be malicious.
  • A malicious file is present on different hosts in the network.
  • You want to investigate a host that is infected.
  • You want to get the latest snapshot of the host.

When the hosts are scanned, the Endpoint Agent retrieves the following data that can be used for investigation:

  • Drivers, processes, DLLs, files (executables), services, and autoruns running on the host.
  • Host file entries and scheduled tasks.
  • System information such as network share, installed Windows patches, Windows tasks, logged-in users, bash history, and security products installed.

To start a scan:

  1. Go to INVESTIGATE > Hosts.
  2. Select one or more hosts (up to 100 at a time) for an on-demand scan, and click Start Scan.
  3. Click Start Scan in the dialog.
    This performs a quick scan of all executable modules loaded in memory. It takes approximately 10 minutes.

The following are the scan statuses:

  • Idle - No scan is in progress.
  • Scan is in progress.
  • Starting Scan - Scan request is sent to the server, but the agent receives the request the next time it communicates with the server.
  • Stopping Scan - Stop request is sent to the server, but the agent receives the request the next time it communicates with the server.

Pivot to the Navigate and Event Analysis Views

If you need to investigate a particular host, IP address (IPV4), or username to look for related activity across a time range, you can pivot to both the Navigate and Event Analysis views to get the entire context of the activity. By default, the time range is set to 1 day. You can change the time range.

Note: Pivoting to the Navigate or Event Analysis view is not supported for IPV6.

To pivot to the Navigate or Event Analysis view:

  1. Go to INVESTIGATE > Hosts or INVESTIGATE > Files.
  2. Click Pivot to Investigate beside the Hostname.
    [Screenshot: Pivot to Navigate or Event Analysis view]
    Alternately, in the Overview tab, you can right-click on the host name, IP address (IPV4), or logged-in users to pivot.
    [Screenshot: Pivot to Investigate]
  3. In the Select Service dialog, select any of the services required for investigation.
  4. Click Navigate or Event Analysis to analyze the data.

Investigate Host Details

To look for suspicious files on a host, click the host name and view the details of the host, or start an on-demand scan to get the most recent information.

[Screenshot: Investigate Host Details]

Search on Snapshots

To investigate a host or to check if it is infected with known malware, you can search for occurrences of the file name, file path, or SHA-256 checksum.

Note: To search for a SHA-256 checksum, provide the entire hash string in the search box.

The result displays details such as the file name and signature information, along with its interaction with the system (ran as a process, library, autorun, service, task, or driver). To view more details for these results, click on the category.

For example, a user has clicked and executed a malicious attachment from a phishing email, which downloaded it to C:\Users. To investigate this file:

  1. Go to INVESTIGATE > Hosts.
  2. Select the host that you want to investigate.
  3. In the Overview tab, enter the file path C:\Users in the search box.
    The search displays all the executables in this folder. In this example, the file NWEMalware.exe is an unsigned file that might be malicious. This file has run as a Process.
    [Screenshot: Search on snapshots]
  4. To view details of this file, click Process in the result.
    This opens the Process tab where you can view the process details.
    [Screenshot: Search Result]

Analyze Processes

In the Hosts view, select the Process tab. You can view the processes that were running on the selected host at the time of the scan. The process name and process ID (PID) columns are displayed either as a:

  • Tree view - You can drill down to each process and view the child or parent processes associated with it.
  • List view - You can sort the process name and PID columns.

Click Tree view to switch between the views.

The following is an example of the tree view:

[Screenshot: Tree View]

When reviewing processes, it is important to see the Launch Arguments. Even legitimate files can be used for malicious purposes, so it is important to view the arguments of all of them to determine if there is any malicious activity.

For example:

  • rundll32.exe is a legitimate Windows executable that is categorized as a good file. However, an adversary may use this executable to load a malicious DLL. Therefore, when viewing processes, you must view the arguments of the rundll32.exe file.
  • LSASS.EXE is a child of WININIT.EXE. It should not have child processes. Malware often abuses this executable to dump passwords, or mimics its name to hide on a system (lass.exe, lssass.exe, lsasss.exe, and so on).
  • Most legitimate user applications, such as Adobe products and web browsers, do not spawn child processes like cmd.exe. If you encounter this, investigate the processes.
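The three process checks above (lsass.exe parentage and children, rundll32.exe launch arguments, and user applications spawning a shell) written out as review rules over a process snapshot. This is an added Python example, not RSA NetWitness code; the snapshot rows, the user-application and shell watchlists, and the assumed "<dll path>,<entry point>" shape of the rundll32.exe arguments are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Proc:
    """One row of a process snapshot (constructed for this example, not real scan output)."""
    pid: int
    ppid: int
    name: str
    args: str = ""  # launch arguments as shown in the Launch Arguments column


# Hypothetical watchlists; extend them for your environment.
USER_APPS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe",
             "acrord32.exe", "winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def build_tree(procs: List[Proc]):
    """Index the snapshot by pid and by parent pid so parent/child lookups are O(1)."""
    by_pid: Dict[int, Proc] = {p.pid: p for p in procs}
    children: Dict[int, List[Proc]] = {}
    for p in procs:
        children.setdefault(p.ppid, []).append(p)
    return by_pid, children


def review_processes(procs: List[Proc]) -> List[str]:
    """Apply the three checks from the text and return one finding string per hit."""
    by_pid, children = build_tree(procs)
    findings: List[str] = []
    for p in procs:
        name = p.name.lower()
        parent: Optional[Proc] = by_pid.get(p.ppid)
        pname = parent.name.lower() if parent else None
        kids = children.get(p.pid, [])

        # 1. lsass.exe must be a child of wininit.exe and must never have children.
        if name == "lsass.exe":
            if pname != "wininit.exe":
                findings.append(f"pid {p.pid}: lsass.exe parent is {pname!r}, expected wininit.exe")
            if kids:
                findings.append(f"pid {p.pid}: lsass.exe has child processes {[k.name for k in kids]}")

        # 2. rundll32.exe is legitimate by name; judge it by the DLL it was asked to load.
        #    Args are assumed to look like "<dll path>,<entry point>" (assumption).
        if name == "rundll32.exe":
            dll = p.args.split(",", 1)[0].strip().strip('"').lower()
            if not dll.startswith(SYSTEM_DIRS):
                findings.append(f"pid {p.pid}: rundll32.exe loads DLL outside system directories: {p.args!r}")

        # 3. Ordinary user applications should not spawn command interpreters.
        if name in SHELLS and pname in USER_APPS:
            findings.append(f"pid {p.pid}: {name} spawned by user application {pname}")
    return findings


# Constructed snapshot: a normal boot chain plus three anomalies.
SAMPLE_PROCS = [
    Proc(4, 0, "System"),
    Proc(500, 4, "wininit.exe"),
    Proc(620, 500, "lsass.exe"),
    Proc(640, 500, "services.exe"),
    Proc(900, 640, "svchost.exe"),
    Proc(1200, 900, "rundll32.exe", r"C:\Windows\System32\shell32.dll,Control_RunDLL"),
    Proc(2300, 620, "lsasss.exe"),                                          # child of lsass.exe
    Proc(3100, 1, "chrome.exe"),
    Proc(3150, 3100, "cmd.exe"),                                             # shell spawned by a browser
    Proc(3200, 900, "rundll32.exe", r"C:\Users\Public\update.dll,Start"),  # DLL from a user-writable path
]

if __name__ == "__main__":
    for line in review_processes(SAMPLE_PROCS):
        print(line)
```

Running the block on the constructed snapshot reports three findings: the child under lsass.exe, the rundll32.exe instance loading a DLL from outside the system directories, and cmd.exe started by a browser. The first six rows alone (the normal boot chain) produce none, which is the baseline a reviewer wants before tuning the watchlists.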

Analyze Autoruns

In the Hosts view, select the Autoruns tab. You can view the autoruns, services, tasks, and cron jobs that are running on the selected host.

For example, in the Services tab, you can look at the file creation time. The compile time of each portable executable (PE) file is stored in its PE header. Although an adversary can easily change this time stamp before deploying a file to a victim's endpoint, it is rarely tampered with, so it can indicate whether a new file has been introduced. Compare the compile time stamp of the file against the created time on the system to find the difference. If a file was compiled a few days ago, but the time stamp of this file on the system shows that it was created a few years ago, the file has been tampered with.
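The comparison above, carried out in code: read the TimeDateStamp from the COFF header of a PE image and compare it with the filesystem creation time using the rule stated in the text (created years before it was compiled means the timestamp was tampered with). This is an added Python example, not RSA NetWitness code. The PE header bytes are constructed with a helper so the example runs offline (they are not a real executable), the two creation times are constructed, and the one-day tolerance is an assumption.

```python
import struct
from datetime import datetime, timedelta, timezone

E_LFANEW_OFFSET = 0x3C      # DOS header field holding the offset of the "PE\0\0" signature
COFF_TIMESTAMP_OFFSET = 8   # TimeDateStamp sits 8 bytes past the signature (after Machine, NumberOfSections)


def pe_compile_time(image: bytes) -> datetime:
    """Return the COFF header TimeDateStamp of a PE image as a UTC datetime."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, E_LFANEW_OFFSET)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    (stamp,) = struct.unpack_from("<I", image, e_lfanew + COFF_TIMESTAMP_OFFSET)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def created_before_compiled(compile_time: datetime, created_time: datetime,
                            tolerance: timedelta = timedelta(days=1)) -> bool:
    """The text's rule: a file created on disk well before it was compiled carries a tampered time stamp.
    The tolerance absorbs clock skew between build machine and endpoint (assumed value)."""
    return created_time + tolerance < compile_time


def build_minimal_pe(timestamp: int) -> bytes:
    """Constructed sample input: the smallest header the parser accepts. It is not a runnable executable."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, len(dos))  # PE signature directly after the DOS header
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff


COMPILED_AT = datetime(2018, 9, 1, tzinfo=timezone.utc)
SAMPLE_IMAGE = build_minimal_pe(int(COMPILED_AT.timestamp()))

# Constructed filesystem creation times for two copies of the same image.
CREATED_YEARS_EARLIER = datetime(2015, 3, 10, tzinfo=timezone.utc)  # claims to predate its own build
CREATED_AFTER_BUILD = datetime(2018, 9, 3, tzinfo=timezone.utc)     # consistent with a recent drop


def assess(image: bytes, created_time: datetime) -> dict:
    """Bundle the two time stamps with the verdict so the caller sees the evidence, not just a flag."""
    compiled = pe_compile_time(image)
    return {"compiled": compiled, "created": created_time,
            "tampered": created_before_compiled(compiled, created_time)}


if __name__ == "__main__":
    for created in (CREATED_YEARS_EARLIER, CREATED_AFTER_BUILD):
        print(assess(SAMPLE_IMAGE, created))
```

On a real host you would read the creation time from the filesystem metadata the scan collected and feed the file bytes to pe_compile_time; the parser only needs the DOS header and the first 12 bytes past the PE signature, so it works on a partial read.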

Analyze Files

In the Hosts view, select the Files tab. You can view the list of files scanned on the host at the time of the scan. By default, the table displays 100 files. To display more files, click Load More at the bottom of the page.

For example, many trojans write random filenames when dropping their payloads to prevent an easy search across the endpoints in the network based on the filename. If a file is named svch0st.exe, scvhost.exe, or svchosts.exe, it indicates that the legitimate Windows file named svchost.exe is being mimicked.
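The name-mimicry pattern from this section and from the LSASS.EXE bullet under Analyze Processes (svch0st.exe, scvhost.exe, svchosts.exe; lass.exe, lssass.exe, lsasss.exe) generalizes to an edit-distance check: a file whose stem is one insertion, deletion, substitution, or adjacent swap away from a protected Windows binary name, but not equal to it, is a lookalike. This is an added Python example, not RSA NetWitness code; the protected-name list beyond svchost and lsass, the distance cut-off, and the file listing are constructed assumptions.

```python
from typing import List, Tuple

# Windows binaries whose names malware commonly mimics. svchost and lsass come from the text;
# the rest of the list is an assumption to extend per environment.
PROTECTED_NAMES = ["svchost", "lsass", "csrss", "smss", "wininit", "winlogon", "services", "explorer"]
MAX_DISTANCE = 1  # one insertion, deletion, substitution or adjacent swap (assumed cut-off)


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent transpositions counted as one edit."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution (svch0st vs svchost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition (scvhost vs svchost)
    return d[rows - 1][cols - 1]


def stem(filename: str) -> str:
    """Lower-cased base name without a trailing .exe, so paths and case do not affect the comparison."""
    name = filename.rsplit("\\", 1)[-1].rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def find_lookalikes(filenames: List[str]) -> List[Tuple[str, str, int]]:
    """Return (filename, mimicked name, distance) for names near a protected name but not equal to it."""
    hits = []
    for fn in filenames:
        s = stem(fn)
        if s in PROTECTED_NAMES:
            continue  # exact name: treated as the real binary here (location checks are out of scope)
        best = min(PROTECTED_NAMES, key=lambda p: osa_distance(s, p))
        dist = osa_distance(s, best)
        if dist <= MAX_DISTANCE:
            hits.append((fn, best + ".exe", dist))
    return hits


# Constructed file listing mixing the page's examples with legitimate names.
SAMPLE_FILES = ["svchost.exe", "svch0st.exe", "scvhost.exe", "svchosts.exe",
                "lsass.exe", "lass.exe", "lssass.exe", "lsasss.exe",
                "csrss.exe", "notepad.exe", "explorer.exe"]

if __name__ == "__main__":
    for fn, mimics, dist in find_lookalikes(SAMPLE_FILES):
        print(f"{fn:14} looks like {mimics} (distance {dist})")
```

A cut-off of one edit is deliberately tight: it catches every example the text gives while leaving unrelated short system names such as csrss.exe and lsass.exe (two edits apart) unflagged. Widening it to two edits raises recall at the cost of false positives among legitimate short names, so tune it against the actual file inventory.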

Analyze Libraries

In the Hosts view, select the Libraries tab. You can view the list of libraries loaded at the time of the scan.

For example, a file with high entropy gets flagged as packed. A packed file means that it is compressed to reduce its size (or to obfuscate malicious strings and configuration information).
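What "high entropy" means in practice, as an added Python example (not RSA NetWitness code): Shannon entropy in bits per byte over the whole file, plus the same measure per chunk so a packed payload hidden behind a plain-text header still stands out. The 7.0-bit threshold, the chunk size, and the three sample buffers are constructed assumptions; the product's own cut-off is not stated on this page.

```python
import math
import random
from collections import Counter
from typing import List

PACKED_THRESHOLD = 7.0  # bits per byte; an assumed cut-off, not the product's setting
CHUNK_SIZE = 1024       # large enough that a random chunk is reliably near 8 bits


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0 for a constant buffer, 8 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, size: int = CHUNK_SIZE) -> List[float]:
    """Entropy of each consecutive slice of the file."""
    return [shannon_entropy(data[i:i + size]) for i in range(0, len(data), size)]


def is_probably_packed(data: bytes, threshold: float = PACKED_THRESHOLD) -> bool:
    """Whole-file check mirroring the text: high entropy => flagged as packed."""
    return shannon_entropy(data) >= threshold


def packed_regions(data: bytes, threshold: float = PACKED_THRESHOLD, size: int = CHUNK_SIZE) -> List[int]:
    """Indices of chunks above the threshold; catches a packed payload that the whole-file average dilutes."""
    return [i for i, e in enumerate(chunk_entropies(data, size)) if e >= threshold]


# Constructed samples (not real files): text-like bytes, pseudo-random "packed" bytes, and a mix.
TEXT_SAMPLE = (b"This program cannot be run in DOS mode. " * 110)[:4096]
_rng = random.Random(1)  # fixed seed so the example is reproducible
RANDOM_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(4096))
MIXED_SAMPLE = TEXT_SAMPLE[:3072] + RANDOM_SAMPLE[:1024]  # plain header followed by a packed section

if __name__ == "__main__":
    for label, buf in (("text", TEXT_SAMPLE), ("random", RANDOM_SAMPLE), ("mixed", MIXED_SAMPLE)):
        print(f"{label:7} entropy={shannon_entropy(buf):.2f} packed={is_probably_packed(buf)} "
              f"regions={packed_regions(buf)}")
```

The mixed buffer is the instructive case: its whole-file entropy stays below the threshold because three quarters of it is text, yet the last chunk is clearly packed. Compressed or encrypted data also scores near 8 bits, so entropy is a reason to look closer, not a verdict on its own.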

Analyze Drivers

In the Hosts view, select the Drivers tab. You can view the list of drivers running on the host at the time of the scan.

For example, using this panel, you can check if a file is signed or unsigned. A file that is signed by a trusted vendor such as Microsoft or Apple, and whose signature status is valid, indicates that it is a good file.

Analyze System Information

In the Hosts view, select the System Information tab. This panel lists the agent system information. For the Windows operating system, the panel displays the host file entries and network shares of that host.

For example, malware might use host file entries to block antivirus updates.
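The hosts-file check above, written out: parse the entries the agent collected and report any watched update domain that has been redirected, either sinkholed to a loopback or unspecified address or pinned to some other host. This is an added Python example, not RSA NetWitness code; the watched-domain list and the sample hosts file are constructed for illustration.

```python
import ipaddress
from typing import List, Tuple, Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Domains whose resolution should never be overridden locally (constructed watchlist; put the
# update domains of your own AV and patch infrastructure here). Matching is by DNS suffix.
WATCHED_SUFFIXES = ("windowsupdate.com", "update.microsoft.com", "liveupdate.example-av.net")


def parse_hosts(text: str) -> List[Tuple[int, Address, str]]:
    """Parse hosts-file syntax: '<address> <name> [<name> ...]'; '#' starts a comment."""
    entries: List[Tuple[int, Address, str]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed address: the resolver will not use this line either
        for name in parts[1:]:
            entries.append((lineno, addr, name.lower()))
    return entries


def is_watched(name: str) -> bool:
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def suspicious_entries(text: str) -> List[Tuple[int, str, str, str]]:
    """(line, name, address, reason) for every watched name the hosts file overrides."""
    findings = []
    for lineno, addr, name in parse_hosts(text):
        if not is_watched(name):
            continue
        if addr.is_loopback or addr.is_unspecified:
            findings.append((lineno, name, str(addr), "sinkholed to a local address"))
        else:
            findings.append((lineno, name, str(addr), "pinned to a non-local address"))
    return findings


# Constructed hosts file: two legitimate localhost lines, three overrides of update domains.
SAMPLE_HOSTS = """\
# constructed sample, not a real hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0         download.windowsupdate.com   # update downloads sinkholed
127.0.0.1       liveupdate.example-av.net
203.0.113.7     update.microsoft.com         # pinned to a documentation-range address
10.0.0.5        intranet.corp.example
"""

if __name__ == "__main__":
    for lineno, name, addr, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {addr} ({reason})")
```

Both branches matter: a loopback or 0.0.0.0 entry silently breaks updates, while a non-local entry can redirect update traffic to a host the attacker controls. Legitimate internal overrides (like the intranet line) are left alone because they are not on the watchlist.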

Delete a Host

To delete hosts manually from the UI:

  1. Go to INVESTIGATE > Hosts.
  2. Select the hosts that you want to delete from the Hosts view and click Delete.
    This deletes all the collected Endpoint data for the selected hosts.

Note: If you accidentally delete a host from the Hosts view, the Endpoint Server forbids all requests from this agent. The agent must be uninstalled manually from the host and reinstalled for it to appear in the Hosts view again.

Set Hosts Preference

By default, the Hosts view displays a few columns and the hosts are sorted based on the last scan time. If you want to view specific columns and sort data on a specific field:

  1. Go to INVESTIGATE > Hosts.
  2. Select the columns by clicking Settings in the right-hand corner. The following example shows the screen displayed while adding columns:
    [Screenshot: Select Columns for Hosts]
  3. Sort the data on the required column.

Note: This is set as your default view every time you log in to the Hosts view.

Export Host Attributes

You can export up to 100,000 host attributes at a time. To export the host attributes to a comma-separated values (CSV) file:

  1. Go to INVESTIGATE > Hosts.
  2. Filter the hosts by selecting the required filter options.
  3. Add columns by clicking Settings in the right-hand corner.
  4. Click Export to CSV.

You can either save or open the CSV file.
