When you have found data of interest in the Events view, you can do internal lookups to NetWitness Endpoint and RSA Live, as well as external lookups of meta values in community resources such as SANS IP History and ThreatExpert Search.
Open an Endpoint Event in the NetWitness Endpoint Thick Client
When viewing an endpoint event in the Text panel, you can pivot to analyze the same event in NetWitness Endpoint.
Note: Version 4.4.0.x of the NetWitness Endpoint (NWE) thick client must be installed on the same server, the NWE meta keys must exist in the table-map.xml file on the Log Decoder, and the NWE meta keys must exist in the index-concentrator-custom.xml file. The NWE thick client is a Windows-only application. Complete setup instructions are provided in the NetWitness Endpoint User Guide for Version 4.4.
To open an event in NetWitness Endpoint:
Starting from the Navigate view:
In the Query drop-down, select Advanced, and enter one of the following queries: nwe.callback_id exists or device.type='nwendpoint'. Endpoint data is displayed in the Values panel.
Right-click an event, and select Events in the menu.
(Version 11.1 and later) Go to INVESTIGATE > Events. In the Query drop-down, select Advanced, and enter one of the following queries: nwe.callback_id exists or device.type='nwendpoint'. Endpoint data is displayed in the Events panel.
Select an event. The Events view opens with the selected event displayed in the Text view.
In the Event Header, click Pivot to Endpoint. A new browser tab with the URL ecatui://<id> opens and the NWE Thick Client is launched. If the NetWitness Endpoint Thick Client is not installed, no data is displayed and the following message appears: Applicable for hosts with 4.x Endpoint agents installed, please install the NetWitness Endpoint Thick Client.
Perform Lookups of Meta Values in Events
In the Events view, you can further investigate meta values in an event by right-clicking certain meta values and using the options in a drop-down menu. Not all fields have right-click actions. To perform internal and external lookups:
In the Events view, right-click a meta value in the Events List, the Event Meta panel, or the Event Header. Some meta values have a drop-down menu.
Select one of the following internal lookups:
Copy: Copies the meta value to the clipboard.
Refocus Investigation in New Tab: Launches another investigation in a new tab with the focus on the selected meta value.
Apply Drill in New Tab: Applies the drill and launches it in a new tab to drill the data in Navigate view.
Apply !EQUALS Drill in New Tab: Applies (!EQUALS) to the meta and launches a new tab, effectively excluding the meta value from the results.
Hosts Lookup: Looks up the value in the Investigate > Hosts view.
Endpoint Thick Client Lookup: Analyzes the meta value in the Endpoint Thick Client (for clients which have Endpoint Agent).
Live Lookup: Looks up a meta value on Live for further analysis.
For an external lookup, hover over a meta value, right-click, and select External Lookup.
In the submenu select one of the available external lookups:
Google: Looks up a meta value on Google.com
SANS IP History: Looks up a meta value on SANS IP History, domain = http://isc.sans.org/ipinfo.html?ip=ipaddress
CentralOps Whois for IPs and Hostnames: Looks up a meta value on CentralOps Whois for IPs and Hostnames, domain = http://centralops.net/co/DomainDossier.aspx?addr=domain&dom_whois=true&dom_dns=true&net_whois=true
Robtex IP Search: Looks up a meta value on Robtex IP Search, domain = https://www.robtex.com/cidr/domain.ipaddress
IPVoid: Looks up a meta value on IPVoid, domain = http://www.ipvoid.com/scan/domain/
URLVoid: Looks up a meta value on URLVoid, domain = http://www.urlvoid.com/scan/ipaddress/
ThreatExpert Search: Looks up an IP meta value on ThreatExpert Search, domain = http://www.threatexpert.com/reports.aspx?find=IP address
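The external lookups above work by substituting the selected meta value into a fixed URL template, so the value is sent to the third-party site as-is. As an added example (not code from NetWitness or from this page), the helper below builds the SANS, CentralOps, IPVoid, URLVoid and ThreatExpert lookup URLs from the templates listed above, but only after checking that the meta value is a syntactically valid IP address or hostname and percent-encoding it; the hostname pattern and the "IP only" rule for SANS and ThreatExpert are assumptions based on the descriptions above.

```python
import ipaddress
import re
from urllib.parse import quote

# Lookup URL templates as documented on this page; "{value}" stands in for the
# page's ipaddress / domain / "IP address" placeholders. The first tuple element
# is an assumption: "ip" where the page says the lookup takes an IP, else "any".
EXTERNAL_LOOKUPS = {
    "sans_ip_history": ("ip", "http://isc.sans.org/ipinfo.html?ip={value}"),
    "centralops_whois": ("any", "http://centralops.net/co/DomainDossier.aspx"
                         "?addr={value}&dom_whois=true&dom_dns=true&net_whois=true"),
    "ipvoid": ("any", "http://www.ipvoid.com/scan/{value}/"),
    "urlvoid": ("any", "http://www.urlvoid.com/scan/{value}/"),
    "threatexpert": ("ip", "http://www.threatexpert.com/reports.aspx?find={value}"),
}

# Hostname syntax (labels of 1-63 chars, no leading/trailing hyphen, <= 253 total).
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def classify_meta_value(value: str) -> str:
    """Return 'ip' or 'host'; raise ValueError for anything else (e.g. a path)."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if _HOSTNAME_RE.match(value):
        return "host"
    raise ValueError(f"meta value is not an IP address or hostname: {value!r}")


def build_external_lookup_url(lookup: str, value: str) -> str:
    """Build the lookup URL for a meta value, refusing values that do not fit."""
    required_kind, template = EXTERNAL_LOOKUPS[lookup]
    value = value.strip()
    kind = classify_meta_value(value)
    if required_kind == "ip" and kind != "ip":
        raise ValueError(f"{lookup} expects an IP address, got {kind}: {value!r}")
    # Percent-encode everything except unreserved characters so the value cannot
    # add its own query parameters or path segments to the template.
    return template.format(value=quote(value, safe=""))
```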