This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

NetWitness Endpoint Column and Meta Groups (11.1 Insights or 11.0/4.4 Meta Integration)

SeanEnnis1
New Contributor New Contributor
New Contributor
‎2018-04-25 10:44 AM

Here are a few column and meta groups to help get you started in NW 11.1 for either the free NW Endpoint Insights integration or the existing NW Endpoint 4.4 meta integration.  These are designed to help speed up analysis based on the category of endpoint data of interest.  It's also worth remembering that you have access to a lot of this data in a per-host context with the new 11.1 Investigate > Hosts view which is a handy way to get a snapshot of what is going on at a given point and time for a specific host, without (or prior to) querying the NWDB, eg:

 

pastedImage_19.png

 

When hunting or analyzing endpoint data across an entire environment, or in context with network and other log data for a specific host, you would then want to pivot into the more traditional Investigate > Navigate/Hosts view which is where you would apply the appropriate meta and column groups.

 

 

Meta Group (1) 

Top down organization of keys:

   - Host Information

   - Data Category (+Action for event tracking)

   - File/Process Keys

   - IPv4 Keys

   - User Keys

   - Service, Autoruns, Tasks

 

[NWEndpoint] Event and Scan Summary:

pastedImage_3.png

Column Groups (5)

When using column groups for analysis of NW Endpoint data, I like having both a generic column group that can show all event and scan data categories on the same page without too much clutter, as well as specific column groups mapped to individual categories (eg. Process Analysis, File Analysis, Autorun Analysis, etc.).  The NW 11.1 platform lets you toggle between these at will.  Also note that these will apply to both Event view and Event Analysis view.

 

Eg. [NWEndpoint] Event and Scan Summary (same keys as the Meta Group)

pastedImage_8.png

 

Eg. [NWEndpoint] Process Analysis

(Note: 'Process Event' category is only available with the full NW Endpoint Agent)

pastedImage_7.png

Eg. [NWEndpoint] File & DLL Analysis

pastedImage_6.png

 

Eg. [NWEndpoint] Service Analysis

pastedImage_15.png

 

Eg. [NWEndpoint] Autorun & Task Analysis

pastedImage_18.png

Installation

Investigation: Manage Column Groups in the Events View 

Investigate: Manage Meta Groups 

 

** NOTE:  The attached groups use the meta key 'param' to display "Launch Arguments".  11.1 out of box configuration maps this to the 'query' key instead.  'Param' will be the default as of the 11.1.0.1 patch, but in the mean time you can either update your table-map.xml/concentrator index manually, or switch the meta key referenced in the groups to 'query' which is the 11.1 out of box setting.

 

Process: Host GS: Maintain the Table Map Files  for the table-map.xml instructions, and Index Customization  for the concentrator index.

table-map-custom.xml addition:  <mapping envisionName="param" nwName="param" flags="None"/>

index-concentrator-custom addition:  <key description="Launch Arguments" level="IndexValues" name="param" format="Text" valueMax="100000" />

NWEndpointInsights_11-1_CustomColumnGroups.jsn.zip
NWEndpointInsights_11-1_MetaGroup.jsn.zip
NWEndpointInsights_11-1_CustomColumnGroups.jsn.zip
NWEndpointInsights_11-1_MetaGroup.jsn.zip
0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.