Analyzing Events

If you need to investigate a particular host, IP address, username, filename, or hash to look for related activity across a time range, you can pivot to Navigate view to get the entire context of the activity. By default, the time range is set to 7 days. You can change the time range.

Note: By default, the system detects the best data source to pivot to Navigate view. To change the data source, modify the investigate service ID under endpoint or investigate in the Explore view.

Analyze Events from Files View

To investigate a particular filename or hash (SHA256 and MD5):

  1. Go to Files.
  2. Select the file you want to analyze and do one of the following:

    • Right-click and select Analyze Events from the context menu.
    • Click Analyze Events in the toolbar.

    PvtInFl.png

    This opens the Navigate view with data related to the file. For more information on analyzing events in the Navigate and Events views, see the NetWitness Investigate User Guide.

Note: If the values are not indexed, the results take time to load. For more information, see Troubleshooting NetWitness Endpoint.

Analyze Events from Hosts View

To investigate a particular host, IP address (IPV4), or username:

  1. Go to Hosts.
  2. Do one of the following:

    • Right-click a host, select Analyze Events from the right-click context menu or in the toolbar, and select a specific event type (such as network events, file events) that you want to view.

    • Select the hostname to open the host details. Right-click a file or in the toolbar, select Analyze Events, and select a specific event type that you want to view.

      The following figure is an example of the Autoruns tab.

      autoruns_tab_col_2094x840.png

      This opens the Navigate view with data related to the file.

For more information on analyzing events in the Navigate and Events views, see the NetWitness Investigate User Guide.

Text Analysis for an Endpoint Event

You can view all Endpoint events in their original text format in the Events view Event List panel. When you click an event in the Event list panel, the adjacent panel shows the Text Analysis. Pagination controls add flexibility when paging through the reconstructed text of an event. The Text Analysis displays the following:

  • Event Header, which provides summary information about the event. (Version 11.5 and Later) The event header includes host name, process, and user name details in addition to other event details if the selected Endpoint event contains these metadata.
  • Options for exporting - log, csv, xml, and json formats.
  • Option to pivot to the Endpoint Thick Client to analyze the meta value.
  • Option to analyze process details associated with the event.
  • Option to view the host details for further analysis.

Below is an example of the Process event for Endpoint. The text in the Text Analysis panel explains that a source process WmiPrvSE.exe opened a browser process named chrome.exe. In the events, if there is a meta value that exceeds 255 characters, the value is displayed in the Large Meta Values panel.

netwitness_txtanlendp111_1368x425.png

Below is an example of the Network event:

netwitness_txtanlendp112_1363x364.png

For more information on Events view, see the NetWitness Investigate User Guide.