Beginning an Investigation

Based on the question you are attempting to answer, NetWitness Investigate offers different starting points: Navigate view (Version 11.5 and earlier), Events view, Legacy Events view (Version 11.3 and earlier), Hosts view, Files view, Users (Entities) view, and Malware Analysis view.

Specific user roles and permissions are required for a user to conduct investigations in NetWitness. If you cannot perform a task or see a view, the administrator may need to adjust the roles and permissions configured for you.

Note:
- The Files and Hosts views are available in Version 11.1 and later (refer to the NetWitness Endpoint Quick Start Guide and NetWitness Endpoint User Guide for details). Before Version 11.5, these views were submenus of Investigate.
- The Users view is available in Version 11.2 and later (refer to the NetWitness UEBA Quick Start Guide and the NetWitness UEBA User Guide for details); in Version 11.4 it is labeled Entities view. Before Version 11.5, it was a submenu of Investigate.
- By default, the Legacy Events view is disabled in Version 11.4, but can be enabled by an administrator as described in the System Configuration Guide.
- By default, the Navigate view is disabled in Version 11.6 as the Filter Events Panel in the Events view provides this functionality. To enable the Navigate view, see Configure the Navigate View and Legacy Events View.
- Specific user roles and permissions are required for a user to conduct investigations and malware analysis in NetWitness. If you cannot see a view, the administrator may need to adjust the roles and permissions configured for you.
- The 11.4 Events view is the default view for investigating events. The default workflow for analysts interacting with events is optimized to limit the need to transition from one view to another. By combining capabilities that were previously in two distinct workflows, known as Event Analysis and Events, the analyst has a single workflow for analyzing events. With the new functionality added to the Events view, the Legacy Events view is no longer needed. By default, the previous workflow is not in the Investigate menu, but an administrator can re-enable it as described in "Configure Investigation Settings" in the System Configuration Guide.

Focus on Metadata, Raw Events, and Event Analysis

To hunt for events that drive the incident response workflow and to do strategic analysis after another tool has generated an event, go to Investigate > Navigate, Investigate > Events, or Investigate > Legacy Events. You can investigate the metadata and raw events for a single Broker or Concentrator. In each of these views, you can execute a query and filter the results by narrowing the time range and querying metadata. These topics provide details about beginning an investigation:

Focus on Hosts and Files

To hunt for information on hosts that have the Endpoint agent running, go to Hosts (Version 11.5) or Investigate > Hosts (Version 11.4). For every host, you can see processes, drivers, DLLs, files (executables), services, and autoruns that are running, and information related to logged-in users. To begin an investigation by looking at files in your deployment, go to Investigate > Files. (See the NetWitness Endpoint User Guide for detailed information.)

Focus on Risky User and Entity Behavior

To discover, investigate, and monitor risky behaviors across all users and entities in your network environment, go to Users (Version 11.5), Investigate > Entities (Version 11.4), or NetWitness UEBA (User and Entity Behavior Analytics). In versions 11.3 and earlier, the menu option is Investigate > Users. You can detect malicious and rogue users, pinpoint high-risk behaviors, discover attacks, and investigate emerging security threats. (See the UEBA User Guide for NetWitness Platform XDR 12.1 for detailed information.)

Focus on Scanning Files for Malware

To scan files for potential malware, or set up a continuous scan of a service, go to Investigate > Malware Analysis. Scan results are expressed as four types of analysis: network, static, community, and sandbox with an indicator of compromise (IOC) rating. There are several other ways to begin working in Malware Analysis:

  • You can begin Malware Analysis from the Malware Analysis dashlets in the Monitor view to quickly see the riskiest potential threats.
  • You can right-click a meta key in the Navigate view, and select Scan for Malware.

See the Malware Analysis User Guide for detailed information.