Files View

Note: The information in this topic applies to NetWitness Version 11.1 and later.

The Files view provides a holistic view of all files in your deployment. To access this view, go to Files. By default, the Files view displays 100 files. To display more files, click Load More at the bottom of the page.

You can either view files specific to an Endpoint server or view all files from multiple Endpoint servers by selecting the Endpoint Broker.

Workflow

[Figure: Files view workflow]

What do you want to do?

User Role      I want to ...                                                    Show me how
Threat Hunter  whitelist files and certificates signed by known good vendors*  Analyze Certificates
Threat Hunter  create filter to identify files for investigation*              Filter Files
Threat Hunter  analyze files*                                                  Investigating Files
Threat Hunter  analyze events*                                                 Analyzing Events
Threat Hunter  download files for deeper analysis*                             Analyzing Downloaded Files
Threat Hunter  perform external lookups*                                       Launch an External Lookup for a File
Threat Hunter  change file status or remediate*                                Changing File Status or Remediate

*You can perform this task in the current view.

Quick Look

Below is an example of the Files view:

[Figure: Files view]

1 Filter Files. You can filter the files by selecting the options in the Filters panel, or create your own filters. For more information, see Filter Files.
2 Actions in the toolbar:

Server drop-down list - You can select the Endpoint server or Endpoint Broker server to view the hosts.

Manage - You can select any of the following drop-down options in the Manage drop-down list.

Change File Status - Provides capabilities to manage suspect and legitimate files and block malicious or infected files to prevent future execution of the file on any host. For more information, see Changing File Status or Remediate.

Analyze Events - Lets you investigate a particular host, IP address, username, filename, or hash to get the entire context of the activity. For more information, see Analyzing Events.

More Actions - Provides options to:

  • Perform external lookups.
  • Download files to server, save a local copy, and analyze files for deeper analysis.
  • Reset risk score.

Note: You can perform the above actions from the right-click context menu.

3 Sort Columns. Lets you sort on column titles.

4 Settings Menu. You can set Files view preferences by selecting columns from the Settings menu. For more information, see Set Files Preference.
5 Show/Hide File Properties Panel. Click a row to show or hide the File Properties panel. It displays the following tabs:

File Details - Displays the file information.

Risk details - Displays the distinct alerts associated with the risk score.

Hosts - Displays the top 100 hosts based on the risk score on which the file is present. For more information, see Analyze Hosts with File Activity.

6 Export to CSV - Extracts global files to a CSV file. For more information, see Export Global Files.

File Details View

To access this view, go to Files, and select a file. Below is an example of the File Details view:

[Figure: File Details view]

1 Agent and Scan Details. You can view the following agent and scan details of the selected host:

Host name - Name of the host. For example, WIN-ABC.

Risk score - Risk score of the host.

Operating System - Operating system on which the agent is running (Linux, Windows, or Mac).

Analyze Events - Lets you investigate a particular host, IP address, username, filename, or hash to get the entire context of the activity. For more information, see Analyzing Events.

More - Provides options to perform external lookups.

On Hosts - Indicates the number of hosts on which the file exists.

Signature - Provides signatory information.

Size - Size of the file.

File Status - Status of the file. For example, Neutral.

2 Alerts Severity tab - Displays the list of distinct alerts, such as Critical, High, Medium, and All, along with the total number of events associated with each alert.

Analysis tab - Provides detailed information about a downloaded file. For more information, see Analyzing Downloaded Files.

3 Displays events for an alert and metadata associated with a specific event.
4 Show/Hide File Properties Panel. Click a row to show or hide the File Properties panel. It displays the following tabs:

File Details - Displays the file information.

Hosts - Displays the hosts on which file activities are present. For more information, see Analyze Hosts with File Activity.