Hosts View - Autoruns TabHosts View - Autoruns Tab
Note: The information in this topic applies to NetWitness Version 11.1 and later.
The Autoruns panel provides a list of autoruns, services, tasks, and cron jobs running on the host. To access this tab, select a host from the Hosts view and click the Autoruns tab.
What do you want to do?
|User Role||I want to ...||Show me how|
|Threat Hunter||review hosts with highest risk score*|
|Threat Hunter||analyze hosts*||Investigating Hosts|
|Threat Hunter||perform adhoc scan*|
|Threat Hunter||review host details|
|Threat Hunter||search on snapshot*|
|Threat Hunter||analyze processes|
|Threat Hunter||review reported anomalies|
|Threat Hunter||analyze risky users||Analyzing Risky Users|
|Threat Hunter||download files for deeper analysis*||Analyzing Downloaded Files|
|Threat Hunter||perform external lookups*||Launch an External Lookup for a File|
|Threat Hunter||change file status or remediate*||Changing File Status or Remediate|
|Threat Hunter||isolate host from network*||Isolating Hosts from Network|
|Threat Hunter||download MFT, system dump, or process dump*||Performing Host Forensics|
*You can perform this task in the current view.
- Focusing on Endpoint Analysis
- Investigating Hosts
- Analyzing Downloaded Files
- Changing File Status or Remediate
- Analyzing Events
- Performing Host Forensics
- Isolating Hosts from Network
Below is an example of the Autoruns tab:
Agent and Scan Details. You can view the following agent and scan details of the selected host:
Host name - Name of the host. For example, WIN-ABC.
Risk score - Risk score of the host.
Operating System - Operating system on which the agent is running (Linux, Windows, or Mac).
Agent Scan Status - Current status of the scan - Idle, Scanning, Starting Scan, or Stopping Scan. For more information, see Scan Hosts.
Agent Last Seen - Time when the agent last communicated with the Endpoint server.
Agent Version - Version of the agent. For example, 184.108.40.206.
More - Provides options to:
Snapshot Time - Lists scanned time stamps. To view the scan history, you can select the snapshot time from the drop-down menu.
Actions in the toolbar:
Change File Status - Provides capabilities to manage suspect and legitimate files and block malicious or infected file to prevent future execution of the file on any host. For more information, see Changing File Status or Remediate.
Analyze Events - Lets you investigate a particular host, IP address, username, filename, or hash to get the entire context of the activity. For more information, see Analyzing Events.
More Actions - Provides options to:
Note: You can perform some of the above actions from the right-click context menu.
|3||Search on Snapshots. Lets you search on all snapshots (file name, file path, and SHA-256 checksum). For more information, see Search Files on Host.|
Details Panel - Displays the following tabs:
|5||Show/Hide Right Panel - Displays the following properties in the right panel:
|6||Clicking a filename lets you navigate to the Files view for further analysis.|
|7||Filter Files. You can filter files by selecting the options in the Filters panel and create filters. For more information, see Filter Host Details.|
|8||Settings Menu. You can set Hosts view preferences by selecting columns from the Settings menu. For more information, see Set Hosts Preference.|