Hosts View

Note: The information in this topic applies to NetWitness Version 11.1 and later.

The Hosts view provides a list of all hosts with an Endpoint agent installed. To access this view, go to Hosts. By default, hosts are sorted based on the risk score.

Workflow

netwitness_workflowhosts.png

What do you want to do?

User Role | I want to ... | Show me how
Threat Hunter | review hosts with highest risk score* | Analyze Hosts Using the Risk Score
Threat Hunter | analyze hosts* | Investigating Hosts
Threat Hunter | perform adhoc scan* | Scan Hosts
Threat Hunter | review host details* | Analyze Host Details
Threat Hunter | search on snapshot* | Search Files on Host
Threat Hunter | analyze processes* | Investigating a Process
Threat Hunter | review reported anomalies* | Analyze Anomalies
Threat Hunter | analyze risky users* | Analyzing Risky Users
Threat Hunter | analyze events* | Analyzing Events
Threat Hunter | download files for deeper analysis* | Analyzing Downloaded Files
Threat Hunter | perform external lookups* | Launch an External Lookup for a File
Threat Hunter | change file status or remediate* | Changing File Status or Remediate
Threat Hunter | filter files* | Filter Host Details
Threat Hunter | isolate host from network* | Isolating Hosts from Network
Threat Hunter | download MFT*, system dump*, or process dump | Performing Host Forensics

*You can perform this task in the current view.

Quick Look

Below is an example of the Hosts view:

HsVw_1115x413.png

1 Filter Hosts. You can filter the hosts by selecting options in the Filters panel, and you can create filters. For more information, see Filter Hosts.
2 Actions in the toolbar:

Server drop-down list - You can select the Endpoint server or Endpoint Broker server to view the hosts.

Analyze Events - Lets you investigate a particular host, IP address, username, filename, or hash to get the entire context of the activity. For more information, see Analyzing Events.

Start Scan - Starts a scan for the selected hosts.

Stop Scan - Stops a scan for the selected hosts.

More Actions - Provides options to:

Note: You can perform the above actions from the right-click context menu.

3 Sort Columns. Lets you sort on column titles.

4 Export to CSV - Extracts host attributes to a CSV file. For more information, see Export Host Attributes.

5 Settings Menu. You can set Hosts view preferences by selecting columns from the Settings menu. For more information, see Set Hosts Preference.

6 Show/Hide Host Properties Panel. Click a row to show or hide the Host Properties panel. It displays the following tabs:

Host details - Displays the host information such as Network Interfaces, operating system, hardware and others.

Risk details - Displays the distinct alerts associated with the risk score.

7 View Agent History - Displays the list of commands issued to the agent. For more information, see View Agent History.