Launch a Lookup of a Meta Key

When you have found data of interest in the Navigate view, the Events view, or the Legacy Events view, you can do internal lookups to NetWitness Endpoint and RSA Live, as well as external lookups of meta values in community resources such as SANS IP History and ThreatExpert Search.

Analysts can use the external lookups to save time during investigations. The external lookups are available by right-clicking one of these meta keys: IP address (ip-src, ip-dst, ipv6-src, ipv6-dst, orig_ip), host (alias-host, domain.dst), client, and file-hash.

For all IP and host meta keys, the following lookups are built into NetWitness:

  • Google Malware: Opens a Google Malware search in a new tab.
  • SANS IP History: Opens a SANS IP History search in a new tab.
  • McAfee SiteAdvisor: Opens a McAfee SiteAdvisor search in a new tab.
  • Endpoint Thick Client Lookup: Opens a search in the NetWitness Endpoint Thick Client in a new tab.
  • BFK Passive DNS Collection: Opens a BFK Passive DNS collection search in a new tab.
  • CentralOps Whois for IPs and Hostnames: Opens a CentralOps Whois search for IPs and hostnames in a new tab.
  • Malwaredomainlist.com Search: Opens a Malwaredomainlist.com search in a new tab.
  • Robtex IP Search: Opens a Robtex IP search in a new tab.
  • ThreatExpert Search: Opens a ThreatExpert search in a new tab.
  • IPVoid Search: Opens a UrlVoid search in a new tab.

For the file-hash and alias-host meta keys, the Google lookup opens a Google search in a new tab.

For the client meta key, the NetWitness Endpoint Lookup option opens an Endpoint Thick Client in a new tab if the client is installed on the same system on which the browser is being used.

Administrators can add additional external lookups and other custom actions as described in "Add Custom Context Menu Actions" in the System Configuration Guide.

Launch an Endpoint Thick Client Lookup in the Events View

When viewing an endpoint event in the Text panel, you can pivot to analyze the same event in NetWitness Endpoint.

Note: Version 4.4.0.x of the NetWitness Endpoint (NWE) thick client must be installed on the same server, the NWE meta keys must exist in the table-map.xml file on the Log Decoder, and the NWE meta keys must exist in the index-concentrator-custom.xml file. The NWE thick client is a Windows-only application. Complete setup instructions are provided in the NetWitness Endpoint User Guide for Version 4.4.

To open an event in NetWitness Endpoint:

  1. Starting from the Navigate view:
    1. In the Query drop-down, select Advanced, and enter one of the following queries: nwe.callback_id exists or device.type='nwendpoint'
      Endpoint data is displayed in the Values panel.
    2. Right-click an event, and select Events in the menu.
  2. (Version 11.1 and later) Go to Investigate > Events. In the Query drop-down, select Advanced, and enter one of the following queries: nwe.callback_id exists or device.type='nwendpoint'
    Endpoint data is displayed in the Events panel.
  3. Select an event.
    The Events view opens with the selected event displayed in the Text view.
  4. In the Event Header click Pivot to Endpoint.
    A new browser tab with the URL ecatui://<id> opens and the NWE Thick Client is launched. If the NetWitness Endpoint Thick Client is not installed, no data is displayed and the following message appears: Applicable for hosts with 4.x Endpoint agents installed, please install the NetWitness Endpoint Thick Client.

Launch an Endpoint Thick Client Lookup in the Navigate View

To launch an Endpoint Thick Client lookup of data from the Navigate view:

  1. Right-click a meta value for one of the following meta keys: ip-src, ip-dst, ipv6-src, ipv6-dst, orig_ip, alias-host, domain.dst, or client.
  2. Select External Lookup in the context menu.
    A submenu of external lookup options is displayed.
  3. Select Endpoint Thick Client Lookup.
    The Connect to Server dialog is displayed.
  4. Enter the user name and password required to log in to the Endpoint Thick Client, and click Connect.
    The drill point opens in NetWitness Endpoint.

Perform Lookups of Meta Values in Events

In the Events view, you can further investigate meta values in an event by left- or right-clicking certain meta values and using the options in a drop-down menu. To perform internal and external lookups:

  1. In the Events view, left or right-click a meta value in the Events List, the Event Meta panel, or the Overview panel. Some meta values have a drop-down menu.
  2. Select one of the following internal lookups:

    • Copy Value: Copies the meta value to the clipboard.
    • Refocus Investigation in New Tab: Launches another investigation in a new tab with the focus on the selected meta value.
    • Apply Drill in New Tab: Applies the drill and launches it in a new tab to drill the data in Navigate view.
    • Apply !EQUALS Drill in New Tab: Applies (!EQUALS) to the meta and launches a new tab, effectively excluding the meta value from the results.
    • Hosts Lookup: Looks up the value in the Investigate > Hosts view.
    • Endpoint Thick Client Lookup: Analyzes the meta value in the Endpoint Thick Client (for clients that have the Endpoint Agent installed).
    • Live Lookup: Looks up a meta value on Live for further analysis.
  3. For an external lookup, left or right-click on a selected meta, and click External Lookup.
  4. In the submenu select one of the available external lookups:

  5. For a VirusTotal Lookup:

    • In the Events view, left- or right-click a meta value that contains a checksum in the Events List, the Filter Events panel, or the Event Meta panel.

      The Context Highlights dialog is displayed.

    • Click External Lookup > VirusTotal Lookup.

      This looks up the hash value on VirusTotal for rapid lookup and analysis.

MITRE ATT&CK© Lookup in Events Reconstruction View

Starting with version 12.4, the ATTACK.TACTIC and ATTACK.TECHNIQUE meta keys in the Event Metadata panel and the Event Reconstruction view include the MITRE ATT&CK© Lookup option, which lets analysts obtain more information about the MITRE Tactic and Technique associated with a particular event.

IMPORTANT: Both MITRE ATT&CK® and ATT&CK® are registered trademarks of the MITRE Corporation. © 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

To perform a MITRE ATT&CK© Lookup on meta keys:

  1. Log in to the NetWitness Platform.

  2. Go to Investigate > Events.

  3. Create a query that consists of one or more filters that contain a meta key. For example, (attack.all exists).

  4. Click an event in the Events panel to open the Events Reconstruction panel.

  5. In the Event Metadata panel, left- or right-click either the ATTACK.TACTIC or the ATTACK.TECHNIQUE meta key.


  6. Click the MITRE ATT&CK© Lookup option to open the ATT&CK© Explorer panel.


    The ATT&CK© Explorer panel opens from the right side of the browser window and is populated with information from MITRE ATT&CK as it becomes available.


    For more information on the ATT&CK© Explorer panel, see the topic ATT&CK© Explorer Panel in the NetWitness Respond User Guide.

Launch Other External Lookups from the Navigate View

To launch an external lookup of data from the Navigate view (other than NetWitness Endpoint Thick Client Lookup):

  1. Right-click a meta value for one of the following meta keys: ip-src, ip-dst, ipv6-src, ipv6-dst, orig_ip, alias-host, domain.dst, or client.
  2. Select External Lookup in the context menu.
    A submenu of external lookup options is displayed.
  3. Select one of the lookup options.
    The selected meta value opens in the selected lookup. For example, if you selected SANS IP History, the drill point information is displayed in the SANS Internet Storm Center.