Malware Analysis View
In NetWitness Investigate, the Malware Analysis view provides the user interface for conducting a malware analysis. The Malware Analysis view is in the form of a customizable dashboard, in which default dashlets in the initial view are based on the user role (Administration or Analyst) and user customizations. Initially, the Summary of Events dashlet is displayed in the Malware Analysis view. Additional dashlets present different visualizations of the events being viewed, and each representation is configurable to further refine your view as you search for Indicators of Compromise. The Malware Analysis dashlets available in the Dashboard are also available in the Malware view.
To access this view, select Investigate > Malware Analysis. If a default service has not been selected, the Select a Malware Analysis Service dialog is displayed. Select a service, then click View Continuous Mode.
Workflow

What do you want to do?
| User Role | I want to ... | Show me how |
|---|---|---|
| Threat Hunter | browse event metadata | NetWitness Investigate User Guide |
| Threat Hunter | browse raw events | NetWitness Investigate User Guide |
| Threat Hunter | analyze raw events and metadata | NetWitness Investigate User Guide |
| Threat Hunter | investigate endpoints (Version 11.1) | NetWitness Investigate User Guide |
| Threat Hunter | find suspicious endpoint files (Version 11.1) | NetWitness Investigate User Guide |
| Threat Hunter | scan files and events for malware* | Conducting Malware Analysis |
| Incident Responder | triage an incident in Investigate | NetWitness Investigate User Guide |
| Threat Hunter | export events and Files* | Examine Scan Files and Events in List Form |
| Threat Hunter | perform external lookups* | View Detailed Malware Analysis of an Event |
*You can perform this task in the current view.
Related Topics
- "How NetWitness Investigate Works" in the NetWitness Investigate User Guide
- "Launch a Malware Analysis Scan from the Navigate View" in the NetWitness Investigate User Guide
Quick Look
Below is an example of the Malware Analysis view.
The Malware Analysis view consists of the Summary of Events panel and four dashlets unique to this view. Each of the unique dashlets has an identical Options dialog. The Malware Analysis dashlets in the MONITOR view are also available here, and are described in the Dashlets topic in the NetWitness Content space.
Summary of Events Panel

In the Summary of Events panel, you can select the service, the scan mode, and the time range. In addition, you can select a data point and view the events associated with that data point.
The following table describes all features in the Summary of Events panel.
| Feature | Description |
|---|---|
| (icon) | Selects a service to display. |
| Scan Mode | Displays a drop-down list of available scan modes. |
| Time Range | Displays a drop-down list of time ranges to view events. |
| Start Date | When Time Range is set to custom, offers a calendar from which to choose the start date of the time range. |
| End Date | When Time Range is set to custom, offers a calendar from which to choose the end date of the time range. |
| (icon) | Displays a drop-down list of dashlets you can add to the view. |
| (icon) | Displays a drop-down list of actions you can perform in this view. |
| (icon) | Refreshes the Malware Analysis view. |
Options Dialog
In the Options dialog, you can customize the results displayed in the dashlet. This dialog can be accessed by clicking the icon in the top right corner of each dashlet. The following table describes the features of the Options dialog.
| Feature | Description |
|---|---|
| Title | Indicates whether the data shown is restricted to events flagged as high confidence or not. If the data is not restricted, this line is not displayed. |
| Influenced By High Confidence Only | Indicates whether the data shown is restricted to events flagged as high confidence. |
| Static, Network, Community, Sandbox | Allows you to filter results based on the scores in the scoring modules. |
| Cancel | Closes the dialog without saving any changes. |
| Apply | Applies changes to the dashlet immediately and closes the dialog. |
Meta Breakdowns
Meta Breakdowns presents events in the form of a pie chart, with each slice representing a meta value for the specified meta key. You can select the meta key and the count of meta values for that key to render in the chart, starting with the meta value having the most events. Hovering over an event displays the count.
The following table describes the options in the Meta Breakdowns dashlet.
| Feature | Description |
|---|---|
| High Confidence Only | Indicates whether the data shown is restricted to events flagged as high confidence or not. If the data is not restricted, this line is not displayed. |
| Meta Key | Drop-down list of available meta keys. |
| Count | Drop-down list specifying how many of the top results are displayed. |
Meta Treemap

Meta Treemap presents events in the form of a heat map. You can select the meta key and the count of meta values for that key to render in the chart, starting with the meta values having the most events. In addition, you can select the module that detected the meta value in the events: static, network, community, or sandbox.
The following table describes the options in the Meta Treemap dashlet.
| Feature | Description |
|---|---|
| High Confidence Only | Indicates whether the results are restricted to events flagged as high confidence. If the results are not restricted, this line is not displayed. |
| Meta Key | Drop-down list of available meta keys to select as a filter. |
| Count | Drop-down list specifying how many of the top results are displayed. |
| Module | Drop-down list specifying which module the results are pulled from. |
| Value | Drop-down list specifying what information is displayed when the mouse hovers over a result (for example, Average Score). |
Score Wheel
The Score Wheel offers a view of events as concentric rings with colors representing scores for events based on Indicators of Compromise and the scoring module. You can arrange the position of the rings using the Up and Down arrows to obtain a view that highlights events that were detected by one scoring module (red) and not detected by other scoring modules.
The following table describes the features of the Score Wheel dashlet.
| Feature | Description |
|---|---|
| High Confidence Only | Indicates whether the results are restricted to events flagged as high confidence. If the results are not restricted, this line is not displayed. |
| Module Order grid | Displays the order of the rings in the Score Wheel, Ring 1 being the innermost ring and Ring 4 being the outermost ring. You can click the Up and Down buttons to reorder the modules, then click Update to apply the changes. |
Event Timeline
The Event Timeline offers a view of events organized by the time of occurrence in a bar graph. Clicking and dragging to select a time range within the chart zooms in on the selected time.
The following table describes the features of the Event Timeline dashlet.
| Feature | Description |
|---|---|
| High Confidence Only | Indicates whether the results are restricted to events flagged as high confidence. If the results are not restricted, this line is not displayed. |
| View Events | Displays the Investigate > Events view. |