NetWitness Community

(From 12.5 and later) NetWitness introduces a new Home page menu that consists of Admin, Analyst, and Manager views. Each home page is comprised of multiple widgets. Administrators, Analysts, and SOC Managers can access the respective widgets that display certain data in graphical form. The data can be associated with Endpoints, Users, Assets, Content, Incidents, Alerts, MITRE ATT&CK, Retention, and many more.

 

 

 

Access Home Page

Log into the NetWitness platform and click the Home page.

From NetWitness 12.5 and later, the Home page will be the default landing page for users installing the NetWitness Platform for the first time and you can click the Home Page to view the new widgets from the Admin, Analyst, and Manager views.

On the default home page, in the top left corner, a greeting to the user is displayed. If available, the user's name is shown following the greeting.

For example: Good Afternoon, Norm

If the username is not available, then only the greeting will be displayed.

Note: The full name of a NetWitness user is displayed. NetWitness will only display the name of users created within it. Users who have been created through Single Sign-On, Active Directory, or any other type of user will not have their names displayed.

Customize the Dashboard Layout

The widgets for the Home page are arranged in a predefined layout for the various roles (analyst, manager, and admin). These layouts can be customized to suit your individual needs. Altering the layout of a dashboard is restricted to the Edit Layout mode, which is activated by clicking the Edit Layout button on the upper right of the screen.

The following actions can be performed while in Edit Layout mode:

• Addition of widgets to the dashboard.

• Deletion of widgets from the dashboard.

• Rearrangement and resizing of widgets to achieve a desired layout.

• Reset the Dashboard Layout to its default view.

Add a Widget

Users have the liberty to add widgets to their dashboard. There is no restriction on the number of widgets that can be added.

To add a widget to the dashboard

1. Log in to the NetWitness Platform and navigate to the Home page.

2. From the drop-down menu in the upper right-hand corner of the Home page, users should select the view they want to modify (Admin, Analyst, or Manager).

3. Click the Edit Layout button in the upper right corner. The Add Widget panel displays all the widgets that are available. Note: To quickly locate a widget, use the Search field by entering its name. The widgets will be filtered as the user types, displaying only matching results.
   • Click the X icon in the upper right corner to close the Add Widget panel.

4. To add a widget, follow either of the steps below:

   1. Hover the cursor over the desired widget, triggering a + (add) icon to appear in its upper-left corner. Click on the + icon to add the widget. This will add the widget to the bottom of the layout.

   2. Alternatively, click and drag a widget to the desired location on the dashboard. As the user drags the widget, the dashboard will indicate the target position.

      

5. To save the changes to the dashboard layout, click Save Layout.

   When the user clicks the Cancel button, any unsaved changes made to their dashboard layout are discarded, and the panel is closed.

   Modifications to a layout are applicable only to the user who made them.

Rearrange and Resize Widgets

Users have the flexibility to adjust the dashboard layout according to their preferences. Widgets can be resized and rearranged to emphasize content deemed critical.

Note: The MITRE ATT&CK Overview and Overview widgets have a fixed position and size on the dashboard and thus cannot be rearranged or resized.

• To rearrange a widget, simply select and drag it to the desired location within the layout. Adjacent widgets will adjust automatically to accommodate the change.

• For resizing, an arrow appears at the bottom right corner of all widgets upon hover. Click and drag it to adjust the dimensions. Horizontal dragging alters width, vertical dragging modifies height, and diagonal dragging adjusts both dimensions proportionally

Note: Each widget possesses default dimensions that can be modified within certain limits. Minimum and maximum size constraints are enforced.

Delete Widgets

Users can delete one or more widgets. However, users can only delete widgets for which they have the required permissions.

To delete a widget from the dashboard

1. Click the Delete icon located at the upper right corner of the widget. A confirmation message will appear.

2. Click Delete to permanently remove the widget from the dashboard. The remaining widgets will be adjusted to fill the vacated space if possible.

Reset the Dashboard Layout

Users can reset the dashboard to clear any dashboard customizations and restore the dashboard to the current default configuration.

To Reset the Dashboard Layout

1. Click the Edit Layout button in the upper right corner and click Reset. A confirmation message will appear.

   Note: Resetting the dashboard will remove any customizations users have made and revert the dashboard layout to its default view.

   

2. Click Reset. The page refreshes and reverts to the default view.

Admin View

The Admin dashboard consists of several out-of-the-box widgets that display different aspects of the data, such as:

• Overview 

• Resource Usage per Content Type
• Logs vs Entitlement 
• Packets vs Entitlement 

• NetWitness Hosts/Devices 

• Users Logged into NetWitness

• Global Retention 

• Content Available

• Mean Time to Detect (MTTD) 

• Mean Time to Resolve (MTTR) 

• Alert Trend Over Time  

• False Positives (Incidents) 

• Incident Overview 

Overview

This Overview Bar is displayed as the top most widget in the Admin view and it consists of the following 5 cards.

• Mean Time to Detect: This card displays the mean time to detect incidents in Respond.

• Mean Time to Resolve: This card displays the mean time to resolve incidents in Respond.

• Incidents: This card displays the total number of incidents created in the last 24 hours.

• New Incidents: This card displays the total number of incidents which are still in the New state for the last 24 hours.

• Closed Incidents: This card displays the total number of incidents which are closed in the last 24 hours.

To Reset the Dashboard Layout

1. Click the three-dot () icon in the widget's upper-right corner and click Configuration.
   The Overview Configuration dialog is displayed.

   

2. Select the required cards from the Overview Cards drop-down menu.
3. Click Save to persist the changes made to the configuration.
4. Click X to close the Configuration dialog.

Resource Usage per Content Type

This widget shows various content deployed on the selected decoder, including the memory and usage details. It enables analysts to make informed decisions based on the available decoders' content details. In this widget, content details are available for multiple decoders. Users can switch between multiple decoders by clicking the drop-down on the upper right. For a single host, the host drop-down option is disabled, and the available host is displayed. By default, the last 24 hours of data is displayed.

Note: This widget is available by default only in Admin view.

Note:
To allow other users role to view widget metrics, an administrator must grant specific permissions on both the source server and core services.
• Source Server Permissions Required:
- source-server.contentstats.read
- source-server.policy.read
- source-server.policy.manage
For more information, see the Source-server section in the "Role Permissions" topic in the System Security and User Management Guide.
• Core Services Permissions Required:
For each core service (Log Decoders and Packet Decoders) deployed in the environment, the administrator must add the following permissions to the other user's role. However, if the required user role is not available, you need to create a new user role and then assign the necessary permissions.
- parsers.manage
- rules.manage
For more information, on adding the user role to the service and assigning permission, see the Add a User Role to a Service section in the "Hosts and Services Maintenance Procedures" topic in the Hosts and Services Getting Started Guide.

The content types are App Rules, Network Rules, Feeds, Lua Parsers, and Native Parsers. Under the content type, the content available in Live, the content deployed to the services, the content's timestamp (date and time), memory usage, and feed usage are displayed. Also, a table below the content type shows the content name, bundle, miter tag, usage, and memory usage related to the content.

Note: The statistics displayed vary based on the content type selected. Also, if the content deployed is 0, then the content is not available on Live.

The widget information is paginated. On the bottom right, click the < > or << >> pagination icons to navigate and view the data for other available content.

Logs vs Entitlement

This widget assists system administrators in tracking the volume of log data processed, facilitating a comparison with the allocated licensing quota. It enables administrators to make informed decisions regarding adjustments to their licensing levels, whether to increase or decrease them as necessary.

Note:
• This widget is available by default in Admin and Manager views.
• To allow other users to view the widget metrics, an administrator must enable license-server.license.read permission on the license server. For more information, see the License-server section in the "Role Permissions" topic in the System Security and User Management Guide.

A stacked bar graph visually presents the dataset. By default, it showcases the values for the top 5 Decoders processing the highest volume of data. However, users have the option to configure the widget to display data for up to 10 Decoders. Each bar segment in the chart is color-coded to represent a specific Decoder, as indicated by the chart legend. The bar segments are arranged such that the Decoder processing the largest amount of data occupies the top position, followed by others in descending order. The lowest segment represents the aggregated data of all Decoders beyond the configured limit.

Note: The bottom segment may be larger than the other if there are many decoders in the environment.

The vertical axis delineates the quantity of data processed, while the horizontal axis displays the dates within the designated time range. Placing the cursor over a graph bar will display a tooltip allowing the user to view the exact values for each Decoder represented. The entitlement line indicates the volume of Log data permitted for processing based on the licensing quota.

Users can edit the existing widget at any time to change its name, time range, or decoder limit, allowing them to customize it according to their preferences.

To edit the Logs vs Entitlement widget

1. Click the three-dot ( ) icon in the widget's upper-right corner and click Configuration.

   The Logs vs Entitlement Configuration dialog is displayed.

   

2.  Configure the following options based on your preference:

   • Selected View: Select either Packets Analyzed or Packets on Disk option from the drop-down menu.

   • Time Range: Select a specific timeframe from the drop-down menu to display data for that period. Available ranges are 3 Months, 6 Months, and 9 Months. By default, 3 months of data are displayed.

   • Decoder Limit: Specify the number of decoders to be displayed in the chart. Users can configure a range from 1 to 10 Decoders.

3. Click Save to persist the changes made to the configuration.

4. Click X to close the Configuration dialog.

Packets vs Entitlement

This widget assists system administrators in tracking the volume of packets processed and packets on disk, facilitating comparison with the allocated licensing quota. It enables administrators to make informed decisions regarding adjustments to their licensing levels, whether to increase or decrease them as necessary. An analysis can be performed based on the volume of packets analyzed, or the physical storage requirements of the packets on disk.

Note :
• This widget is available by default in Admin and Manager views.
• To allow other users to view the widget metrics, an administrator must enable license-server.license.read permission on the license server. For more information, see the License-server section in the "Role Permissions" topic in the System Security and User Management Guide.

A stacked bar graph visually presents the dataset. By default, it showcases the values for the top 5 Decoders processing the highest volume of data. However, users have the option to configure the widget to display data for up to 10 Decoders. Each bar segment in the chart is color-coded to represent a specific Decoder, as indicated by the chart legend. The bar segments are arranged such that the Decoder processing the largest amount of data occupies the top position, followed by others in descending order. The lowest segment represents the aggregated data of all Decoders beyond the configured limit.

Note: The bottom segment may be larger than the other if there are many decoders in the environment.

The vertical axis delineates the quantity of data processed or the physical storage used, while the horizontal axis displays the dates within the designated time range. Placing the cursor over a graph bar will display a tooltip allowing the user to view the exact values for each Decoder represented. The entitlement line indicates the volume of Packet data permitted for processing based on the licensing quota.

Users can edit the existing widget at any time to change its view, time range, or decoder limit, allowing them to customize it according to their preferences.

To edit the Packets vs Entitlement widget

1. Click the three-dot ( ) icon in the widget's upper-right corner and click Configuration.

   The Packets vs Entitlement Configuration dialog is displayed.

   

2. Configure the following options based on your preference:

   • Selected View: Select either Packets Analyzed or Packets on Disk option from the drop-down menu.

   • Time Range: Select a specific timeframe from the drop-down menu to display data for that period. Available ranges are 3 Months, 6 Months, and 9 Months. By default, 3 months of data are displayed.

   • Decoder Limit: Specify the number of decoders to be displayed in the chart. Users can configure a range from 1 to 10 Decoders.

3. Click Save to persist the changes made to the configuration.

4. Click X to close the Configuration dialog.

NetWitness Hosts/Devices

This widget shows the hosts connected to the Netwitness Platform and its CPU and memory utilization. It also displays the uptime from when the host is available and any associated active alerts. A sparkline shows the historical data and a donut chart shows the most recent data point. Also, a warning message is displayed below the uptime. Click the up-arrow button to see the detailed warning message description.

Note :
• This widget is available by default only in Admin view.
• To allow other users to view the widget metrics, an administrator must enable admin-server.monitoring.read permission on the admin server. For more information, see the Admin-server section in the "Role Permissions" topic in the System Security and User Management Guide.

IMPORTANT:

• Ensure that the SMS service of the Admin Server remains always online in case the SMS service goes offline, troubleshoot, and restore the service immediately. For more information on troubleshooting the SMS service, see the Troubleshooting Health & Wellness topic in the System Maintenance Guide.
• If there is insufficient data available for a device, such as having only one historical CPU or memory data point, the graph for that device will not be displayed.

By default, the widget shows the first three Hosts/Devices. The Hosts/Devices CPU and Memory usage and trends over time, active Services status, and active alerts, if applicable, are displayed in this widget. This extended data visibility enables effective analysis of trends and informed security decisions.

Click on the hostname to navigate to its location in the NetWitness Platform and take any remediation action if needed. The Widget interacts with the hostname, which links to the Admin > Health & Wellness > Monitoring. The Widget periodically updates the data without any manual intervention.

The default view shows panels with hosts with problems first. Only the permitted data is visible. A warning message is displayed for restricted data.

To edit the NetWitness Hosts/Devices widget

1. Click the three-dot () icon in the widget's upper-right corner and click Configuration.

   The NetWitness Hosts/Devices Configuration dialog is displayed.

   

2. Select the required devices from the Select Devices drop-down menu. Users can select all the devices available in the environment at once.

3. Click Save to persist the changes made to the configuration.

4. Click X to close the Configuration dialog.

Users Logged into NetWitness

This widget helps SOC managers and administrators monitor the daily login count and usage trends. It displays the number of unique users who have accessed NetWitness using the UI or NW shell within a specific period. For example, SOC managers can analyze the number of users who logged in to NetWitness within the last three months or the last year, allowing them to make informed decisions about user access and security.

Note:
• This widget is available by default in Admin and Manager views.
• To allow other users to view the widget metrics, an administrator must enable admin-server.userloginhistory.read and security-server.userloginhistory.read permissions on the admin server and security server. For more information, see the Admin-server and Security-server section in the "Role Permissions" topic in the System Security and User Management Guide.

A bar chart visually presents the dataset. The vertical axis in the chart represents the count of distinct users logged into NetWitness, while the horizontal axis represents the usage trend for the period. By default, the chart displays the data for the last three months. However, users have the option to customize the widget to show data for different available time periods. The representing data is periodically updated, and when users hover their cursor over the vertical bars in the chart, a tooltip will be displayed, allowing users to view the exact names and their usage counts. The full name of the user is displayed, and if that is not available, the username will be displayed. This is only valid if they have set up their users using NetWitness. If they use Active Directory, SSO, PAM, etc., only the userIDs will be displayed.

Note:
• User logins are tracked each day by recording only one login by each user. This means that regardless of how many times a user logs in and out during a day, it will only be counted as one login for that day.
• Consider a scenario where the user has logged in three distinct days a week. When the user moves the cursor over the vertical bar, a tooltip appears that shows the number three for this user.
• The data for all the logins from the previous day will be available the following day.

IMPORTANT: If the user sets the time range to 12 and 9 months with a Weekly interval, the data will be displayed for each week. However, the x-axis labels (Usage Trend) on the chart will be shown alternately. To display all labels on the x-axis, the user can increase the widget sizes. For more information on resizing the widgets, see Rearrange and Resize Widgets section in the topic Customize the Dashboard Layout.

Users can edit the existing widget at any time to change the time range or modify the time interval used by the widget, allowing users to customize it according to their preferences.

To edit the Users Logged into NetWitness widget

1. Click the three-dot ( ) icon in the widget's upper-right corner and click Configuration.

   The Users Logged into NetWitness Configuration dialog is displayed.

   

2. Configure the following options based on your preference:

   • Time Range: Select a specific timeframe from the drop-down menu to display data for that period. Available ranges are 3 Months, 6 Months, 9 Months, and 12 Months. By default, 3 months of data are displayed.

   • Time Interval: Select the required time interval, either Weekly or Monthly, from the drop-down menu. Based on the selected time interval, NetWitness collects and aggregates login data for different users.

3. Click Save to persist the changes made to the configuration.

4. Click X to close the Configuration dialog.

Global Retention

The Global Retention widget provides a comprehensive summary of the maximum retention period available for queries related to meta, logs, or packets. This widget enables analysts to avoid missing any data in their queries by indicating the lowest retention among the decoders. For example, if one decoder has 25 days of retention while the others have 30 days, the global retention would be 25 days.

Note: If you have both Log and Packet Decoders, you will see information for both packets and logs; otherwise, you will only see information for the decoder you have installed.

Note: This widget is available by default in Admin and Analyst views.

You can see the following information on the Global Retention widget:

• Raw Available: Displays the raw data available for the device with the least amount of retention data among all your devices in your environment.

• Meta Available: Displays the metadata available for the device with the least amount of retention data among all your Concentrators in your environment.

• Packets : Displays the least amount of retention (meta data) among all packet decoders.

• Logs: Displays the least amount of retention (raw data) among all log decoders.

  

  To view the retention details of all devices, click the All link. The Retention on All Devices dialog is displayed.

  By default, the Meta Data option is selected. To switch to Raw Data, use the toggle button.

  

  Note: The Raw Data is available only for decoders.

You can see the following information for each device in the dialog:

• Device: Displays the installed device type, such as Concentrator, Packet Decoder, Archiver, and Log Decoder.

• Meta: Displays the retention period available for metadata collected and processed for each device. For example, 227 days.

• Packets: Displays the retention period available for packets that have been processed for each device. For example, 115 days.

• Logs: Displays the retention period available for logs data for each device. For example, 225 days

  You can view the meta information of each device in the Meta Data option and the packets and logs in the Raw Data option.

• Click Export to download the data in .csv format for further analysis.

• Click X to close the dialog.

Content Available

This widget displays the number of content available across content types such as 'Bundles', Application Rules', 'Feed', 'Event Stream Analysis', 'NetWitness Report', 'LUA Parser', 'NetWitness List', 'Log Device' and 'Log Collector'.

Note: This widget is available by default only in Admin view.

The Widget displays the lists containing the top 9 content types.

 

Click All Live Content to view the all the live content in the Configure > Live Content page.

 

Mean Time to Detect (MTTD)

This widget is available by default in Admin and Manager views. For more information on the widget, see Mean Time to Detect (MTTD) section in the Manager view.
 

Mean Time to Detect (MTTR)

This widget is available by default in Admin and Manager views. For more information on the widget, see Mean Time to Resolve (MTTR) section in the Manager view.

 

Alert Trend Over Time

This widget is available by default in Admin and Manager views. For more information on the widget, see Alert Trend Over Time section in the Manager view.

 

False Positives (Incidents)

This widget is available by default in Admin and Manager views. For more information on the widget, see False Positives (Incidents) section in the Manager view.

 

Incident Overview

This widget is available by default in Admin and Manager views. For more information on the widget, see Incident Overview Section in the Manager view.

Analyst View

The Analyst Dashboard provides a high-level overview of the current threat landscape in your environment, presenting platform-wide detections and indicators generated by the NetWitness Platform. Analysts can use the dashboard to monitor the severity and frequency of security events, identify potential threats, and drill down into the details for further investigation. The analyst view consists of several out-of-the-box widgets that display different aspects of the data, such as:

• Overview 

• MITRE ATT&CK Overview 

• Top Suspicious Endpoints  

• Top Suspicious Files

• Events

• Global Retention

• Top Suspicious Users

• Top Discovered Assets

• FirstWatch Threat Logic & Live Content Updates

• FirstWatch Blogs

• Incidents and Alerts

The Analyst dashboard is updated frequently and shows the most recent data. You can also customize the dashboard by rearranging the widgets according to your preferences.

Overview

This Overview widget is displayed as the topmost widget in the Analyst view, and it consists of the following 5 default cards.

• Incidents: This card displays the total number of incidents created in the last 24 hours.

• New Incidents: This card displays the total number of incidents which are still in the New state for the last 24 hours.

• Closed Incidents: This card displays the total number of incidents which are closed in the last 24 hours.

• Alerts: This card displays the total number of alerts created in the last 24 hours.

• Critical Alerts: This card displays the total number of critical alerts created in the last 24 hours.

By default, this widget displays the last 24 hours data when you log in to the NetWitness Platform.

You can edit the Overview widget at any time and add additional cards. However, you can have a maximum of 5 cards displayed at once.

To edit the Overview Widget

1. Click the three-dot ( ) icon in the widget's upper-right corner and click Configuration.

   The Overview Configuration dialog is displayed.

2.  Select the required cards from the Overview Cards drop-down menu.

3. Click Save to persist the changes made to the configuration.

4. Click X to close the Configuration dialog.

Mitre ATT&CK Overview

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. This dashboard includes the tactics and techniques to describe adversarial actions and behaviors. Techniques refer to specific actions an attacker might take, while tactics refer to the different phases of attacker behavior.

From NetWitness 12.5 or later, NetWitness introduces the new MITRE ATT&CK Overview widget, which considers the data such as log, endpoint, and packet and active content deployed in your environment, such as Application rules and ESA rules to help you view relevant MITRE ATT&CK content for these rules and shows the complete coverage. This MITRE ATT&CK Overview helps analysts to view detailed information on the Tactics, Techniques, and Sub-Techniques associated with content in one place, not only can you filter on specific techniques to see how well you are covered for each, but you can also filter on specific source data type to see the coverage they give you. Thus eliminating the need to visit Mitre’s website for ATT&CK information.

IMPORTANT: MITRE ATT&CK Overview coverage is based on the rules available in CCM. If CCM is not enabled, you cannot view content coverage on the MITRE ATT&CK Overview widget. For more information, see Centralized Content Management for NetWitness.

IMPORTANT: Both MITRE ATT&CK® and ATT&CK® are registered trademarks of the MITRE Corporation. © 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

To access the MITRE ATT&CK Overview

1. On the top-right corner, select either Analyst View or Manager View from the drop-down menu.

   The MITRE ATT&CK Overview widget is displayed.

   

The tactics, techniques, and sub-techniques information displayed are from the MITRE ATT&CK framework.

For example, In the Execution tactic, out of the 14 techniques available. NetWitness covers 8 techniques and does not cover 6 techniques.

Tactic and Technique available states

• Deployed - Technique and sub-techniques have content and are deployed on services. These contents are identified by the green color. The technique and sub-technique contents are in a Deployed state in the following scenarios:

  There is no content in the technique, and all sub-techniques are deployed on services.

  • Both the technique and sub-techniques having contents are deployed.

  • The technique has content and is deployed but its sub-techniques do not have any content available.

• Partially Deployed - All techniques and sub-techniques have content, but only a few are deployed on services. These contents are identified by the teal color. The technique and sub-technique contents are in a Partially Deployed state in the following scenarios:

  • The technique has content available and is deployed, and all sub-techniques or only a few sub-techniques are deployed to services.

  • The technique has content available and is deployed, and only a few sub-techniques have content available.

  • There is content available but not deployed for a given technique, and only a few or all related sub-techniques are deployed on services.

• Not Deployed - Content is available for a given technique or sub-technique but is currently not deployed on the services. These contents are identified by the yellow color. The technique and sub-technique contents are in a Not Deployed state in the following scenarios:

  There is no content in the technique, and all sub-techniques are deployed on services.

  • The technique has no content, and all sub-techniques or a few sub-techniques have content.

  • There is content available for the technique, and some or all of its sub-techniques also have content.

  • Technique has content, and sub-techniques have no content.

• Unavailable - If there are no contents available for a given technique or sub-technique. These contents are identified by the orange color. The technique and sub-technique contents are in a Unavailable state in the following scenarios:

  • Both techniques and sub-techniques have no content available.

• • The Mitre ATT&CK Overview widget is frequently updated with the most recent data. To view the recent data, you must log out of the UI and log in again.

    1. To view the sub-techniques, click  (down arrow) button, which expands and shows the number of sub-techniques associated with a particular technique. For example, for the technique of Active Scanning, the related sub-techniques Scanning IP Blocks, Vulnerability Scanning, and Wordlist Scanning are displayed.

    2. Click on any technique for example, Process Injection. A pop-up window is displayed, which shows the following information:

       • Displays the name of the Technique

       • Displays the Mitre Technique ID associated.
       • Displays a brief description of the technique.
       • Displays the type of medium for the technique. For example, endpoint, log.
       • Displays the number of available contents. For example, the Application Rule.
       • Displays the number of deployed contents.
       • Displays the sub-techniques associated with the particular technique. Clicking on the sub-technique will open another pop-up window with related information.
       • Click X to close the pop-up window.

    3. Click on any sub-technique. A pop-up window is displayed, which shows the following information:

       • Displays the name of the sub-technique.

       • Displays the Mitre sub-technique ID.

       • Displays a brief description of the sub-technique.

       • Displays the type of medium for the technique. For example, log and packet.

       • Displays the number of available contents. For example, the Application Rule.

       • Displays the number of deployed contents.

       • Displays the associated technique. Clicking on the technique name will show the related technique panel with all the information.

       • Click X to close the pop-up window. 

    4. Select the data from the Medium drop-down menu to filter by the data type from which the metadata is generated. By default, All is selected, and you can select either Log, Packet, Endpoint, or Log and Endpoint based on your coverage.

    5. Select the content from the Content Type drop-down menu to filter by content type. By default, All is selected, but based on your coverage, you can select either the Application Rule or Event Stream Analysis Rule.

    6. Select the Expand All Sub Techniques checkbox to view all the sub-techniques available at once.

       

    Top Suspicious Endpoints

    The Top Suspicious Endpoints Widget presents a list of the top 10 suspicious endpoints based on the highest risk score and Operating system (Windows, Linux, and Mac).

    Note:
    - This widget is available by default in Analyst view.
    - To allow other users to view the widget metrics, an administrator must enable endpoint-server.agent.read and endpoint-server.agent.manage permissions on the endpoint server and endpoint-broker-server.agent.read and endpoint-broker-server.agent.manage permissions on the endpoint broker. For more information, see the Endpoint-server and Endpoint-broker-server sections in the "Role Permissions" topic in the System Security and User Management Guide.

    

    Each Endpoint is displayed with the following information:

    • Risk Score: Displays the risk score of the endpoint based on the severity and frequency of the alerts generated by the endpoint. The risk score ranges from 0 to 100, with higher scores indicating higher risk. The endpoints are sorted in descending order by their risk scores.

    • Host Name: Displays the name of the host as it appears on the network. Clicking on a specific Hostname takes you to the Hosts Details view, where you can see all the events and alerts generated for this host.

    • Operating System: Displays the Operating system on which the agent is running (Linux, Windows, or Mac).

    • IP Address: Displays the IP address of the endpoint.

    • Last Active User: Displays the name of the user who logged in to the endpoint most recently.

    • Location: Displays the geographic location of the endpoint based on its IP address. For example, United States.

    • Click the All option to view all the risky endpoints on the Hosts > Endpoints view.

    • Use the pagination options to navigate and view the Endpoints data seamlessly.

    To edit the Top Suspicious Endpoints widget

    1. Click the three-dot ( ) icon in the widget's upper-right corner and click Configuration.

       The Top Suspicious Endpoint Configuration dialog is displayed.

       

    2. Configure the following options based on your preference:

       • Datasource: Select the required Endpoint Server or Endpoint Broker Server from the drop-down menu.

       • Number of Results: Select the required number of results from the drop-down menu. Available number of results are 25, 50, 75, and 100. By default, 25 number of results are displayed.

         Based on the selected datasource and number of results, NetWitness displays the top suspicious endpoint data.

    3. Click Save to persist the changes made to the configuration.

    4. Click X to close the Configuration dialog.

    For more information on Hosts, see NetWitness Endpoint User Guide for 12.5.

    Top Suspicious Files

    The Top Suspicious Files widget lists the top 10 suspicious risky files with the highest risk score detected in your endpoint.

    Note:
    - This widget is available by default in Analyst view.
    - To allow other users to view the widget metrics, an administrator must enable endpoint-server.agent.read and endpoint-server.agent.manage permissions on the endpoint server and endpoint-broker-server.agent.read and endpoint-broker-server.agent.manage permissions on the endpoint broker. For more information, see the Endpoint-server and Endpoint-broker-server sections in the "Role Permissions" topic in the System Security and User Management Guide.

    

    Each File is displayed with the following information:

    • Displays the file type and number of hosts affected by the suspicious file. Clicking on a specific file link navigates you to the Files Details view, where you can see all the events and alerts generated for this file.

    • Displays the risk score for each file and is based on the file analysis results. The risk score ranges from 0 to 100, with higher scores indicating higher risk. The files are sorted in descending order by their risk scores.

    • Click the All option to view all the risky files on the Files view.

    To edit the Top Suspicious Files widget

    1. Click the three-dot () icon in the widget's upper-right corner and click Configuration.

       The Top Suspicious Files Configuration dialog is displayed.

       

    2. Datasource: Select the required Endpoint Server or Endpoint Broker Server from the drop-down menu.

       Based on the selected datasource, NetWitness displays the top suspicious files data.

    3. Click Save to persist the changes made to the configuration.

    4. Click X to close the Configuration dialog.

    For more information on Files, see NetWitness Endpoint User Guide for 12.5.

    Events

    The Behavior of Compromise Events widget displays the top events that occurred for a particular meta query at a specific time in your environment. This widget helps analysts quickly identify and prioritize the most relevant and suspicious events and drill down into the details of each event.

    Note:
    - This widget is available by default in the Analyst view.
    - To allow other users to view the widget metrics, an administrator must enable these combination of permissions investigate-server.* and accessInvestigationModule or investigate-server.predicate.read, investigate-server.event.read, and accessInvestigationModule permissions on the investigate server. For more information, see the Investigate-server section in the "Role Permissions" topic in the System Security and User Management Guide.

    

    The vertical axis in the chart represents the session count, while the horizontal axis represents the Behavior of Compromise Meta value, which can be configured based on user preference. By default, the chart displays the data for the last 24 hours. However, users have the option to customize the widget to show data for different available time periods.

    Note: If the data for the Meta value is not available for the specified time range, no data will be displayed on the chart.

    The Events widget displays the following information:

    • Displays the events for a meta query, boc exists, which indicates possible malicious activities. For example, Behaviors of Compromise (BOC).

    • Displays the Events data in a Bar or Donut chart. The specific meta value and related session count are displayed when you hover over a bar or donut chart.

    • Displays the number of sessions available for each meta.

      

    Analysts can perform the following actions:

    • Click on a specific meta value link in the table (for example, attack) that navigates you to Investigate > Events view, where the boc exists And boc = ‘attack’ query filter is applied to display all the events associated with the query in the events table.

    • Click the All link to navigate to the Investigate > Events view with a boc exists query filter applied. This will display all the related events available in the events table.

    • You can sort either by meta values or session count. By default, events are sorted with meta values with high session counts in descending order.

    • Use the vertical scroll bar to view various meta values.

    • You can navigate between pages using the page navigation options and view all the Events data seamlessly.

    You can edit the existing widget at any time to update its preferences, change the meta key, or modify the query used by the widget, allowing users to customize it according to their preferences.

    To Edit the Events Configuration widget

    1. Click the three-dot () icon located in the upper-right corner of the widget and click Configuration.

       The Events Configuration dialog is displayed.

       

    2. Configure the following options in the Events Configuration dialog:

       • Name: Enter a unique name for the widget. The name can include alphabets, numbers, spaces, and special characters, such as _ - ( ) [ ].

         Note: The text Events will be appended to the widget's title. For example, if you enter the name behavior of compromise, the widget’s title will be displayed as Events - Behavior of Compromise.

       • Time Range: Select a specific timeframe from the drop-down menu to display data for that period. You can select any time range from Last 5 Minutes to Last 7 Days. By default, 24 hours of data are displayed.

         Note: The time range will be displayed next to the widget's title based on the configured time frame.

       • Number of Results: Select the number of required results from the drop-down menu. The available results are 25, 50, 75, and 100. By default, 25 results are selected.

       • Data Source: Select the source of the data to use for the widget. You can use either Broker or Concentrator from the drop-down list.

       • Meta Key: Select the required Meta Key available for the service from the drop-down list. For example, boc – Behaviors of Compromise.

       • Query: Enter a valid query to filter for results in the Events view. For example, boc exists.

         Note: You can increase the text area size by placing the cursor in the bottom corner of the text box on the right-hand side and dragging the box.

       • Visualization Type: Select the required visualization type from the drop-down menu. You can select either a Bar or a Donut chart.

    3. Click Save to persist the changes made to the configuration.

    4. Click X to close the Configuration dialog.

    Global Retention

    For more information, see Global Retention Widget in Admin view section.

    Top Suspicious Users

    The Top Suspicious Users widget lists the top 5 Suspicious users sorted by highest risk scores. This widget provides visibility into user behavior patterns across an organization. This data helps you to identify, track, and alert on anomalous user behavior that may indicate malicious activity, such as abnormal login time or performed unauthorized actions.

    

    Note:
    - The Top Suspicious Users widget only displays data from your on-premises UEBA server, which must be installed and configured. For more information on installation, see Installation Tasks in the NetWitness UEBA Standalone Installation Guide for 12.5.

  • 
    - The user must contain both the Analyst and UEBA Analyst roles to access the widget metrics.The user must contain both the Analyst and UEBA Analyst roles to access the widget metrics. For more information, see "Assign User Access to UEBA" topic in the NetWitness UEBA Configuration Guide for 12.5.

  •  

    You can see the following information in the Top Suspicious Users widget:

    • View the top suspicious users sorted by highest risk scores in descending order.

    • Click on a specific user link, for example, Jack Smith which will navigate you to the user's details view, where you can see all the alerts and modeled behaviors associated with the user.

    • Each user is assigned a specific color code.

    • The chart shows the distribution of users by their risk level, which is indicated by a color code. You can see the behavior pattern for each user weekly and track how each user's risk level has changed over time.

    • Click the All link option to view all the users listed on the Users > Entities view.

      

    To Edit the Top Suspicious Users widget

    1. Click the three-dot ( ) icon located in the upper-right corner of the widget and click Configuration.

       The Top Suspicious Users Configuration dialog is displayed.

       

    2. Configure the following options based on your preference:

       • Datasource: Select an UEBA Server from the drop-down menu.

       • Time Range: Select the required time range from the drop-down menu. Select Last 24 Hours to view the daily trend of suspicious users and select Last 7 Days to view the weekly trend of suspicious users.

         Based on the selected datasource and time range, NetWitness displays the top suspicious users for different datasource.

    3. Click Save to persist the changes made to the configuration.

    4. Click X to close the Configuration dialog.

    Top Discovered Assets

    The Top Discovered Assets widget lists the top 10 risky assets detected in your environment based on their enterprise network exposure rank. This enables the analysts to gain a comprehensive understanding of an asset’s significance within the enterprise network and identify potential risks and threats associated with the asset that require immediate action.

    Note: An Insight sensor and Cloud Connector sensor must be installed and configured in your environment to receive the asset's data. For more information on installing the sensors, see topics Install Insight Sensor and Install the Cloud Connector Sensor.

    Note:
    - This widget is available by default in Analyst view.
    - To allow other users to view the widget metrics, an administrator must enable cloud-connector-server.networkasset.read and cloud-connector-server.query.read permissions on the Cloud-connector-server. For more information, see the Cloud Connector-Server section in the "Role Permissions" topic in the System Security and User Management Guide.

    You can see the following information in the Top Discovered Assets widget:

  • The Asset IPs are sorted by higher enterprise network exposure rank in descending order. You can sort them in either ascending or descending order.

  • Displays the timestamp when the asset was first observed.

  • Click the All link in the assets widget to view all the assets listed in the Hosts > Assets view. This view provides other important information for the asset, such as asset type, peer network exposure, etc.

  • The donut chart gives the breakdown of the asset category type. You can hover over the donut chart to see the asset category type. For example, unknown,dns, ntp, etc.

  • Use the vertical scroll bar to view various Asset IPs.

  • When you click on any asset IP address link, it takes you to the Hosts > Assets view in a new tab using the asset IP address as the filter, sorted in descending order by time.

  • Use the pagination options to navigate and view the assets data seamlessly.

    

    To Edit the Top Discovered Assets widget

    1. Click the three-dot ( ) icon located in the upper-right corner of the widget and click Configuration.

       The Top Discovered Assets Configuration dialog is displayed.

       

    2. Configure the following options based on your preference:

       • Number of Results: Select the required number of results from the drop-down menu. Available number of results are 25, 50, 75, and 100. By default, 25 number of results are displayed.

       • Visualization Type: Select a visualization type either Donut or Bar from the drop-down menu.

         Based on the selected visualization type and number of results, NetWitness Insight displays the top discovered assets data.

    3. Click Save to persist the changes made to the configuration.

    4. Click X to close the Configuration dialog.

    FirstWatch Threat Logic & Live Content Updates

    This widget lists the latest content uploaded by NetWitness and the Community.

    The FirstWatch Threat Logic & Live Content Updates widget lists the latest 12 content uploaded by NetWitness and Community. The list is sorted based on the content uploaded date. Each content is displayed with an icon along with a tag to indicate if it is a Community or NetWitness content, content updated time and name of the content.

    Note: NetWitness content and Community content will have different icons.

    

    You can perform following actions on the widget:

    • A link to the content details is provided through the title of the content. Click the link to view the details of the content.

    • Click All to view all the uploaded content in the Configure > Live Content page.

    FirstWatch Blogs

    The FirstWatch Blogs widget that lists the latest 10 blogs uploaded to the NetWitness Community portal. The list is sorted based on blog creation date. Each blog is displayed with icon along with title and paragraph of the blog.

    

    You can perform following actions on the widget:

    • A link to the blog details is provided through the title of the blog. Click the link to view the details of the blog.

    • Click All to view all the blogs in the NetWitness Community portal.Incidents and Alerts

      Incidents and Alerts

      For more information, see Incident Overview widget in Manager view sectio

     

Manager View

This view shows the widgets and associated data that only Managers and Administrators can access.

The Manager dashboard consists of several out-of-the-box widgets that display different aspects of the data, such as:

• Top Bar

• MITRE Overview

• Mean Time to Detect (MTTD)

• Mean Time to Resolve (MTTR)

• Incident Trend Over Time

• Alert Trend Over Time

• Incident SLAS

• Incident Status by Priority

• False Positives (Incidents)

• Incident Flow

• Team Workload

• Incident Overview by Owner

• Incident Overview

Top Bar

This widget is displayed as the topmost widget in the Manager view and it consists of the following 5 sections (also known as cards):

• Mean Time to Detect: This section displays the mean time to detect incidents in Respond.

• Mean Time to Resolve: This section displays the mean time to resolve incidents in Respond.

• Incidents: This section displays the total number of incidents created in the last 24 hours.

• New Incidents: This section displays the total number of incidents which are still in the New state for the last 24 hours.

• Closed Incidents: This section displays the total number of incidents which are closed in the last 24 hours.

  

  By default, this widget displays the last 24 hours data when you log in to the NetWitness Platform.

MITRE Overview

For more information on the MITRE Overview widget, see Widgets Displayed in the Analyst view.

Mean Time to Detect (MTTD)

This widget displays the mean/average time to detect incidents in Respond. The time passed between the assignment of an incident and the closure of the incident is calculated and displayed. It enables the Managers to make informed decisions regarding the incidents detected, time taken by analysts to resolve the incidents, and how the platform performs over time.

A stacked bar graph visually presents the dataset. By default, it showcases the values for MTTD of incidents over a time range of 30 days on a weekly trend basis. However, users have the option to configure the widget to display the data for a maximum of 90 days. Each bar segment in the chart is color-coded to represent a specific Priority, as indicated by the chart legend. Users have the option to configure the Priority. The bar segments are arranged such that the mean time to detect values of critical incidents occupies the first position, followed by others in descending order. Users can also set the Time Unit based on Minutes, Hours, or Days.

Placing the cursor over a graph bar will display a tooltip allowing the user to view the exact values of MTTD for each incident priority represented.

To edit the Mean Time to Detect (MTTD) widget

1. Click the three-dot ( ) icon in the widget's upper-right corner and click Configuration.

   The Mean Time to Detect (MTTD) Configuration dialog is displayed.

   

2. Configure the following options based on your preference:

   • ­Time Range: This option sets the date range. Options include Last 30 Days or Last 90 Days.

   • Time Unit: This option sets the time unit. Options include Minutes, Hours, and Days.

   • ­Priority: This option sets the priority. Options include Low, Medium, High, and Critical. Based on the selected Priority, the chart displays the mean time taken to detect.

3. Click Save to persist the changes made to the configuration.
4. Click X to close the Configuration dialog.

Mean Time to Resolve (MTTR)

This widget displays the mean/average time to resolve incidents in Respond. The time taken to resolve/close an incident since it was created is calculated and displayed. It enables the Managers to respond to an incident, of varying priorities and see the how effective the incident response process is performing over time.

A stacked bar graph visually presents the dataset. By default, it showcases the values for MTTR of critical incidents over a time range of 30 days on a weekly trend. However, users have the option to configure the widget to display the data for a maximum of 90 days. Each bar segment in the chart is color-coded to represent a specific Priority, as indicated by the chart legend. Users have the option to configure the Priority. The bar segments are arranged such that the mean time to resolve values of critical incidents occupies the first position, followed by others in descending order. Users can also set the Time Unit based on Minutes, Hours, or Days.

Placing the cursor over a graph bar will display a tooltip allowing the user to view the exact values of MTTR for each incident priority represented.

To edit the Mean Time to Resolve (MTTR) widget

1. Click the three-dot ( ) icon in the widget's upper-right corner and click Configuration.

   The Mean Time to Resolve (MTTR) Configuration dialog is displayed.

   

2. Configure the following options based on your preference:

   • ­Time Range: This option sets the date range. Options include Last 30 Days or Last 90 Days.

   • ­Time Unit: This option sets the time unit. Options include Minutes, Hours, and Days.

   • ­Priority: This option sets the priority. Options include Low, Medium, High, and Critical. Based on the selected Priority, the chart displays the mean time taken to resolve.

3. Click Save to persist the changes made to the configuration.

4. Click X to close the Configuration dialog.

Incident Trend Over Time

This widget displays the average number of incidents created each week based on their priority. The default settings display Critical and High priority incidents. It enables the Managers to effectively analyze and process the changing trends and make informed security decisions.

A line graph visually presents the dataset. By default, it showcases the values for Incident Trend Over Time of critical and high incidents over a time range of 4 weeks on a weekly trend. However, users have the option to set the time filter to display the data for a maximum of 90 days. Each line segment in the chart is color-coded to represent a specific Priority, as indicated by the chart legend. Users have the option to configure the Priority of choice to show up on the graph. The vertical axis shows the average incident count, while the horizontal axis shows the weekly trend.

Placing the cursor over a graph line will display a tooltip allowing the user to view the exact values of average incident count for each incident priority represented in that displayed week.

To edit the Incident Trend Over Time widget

1. Click the three-dot ( ) icon in the widget's upper-right corner and click Configuration.

   The Incident Trend Over Time Configuration dialog is displayed.

   

2. Configure the following options based on your preference:

   • ­Priority: This option sets the priority. Options include Low, Medium, High, and Critical. Based on the selected Priority, the chart displays the incident trend over time.

3. Click Save to persist the changes made to the configuration.

4. Click X to close the Configuration dialog.

Alert Trend Over Time

This widget displays the average number of alerts created each week based on their severity. The default settings display Critical and High priority alerts. The last 4 weeks data is displayed in this widget. It enables the Managers to effectively analyze and process the changing trends of alerts created over time.

A line graph visually presents the dataset. By default, it showcases the values for Alert Trend Over Time of critical and high alerts over a time range of 4 weeks on a weekly trend. However, users have the option to set the time filter to display the data for a maximum of 90 days. Each line segment in the chart is color-coded to represent a specific severity, as indicated by the chart legend. Users have the option to configure the severity.

The vertical axis shows the average alert count, while the horizontal axis shows the weekly trend.

Placing the cursor over a graph line will display a tooltip allowing the user to view the exact values of average alert count for each level of alert severity represented in that displayed week.

To edit the Alert Trend Over Time widget

1. Click the three-dot (  icon in the widget's upper-right corner and click Configuration.

   The Alert Trend Over Time Configuration dialog is displayed.

   

2. Configure the following options based on your preference:

   • ­Priority: This option sets the severity. Options include Low, Medium, High, and Critical. Based on the selected severity, the chart displays the alert trend over time.

3. Click Save to persist the changes made to the configuration.

4. Click X to close the Configuration dialog.

Incident SLAS

This widget displays the average time to close/resolve an incident versus the Service Level Agreement (SLA). It enables the Managers to analyze and determine if the incidents are resolved within the committed SLA.

A stacked bar graph visually presents the dataset. By default, it showcases the mean time to resolve and the SLA over a time range of 30 days for the selected priority. However, users have the option to configure the widget to display the data for a maximum of 90 days. The selected time range is displayed next to the widget name. Each bar segment in the chart is color-coded to represent the mean time to resolve and the SLA, as indicated by the chart legend. Users also have the option to configure the Time Unit, Priority and the SLA configuration.

Placing the cursor over a graph bar will display a tooltip allowing the user to view the exact values of MTTR vs the SLA.

To edit the Incident SLAS widget

1. Click the three-dot ( ) icon in the widget's upper-right corner and click Configuration.

   The Incident SLAS Configuration dialog is displayed.

   

2. Configure the following options based on your preference:

   • Time Range: This option sets the date range. Options include Last 30 Days or Last 90 Days.

   • ­Time Unit: This option sets the time unit. Options include Minutes, Hours, and Days.

   • ­Priority: This option sets the priority. Options include Low, Medium, High, and Critical.

   • ­SLA Configuration: This option sets the SLA Configuration based on the selected Time Unit for each Priority. Users can enter the preferred time unit to view the SLA values for the incidents.

3. Click Save to persist the changes made to the configuration.

4. Click X to close the Configuration dialog.

Note: When using this feature for the first time, you must configure the SLA Configuration here and save it to view this widget.

Incident Status by Priority

This widget displays the status of the actual number of incidents based on their priority. It enables the Managers to view the exact status of the incidents over time and follow up to its closure.

A stacked bar graph visually presents the dataset. By default, it showcases the status by priority of critical and high incidents over a time range of 30 days. However, users have the option to configure the widget to display the data for a maximum of 90 days. The selected time range is displayed in front of the widget name. Each bar segment in the chart is color-coded to represent a specific Priority, as indicated by the chart legend. Users have the option to configure the priority and the status.

The vertical axis shows number of incidents, while the horizontal axis shows the incident status.

Placing the cursor over a graph bar will display a tooltip allowing the user to view the exact values of incident based on the selected status.

To edit the Incident Status by Priority widget

1. Click the three-dot ( ) icon in the widget's upper-right corner and click Configuration.

   The Incident Status by Priority Configuration dialog is displayed.

   

2. Configure the following options based on your preference:

   • Time Range: This option sets the date range. Options include Last 24 hours, Last 7 Days, Last 30 Days or Last 90 Days.

   • ­Time Unit: This option sets the time unit. Options include Minutes, Hours, and Days.

   • ­Priority: This option sets the priority. Options include Low, Medium, High, and Critical.

   • ­Status: This option sets the incident status. Options include New, Reopen, Assigned, In Progress, Task Complete, Task Requested, Closed, and Closed False Positive.

3. Click Save to persist the changes made to the configuration.

4. Click X to close the Configuration dialog.

False Positives (Incidents)

This widget displays the average number of False Positives (Incidents) closed among the total number of incidents closed. It enables the Managers to analyze and identify the false positives out of the total incidents closed.

A stacked bar graph visually presents the dataset. By default, it showcases the values for total incidents and false positives incidents over a time range of 30 days on a weekly trend. However, users have the option to configure the widget to display the data for a maximum of 90 days. Each bar segment in the chart is color-coded to represent the total incidents and false positives, as indicated by the chart legend.

The vertical axis shows average incident count (mean calculated over the week), while the horizontal axis shows the days on a weekly basis.

Placing the cursor over a graph bar will display a tooltip allowing the user to view the exact values of total incidents and false positives for the selected time range.

To edit the False Positives (Incidents) widget

1. Click the three-dot ( ) icon in the widget's upper-right corner and click Configuration.

   The False Positives (Incidents) Configuration dialog is displayed.

   

2. Configure the following options based on your preference:

   • ­Time Range: This option sets the date range. Options include Last 30 Days or Last 90 Days.

3. Click Save to persist the changes made to the configuration.

4. Click X to close the Configuration dialog.

Incident Flow

This widget provides information about the average number of incidents that are closed among the total number of incidents created in respond. It enables the Managers to effectively analyze and process the ratio between the incidents created vs closed which gives an insight of why a segment of the workflow is trending differently.

A line graph visually presents the dataset. By default, it showcases the values for created and closed critical incidents over a time range of 30 days on a weekly trend. However, users have the option to set the global time filters to display the data for a maximum of 90 days. Each line segment in the chart is color-coded to represent a specific incident, as indicated by the chart legend.

The vertical axis shows the average incident count, while the horizontal axis shows the weekly trend.

Placing the cursor over a graph line will display a tooltip allowing the user to view the exact values of average incident count for each created, open and closed incidents represented in that displayed week.

To edit the Incident Flow widget

1. Click the three-dot ( ) icon in the widget's upper-right corner and click Configuration.

   The Incident Flow Configuration dialog is displayed.

   

2. Configure the following options based on your preference:

   • ­Time Range: This option sets the date range. Options include Last 30 Days or Last 90 Days.

3. Click Save to persist the changes made to the configuration.

4. Click X to close the Configuration dialog.

Team Workload

This widget displays the total number of incidents handled by each assignee in the team for the selected time range. The widget also displays the total team workload of all the incidents associated with each assignee in the team. It enables the Managers to view the team’s performance and equally distribute the work among different team members.

A stacked bar graph visually presents the dataset. By default, it showcases the number of incidents handled by each assignee for the last 30 days. However, users have the option to configure the widget to display the data for a maximum of 90 days. The selected time range is displayed in front of the widget name. Each bar segment displays the assignee name and total incidents handled. Users also have the option to configure the number of results.

Placing the cursor over a graph bar will display a tooltip allowing the user to view the exact values of incidents handled by the selected assignee.

To edit the Team Workload widget

1. Click the three-dot ( ) icon in the widget's upper-right corner and click Configuration.

   The Team Workload Configuration dialog is displayed.

   

2. Configure the following options based on your preference:

   • Time Range: This option sets the date range. Options include Last 24 hours Last 7 Days, Last 30 Days or Last 90 Days.

   • ­Number of Results: This option sets the number of results to be displayed on the widget.

3. Click Save to persist the changes made to the configuration.

4. Click X to close the Configuration dialog.

Incident Overview by Owner

This widget displays the number of Critical, High, Medium, and Low priority incidents handled by each assignee in the team for the selected time range. The widget also displays the total incidents based on priority associated with each assignee in the team. It enables the Managers to view the number of incidents by priority.

A stacked bar graph visually presents the dataset. By default, it showcases the number of incidents based on the selected priority handled by each assignee for the last 30 days. However, users have the option to configure the widget to display the data for a maximum of 90 days. The selected time range is displayed in front of the widget name. Each bar segment in the chart is color-coded to represent the incident priority, as indicated by the chart legend.

The vertical axis shows average incident count, while the horizontal axis shows the assignee with the selected priority. Users also have the option to configure the incident priority.

Placing the cursor over a graph bar will display a tooltip allowing the user to view the exact values of incidents based on the selected priority for the assignee.

Note: This widget shows only the top 5 users in a graphical format.

Click All Users in the widget to view the numerical data of Critical, High, Medium, and Low priority incidents owned by each assignee in the team.

To edit the Incident Overview by Owner widget

1. Click the three-dot ( ) icon in the widget's upper-right corner and click Configuration.

   The Incident Overview by Owner Configuration dialog is displayed.

   

2. Configure the following options based on your preference:

   • ­­Time Range: This option sets the date range. Options include Last 24 hours Last 7 Days, Last 30 Days or Last 90 Days.

   • ­Priority: This option sets the priority. Options include Low, Medium, High, and Critical.

3. Click Save to persist the changes made to the configuration.
4. Click X to close the Configuration dialog.

 

• • Incident Overview

    This widget displays the following.

    • List of all the unassigned incidents.

    • List of all the incidents assigned to you.

    • List of all the alerts (Users must edit the Configuration for the alerts to be displayed).

    The incidents are listed in the columns Created, Priority, Risk Score, ID, Name, Status, Assignee, Alerts, and Mitre Att&ck Tactics. For more information on the columns displayed in the Incident Overview widget, see NetWitness Respond User Guide.

    Note: By default, the widget displays the unassigned incidents. To view the incidents assigned to you, switch the toggle to For You in the widget.

    

    A color-coded donut chart at the top left displays the incidents based on the priority, as indicated by the chart legend.

    A bar graph at the top right displays the Top 5 MITRE Tactics Detected. The vertical axis shows the number of incidents, while the horizontal axis shows the MITRE tactics.

    Placing the cursor over the donut chart and the bar graph bar will display a tooltip allowing the user to view the exact values of incidents.

    Select any incident or incidents and click Assign To. A list of assignees is displayed to select and assign an incident.

    

    To edit the Incident Overview widget

    1. Click the three-dot ( ) icon in the widget's upper-right corner and click Configuration.

       The Incident Overview Configuration dialog is displayed.

       

    2. Configure the following options based on your preference:

       • Display Tabs: This option sets Incidents, Alerts or both on the Widget screen.

       • ­Incidents Sort By: This option sets the incidents sorting preference. Options include Created, Priority, Risk Score, Status, Assignee, and Alerts.

       • ­Alerts Sort By: This option sets the alerts sorting preference. Options include Created, Severity, Name, Source, and #Events.

       • ­Show Charts: This toggle option enables the display of charts in the widget screen.

    3. Click Save to persist the changes made to the configuration.

    4. Click X to close the Configuration dialog.

    Note: On Selecting both Incidents and Alerts in the Display Tabs under Configuration, Users can view either a list of incidents or alerts on separate tabs.

    

    Error Messages for Widgets

    This topic provides an overview of various configuration and access issues encountered in NetWitness Widgets on the Home page, along with corresponding recommended actions.

    Following is a list of error codes displayed on the widget screen. Please reference the error code number when contacting support for assistance.

    Error Codes	Title	Description
    1101	Widget Data Retrieve Error	An unexpected error has occurred attempting to retrieve this data. Try again later.
    1102	Live Account Unavailable	Either live account is not configured or there is an issue connecting to the live server. Configure live and try again or contact your administrator.
    1301	Respond Server not configured	Please configure Respond server. For more details contact your administrator.
    1302	Respond Server offline	The Respond Server is not running or is inaccessible. For more details contact your administrator.
    1303	Access is denied	You do not have the required permissions to view Respond content. For more details contact your administrator.
    1304	SLA not configured	Please configure the SLA in widget configuration. For more details contact your administrator.
    1401	Access is denied	You do not have the required permissions to view Investigate content. For more details contact your administrator.
    1402	Investigate Server is offline	The Investigate Server is not running or is inaccessible. For more details contact your administrator.
    1501	Access is denied	You do not have the required permissions to view Endpoint content. For more details contact your administrator.
    1502	Endpoint Server not configured	Please configure Endpoint server. For more details contact your administrator.
    1503	Endpoint Server is offline	The Endpoint Server is not running or is inaccessible. For more details contact your administrator.
    1601	Access is denied	You do not have the required permissions to view UEBA content. For more details contact your administrator.
    1602	UEBA Server not configured	Please configure UEBA server. For more details contact your administrator.
    1701	Access is denied	You do not have the required permissions to view Cloud Connector content. For more details contact your administrator.
    1702	Cloud Connector Server not configured	Please configure Cloud Connector server. For more details contact your administrator.
    1703	Cloud Connector Server is offline	The Cloud Connector Server is not running or is inaccessible. For more details contact your administrator.
    1801	Source Server Offline	The Source Server is not running or is inaccessible. For more details contact your administrator.
    1802	Source Server Data Retrieve Error	An unexpected error has occurred attempting to retrieve this data. Try again later.
    9999	Unhandled Error	An unhandled error has occurred. For more details contact your administrator.

    Note: If you encounter any error codes not listed above, review the service health and configuration settings. If the service is offline, try restarting it. If the problem persists, reach out to Customer Support for assistance.