NetWitness Platform Basic Navigation

The NetWitness application is divided into ten main functional areas, known as views, that are based on typical Security Operation Center (SOC) roles.

Note: On upgrade to version 11.5 or later, by default the Springboard is displayed if you have not configured the default landing page in previous versions.


  • Springboard: Springboard presents Analysts with the platform-wide detections and signals in a single view to hunt and investigate faster than ever before. System Administrators set up and maintain the Springboard. You can view the Springboard at any time by clicking NetWitness in the main menu. For more information, see Managing the Springboard.
  • Investigate: This view is primarily for Threat Hunters, who prefer to manually hunt for threats using NetWitness metadata, raw event data, and event reconstruction and analysis. Incident Responders also use this view to get details about events associated with an incident being investigated. Both Threat Hunters and Incident Responders can use the forensic event reconstruction and event analysis features in this view.
  • Respond: This view is for Incident Responders, who can view a list of prioritized incidents to triage. These incidents come from sources such as ESA rules, NetWitness Endpoint, or ESA Analytics modules for Automated Threat Detection. You can also view all of the alerts received by NetWitness here.
  • Users: This view is for SOC Managers and Analysts to discover, investigate, and monitor risky behaviors across entities, namely users and the network, in your environment.
  • Hosts: This view is for Analysts, who can investigate or perform analysis on hosts using attributes such as IP address, host name, MAC address, risk score, and so on.
  • Files: This view is for Analysts, who can investigate or perform analysis on files using attributes such as IP address, host name, MAC address, risk score, and so on.
  • Dashboard: This view is for all users. You can view dashboards on different areas of interest depending on your user permissions.
  • Reports: This view is for all users. You can view reports on different areas of interest depending on your user permissions.
  • Configure: This view is for Threat Intel personnel (Content Experts), who configure data sources and inputs to NetWitness. Content Experts use this area to download and manage Live content. They can also create and manage incident and ESA rules.
  • Admin: This view is for System Administrators, who set up and maintain the overall application.

Menu changes

The following table illustrates the top-level menu changes in the 11.5 version.

Previous Version - 11.4 and earlier | 11.5 Version
N/A | RSA logo: click the RSA logo at the top left corner to view the Springboard.
Monitor > Dashboard | Dashboard
Monitor > Reports | Reports
Investigate > Hosts | Hosts
Investigate > Files | Files
Investigate > Entities | Users
Configure | Configure (icon)
Admin | Admin (icon)

The following table illustrates the menu changes in the 12.0 version.

Previous Version - 11.5 to 11.7.x.x | 12.0 Version
RSA logo | NetWitness logo: click the NetWitness logo at the top left corner to view the Springboard.

The following table illustrates the menu changes in the 12.1 version.

12.0 Version | 12.1 Version
NetWitness logo | NetWitness Platform XDR logo: click the NetWitness Platform XDR logo at the top left corner to view the Springboard.

The following table illustrates the menu changes in the 12.3.1 version.

Previous Version - 12.1 to 12.3 | 12.3.1 Version
NetWitness Platform XDR logo | NetWitness Platform logo: click the NetWitness Platform logo at the top left corner to view the Springboard.

Accessing Main Views

The options that open each of the main views are listed at the top of the browser window. With the appropriate permissions, you can open any of these views from the top of every page in the UI at any time.

Secondary Menus

The main views have secondary menus with additional views that you can select, which vary according to the tasks that you can complete. The following example shows the Respond menu.


Additional Options

In addition to the main views, there are additional options at the top of the UI that are common to the application.

The following table describes the common options.

Name | Description
Jobs | In the Investigate, Dashboard, Reports, Configure, and Admin views, click the Jobs icon to view and manage your jobs in the Jobs tray. Jobs are on-demand or scheduled tasks that take some time to complete in the NetWitness application.
Notifications | Click the Notifications icon to view notifications from the application.
User Preferences | Click the User Preferences icon to view your available user preference options. You can manage your user preferences and log out of NetWitness.
User Profile | Click your user profile to view the available options. You can manage your user preferences, change your password, and log out of the NetWitness UI.
Help | Click the Help icon to view NetWitness help topics.

Main Views

The following sections explain the main views:

Springboard

(From 11.5 and later) NetWitness Platform Springboard is an easy-to-use landing page that presents platform-wide detections and signals in a single view to help analysts hunt and investigate faster than ever before.

Click the NetWitness Platform logo at the top left corner to view the Springboard.

What can I do here? | Path | Show me how
View out-of-the-box panels | Springboard view | See Managing the Springboard.
Edit a panel | Springboard view | See Managing the Springboard.
Refresh a panel | Springboard view | See Managing the Springboard.
Select time range | Springboard view | See Managing the Springboard.
View all incidents, alerts, users, files, and hosts | Springboard view | See Managing the Springboard.
View details of a selected incident, alert, user, file, or host | Springboard view | See Managing the Springboard.
Manage Board (add, rearrange, and delete panels) | Springboard view | See Managing the Springboard.
Add a new custom private board | Springboard view | See Managing the Springboard.

Go to the NetWitness All Versions Documents page and find NetWitness Platform guides to troubleshoot issues.

Investigate

The Investigate view is the tool for SIEM, network, and endpoint data investigation, presenting different views into a set of data. Analysts can see metadata and raw data for endpoints, logs, and events, as well as potential indicators of compromise. In addition to investigating data on a specific service, you can pivot into Investigate from Respond, the Dashboard view, an entry in a report generated by the Reporting Engine, or a properly configured third-party application.

You can begin your investigation in any Investigate view, then continue the investigation seamlessly in another Investigate view. The manner in which you proceed is determined by the question that needs to be answered. If you find an event that needs a response, you can create an incident in Respond where an incident responder will take further action. The following figure depicts the high-level flow of an investigation. The NetWitness Investigate User Guide provides detailed information.


Investigate Menu


The Investigate menu has the following options:

  • Navigate: The Navigate view provides a list of meta keys and meta values with a focus on metadata. You can drill into the data, search for events, open a selected event in the Events view, and look up additional context from the Context Hub service.
  • Events: The Events view (formerly the Event Analysis view) is the default user interface for interacting with events. It provides a sortable list of events with a focus on metadata and raw data. You can search for events, view a reconstruction that offers helpful cues to identify points of interest, pivot to standalone Endpoint, look up additional context from the Context Hub service, look up data in Live, do external lookups, and create an incident for incident responders. By default only the Events view appears in the menu, but when the Legacy Events view is enabled, both the Events view and the Legacy Events view are visible in the menu bar.
  • Legacy Events: With the major functionality added to the 11.3 Events view, the Legacy Events view is no longer needed and is hidden unless the administrator enables it. The Legacy Events view provides a list of events with a focus on raw data. You can browse a simple list of events, a detailed list, and a log list. You can search for events, view a reconstruction of an event, look up additional context from the Context Hub service, and create an incident for incident responders.
  • Malware Analysis: Malware Analysis is an automated malware analysis processor designed to analyze certain types of file objects (for example, Windows PE, PDF, and MS Office) to assess the likelihood that a file is malicious. Using Malware Analysis, you can prioritize the massive number of captured files in order to focus analysis efforts on the files that are most likely to be malicious.

What can I do here? | Path | Show me how
Configure Investigate Views and Preferences | Investigate view | See "Configuring Investigate Views and Preferences" in the NetWitness Investigate User Guide.
Browse Event Metadata | Navigate view | See "Refining the Results Set" in the NetWitness Investigate User Guide.
Browse Raw Events | Events view | See "Refining the Results Set" in the NetWitness Investigate User Guide.
Analyze Raw Events and Metadata | Events view | See "Reconstructing and Analyzing Events" in the NetWitness Investigate User Guide.
Scan Files and Events for Malware | Malware Analysis view | See the Malware Analysis User Guide.
Triage an Incident | Pivot from the Respond view | See the NetWitness Respond User Guide.

Go to the NetWitness All Versions Documents page and find NetWitness Platform guides to troubleshoot issues.

Respond

The Respond view presents analysts with a queue of incidents in severity order. When you take an incident from the queue, you receive relevant supporting data to help you investigate the incident. From there, you can determine the incident scope and escalate or remediate it as appropriate.

Respond Menu


The Respond menu has the following options:

  • Incidents: The Incidents List view contains a list of all incidents with basic information. The Incident Details view provides extensive details about the incident.
  • Alerts: The Alerts List and Alert Details views provide information about all of the threat alerts and indicators received by NetWitness in one location.
  • Tasks: The Tasks List view enables you to create tasks and track them to completion.

The following figure shows the Respond view - Incidents List view, which shows a list of prioritized incidents.


When using NetWitness as your case management tool, you can also manage incidents from this view. New incidents appear at the top of the incident queue.

The following figure shows an example of the Respond view - Incident Details view, which shows details for a selected incident.


The Respond view is designed to make it easy to evaluate incidents, contextualize that data, collaborate with other analysts, and pivot to a deep-dive investigation as needed. The following figure shows an example of an event analysis in the Incident Details view.


The following figure shows the high-level Respond workflow process.


The following figure shows the high-level process that Incident Responders use to respond to incidents in the Respond view.


In the Respond view, analysts look at the prioritized list of incidents and determine which incidents require action. They click an incident to get a clear picture of it with supporting details, and they can investigate the incident further. Analysts can then determine how to respond to the threat, by escalating or remediating it.

What can I do here? | Path | Show me how
View prioritized incident lists | Respond > Incidents (Incidents List view) | See the NetWitness Respond User Guide.
Determine which incidents require action (Triage an incident) | Respond > Incidents (Incident Details view) | See the NetWitness Respond User Guide.
Investigate the incident | Respond > Incidents (Incident Details view) | See the NetWitness Respond User Guide. (You can also pivot to the Investigate view.)
Escalate or Remediate the Incident | Respond > Incidents (Incident Details view) and Respond > Tasks (Tasks List view) | See the NetWitness Respond User Guide.
Review Alerts | Respond > Alerts (Alerts List and Alert Details views) | See the NetWitness Respond User Guide.

Go to the NetWitness All Versions Documents page and find NetWitness Platform guides to troubleshoot issues.

Users

The Users view provides visibility into risky user behaviors across your enterprise with NetWitness UEBA. You can view a list of high-risk users and a summary of the top alerts for risky behavior for your environment. Then you can select a user or an alert and view details about the risky behavior and a timeline during which the behaviors occurred.


The Users menu has the following options:

  • Overview: The Overview view provides an initial view into the recent and most important user or network entity activities in the environment. Each panel shows either prioritized incidents for investigation or consolidated metrics reflecting potential risks to the enterprise.
  • Entities: The Entities view is a proactive threat hunting console. You can use behavioral filters to build use-case-driven target lists and to continuously monitor the environment for specific risky behavior patterns.

Note: The Entities view is only available if you are assigned the role of Administrator or UEBA Analyst.

  • Alerts: The Alerts view displays details about all the alerts in your environment. You can view forensic information about suspicious activity in your environment within a specific timeframe.

What can I do here? | Path | Show me how
Find Risky User Behavior | Users view | See the NetWitness UEBA User Guide.

Go to the NetWitness All Versions Documents page and find NetWitness Platform guides to troubleshoot issues.

Hosts

The Hosts view lists all hosts that have a NetWitness Endpoint agent running. You can filter hosts based on operating system, agent last seen, last scan time, risk score, and other factors. You can open a specific host to view events related to alerts, anomalies, process details, and information related to logged-in users.


What can I do here? | Path | Show me how
Investigate Endpoints | Hosts view | See the NetWitness Endpoint User Guide.

Go to the NetWitness All Versions Documents page and find NetWitness Platform guides to troubleshoot issues.

Files

The Files view provides a holistic view of all files in your deployment. You can apply filters, sort, and categorize files by status to reduce the number of files for analysis, and identify suspicious or malicious files.


What can I do here? | Path | Show me how
Find Suspicious Endpoint Files | Files view | See the NetWitness Endpoint User Guide.

Go to the NetWitness All Versions Documents page and find NetWitness Platform guides to troubleshoot issues.

Dashboard

A dashboard is a group of dashlets that lets you view data in one space: the key snapshots of the various components that you consider important. In NetWitness® Platform, you can compose dashboards to obtain high-level information and metrics that portray the overall picture of a NetWitness Platform deployment, displaying only the information that is most relevant to day-to-day operations.


NetWitness Platform has the following predefined dashboards that you can select in the Dashboard view, depending on the tasks you perform:

  • Default
  • Identity
  • Investigation
  • Operations - File Analysis
  • Operations - Logs
  • Operations - Network
  • Operations - Protocol Analysis
  • Overview
  • SecurID
  • Threat - Hunting
  • Threat - Intrusion
  • Threat - Malware Indicators

What can I do here? | Path | Show me how
Select a Dashboard | Dashboard view | See Managing Dashboards.
Create a Dashboard | Dashboard view | See Managing Dashboards.
Manage Dashboards | Dashboard view | See Managing Dashboards.

Go to the NetWitness All Versions Documents page and find NetWitness Platform guides to troubleshoot issues.

Reports

The Reports view enables you to view and manage reports relevant to your SOC role according to your assigned permissions.

Reports Menu


The Reports menu has the following options:

  • Manage: This panel allows you to create or modify rules, reports, charts, alerts, and lists as required.
  • View: You can view a report or a list of all reports. You can also view the scheduled reports to check their state. If a scheduled report is stopped or disabled, you can start or enable it.

What can I do here? | Path | Show me how
View a Report | Reports > View | See the Reporting User Guide.
Manage Reports | Reports > Manage | See the Reporting User Guide.

Go to the NetWitness All Versions Documents page and find NetWitness Platform guides to troubleshoot issues.

Configure

The Configure view enables Threat Intel personnel (Content Experts) to configure data sources and inputs to NetWitness in one convenient location.

Configure Menu


The Configure menu has the following options:

  • Live Content (Live Services): The Live Content view enables you to search for and subscribe to Live Services resources. Live Services is the component of NetWitness that manages communication and synchronization between NetWitness services and a library of Live content available to NetWitness customers. You can view, search, deploy, and subscribe to content from the RSA Live Content Management System (CMS) to NetWitness services and software. When you subscribe to a resource, you agree to receive updates on a regular basis from RSA Live Services.
  • Subscriptions (Live Services): The Subscriptions view enables you to manage the Live content that you subscribed to in the Live Content view. To set up Live Services on NetWitness, you configure the connection and synchronization between the CMS server and NetWitness.
  • Capture Policies: The Capture Policies view enables you to set up selective network data collection, which gives you the ability to apply centrally managed capture policies across your Network Decoders. This results in better use of service resources, including hard drive space, which leads to more predictable costs and lessens the burden of managing multiple services. You can determine which traffic is stored and how it is stored by using policies. Each policy contains a list of supported base protocols and definitions for handling any other protocols that are detected.
  • Policies: The Policies view contains two sub-tabs, namely Configuration and Content.
    • Configuration: Centralized Service Configuration via policy allows you to manage the configuration of services in your environment efficiently. The Decoder, Concentrator, and Log Decoder deployed in your environment may be large in number and geographically distributed.
    • Content: Policy-based Centralized Content Management enables you to find, deploy, and manage content through the entire life cycle based on policies that can be assigned to groups of devices. It is a single location to view, modify and manage the content deployed across all services in the environment.
  • Incident Rules: The Incident Rules view enables you to create incident rules with various criteria to automatically create incidents. You can view prioritized incidents in the Respond view.
  • Incident Notifications: The Incident Notifications view enables you to automatically send email notifications to SOC Managers and the Analysts assigned to the incidents when incidents are created or updated.
  • ESA Rules: The ESA Rules view enables you to manage the Event Stream Analysis (ESA) rules that specify criteria for problematic behavior or threatening events in your network. When ESA detects a threat that matches the rule criteria, it generates an alert.
    You can create ESA rules yourself or download them from Live Services. The Rule Library shows all ESA rules created or downloaded. To activate rules, you have to add them to a deployment. Deployments map rules from your rule library to the appropriate ESA services.
  • Custom Feeds (Live Services): The Custom Feeds view streamlines the task of creating and managing custom feeds, as well as populating the feeds to selected Decoders and Log Decoders. You can set up and maintain custom and identity feeds.
    NetWitness uses feeds to create metadata based on externally defined metadata values. A feed is a list of data that is compared to sessions as they are captured or processed. For each match, additional metadata is created.
    You can create custom feeds to provide extra metadata extraction, for example, to accommodate custom network applications.
  • Log Parser Rules: The Log Parser Rules tab displays information about individual log parsers, as well as the default, "parse all" parser that can parse logs that are not associated with a particular log parser. This tab contains the following information:
    • You can view the rules for a particular event source type, including the default parser.
    • You can view the names, literals, patterns, and metadata for each configured log parser.
    • You can add log parsers.
    • You can add, edit, and delete custom rules for log parsers.
  • Service Topology: The Service Topology tab enables administrators and analysts to view all the NetWitness core services in a hierarchical layout depicting the collection and aggregation of the services in your deployment. This visualization displays the topology for Broker, Concentrator, Log Decoder, Packet Decoder, Hybrids, ESA and Log Collector.
What can I do here? | Path | Show me how
Create a Live Services account. | RSA Live Registration Portal: https://cms.netwitness.com/registration/ | See the Live Services Management Guide.
Find and deploy Live Services resources. | Configure > Live Content | See the Live Services Management Guide.
Set up selective network data collection. | Configure > Capture Policies | See the Decoder Configuration Guide.
Set up Live Services on NetWitness. | Configure > Subscriptions | See the Live Services Management Guide.
Create Policies and Groups. | Configure > Policies | See the Host and Services Getting Started Guide.
Create Policies and Groups. | Configure > Policies | See the Live Services Management Guide.
Create incidents automatically. | Configure > Incident Rules | See the NetWitness Respond Configuration Guide.
Configure incident notifications. | Configure > Incident Notifications | See the NetWitness Respond Configuration Guide.
Configure alerts. | Configure > ESA Rules | See the Alerting with ESA Correlation Rules User Guide.
Set up and maintain custom and identity feeds. | Configure > Custom Feeds | See the Live Services Management Guide.
View and edit log parsers and log parser rules. | Configure > Log Parser Rules | See the Log Parser Customization Guide.
View the topology of the core services. | Configure > Service Topology | See the Host and Services Getting Started Guide.

Go to the NetWitness All Versions Documents page and find NetWitness Platform guides to troubleshoot issues.

Admin

In the Admin view, administrators can manage network hosts and services; monitor the health and wellness of NetWitness; and manage system-level security. They can also configure global system resources and manage event sources.

Admin Menu


The Admin menu has the following options:

  • Hosts: The Hosts view is where you set up and maintain hosts. A host is the machine on which services run and a host can be a physical or virtual machine.
  • Services: The Services view enables you to manage services, manage service users and roles, maintain service configuration files, and explore and edit service properties. A service performs a unique function, such as a Decoder service, which captures network data in packet form.
  • Event Sources: The Event Sources view enables you to manage event sources and configure alerting policies for them. Organizations typically monitor event sources in groups based on the criticality of the event sources. You can create monitoring policies for each event source group and order them based on priority.
  • Endpoint Sources: The Endpoint Sources view enables you to manage and update endpoint agent configurations through groups and to manage agent behavior using policies. You can either use the default policies or customize them.
  • Health & Wellness: The Health & Wellness view enables you to monitor the health of the NetWitness hosts and services in your network environment.
  • System: The System view enables you to set global NetWitness configurations. You can configure global audit logging, email, system logging, jobs, RSA Live Services, URL integration, Investigation, Event Stream Analysis (ESA), ESA Analytics, and advanced performance settings. In addition, you can manage NetWitness versions and configure the local licensing server.
  • Security: The Admin Security view provides the capability to manage user accounts, manage user roles, map external groups to NetWitness roles, and modify other security-related system parameters. These apply to the NetWitness system and are used in conjunction with the security settings for individual services.
What can I do here? | Path | Show me how
Manage hosts. | Admin > Hosts | See the Host and Services Getting Started Guide.
Manage services, including managing service user access and security. | Admin > Services | See the Host and Services Getting Started Guide.
Manage event sources and configure alerting policies for them. | Admin > Event Sources | See the Event Source Management Guide.
Manage endpoint sources and configure alerting policies for them. | Admin > Endpoint Sources | See the Event Source Management Guide.
Set up and monitor alarms for the hosts and services in your NetWitness domain. | Admin > Health & Wellness > Alarm | See the System Maintenance Guide.
Monitor statistics for the NetWitness hosts and the services running on the hosts. | Admin > Health & Wellness > Monitoring | See the System Maintenance Guide.
Create and apply policies to your hosts and services to help you maintain the health and wellness of your NetWitness domain. | Admin > Health & Wellness > Policies | See the System Maintenance Guide.
Set global configurations for NetWitness. | Admin > System | See the System Configuration Guide.
Configure Global Audit Logging. | Admin > System > Global Auditing | See the System Configuration Guide.
Set up system security. | Admin > Security | See the System Security and User Management Guide.
Manage system users with roles and permissions. | Admin > Security | See the System Security and User Management Guide.
Set up Public Key Infrastructure (PKI) authentication. PKI is available in NetWitness 11.3 and later. | Admin > Security | See the System Security and User Management Guide.

Go to the NetWitness All Versions Documents page and find NetWitness Platform guides to troubleshoot issues.