The NetWitness application is divided into ten main functional areas, known as views, that are based on typical Security Operation Center (SOC) roles.

Note: After upgrading to the latest version, the Springboard is displayed by default if you did not configure a default landing page in a previous version.


  • Springboard: Springboard presents Analysts with the platform-wide detections and signals in a single view to hunt and investigate faster than ever before. System Administrators set up and maintain the Springboard. You can view the Springboard at any time by clicking NetWitness in the main menu. For more information, see Managing the Springboard.
  • Investigate: This view is primarily for Threat Hunters, who prefer to manually hunt for threats using NetWitness metadata, raw event data, and event reconstruction and analysis. Incident Responders also use this view to get details about events associated with an incident being investigated. Both Threat Hunters and Incident Responders can use the forensic event reconstruction and event analysis features in this view.
  • Respond: This view is for Incident Responders, who can view a list of prioritized incidents to triage. These incidents come from sources such as ESA rules, NetWitness Endpoint, or ESA Analytics modules for Automated Threat Detection. You can also view all of the alerts received by NetWitness here.
  • Users: This view is for SOC Managers and Analysts to discover, investigate, and monitor risky behaviors across entities, namely users and network entities, in your environment.
  • Hosts: This view is for Analysts, who can investigate or perform analysis on hosts using attributes such as IP address, host name, MAC address, risk score, and so on.
  • Files: This view is for Analysts, who can investigate or perform analysis on files using attributes such as IP address, host name, MAC address, risk score, and so on.
  • Dashboard: This view is for all users. You can view dashboards on different areas of interest depending on your user permissions.
  • Reports: This view is for all users. You can view reports on different areas of interest depending on your user permissions.
  • Configure: This view is for Threat Intel personnel (Content Experts), who configure data sources and inputs to NetWitness. Content Experts use this area to download and manage Live content. They can also create and manage incident and ESA rules.
  • Admin: This view is for System Administrators, who set up and maintain the overall application.

Accessing Main Views

The options that open each of the main views are listed at the top of the browser window. With the appropriate permissions, you can access any of these views from the top of every UI page at any time.


Secondary Menus

The main views have secondary menus with additional views that you can select, which vary according to the tasks that you can complete. The following example shows the Respond menu.


Additional Options

In addition to the main views, there are additional options at the top of the UI that are common to the application.

The following list describes the common options.

  • Jobs: In the Investigate, Dashboard, Reports, Configure, and Admin views, click this icon to view and manage your jobs in the Jobs tray. Jobs are on-demand or scheduled tasks that take some time to complete in the NetWitness application.
  • Notifications: Click this icon to view notifications from the application.
  • User Preferences: Click this icon to view your available user preference options. You can manage your user preferences and log out of NetWitness.
  • User Profile: Click your user profile to view the available options. You can manage your user preferences, change your password, and log out of the NetWitness UI.
  • Help: Click this icon to view NetWitness help topics.

Main Views

The following sections explain the main views:


Springboard

NetWitness Platform Springboard is an easy-to-use landing page that presents platform-wide detections and signals in a single view to help analysts hunt and investigate faster than ever before.

Click the NetWitness Platform logo at the top left corner to view the Springboard.



Go to the NetWitness All Versions Documents page and find NetWitness Platform guides to troubleshoot issues.


Investigate

The Investigate view is the tool for SIEM, network, and endpoint data investigation, presenting different views into a set of data. Analysts can see metadata and raw data for endpoints, logs, and events, as well as potential indicators of compromise. In addition to investigating data on a specific service, you can pivot into Investigate from Respond, the Dashboard view, an entry in a report generated by the Reporting Engine, or a properly configured third-party application.

You can begin your investigation in any Investigate view, then continue the investigation seamlessly in another Investigate view. The manner in which you proceed is determined by the question that needs to be answered. If you find an event that needs a response, you can create an incident in Respond where an incident responder will take further action. The following figure depicts the high-level flow of an investigation. The NetWitness Investigate User Guide provides detailed information.


Investigate Menu


The Investigate menu has the following options:

  • Navigate: The Navigate view provides a list of meta keys and meta values with a focus on metadata. You can drill into the data, search for events, open a selected event in the Events view, and look up additional context from the Context Hub service.
  • Events: The Events view (formerly the Event Analysis view) is the default user interface for interacting with events. It provides a sortable list of events with a focus on metadata and raw data. You can search for events, view a reconstruction that offers helpful cues to identify points of interest, pivot to standalone Endpoint, look up additional context from the Context Hub service, look up data in Live, do external lookups, and create an incident for incident responders. By default, only the Events view appears in the menu; when the Legacy Events view is enabled, both the Events view and the Legacy Events view are visible in the menu bar.
  • Legacy Events: With major functionality added to the Events view, the Legacy Events view is no longer needed and is hidden unless the administrator enables it. The Legacy Events view provides a list of events with a focus on raw data. You can browse a simple list of events, a detailed list, and a log list. You can search for events, view a reconstruction of an event, look up additional context from the Context Hub service, and create an incident for incident responders.
  • Malware Analysis: Malware Analysis is an automated malware analysis processor designed to analyze certain types of file objects (for example, Windows PE, PDF, and MS Office) to assess the likelihood that a file is malicious. Using Malware Analysis, you can prioritize the massive number of files captured in order to focus analysis efforts on the files that are most likely to be malicious.


Respond

The Respond view presents analysts with a queue of incidents in severity order. When you take an incident from the queue, you receive relevant supporting data to help you investigate the incident. From there, you can determine the incident scope and escalate or remediate it as appropriate.

Respond Menu


The Respond menu has the following options:

  • Incidents: The Incidents List view contains a list of all incidents with basic information. The Incident Details view provides extensive details about the incident.
  • Alerts: The Alerts List and Alert Details views provide information about all of the threat alerts and indicators received by NetWitness in one location.
  • Tasks: The Tasks List view enables you to create tasks and track them to completion.

The following figure shows the Respond view - Incidents List view, which shows a list of prioritized incidents.


When using NetWitness as your case management tool, you can also manage incidents from this view. New incidents appear at the top of the incident queue.

The following figure shows an example of the Respond view - Incident Details view, which shows details for a selected incident.


The Respond view is designed to make it easy to evaluate incidents, contextualize that data, collaborate with other analysts, and pivot to a deep-dive investigation as needed. The following figure shows an example of an event analysis in the Incident Details view.


The following figure shows the high-level Respond workflow process.


The following figure shows the high-level process that Incident Responders use to respond to incidents in the Respond view.


In the Respond view, analysts look at the prioritized list of incidents and determine which incidents require action. They click an incident for a clear picture of the incident with supporting details and they can investigate the incident further. Analysts can then determine how to respond to the threat, by escalating or remediating it.



Users

The Users view provides visibility into risky user behaviors across your enterprise with NetWitness UEBA. You can view a list of high-risk users and a summary of the top alerts for risky behavior for your environment. Then you can select a user or an alert and view details about the risky behavior and a timeline during which the behaviors occurred.


The Users menu has the following options:

  • Overview: Provides an initial view into the recent and most important user or network entity activities in the environment. Each panel shows either prioritized incidents for investigation or consolidated metrics reflecting potential risks to the enterprise.
  • Entities: A proactive threat hunting console. You can use behavioral filters to build use-case-driven target lists and to continuously monitor the environment for specific risky behavior patterns.

Note: The Entities view is only available if you are assigned the role of Administrator or UEBA Analyst.

  • Alerts: Displays details about all the alerts in your environment. You can view forensic information about suspicious activity in your environment for a specific timeframe.

Hosts

The Hosts view lists all hosts that have a NetWitness Endpoint agent running. You can filter hosts based on operating system, agent last seen, last scan time, risk score, and other factors. You can open a specific host to view events related to alerts, anomalies, process details, and information related to logged-in users.


Files

The Files view provides a holistic view of all files in your deployment. You can apply filters, sort, and categorize files by status to reduce the number of files for analysis, and identify suspicious or malicious files.


Dashboard

A dashboard is a group of dashlets that give you the ability to view data in one space, the key snapshots of the various components that you consider important. In NetWitness® Platform, you can compose dashboards to obtain high-level information and metrics that portray the overall picture of a NetWitness Platform deployment, displaying only the information that is most relevant to the day-to-day operations.


NetWitness Platform provides the following preconfigured dashboards, which you can select in the Dashboard view depending on the tasks you perform:

  • Default
  • Identity
  • Investigation
  • Operations - File Analysis
  • Operations - Logs
  • Operations - Network
  • Operations - Protocol Analysis
  • Overview
  • SecurID
  • Threat - Hunting
  • Threat - Intrusion
  • Threat - Malware Indicators

Reports

The Reports view enables you to view and manage reports relevant to your SOC role according to your assigned permissions.

Reports Menu


The Reports menu has the following options:

  • Manage: This panel allows you to create or modify rules, reports, charts, alerts, and lists as required.
  • View: You can view a report or a list of all reports. You can also view the scheduled reports to check the state of each scheduled report. If a scheduled report is stopped or disabled, you can start or enable it.

Configure

The Configure view enables Threat Intel personnel (Content Experts) to configure data sources and inputs to NetWitness in one convenient location.

Configure Menu


The Configure menu has the following options:

  • Live Content (Live Services): The Live Content view enables you to search for and subscribe to Live Services resources. Live Services is the component of NetWitness that manages communication and synchronization between NetWitness services and a library of Live content available to NetWitness customers. You can view, search, deploy, and subscribe to content from the RSA Live Content Management System (CMS) to NetWitness services and software. When you subscribe to a resource, you agree to receive updates on a regular basis from RSA Live Services.
  • Subscriptions (Live Services): The Subscriptions view enables you to manage the Live content that you subscribed to in the Live Content view. To set up Live Services on NetWitness, you configure the connection and synchronization between the CMS server and NetWitness.
  • Capture Policies: The Capture Policies view enables you to set up selective network data collection, which gives you the ability to apply centrally managed capture policies across your Network Decoders. This results in better use of service resources, including hard drive space, which leads to more predictable costs and lessens the burden of managing multiple services. You can determine which traffic is stored and how it is stored by using policies. Each policy contains a list of supported base protocols and definitions for handling any other protocols that are detected.
  • Policies: The Policies view contains two sub-tabs, namely Configuration and Content.
    • Configuration: Centralized Service Configuration via policy allows you to manage the configuration of services in your environment efficiently. The Decoders, Concentrators, and Log Decoders deployed in your environment may be numerous and geographically distributed.
    • Content: Policy-based Centralized Content Management enables you to find, deploy, and manage content through the entire life cycle based on policies that can be assigned to groups of devices. It is a single location to view, modify, and manage the content deployed across all services in the environment.
  • Incident Rules: The Incident Rules view enables you to create incident rules with various criteria to automatically create incidents. You can view prioritized incidents in the Respond view.
  • Incident Notifications: The Incident Notifications view enables you to automatically send email notifications to SOC Managers and the Analysts assigned to the incidents when incidents are created or updated.
  • ESA Rules: The ESA Rules view enables you to manage the Event Stream Analysis (ESA) rules that specify criteria for problematic behavior or threatening events in your network. When ESA detects a threat that matches the rule criteria, it generates an alert.
    You can create ESA rules yourself or download them from Live Services. The Rule Library shows all ESA rules created or downloaded. To activate rules, you have to add them to a deployment. Deployments map rules from your rule library to the appropriate ESA services.
  • Custom Feeds (Live Services): The Custom Feeds view streamlines the task of creating and managing custom feeds, as well as populating the feeds to selected Decoders and Log Decoders. You can set up and maintain custom and identity feeds.
    NetWitness uses feeds to create metadata based on externally defined metadata values. A feed is a list of data that is compared to sessions as they are captured or processed. For each match, additional metadata is created.
    You can create custom feeds to provide extra metadata extraction, for example, to accommodate custom network applications.
  • Log Parser Rules: The Log Parser Rules tab displays information about individual log parsers, as well as the default "parse all" parser that can parse logs that are not associated with a particular log parser. In this tab, you can:
    • View the rules for a particular event source type, including the default parser.
    • View the names, literals, patterns, and metadata for each configured log parser.
    • Add log parsers.
    • Add, edit, and delete custom rules for log parsers.
  • Service Topology: The Service Topology tab enables administrators and analysts to view all the NetWitness core services in a hierarchical layout depicting the collection and aggregation of the services in your deployment. This visualization displays the topology for Broker, Concentrator, Log Decoder, Packet Decoder, Hybrids, ESA and Log Collector.
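As an added illustration of how the Log Parser Rules and Custom Feeds options above fit together (example code written for this page, not NetWitness's own implementation): a parser rule's literal and pattern turn a raw log line into session metadata, and a feed keyed on one callback meta key attaches extra metadata to every session whose value matches, exactly the "for each match, additional metadata is created" behavior the Custom Feeds entry describes. The rule and feed structures, the meta key names, and the sample log line are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ParserRule:
    """Literal gate plus a regex whose named groups become meta keys ('_' stands in for '.')."""
    name: str
    literal: str
    pattern: str

@dataclass(frozen=True)
class Feed:
    """Externally defined values keyed on one callback meta key, each with extra meta to attach."""
    name: str
    callback_key: str
    rows: dict

def parse_log(line, rules):
    """Session meta (key -> list of values) from the first matching rule, or {} if none match."""
    for rule in rules:
        if rule.literal not in line:
            continue  # cheap literal check before running the regex
        match = re.search(rule.pattern, line)
        if match:
            meta = {"parser.name": [rule.name]}
            for group, value in match.groupdict().items():
                meta.setdefault(group.replace("_", "."), []).append(value)
            return meta
    return {}

def enrich(meta, feeds):
    """Compare session meta to every feed; each match adds the row's extra meta plus feed.name."""
    out = {key: list(values) for key, values in meta.items()}
    for feed in feeds:
        for value in meta.get(feed.callback_key, []):
            extra = feed.rows.get(value)
            if extra is None:
                continue
            out.setdefault("feed.name", []).append(feed.name)
            for key, val in extra.items():
                out.setdefault(key, []).append(val)
    return out

# Constructed sample content (not real NetWitness content): one sshd parser rule and one
# feed keyed on ip.src that lists a TEST-NET address.
RULES = [ParserRule("sshd_auth_failure", "Failed password",
                    r"Failed password for (?P<user_dst>\S+) from (?P<ip_src>[\d.]+)")]
FEEDS = [Feed("watchlist-ips", "ip.src", {"203.0.113.7": {"threat.category": "bruteforce-source"}})]
SAMPLE_LOG = "Jan 12 10:01:02 bastion sshd[1234]: Failed password for root from 203.0.113.7 port 5342 ssh2"

def demo(line=SAMPLE_LOG):
    """Run the constructed rules and feeds over one log line."""
    return enrich(parse_log(line, RULES), FEEDS)
```

A line whose literal never appears yields no metadata and therefore no feed hits, which is the same reason a feed only enriches sessions that already carry the callback meta key.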

Admin

In the Admin view, administrators can manage network hosts and services; monitor the health and wellness of NetWitness; and manage system-level security. They can also configure global system resources and manage event sources.

Admin Menu


The Admin menu has the following options:

  • Hosts: The Hosts view is where you set up and maintain hosts. A host is the machine on which services run and a host can be a physical or virtual machine.
  • Services: The Services view enables you to manage services, manage service users and roles, maintain service configuration files, and explore and edit service properties. A service performs a unique function, such as a Decoder service, which captures network data in packet form.
  • Event Sources: The Event Sources view enables you to manage event sources and configure alerting policies for them. Organizations typically monitor event sources in groups based on the criticality of the event sources. You can create monitoring policies for each event source group and order them based on priority.
  • Endpoint Sources: The Endpoint Sources view enables you to manage and update endpoint agent configurations through groups and to manage agent behavior using policies. You can either use the default policies or customize them.
  • Health & Wellness: The Health & Wellness view enables you to monitor the health of the NetWitness hosts and services in your network environment.
  • System: The System view enables you to set global NetWitness configurations. You can configure global audit logging, email, system logging, jobs, RSA Live Services, URL integration, Investigation, Event Stream Analysis (ESA), ESA Analytics, and advanced performance settings. In addition, you can manage NetWitness versions and configure the local licensing server.
  • Security: The Admin Security view provides the capability to manage user accounts, manage user roles, map external groups to NetWitness roles, and modify other security-related system parameters. These apply to the NetWitness system and are used in conjunction with the security settings for individual services.
