NetWitness Endpoint Integration

NetWitness customers who are using NetWitness Endpoint 4.4 or later can integrate into NetWitness 11.x in several different ways.

Note: In Version 11.2 and later, the following components are rebranded:
- NetWitness Suite to NetWitness Platform
- Packet Decoder to Network Decoder

Integration Options


Integration Methods

The following are the NetWitness Endpoint integration methods:

  • Configure Endpoint Alerts through Respond
  • Configure Contextual Data from Endpoint through Recurring Feed
  • Configure Endpoint Alerts through Syslog into a Log Decoder
  • Configuring Meta Integrator service in the NetWitness Endpoint or later directly to a Log Decoder

Endpoint alerts into NetWitness Respond. This integration provides the capability for forwarding Endpoint alerts to Respond.

Contextual data from Endpoint through a NetWitness Live recurring feed. This integration can enrich the session displayed in NetWitness Investigation with contextual information; some examples include the host operating system, MAC address, IIOC score, and other data that may not be present in the log or packet data.

NetWitness Endpoint alerts through Syslog (CEF) into NetWitness Log Decoders. This integration provides the capability to forward Endpoint events through Syslog and to correlate the events with other log or packet metadata in the NetWitness ecosystem.

(For Version 11.1 and later) NetWitness Endpoint directly to a Log Decoder. This integration lets you view the Endpoint metadata in the Investigate > Navigate and Event Analysis views, similar to Logs and Packets.

Note: For information on NetWitness Endpoint 4.4.0.x integration with NetWitness, see the NetWitness Endpoint Configuration Guide.

NetWitness Endpoint Metadata Integration

The NetWitness Platform provides seamless integration that allows Endpoint metadata to be included in the NetWitness workflow. This lets analysts investigate an incident and respond using packet, log, and endpoint metadata. The endpoint metadata provides further indicators and context related to a host, user, process, or file. It also provides tracking data that shows what has transpired with a host, user, process, or file.


Built-in NetWitness Endpoint Lookup

With the NetWitness Endpoint user interface (UI) installed on the same machine where the analyst is using a browser to access NetWitness, the built-in NetWitness Endpoint Lookup from NetWitness Investigation and NetWitness Respond provides right-click access to the NetWitness Endpoint console server for the following meta keys: IP address (ip-src, ip-dst, ipv6-src, ipv6-dst, orig_ip), host (alias-host, domain.dst), client, and file-hash. These are described in the "Launch an External Lookup of a Meta Key" topic in the Investigation and Malware Analysis User Guide and the "View Alerts" topic in the NetWitness Respond User Guide.

NetWitness configuration is not required for endpoint lookup when you are using one of the built-in parsers, NetWitness Endpoint or CEF, and you have not customized the default meta keys used when loading metadata in Investigation. For more information, see the "Manage and Apply Default Meta Keys in an Investigation" topic in the Investigation and Malware Analysis User Guide.

Note: The exception occurs if you customize NetWitness by editing the display setting for the default meta keys in Investigation, add meta keys to the table-map-custom.xml file, or customize NetWitness Endpoint feeds. In these cases, some configuration is required to add the custom meta keys to the NetWitness Endpoint Lookup context menu in the Admin > System view, as described in the "Add Custom Context Menu Actions" topic in the System Configuration Guide.

NetWitness Endpoint Alerts and Indicators of Compromise

NetWitness Endpoint IIOC (Instant Indicator of Compromise) is a database query that NetWitness Endpoint runs on collected NetWitness Endpoint scan data to determine the presence of potential malware on scanned hosts. NetWitness Endpoint 4.1.2 or later ships with IOCs that users can enable and mark as alertable. NetWitness Endpoint runs IOC queries regularly on new scan data, which is collected and stored in the database. If the IOC query is satisfied, this indicates a potential indicator of compromise, and the event can be reported to a user or sent to an external system as an alert.

Possible types of alerts are:

  • Machine alert: This alert indicates that the machine in question is suspicious.
  • Module alert: This alert indicates that a module, such as a file, a DLL, or an executable, is suspicious. It contains details about the module in question.
  • Event alert: This alert represents any other suspicious activity detected by NetWitness Endpoint that does not fall into the above categories.

Each of these alert types can be sent to NetWitness.