Setting Up Your Default View by SOC Role

After logging in to NetWitness, you can navigate into the application easier by setting up your default view based on your Security Operations (SOC) role. You can set your default view, also known as a landing page, in your user preferences.

On upgrade to version 11.5 or later, by default the Springboard is displayed if you have not configured the default landing page in previous versions.

In version 11.4 and prior versions, if you configured the default landing page as Respond or Investigate in the User Preferences, then on upgrade to version 11.5, the default landing page will be Respond or Investigate view.

On fresh install of NetWitness 11.5 version, when you log in, by default Springboard is the landing page.

The following figure shows the main NetWitness views.

UI.png

  • Springboard: This view is for Analysts, who can see panels for prioritized alerts, incidents, risky hosts, risky users, risky files, and focused event data to help hunt and investigate faster than ever before.
  • Investigate: This view is for Threat Hunters, who investigate and hunt for advanced threats. Other analysts such as Incident Responders may pivot into this view for deeper analysis of an incident.
  • Respond: This view is for Incident Responders, who can view a list of incidents to triage and alerts.
  • Users: This view is for SOC Managers and Analysts to discover, investigate, and monitor risky behaviors across entities namely Users and Network in your environment.
  • Hosts: This view is for Analysts, who can investigate or perform analysis on hosts using attributes such as IP address, host name, Mac address, risk score, and so on.
  • Files: This view is for Analysts, who can investigate or perform analysis on files using attributes such as IP address, host name, Mac address, risk score, and so on.
  • Dashboard: This view is for all users. You can view dashboards on different areas of interest depending on your user permissions. You have the option to select a preconfigured dashboard, import a dashboard, or create your own custom dashboard.
  • Reports: This view is for all users. You can view reports on different areas of interest depending on your user permissions.
  • netwitness_configure_view_32x34.png Configure: This view is for Threat Intel personnel (Content Experts), who configure data sources and inputs to NetWitness. Content Experts use this area to download and manage Live content. They can also create and manage incident and ESA rules.
  • netwitness_admin_view_40x41.png Admin: This view is for System Administrators, who set up and maintain the overall application.

You can select any of the main NetWitness views as your default view. In addition to the main views, NetWitness has predefined dashboards that you can select in the Dashboards view depending on the tasks you perform:

  • Default Dashboard

  • Identity Dashboard

  • Operations - Logs Dashboard

  • Operations - Network Dashboard
  • Overview Dashboard
  • Threat - Indicators Dashboard

  • Threat - Intrusion Dashboard

The following table shows typical SOC roles and the available views you can select as your landing page in your user preferences based on your SOC role. If you have more than one role, select the view that is most appropriate for you to start with when you log in to NetWitness.

SOC Roles Role Description Consider this Default Landing Page

Incident Responder
(Tier 1 Analyst)

Addresses incidents and alerts queued for them to review and mitigate.

Springboard or Respond

Threat Hunter
(Tier 2/Tier 3 Analyst)

Investigates and hunts for advanced threats.

Springboard, Investigate, Users, Hosts, or Files
For information on selecting the default Investigate view, see the NetWitness Investigate User Guide.

SOC Manager (SOC Management and Reporting)

Manages SOC readiness and responds to incidents and data breaches.

Springboard or Dashboard

When you log in, select the appropriate predefined dashboard for your SOC role. You can also import a dashboard or create your own dashboard.

Content Expert
(Threat Intelligence)

Configures data sources and inputs to NetWitness.

Dashboard or netwitness_configureicon_24x21.png (Configure)

When you log in, select the appropriate predefined dashboard for your SOC role. You can also import a dashboard or create your own dashboard. If you choose Dashboard as your default view, you can navigate to the netwitness_configureicon_24x21.png (Configure) view from the main menu.

Data Privacy Officer
(DPO)

Similar to an Administrator, but a DPO monitors and protects privacy-sensitive information.

Dashboard

When you log in, select the appropriate predefined dashboard for your SOC role. You can also import a dashboard or create your own dashboard.

System Administrator

Focuses on the configuration and stability of the overall application. Manages user access.

Springboard

Set Your Default ViewSet Your Default View

  1. On the main menu bar, select your username, for example, netwitness_admin_icon_56x16.png.

    The User Preferences dialog shows your current preferences.

    netwitness_userpreferences_288x569.png

  2. In the Default Landing Page field, select the default view that you would like to see when you log in to NetWitness. Use the above table to make your selection based on your SOC role. For example, if you are an Analyst, you can select Springboard; if you are an Incident Responder you can select Respond; and if you are a Threat Hunter, you can select Investigate.

    Your preferences become effective immediately. You can change your default landing page at any time. For information on other preferences, see Setting User Preferences.

  3. To verify that you can see the correct default view, click Sign Out to log out and then log back in to NetWitness.