What Is NetWitness Investigate

NetWitness audits and monitors all traffic on a network. One type of service, a Decoder, ingests, parses, and stores the packets, logs, and endpoint data traversing the network. The parsers and feeds configured on the Decoder create metadata that analysts can use to investigate the ingested logs and packets. Another type of service, a Concentrator, indexes and stores that metadata. NetWitness Investigate provides the data analysis capabilities in NetWitness, so that analysts can analyze packet, log, and endpoint data and identify possible internal or external threats to security and the IP infrastructure.

About This Guide

This guide provides end-to-end guidelines for all members of the SOC team to configure NetWitness Investigate and to investigate log and network events. End-to-end guidelines for investigating endpoints and user entity behavior using NetWitness Investigate are provided in separate documents:

Getting Help with NetWitness Platform

There are several options that provide you with help as you need it for installing and using NetWitness:

Use these links to access documentation that is not related to a particular version of the software:

Getting Started

The following tasks can be performed in any sequence and are for the entire SOC team.

  • View information about product updates, improvements, and known issues: Release Notes
  • Understand how NetWitness Investigate works: "How NetWitness Investigate Works" in the NetWitness Investigate User Guide

Setup, Installation, or Upgrade

No special setup, installation, or upgrade tasks are required for Investigate; it is part of NetWitness Platform for Logs and Network. However, setup is required for several components with which NetWitness Investigate works, if you plan to do those types of analysis. These tasks are for the Administrator; the SOC Manager may want to understand the setup.

  • Install and set up Malware Analysis (standalone or service): Malware Analysis Configuration Guide
  • Install and set up NetWitness Endpoint (standalone or service): NetWitness Endpoint Quick Start Guide
  • Install and set up NetWitness UEBA (standalone or service): NetWitness UEBA Quick Start Guide

System-Level Configuration

Administrators configure system-level preferences for NetWitness Investigate. The following tasks are for the Administrator and can be performed in any sequence. SOC Managers should understand the available configuration options.

  • Configure role-based access control (RBAC) for analysts who will be using Investigate. These components have permissions related to Investigate: investigate (Navigate view and Legacy Events view), investigate-server (Events view), Malware (Malware Analysis view), Endpoint-broker-server, and Endpoint-server: "Role Permissions" in the System Security and User Management Guide
  • Configure Investigate to limit the content available to different user roles (preQueries): "Verify Query and Session Attributes per Role" in the System Security and User Management Guide
  • Configure default settings and limits for NetWitness Investigate at the system level: "Configure Investigation Settings" in the System Configuration Guide

User Preference Configuration

The following tasks are for Threat Hunters, Content Experts, Incident Responders, and SOC Managers. The tasks can be performed in any sequence.

  • Configure Navigate view and Legacy Events view preferences: "Configure the Navigate and Legacy Events View" in the NetWitness Investigate User Guide
  • Configure Events view preferences: "Configure the Events View" in the NetWitness Investigate User Guide
  • Configure Malware Analysis view preferences: "Configure Malware Analysis" in the Malware Analysis User Guide

Investigation

Different types of investigation may be handled by analysts with different skill levels and goals.

  • Incident Responders (T1 Analysts) typically pivot to Investigate from NetWitness Respond to find detailed information about an incident so that they can respond to and remediate incidents.
  • Threat Hunters (T2/T3 Analysts) typically peruse events, metadata, and raw content so that they can identify issues, recommend them for remediation, and remediate them.
  • Content Experts (Threat Intelligence) typically peruse events, metadata, raw content, user and host data, and UEBA data so that they can investigate new threat intelligence, evaluate and create new feeds, and create correlation rules to flag indicators of compromise.
  • SOC Managers need to understand the use cases.

  • Learn about practical use cases: "Sample Use Cases for NetWitness Investigate" in the NetWitness Investigate User Guide
  • Investigate metadata and raw events in logs and network traffic: "Beginning an Investigation" in the NetWitness Investigate User Guide
  • Investigate possible malware: Malware Analysis User Guide
  • Investigate endpoints: NetWitness Endpoint User Guide
  • Perform user and entity behavior analysis: NetWitness UEBA User Guide

Maintenance

The administrator can perform the following tasks in any sequence.

  • Maintain the list of queries and analyze the query patterns of other users of the NetWitness Platform system: "Maintaining Queries Using URL Integration" in the System Maintenance Guide
  • Fine-tune system-level configuration settings to improve performance or limit access to data: "Verify Query and Session Attributes per Role" in the System Security and User Management Guide, and "Configure Investigation Settings" in the System Configuration Guide