Focusing on Endpoint Analysis

This guide provides the information needed to conduct an investigation that is focused on endpoint data from configured hosts. Analysts who conduct analysis using Investigate need to have the appropriate system roles and permissions set up for their user accounts. An administrator must configure roles and permissions as described in Roles and Permissions for Endpoint Analysts. For more information on roles and permissions, see the System Security and User Management Guide.

To hunt for information on hosts that have the agent running, begin the investigation in the Hosts view (Hosts). For every host, you can see processes, drivers, DLLs, files (executables), services, anomalies, and autoruns that are running, and information related to logged-in users. (See Investigating Hosts.)

You can begin the investigation on files in your deployment in the Files view (Files). (See Investigating Files.)

Note: To access the Hosts and Files views, you must have the endpoint-server.filter.manage permission.

Analysts use the Hosts and Files views to investigate or perform analysis on hosts or files using attributes such as IP address, host name, MAC address, risk score, and so on. This figure shows the high-level capabilities of an endpoint investigation. The top box shows all the possible starting points, and the lower box shows the tasks that you can accomplish from different starting points.

[Figure: endpoint investigation workflow (netwitness_epworkflow_642x725.png)]