Getting Started with NetWitness Platform


NetWitness is a powerful threat detection suite that enables Security Operation Centers (SOCs) to quickly locate, prioritize, and triage threats. NetWitness helps you to isolate and remediate known threats as well as those that were previously unknown. It provides deep insight into packets, logs, and endpoints that provide you with an unparalleled view into your enterprise or business.

NetWitness is powerful, but it is easier for Tier 1 Analysts to use because it automates the process of identifying and prioritizing suspicious threats. Tier 2 and Tier 3 Analysts can hunt for and locate threats by searching and filtering events and then examining events using reconstruction and analysis tools.


NetWitness is a distributed and modular system that enables highly flexible deployment architectures that scale with the needs of the organization. NetWitness allows administrators to collect three types of data from the network infrastructure: packet data, log data, and endpoint data. The key aspects of the architecture are:

  • Distributed Data Collection: The Decoder ingests packet data while the Log Decoder ingests log data. Decoders parse and reconstruct all collected network traffic from Layers 2 - 7, or log and event data from hundreds of devices and event sources, including NetWitness Endpoint data (if installed and configured). The Concentrator indexes metadata extracted from network or log data and makes it available for enterprise-wide querying and real-time analytics while also facilitating reporting and alerting. The Broker aggregates data captured by other devices and event sources. Brokers aggregate data from configured Concentrators; Concentrators aggregate data from Decoders. Therefore, a Broker bridges the multiple real-time data stores held in the various Decoder or Concentrator pairs throughout the infrastructure.

  • Real-time Alerting: The NetWitness Event Stream Analysis (ESA) service provides advanced stream analytics such as correlation and complex event processing at high throughputs and low latency. It can process large volumes of disparate event data from Concentrators. ESA uses an advanced Event Processing Language (EPL) that allows analysts to express filtering, aggregation, joins, pattern recognition, and correlation across multiple disparate event streams. Event Stream Analysis helps to perform powerful incident detection and alerting.

  • Real-time Analytics (automatic analysis of events): The Automated Threat Detection functionality includes preconfigured ESA analytics module for detecting Command and Control traffic.

  • NetWitness Server: The NetWitness Server provides reporting, investigation, administration, and other aspects of the user interface.

  • Capacity: NetWitness has a modular-capacity architecture enabled with direct-attached capacity (DACs) or storage area networks (SANs), that adapts to the organization's short-term investigation and long-term analytic and data-retention needs.

NetWitness provides large deployment flexibility. You can design its architecture using as many as multiple dozens of physical hosts or a single physical host, based on the particulars of the customer's performance and security-related requirements. In addition, the entire NetWitness system has been optimized to run on virtualized infrastructure.

The System Architecture comprises of these major components- Decoders, Brokers, Concentrators, Archivers, ESA, and Warehouse Connectors. NetWitness components can be used together as a system or can be used individually.

  • In a security information and event management (SIEM) implementation, the base configuration requires these components- Log Decoder, Concentrator, Broker, Event Stream Analysis (ESA), and the NetWitness Server.
  • In a forensics implementation, the base configuration requires these components- Decoder, Concentrator, Broker, ESA, Malware Analysis, and Endpoint Log Hybrid. The Respond Server service is also required and is used to prioritize alerts.

The table provides a synopsis of each major component:

System Component Description
Decoder / Log Decoder
  • NetWitness collects packet, log, and endpoint data.
  • Packet data, that is, network packets, are collected using the Decoder through the network tap or span port, which is typically determined to be an egress point on an organization's network.
  • A Log Decoder can collect four different log types - Syslog, ODBC, Windows eventing, and flat files.
  • Windows eventing refers to the Windows 2008 collection methodology and flat files can be obtained via SFTP.
  • Both types of Decoders ingest raw transactional data that is enriched, closed out, and aggregated to other NetWitness components.
  • The process for ingesting and parsing transactional data is a dynamic and open framework.
Endpoint Log Hybrid
  • Collects and manages endpoint (host) data from Windows, Mac, or Linux hosts.
  • Records data about every critical action, such as process, file, registry modification, network connections, and user console interactions.
  • Collects Windows logs and file logs from Windows host, if configured.

  • Generates metadata to correlate endpoint data with sessions from other events sources, such as logs and network.
  • Performs on-demand memory analysis and suspicious user behavior detection.

  • Provides index and query capability to NetWitness Collections.
  • Can optionally forward data to ESA.


  • Distributes NetWitness Collection access across many Concentrators or Archivers, making the entire NetWitness enterprise appear as a single collection.
  • The Archiver service enables long-term log archiving by indexing and compressing log data and sending it to archiving storage.
  • The archiving storage is optimized for long-term data retention, and compliance reporting.
  • Archiver stores raw logs and log metadata from Log Decoders for long-term retention, and it uses Direct-Attached Capacity (DAC) for storage.

    Note: Raw packets and packet metadata are not stored in the Archiver.

Event Stream Analysis (ESA)
  • ESA provides event stream analytics such as correlation and complex event processing at high throughputs and low latency. It can process large volumes of disparate event data from Concentrators.
  • ESA uses advanced Event Processing Language that allows users to express filtering, aggregation, joins, pattern recognition, and correlation across multiple disparate event streams.
  • ESA helps to perform powerful incident detection and alerting.

Core Versus Downstream Components

In NetWitness, the Core services ingest and parse data, generate metadata, and aggregate generated metadata with the raw data. The Core services are Decoder, Log Decoder, Concentrator, and Broker. Downstream systems use data stored on Core services for analytics; therefore, the operations of downstream services are dependent on Core services. The downstream systems are Archiver, ESA, Malware Analysis, Investigate, and Reporting.

Although the Core services can operate and provide a good analytics solution without the downstream systems, the downstream components provide additional analytics. ESA provides real-time correlation across sessions and events as well as between different types of events, such as log, packet, and endpoint data. Investigate provides the ability to drill into data, examine events and files, and reconstruct events in a safe environment. The Malware Analysis service provides real-time, automated inspection for malicious activity in network sessions and associated files.