NetWitness Core Services API GuideNetWitness Core Services API Guide
The NetWitness Platform Core Services API can be accessed using the same host and port as the NetWitness user interface. Information on the APIs can be guide as mentioned below..
NetWitness Platform Core Services API
... View more
Introduction to Endpoint InvestigationIntroduction to Endpoint Investigation
NetWitness Investigate provides data analysis capabilities in NetWitness , so that analysts can analyze packet, log, endpoint, and UEBA data, and identify possible internal or external threats to security and the IP infrastructure. This guide helps analysts perform investigations of endpoint data using NetWitness Investigate.
Note: In Version 11.1 and later, the Hosts and Files views provide a view into endpoint data. Earlier versions offer access to endpoint data using a standalone NetWitness Endpoint server.
For more information, see the NetWitness Endpoint Quick Start Guide, the NetWitness Investigate Quick Start Guide, and the NetWitness Investigate User Guide.
Endpoint MetadataEndpoint Metadata
Endpoint metadata is generated when hosts are scanned and when there are real-time activities on the hosts. You can view the following categories of sessions when metadata forwarding is enabled:
Scan Categories & Real-time events
file, service, dll, process, task, autorun, machine, kernel hook, image hook, registry discrepancies, suspicious threads and removable device(USB) detection
Process event - Reports any process related activities, such as openprocess , openosprocess , createprocess , createremotethread , openbrowserprocess .
File event - Reports any file related activities by an executable, such as readdocument , writetoexecutable , renameexecutable , selfdeleteexecutable , openphysicaldrive .
Registry event - Reports activities that result in registry creation or modification, such as modifyservicesimagepath , modifyfirewallpolicy , createservicesimagepath , createsecuritycenterconfiguration , modifybadcertificatewarningsetting , Modifies Startup Folder Location , Modifies Winlogon Registry Settings , Registers Time Provider Dll , Registers Port Monitor Dll , Registers Netsh helper Dll , Registers AppInit Dll , Registers AppCert Dll ,
System event - Reports connection of removable devices(USB devices), IP change and boot events such as, removableDeviceConnected , removableDeviceDisconnected
Network event - TCP/UDP and incoming/outgoing. Reports outbound and inbound network connections on all supported Windows platforms. Reports IPv4 and IPv6 connections.
Console event (for Windows 8 and later) - User input that is entered into a console application, such as cmd.exe , powershell.exe , is captured and reported with the context console.local .
Commands executed by cmd.exe , powershell.exe as a result of inter-process communication through anonymous pipes are captured and reported with the context console.remote .
For example, Get-Item -Path Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\ CurrentVersion .
file, autrorun, loaded library, systemd, process, cron, initd, and machine
file, daemon, process, task, dylib, autorun, and machine
Process event - Reports any process related activities, such as openprocess , createprocess , openosprocess , openbrowserprocess , allocateremotememory , createremotethread .
File event - Reports any file related activities by an executable, such as writetoexecutable , renameexecutable , createautorun , deleteexecutable , selfdeleteexecutable , writetoplist , writetosudoers , createbrowserextension .
Network event - TCP/UDP and incoming/outgoing. Reports outbound and inbound network connections on all supported Mac operating system. Reports IPv4 and IPv6 connections.
For more information on metadata, meta keys, meta values, and meta entities, see the NetWitness Investigate User Guide.
Risk Score Risk Score
Analysts can use the risk score to begin an investigation on hosts and files. RSA uses a proprietary algorithm to calculate the risk scores ranging from 0 to 100. A subset of alerts associated with hosts and files contribute to the risk score calculation. Analysts can review critical and high alerts associated with a risk score to identify strong evidence of malicious activity and take required action.
Note: If you have an Insights agent, you can view the risk score for files but not for hosts. To view the risk score for hosts, upgrade to the Advanced agent. For more information, see the NetWitness Endpoint Configuration Guide.
The following factors contribute to the risk score:
Distinct Alerts. Any host or file activities that are suspicious or malicious generate alerts. Only the distinct alerts are used for risk score calculation.
Severity of Alerts. Severity of alerts, such as critical, high, and medium.
This figure is an example of a host with 1 Critical, 2 High and 4 Medium distinct alerts.
All the distinct alert shown in the above example can be for the same file or different files. For example, Modifies File Associations alert is triggered for files, such as svchost.exe and OneDrive.exe .
This figure is an example of files with distinct alerts. Each file can have a multiple distinct alerts. The files can have a same alert name being triggered by two different hosts as shown below.
The risk score is reset when you perform any of the following actions:
Whitelist or blacklist a file after investigation. The risk score of a file is set to 0 on whitelisting and set to 100 on blacklisting.
If the alerts or events triggered by the host or files on the host are false positive, you make changes to the Endpoint Application rules or ESA rules and reset the risk score.
Besides the above factors, the risk score is reset when a file no longer matches Yara rules in the subsequent scans
Note: When you whitelist a file or reset the risk score, the alerts that contributed to the risk score are not shown in the Host Details tab.
The host risk score depends on the risk score of all the files on the host. When you change the file status or reset the file risk score, the host risk score is recalculated. For example, the score for all the hosts on which a blacklisted file is present is recalculated and becomes 100. If the host is not found to be infected, you can reset the host risk score. This deletes the alerts contributed to the risk score and does not impact the global file score. For more information on changing the file status, see Changing File Status or Remediate.
Note: For the risk score calculation, the ESA Correlation server must be configured with an Endpoint Concentrator. The application rules are automatically deployed on installation. For an upgrade, you must deploy the application rules from RSA Live. For more information, see the NetWitness Endpoint Configuration Guide.
Note: For the accurate risk score calculation, the default multi-valued meta keys are required on the ESA Correlation service. For more information, see "Configure Meta Keys as Arrays in ESA Correlation Rule Values" section in the ESA Configuration Guide.
Severity of AlertsSeverity of Alerts
The following table depicts the risk score range based on the associated alert severity:
Risk Score Range
The following is an example of alerts contributing to the risk score:
In the above example, there are three distinct critical alerts. For each alert type, associated events are displayed. You can see that the "Enables Cleartext Credential Storage" alert was triggered twice. The details of the two events are displayed with the metadata information. For more information on severity alerts and metadata information, see Analyze Hosts Using the Risk Score and Analyze Files Using the Risk Score.
Global and Local Risk ScoreGlobal and Local Risk Score
Analysts can get better context on file activities on hosts using the global risk score and the local risk score of a file.
Global Risk Score - The global risk score is an aggregate of all suspicious and malicious activities performed by the file across all hosts. This score indicates the potential threat posed by the file across the NetWitness Platform.
Local Risk Score - The local risk score is calculated on suspicious or malicious activities performed by the file on a specific host. The local risk score is used for the host risk score calculation.
For more information on the global and local risk score, see Investigating Files and Investigating Hosts.
Automated Incident Creation Based on Risk ScoreAutomated Incident Creation Based on Risk Score
By default, a threshold is set for the risk score to control the generation of incidents and alerts in NetWitness Respond. For more information on configuring the threshold limit, see the NetWitness Respond Configuration Guide.
File ReputationFile Reputation
The File Reputation service available on RSA Live checks the reputation of every file hash against an extensive database of known file hashes updated in real-time. The file reputation is displayed on the Investigate and Respond views.
The reputations for a file hash are:
File hash is labeled as malicious.
File hash is suspected to be malicious.
File hash is not known.
File hash information is known to the file reputation service and does not have any previous bad record.
File hash information is known good, such as files signed by Microsoft or RSA.
File hash format is invalid.
The suspicious or malicious files are available for further analysis in the Investigate > Navigate view and Investigate > Events view. For more information on the file reputation service, see the Live Services Management Guide.
Note: The File Reputation service supports maximum of 10 million files for a reputation of file hash.
File Status File Status
To help analysts triage and focus on their investigation, NetWitness provides capabilities to manage suspect and legitimate files. For example, you can whitelist files that are legitimate (such as security products), or blacklist files based on known threats and investigation.
A file can be classified as follows:
Blacklist: File that is marked suspicious, such as when ransomware is found by scan.
Graylist: File that is marked for a later review.
Whitelist: File that is legitimate and is not to be considered for risk scoring.
Neutral: Default status.
For more information, see Changing File Status or Remediate.
If a file is malicious or infected, you can block the file to prevent future execution on any host. Remediation helps to:
Stop or reduce the spread of identified malware, such as viruses, trojans, rootkits, worms, spyware, and adware.
Identify attempted breach points to aid in deeper analysis; all events are time-stamped allowing analysts to trace backward to identify the entry point.
Remove unwanted software, such as adware, which can potentially mask real malware.
Stop all actions possible by the loader.
You can block files with the following file extension: EXE, COM, SYS, DLL, SCR, OCX, BAT, PS1, VBS, VBE, and VB. For more information, see Changing File Status or Remediate.
Network IsolationNetwork Isolation
If you suspect that a host is potentially compromised with the threat still being active, you can isolate the host from the network and safely investigate possible threats within the host. By isolating the host, you can control the spread of an attack and analyze the malware behavior. When a host is isolated, only connection to the following IP addresses are allowed:
Endpoint Server, Relay Server, DNS, DHCP, Gateways, 0.0.0.0, and 255.255.255.255.
Other IP addresses that you include in the exclusion list.
In the isolated state, all events are reported to the Endpoint Server retaining full visibility into activities on the host. You can continue investigation by requesting scans, downloading MFT, files, and so on. The following metadata is added to the network events:
network.isolated - indicates that the host is isolated.
network.connectallowed - indicates that the network connection is allowed as the IP address is included in the exclusion list.
network.connectblocked - indicates that the network connection is blocked.
Note: If the agent is enabled for log or file collection, make sure that you add the Log Decoder IP addresses in the exclusion list while you isolate the host.
For more information, see Isolating Hosts from Network.
... View more
(Optional) Internet Content Adaptation Protocol Capture(Optional) Internet Content Adaptation Protocol Capture
Internet Content Adaptation Protocol (ICAP) is a service protocol that encapsulates HTTP messages into ICAP Messages and forwards them to an ICAP server for processing.
NwDecoder supports capturing ICAP Messages and converting the HTTP requests and responses into packets. The capture device is named icap , ICAP Server , and can be used simultaneously with other capture devices (i.e., packet capture).
ICAP Capture OptionsICAP Capture Options
The capture options are specified on Decoder in the configuration node /decoder/config/capture.params
You must restart the capture before any changes take effect.
reqmod=<bool> - By default, the Decoder will process both REQMOD and RESPMOD messages. Since the RESPMOD contains both the request and response, it may be advantageous for Decoder to ignore REQMOD messages and only process RESPMOD . If you set the reqmod=false , the Decoder will generate a request packet and response packets from a single RESPMOD message. The default behavior is equivalent to reqmod=true
client_ip=<string> - You can configure some ICAP Clients to include the originating IP address in the ICAP headers. The name of the header with this information can vary, so you can use this setting to specify the name of the client IP header. For example, client_ip=X-Client-IP would configure the Decoder to extract the IP from the X-Client-IP header. Ignoring this setting will disable searching for the header.
... View more
Upgrade to NetWitness Platform 11.7.1
This section of the documentation consists of the following topics:
Contacting Customer Care
Upgrade Preparation Tasks
Post Upgrade Tasks
Endpoint Upgrade Tasks
Enable New Features
Appendix A. Offline Upgrade Using CLI
Appendix B. Troubleshooting Version Installations and Upgrades
... View more
Introduction to Endpoint Agent InstallationIntroduction to Endpoint Agent Installation
Note: The information in this guide applies to Version 11.1 and later.
Hosts can be laptops, workstations, servers, physical or virtual, where a supported operating system is installed. An Endpoint Agent can be deployed on a host with either a Windows, Mac, or Linux operating system. The installation process involves:
(Optional) Configuring the Relay Server
Note: You must set up the default relay server before generating the Agent packager. Whenever the Relay server configuration is modified, agent policy is updated automatically. For more information on configuring the relay server, see Endpoint Configuration Guide.
Generating an agent packager
Generating the agent installer
You can run the agent installer specific to your operating system to deploy agents on the hosts. The agents collect endpoint data and tracking events from these hosts. It monitors key behaviors related to process, file, registry, console, and network, and forwards them as events to the Endpoint Server over HTTPs.
Note: The Endpoint agent can operate either in Insights or Advanced mode depending on the policy configuration. For more information, see the NetWitness Endpoint Configuration Guide.
Supported Operating SystemsSupported Operating Systems
Linux (The agent software runs on either i386 or x84_64 architecture)
Windows 10 (32 and 64-bit) (up to version 21H1)
CentOS 6.x, 7.x, and 8.x
macOS Big Sur (11 )
Windows 8.1 (32 and 64-bit)
Red Hat Enterprise Linux 6.x, 7.x, and 8.x
macOS Catalina (10.15)
Windows 8 (32 and 64-bit)
SUSE Linux Enterprise Server 12 SP3, 12 SP4, 12 SP5 and 15 SP1
macOS Mojave (10.14)
Windows 7 (32 and 64-bit)
Ubuntu 16.04 LTS, 18.04 LTS, and 20.04 LTS
macOS High Sierra (10.13)
Windows Server 2019
macOS Sierra (10.12)
Windows Server 2016
OS X El Capitan (10.11)
Windows Server 2012 R2
OS X Yosemite (10.10)
Windows Server 2012
OS X Mavericks (10.9)
Windows Server 2008 R2 (32 and 64-bit)
Hardware RequirementsHardware Requirements
The following are the minimum hardware requirements to run an agent in a host (laptops, workstations, servers, physical or virtual):
256 MB RAM
300 MB disk space
Installation FlowchartInstallation Flowchart
The following flowchart illustrates the Endpoint agent installation process:
... View more