What Is NetWitness Investigate
NetWitness audits and monitors all traffic on a network. One type of service--a Decoder--ingests, parses, and stores the packets, logs, and endpoint data traversing the network. The configured parsers and feeds on the Decoder create metadata that analysts can use to investigate the ingested logs and packets. Another type of service, called a Concentrator, indexes and stores the metadata. NetWitness Investigate provides the data analysis capabilities in NetWitness, so that analysts can analyze packet, log, and endpoint data, and identify possible internal or external threats to security and the IP infrastructure.
About This Guide
This guide provides end-to-end guidelines for all members of the SOC team to configure NetWitness Investigate and to investigate log and network events. End-to-end guidelines for investigating endpoints and user entity behavior using NetWitness Investigate are provided in separate documents:
Getting Help with NetWitness Platform
There are several options that provide you with help as you need it for installing and using NetWitness:
- See the documentation for all aspects of NetWitness here: https://community.netwitness.com/s/netwitness-platform-documentation
- Use the Search and Create a Post fields in the NetWitness Community portal to find specific information here: https://community.netwitness.com/t5/netwitness-discussions/bd-p/netwitness-discussions
- See the NetWitness Knowledge Base: https://community.netwitness.com/t5/netwitness-knowledge-base/tkb-p/netwitness-knowledge-base
- See the Troubleshooting section in the guides.
- See also NetWitness® Platform Blog Posts.
- If you need further assistance, contact NetWitness Support.
Use these links to access documentation that is not related to a particular version of the software:
- Hardware setup guides: https://community.netwitness.com/t5/netwitness-platform-hardware/tkb-p/netwitness-hardware-documentation
- Documentation for content such as feeds, parsers, application rules, and reports: https://community.netwitness.com/s/netwitness-platform-documentation
Getting Started
The following tasks can be performed in any sequence and are for the entire SOC team.
Setup, Installation, or Upgrade
No special setup, installation, or upgrade tasks are required for Investigate; it is part of NetWitness Platform for Logs and Network. However, setup is required for several components with which NetWitness Investigate works if you plan to do this type of analysis. These tasks are for the Administrator, and the SOC Manager may want to understand the setup.
System-Level Configuration
Administrators configure system-level preferences for NetWitness Investigate. These tasks are for the Administrator and can be performed in any sequence. SOC Managers should understand the possible configuration options.
User Preference Configuration
The following tasks are for Threat Hunters, Content Experts, Incident Responders, and SOC Managers. The tasks can be performed in any sequence.
Investigation
Different types of investigation may be handled by analysts with different skill levels and goals.
- Incident Responders (T1 Analysts) typically pivot to Investigate from NetWitness Respond to find detailed information about an incident so that they can respond to and remediate incidents.
- Threat Hunters (T2/T3 Analysts) typically peruse events, metadata, and raw content so that they can recommend issues for remediation and remediate issues.
- Content Experts (Threat Intelligence) typically peruse events, metadata, raw content, user and host data, and UEBA data so that they can investigate new threat intelligence, evaluate and create new feeds, and create correlation rules to flag indicators of compromise.
- SOC Managers need to understand the use cases.
Maintenance
The administrator can perform the following tasks in any sequence.