.png?width=180&height=32&name=NW%20Logo%20(2).png){kind=small}
Hosts View - Details TabHosts View - Details Tab
Note: The information in this topic applies to NetWitness Version 11.1 and later.
The Details tab provides details of the selected host. To access this view, go to Hosts view, and select a host.
Workflow
What do you want to do?
- User Role: Threat Hunter
- I want to ...: review hosts with highest risk score*
- Show me how:
- User Role: Threat Hunter
- I want to ...: analyze hosts*
- Show me how: Investigating Hosts
- User Role: Threat Hunter
- I want to ...: perform adhoc scan*
- Show me how:
- User Role: Threat Hunter
- I want to ...: review host details*
- Show me how:
- User Role: Threat Hunter
- I want to ...: search files on host*
- Show me how: Search Files on Host
- User Role: Threat Hunter
- I want to ...: analyze processes*
- Show me how:
- User Role: Threat Hunter
- I want to ...: review reported anomalies
- Show me how:
- User Role: Threat Hunter
- I want to ...: analyze risky users*
- Show me how: Analyzing Risky Users
- User Role:
Threat Hunter
- I want to ...:
analyze events*
- Show me how:
- User Role: Threat Hunter
- I want to ...: download files for deeper analysis
- Show me how: Analyzing Downloaded Files
- User Role: Threat Hunter
- I want to ...: perform external lookups
- Show me how: Launch an External Lookup for a File
- User Role: Threat Hunter
- I want to ...: change file status or remediate
- Show me how: Changing File Status or Remediate
- User Role: Threat Hunter
- I want to ...: isolate host from network*
- Show me how: Isolating Hosts from Network
- User Role: Threat Hunter
- I want to ...: download MFT*, system dump, or process dump*
- Show me how: Performing Host Forensics
*You can perform this task in the current view.
Related Topics
- Focusing on Endpoint Analysis
- Investigating Hosts
- Analyzing Events
- Performing Host Forensics
- Isolating Hosts from Network
Quick Look
Below is an example of the Details tab:
- Column 1: 1
- Column 2:
Agent and Scan Details. You can view the following agent and scan details of the selected host:
Host name - Name of the host. For example, WIN-ABC.
Risk score - Risk score of the host.
Operating System - Operating system on which the agent is running (Linux, Windows, or Mac).
Agent Scan Status - Current status of the scan - Idle, Scanning, Starting Scan, or Stopping Scan. For more information, see Scan Hosts.
Agent Last Seen - Time when the agent last communicated with the Endpoint server.
Agent Version - Version of the agent. For example, 11.3.0.0.
Analyze Events - Lets you investigate a particular host, IP address, username, filename, or hash to get the entire context of the activity. For more information, see Analyzing Events.
More - Provides options to:
- Start a scan for the selected hosts. For more information, see Scan Hosts.
- Extracts host attributes and endpoint data to a JSON file of the selected snapshot. For more information, see Export Host Attributes.
- Isolation host from the network. For more information, see Isolating Hosts from Network.
- Download MFT to the server. For more information, see Performing Host Forensics.
- Download System Dump to the server. For more information, see System and Process Memory Dump.
-
Perform remediation actions using the Remote Shell option. For more information, see Performing Host Forensics.
Snapshot Time - Lists scanned time stamps. To view the scan history, you can select the snapshot time from the drop-down menu.
- Column 1: 2
- Column 2: Search files on host. Lets you search the files on the host (file name, file path, and SHA-256 checksum). For more information, see Search Files on Host.
- Column 1: 3
- Column 2: Show/Hide Right Panel - Displays host and policy details panel.
- Column 1: 4
- Column 2:
Host Details Panel - Displays all properties of the selected host. It is grouped as follows:
Groups - Groups on which the host is added on.
User - Information related to the user.
Network Interfaces - Network adapter information, such as Mac Address, Gateway.
Operating System - Operating system version and build information.
Agent - Agent-related information, such as agent ID, driver error code, install time, and agent mode.
Hardware - Information related to the architecture.
Locale - Time zone and language that is local to the host.
- Column 1: 5
- Column 2:
Policy Details Panel - Displays the following:
- Policy Status -
- Updated - Host has the latest policy.
- Pending - Policy is resolved but the latest policy is not updated on the host. When the host communicates with the Endpoint server next time, the latest policy is applied if there are no errors.
- Unavailable - Hosts that belong to previous versions, such as NetWitness Platform 11.1 or 11.2, or the source server is not installed.
- Error - Problem applying the latest policy along with the error description.
- Blocked Hashes Status -
- Updated - Host has the latest blocked hashes.
- Pending - Hashes are blocked but the latest hashes are not updated on the host. When the host communicates with the Endpoint server next time, the latest hashes are applied if there are no errors.
- Evaluated Time - Time when the Endpoint server evaluated the policy.
- Relay Server. Displays the Relay Server details.
- Server - Host name or IP address of the Relay Server.
- Port - Port number.
- HTTP Beacon Interval - HTTP beacon interval value in minutes.
- Complete resolved policy settings. For more information, see "Managing Policies" in the NetWitness Endpoint Configuration Guide.
Note: The values that are not set in the policy are not displayed.
- Policy Status -
- Column 1: 6
- Column 2:
Alerts Severity - Displays list of distinct alerts, such as Critical, High, Medium and All, along with the total number of events associated with the alert.
- Column 1: 7
- Column 2:
Displays events for an alert and metadata associated with a specific event. For more information, see Analyze Hosts Using the Risk Score.