
NetWitness Platform Getting Started Guide for 12.5.1.0

Tags: Documentation, Getting Started, PDF Documentation, Version 12.5.1

The following article contains a summary of the NetWitness® Platform Getting Started Guide for 12.5.1.0. To see the full guide, go to Attachments on this article and download the associated PDF.

Summary of the NetWitness® Platform Getting Started Guide for 12.5.1.0

This guide outlines all major sections, including platform overview, architecture, navigation, user roles, widgets, dashboards, troubleshooting, and references.

Introduction & Legal Information

This section provides information on the NetWitness® Platform User Interface.

  • Contact Information: Points users to the NetWitness® Community for documentation, support, and case management.
  • Trademarks & License: Details about RSA trademarks and licensing terms. Advises against unauthorized changes to the NetWitness® OS, warning of potential service conflicts.
  • Third-Party Licenses & Encryption: Notes inclusion of third-party software and encryption technologies, with links to relevant license agreements.
  • Distribution & Disclaimer: Usage requires a valid license; information is provided "as is" without warranties.

Getting Started with NetWitness® Platform

This section gives an overview of the NetWitness® Platform. NetWitness® is a threat detection suite for SOCs, enabling rapid threat identification and remediation. It supports both automated and manual threat hunting for analysts of all tiers.

Architecture

  • Distributed & Modular: Scalable deployment, supporting packet, log, and endpoint data collection.
  • Key Components: Decoder, Log Decoder, Concentrator, Broker, ESA (Event Stream Analysis), Server, and modular storage.
  • Deployment Flexibility: Can run on multiple hosts or a single host, including virtualized environments.
  • SIEM & Forensics: Different base configurations for SIEM and forensic use cases.

Core vs. Downstream Components

  • Core Services: Decoder, Log Decoder, Concentrator, Broker—handle data ingestion and aggregation.
  • Downstream Services: Archiver, ESA, Malware Analysis, Investigate, Reporting—provide analytics and additional capabilities.

Logging In & User Management

  • Supported Browsers: Chrome, Firefox, Edge, Safari (not IE).
  • Authentication: Supports internal/external accounts and SSO via SAML 2.0/ADFS.
  • Password Management: Users can change passwords; admins set requirements.
  • Role Assignment: User roles determine access and permissions; contact an admin if access is insufficient.

Platform Navigation

  • Main Views: Home, Springboard, Investigate, Respond, Users, Hosts, Files, Dashboard, Reports, Configure, Admin.
  • Home Page: Default for new users; features widgets for different SOC roles.
  • Springboard: To be deprecated in future releases; provides platform-wide detections.
  • Navigation: Top menu for switching views; secondary menus for additional options.
  • Common Options: Jobs, Notifications, User Preferences, User Profile, Help.

Main Functional Views

  • Home: Widgets for Admin, Analyst, Manager roles; customizable layout.
  • Springboard: Panels for incidents, alerts, risky hosts/files/users, MITRE ATT&CK tactics/techniques, indicators/enablers/behaviors of compromise.
  • Investigate: Tools for SIEM, network, and endpoint data investigation; supports event reconstruction and analysis.
  • Respond: Incident queue for triage; details for investigation, escalation, and remediation.
  • Users: Visibility into risky user behaviors; overview, entities, alerts.
  • Hosts: Lists hosts with endpoint agents; filter and analyze host events.
  • Files: Holistic view of files; filter, sort, and analyze suspicious files.
  • Dashboard: Customizable dashboards for high-level metrics and snapshots.
  • Reports: Manage and view reports relevant to SOC roles.
  • Configure: Manage data sources, content, policies, incident rules, notifications, ESA rules, custom feeds, log parsers, service topology.
  • Admin: Manage hosts, services, event sources, endpoint sources, health & wellness, system settings, security, users, PKI authentication.

Setting Up Default Views & Widgets

This section shows how to set up the default views and widgets.

  • Default View by SOC Role: Users can set their landing page based on their role (e.g., Analyst, Incident Responder, Threat Hunter, SOC Manager, Content Expert, Data Privacy Officer, System Administrator).
  • Widget Management: Add, customize, rearrange, resize, delete, and reset widgets on dashboards.
  • Admin, Analyst, Manager Views: Each role has specific widgets for monitoring incidents, alerts, retention, resource usage, suspicious endpoints/files/users/assets, MITRE ATT&CK coverage, and more.

Dashboards

  • Basics: Dashboards consist of dashlets; users can select, create, import/export, copy, share, and remove dashboards.
  • Customization: Dashlets can be added, edited, rearranged, maximized, or deleted.
  • Preconfigured Dashboards: Default, Identity, Investigation, Operations, Overview, Threat Hunting, Intrusion, Malware Indicators.
  • Sharing & Cleaning: Dashboards can be shared among roles; cleaning jobs remove unused dashboards.

User Preferences & Jobs

  • Preferences: Change language, time zone, date/time format, theme, password, notifications, context menus, default views.
  • Jobs: Manage on-demand or scheduled tasks; view, pause/resume, cancel, delete, and download jobs.

Notifications & Help

  • Notifications: System notifications for actions/events; view recent/all notifications, delete records.
  • Help: Inline help, tooltips, online documentation, NetWitness® Community resources.

Troubleshooting & References

  • Troubleshooting: Tips for common setup issues, error codes for widgets/panels, solutions for dashboard/Springboard problems.
  • References: Quick guides for user preferences, notifications, jobs, and links to NetWitness® documentation, content, integrations, hardware guides, educational services, and feedback channels.

Attachments:
nw_12.5.1.0_platform_getting_started_guide.pdf