1 - Welcome to NetWitness Insight

Provides an overview about NetWitness Insight.

NetWitness Insight is a SaaS solution available as an extension for NetWitness Network Detection & Response (NDR) customers. It is an advanced analytics solution that uses unsupervised machine learning to support the response of the Security Operations Center (SOC) team. NetWitness Insight continuously examines network data collected by the Decoder to actively discover, profile, categorize, characterize, prioritize, and track all assets.

NetWitness Insight passively identifies all assets in the environment and alerts analysts of their presence. The discovered assets are automatically categorized into groups of similar servers and prioritized based on their network profiles. These assets are presented to analysts to guide them to focus on certain assets to protect their organization.

NetWitness Insight enables you to do the following:

  • Discover and characterize assets.
  • Monitor critical assets.
  • Leverage the security operations team to triage based on prioritization.

2 - NetWitness Insight Use Cases

Provides information about NetWitness Insight use cases.

NetWitness Insight provides advanced analytics capabilities to alert organizations about risky and anomalous assets.

Analysts must scan through billions of network sessions and IP addresses to protect their organization, searching for threats and anomalies. This is where NetWitness Insight passively identifies the assets in the enterprise to alert analysts of their presence. The discovered assets are automatically categorized into groups of similar servers and prioritized based on their network profiles. These assets are presented to analysts to guide them to focus on specific assets to protect their organization.

Use Cases

The following are typical use cases for NetWitness Insight:

  • Provides asset discovery and characterization.
  • Provides asset exposure rank.
  • Provides efficiency in security operations through triage based on prioritization.

3 - NetWitness Insight Architecture

Provides information about NetWitness Insight architecture.

NetWitness Insight enables analysts to get complete visibility into unknown assets and can help increase the visibility of the assets within the organization.

NetWitness Insight uses custom machine learning to process the data. The Insight Sensor collects the network metadata from the Packet Decoder and transfers metadata to the NetWitness Cloud every hour. The NetWitness Cloud merges all the network metadata received from different Insight sensors in a customer environment and provides a unified view of their network to the analysts for analysis in the Springboard assets panel view.

The Springboard assets panel queries the Cloud Connector Sensor for asset data. Cloud Connector Sensor retrieves asset data from the NetWitness Cloud and transfers it to Springboard. This helps analysts to drill down the assets data for further investigation and take immediate action.

NetWitness Insight uses unsupervised learning techniques applied to traffic associated with the assets to determine the type and significance of the asset. The services, clients, and external clients are the parameters aggregated to determine the total traffic of an asset. NetWitness Insight also computes custom importance ranks reflecting asset exposure and activity ranks so that security teams can use them to prioritize and triage incidents.

4 - About NetWitness Insight licenses

Provides information about NetWitness Insight licenses.

NetWitness Insight licenses are valid for the time period associated with the license purchase. NetWitness Insight provides a customer-focused licensing strategy and is available for NDR customers.

The following pricing is annual and can be billed monthly:

Product | Unit
NetWitness Insight (SaaS only) | Analytics for up to 5 million IPs per day

For additional licenses, contact NetWitness Customer Support.

See also

Log in to your NetWitness Cloud Portal

5 - Log in to the NetWitness Cloud Portal

Provides information on how to access the NetWitness Cloud Portal.

The NetWitness Cloud Portal provides administrators with the capability to manage and monitor Insight services for their account.

Prerequisites

Before you log on to the NetWitness Cloud Portal, ensure that you have received an email from NetWitness containing the account URL link.

To log in to the NetWitness Cloud Portal

  1. Click on the URL provided in the NetWitness Cloud Portal welcome email.

    The NetWitness Cloud Portal home page is displayed.

  2. Enter your registered email ID and the temporary password in the respective fields. As this is your first login, the page prompts you to reset your password.

  3. Enter the new password, and confirm the same. Review the password format rules and ensure that your new password conforms to them.

  4. Click Sign In.

6 - Change NetWitness Cloud Portal Account Password for Insight

Provides information on changing NetWitness Cloud Portal account password for Insight.

Your NetWitness Cloud Portal account password is used for identification and authentication.

You can change your NetWitness Cloud Portal account password at any time. The password is valid for 90 days. Once the password is expired, you need to change your password. You can get an authentication code using your registered email address or your registered phone number.

If you have received a notification that your NetWitness Cloud Portal account password is about to expire, you must change your password.

Make sure that you enable Multi-Factor Authentication (MFA). To enable MFA, go to your Profile, and under Account Password, turn on Multi-Factor Authentication.

To change or reset your NetWitness Cloud Portal Account Password

  1. In the NetWitness Cloud Portal login window, click Reset Password.

    The Reset Password window is displayed.

  2. Type the reset code that you received on your registered email address or phone number.

  3. Type your new password.

  4. Type your new password again to confirm.

  5. Click Save.

See also

Log in to the NetWitness Cloud Portal

7 - Check System Status

Provides information about how to check the Insight operational health status.

Users can check the operational health status or service availability of NetWitness Insight. The operational health status indicates if all the services and integrations are operational or experiencing any disruptions. The service disruptions may be caused by server maintenance activity, regional network outages, or cloud vendor outages. These service disruptions are recorded as Incidents and displayed on Statuspage.

Users can also subscribe to receive email or Slack notifications whenever an incident occurs.

To Check the Health Status of NetWitness Insight

  1. Log in to the NetWitness Cloud Portal.

  2. Click the Operational Health Status icon (View System Status). The System Status tiles are displayed.

    • Sensors Status: Displays the connected or disconnected sensor count.
    • Operational Health: Displays the operational health details for NetWitness Insight. Status is indicated as below:

      Color | Status
      Green | Indicates that NetWitness Insight is operational
      Yellow | Indicates that Statuspage service is unavailable
      Red | Indicates that NetWitness Insight is experiencing service disruptions in the region where it is deployed

  3. If you observe that some services and/or integrations of NetWitness Insight are non-operational or experiencing service disruptions, click the Operational Health tile or visit the NetWitness Statuspage to learn more about the service disruptions.

Users can see the uptime for the past 90 days and the Incidents list on Statuspage. If there is any recorded incident on a particular day, the status bar for that day is displayed in red. Click View historical uptime to see the service’s historical uptime beyond 90 days.

Subscribe to System Status Update

Users can subscribe to receive email or Slack notifications whenever NetWitness SaaS Operations team creates, updates, or resolves an Incident for NetWitness Insight.

To Subscribe to the System Status Updates

  1. Click Subscribe to Updates on the NetWitness Statuspage.

Note

Users will receive operational status notifications for all NetWitness Cloud Services upon subscription, regardless of licensed usage.

  2. If you want to receive system status updates by email, click the Email icon.
    Enter the email address on which you want to receive notifications and click Subscribe via Email.

  3. If you want to receive system status updates over Slack, click the Slack icon.
    Click Subscribe via Slack. You will be redirected to the Slack Sign in to your workspace page. Follow the online instructions and provide the required details to complete the sign-in and subscription process.

Note

If you do not know the Workspace URL, see Locate your Slack URL.

See also

Install Insight Sensor

8 - Setup and Manage Insight Administrators

Provides information on how to set up and manage Insight administrators.

Once the tenant administrative user of an organization is onboarded into NetWitness Cloud Portal, the administrative user can perform the following tasks:

  • Manage other administrative users - add, delete, enable and disable administrators, and update the profiles.
  • Install, configure, and manage sensors.
  • Configure and manage multi-factor authentication (MFA) for administrators.
  • Temporarily enable or disable access to other administrators, instead of deleting them permanently.

Use the following table as a guide to the user management tasks that you can perform.

User Management Tasks in NetWitness Cloud Portal

Task | Description
Add an administrator | See Add Additional Administrators
Edit account settings | See Edit User Account Settings
Delete an administrator | See Remove an Administrator
Multi-factor user authentication | See Enable Multi-Factor Authentication for Insight

Add Additional Administrators

To add an administrative user

  1. Go to Admin > Users Management > Users.

    The Users and Roles page is displayed.

  2. Click Add User.

    The Add User window is displayed.

  3. Enter your first name, last name, email ID, and mobile number in the respective fields.

  4. Click Add.

Edit User Account Settings

As an administrator, you can update the user account settings for the administrators who are configured in the system. You must ensure that the contact information of administrative users is specified so that the user receives notifications on this contact number.

Note

The mobile number you specify here must be valid as it will be used for multi-factor authentication for the user. For more information on multi-factor authentication, see Enable Multi-Factor Authentication for Insight.

To edit the administrator account settings

  1. Go to Admin > Users Management > Users.

    The Users and Roles page is displayed.

  2. Select the user, and click Edit Details.

    The Edit Details page is displayed.

  3. Edit the first name, last name, and mobile number of the user in the respective fields.

  4. Click Save.

If you are logged in and you want to edit your contact information, update your user profile by going to User Account > Profile.

Remove an Administrator

As an administrator, you can remove the account details and access privileges for other administrators.

To delete an administrator

  1. Go to Admin > Users Management > Users.

    The Users page is displayed.

  2. Click Delete User.

Enable or Disable Access for Users

You can enable or disable access for users. When you disable access for a specific user, the user cannot access the NetWitness Cloud Portal account.

If a user is logged in to NetWitness Cloud Portal and the user access is disabled, the user can continue to access NetWitness Cloud Portal until the session times out.

To enable access for a user

  1. Log in to the NetWitness Cloud Portal.
  2. Go to Admin > Users Management > Users.
  3. Under the Users tab, select a user and click Enable User.
  4. To confirm, click Enable.

To disable access for a user

  1. Log in to the NetWitness Cloud Portal.
  2. Go to Admin > Users Management > Users.
  3. Under the Users tab, select a user and click Disable User.
  4. To confirm, click Disable.

See also

Enable Multi-factor Authentication for Insight

9 - Enable Multi-factor Authentication for Insight

Provides information on how to enable multi-factor authentication for Insight.

NetWitness offers multi-factor authentication (MFA), which adds a layer of credentials to secure your identity and manage access. If you enable MFA, the administrative user is prompted for additional identification at login, such as a verification code sent to the mobile number or a mobile authentication application.

To Configure MFA

  1. Go to Admin > Account Settings > Multi-Factor Authentication. The Multi-Factor Authentication page is displayed.
  2. Select ON, OFF, or OPTIONAL as per your requirement.

The following table provides information on the different MFA settings that NetWitness Cloud Portal offers:

Multi-Factor Authentication Settings

MFA Setting | Description
ON | Select ON to activate MFA. A secret code will be sent to the registered email account of the new administrators. Administrators can log in to their account, and choose between the secret code or an authentication mobile application as their preferred authentication method.
OFF | Select OFF to deactivate MFA. Administrators can log in to their account with their registered email ID and password.
OPTIONAL | Select OPTIONAL if you want to let the administrators decide if they want to activate or deactivate MFA for their accounts.

See also

Setup and Manage Insight Administrators

10 - Configure Email Notification Preferences for Insight

Provides information on how to configure email notification preferences for Insight.

NetWitness Cloud Portal provides the Email Notifications setting, which allows administrators to manage email notification preferences for Sensor Status and License Usage. Using this setting, administrators can turn email notifications on or off as needed, giving them more control and flexibility in managing notifications.

Note

  • By default, the email notifications for License Usage are enabled, and email is sent to the users registered to the NetWitness Cloud Portal.
  • By default, the email notifications for Sensor Status are disabled, and emails related to sensor status are not sent to the users. However, you can enable these notifications anytime to start receiving them.

Important

Enabling or disabling email notifications only affects the logged-in user, as it is not a global setting.

To Adjust the Email Notification Preferences

  1. Log in to the NetWitness Cloud Portal.

  2. Click on your name or avatar located in the top-right corner, then click Profile (example@netwitness.com).

  3. On the left sidebar, click Email Notifications.
    The Email Notifications page is displayed.

  4. To enable a notification email, turn the toggle on.

  5. To disable a notification email, turn the toggle off.

Configure email notification preferences within the NetWitness Cloud Portal for the following events:

Notification Type | Description
Sensor Status | This setting allows administrators to receive email notifications when the status of each sensor changes under the Sensor List tab. For example, if a sensor gets disconnected, you will receive an email notification.
License Usage | This setting allows administrators to receive email notifications when their data ingestion exceeds the daily limit based on the configured license.

See also

Enable Multi-factor Authentication for Insight

11 - Planning Requirements

Provides information about system requirements and various prerequisites.

Before you install the sensors, you must plan for the following:

  • The NetWitness Platform (Admin Server and Packet Decoder Host) is on version 12.3 or later.

  • Customers must have a NetWitness Cloud tenant account with entitlements that allow NetWitness Insight capability.

  • Ensure you have administrator access to the NetWitness Cloud Portal.

  • The host on which the Insight Sensor and Cloud Connector Sensor will be installed needs to be connected to Amazon Web Services (AWS). This might require changes to your existing firewall rules. Hosts will need to connect to the IP ranges for the chosen deployment region. For more information on the current list of AWS IPs by region, see AWS IP address ranges.

  • If a proxy is identified as either the source or destination of network connections, it can limit the effectiveness of NetWitness Insight, whether it’s North-South (outbound) or East-West (lateral) traffic.

    • When a proxy is used as the source of a connection, all internal assets will appear to have the same IP addresses, as all connections are considered to originate from the same source. This can make it difficult to track the true source of connections and obtain accurate ranks, types, and categorizations.

    • When a proxy is used as the destination of a connection, all the connections will appear to be going toward the same destination. This can also cause difficulties in obtaining accurate ranks, types, and categorizations.

  • To classify assets effectively, you must decrypt the network traffic. Encrypted traffic is captured as an SSL category, so Insight does not have complete visibility into the data.

  • For organizations that do not follow RFC 1918 for private IP addresses, you must configure the Traffic Flow LUA parser to tag the Decoder traffic correctly. For more information on configuration, see the topic Traffic Flow LUA Parser.

  • If users are running Port Scanners in their environment, it is important to remember that these Port Scanners can generate significant traffic. Such traffic could impact the NetWitness Analytics and result in misclassification of servers as clients, affecting enterprise network exposure, peer network exposure rankings, asset category, and detection accuracy for each asset. To prevent network asset misclassification, contact NetWitness Customer Support and provide them with the list of Port Scanner IPs. Your information will be used by NetWitness Analytics to improve asset identification and classification.

  • If users do not follow the RFC 1918 standard and use a different standard to define their internal IP addresses, NetWitness Analytics may not recognize them correctly. As a result, some internal assets may be classified as external assets or vice versa. To avoid this issue, contact NetWitness Customer Support and provide them with your internal IP ranges. Your information will be used by NetWitness Analytics to improve asset identification and classification.

  • Ensure that the analysts have write (manage) access to create the Springboard panel. For more information, see the Springboard section in the Role Permissions topic in the System Security and User Management Guide.

  • Ensure that the system clock is accurate. To fix the system clock, configure the NTP server on the Admin server. For more information on how to configure NTP server, see Configure NTP Servers.
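
The RFC 1918 planning items above can be checked before deployment. The following is an added example, not NetWitness code: it takes a constructed inventory of internal ranges and returns the portions that fall outside RFC 1918, which are the ranges that would need the Traffic Flow LUA parser configuration or a report to Customer Support. The function names and sample ranges are assumptions.

```python
import ipaddress

# RFC 1918 private blocks: the ranges treated as internal by default.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def non_rfc1918_parts(cidr):
    """Return the portions of an IPv4 network that lie outside RFC 1918.

    An empty list means the whole range is RFC 1918 space. A range that
    contains a private block (for example a /8 around 172.16.0.0/12) is
    split so that only the outside portion is returned.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError(f"{cidr}: RFC 1918 defines IPv4 ranges only")
    remaining = [net]
    for private in RFC1918:
        next_remaining = []
        for piece in remaining:
            if piece.subnet_of(private):
                continue  # fully inside a private block, nothing to report
            if private.subnet_of(piece):
                # piece strictly contains the private block: carve it out
                next_remaining.extend(piece.address_exclude(private))
            else:
                next_remaining.append(piece)  # CIDR blocks nest or are disjoint
        remaining = next_remaining
    return sorted(ipaddress.collapse_addresses(remaining))


def ranges_to_report(internal_cidrs):
    """Map each declared internal range to the parts outside RFC 1918."""
    report = {}
    for cidr in internal_cidrs:
        outside = non_rfc1918_parts(cidr)
        if outside:
            report[cidr] = [str(n) for n in outside]
    return report


# Constructed sample inventory (hypothetical, not from the page).
SAMPLE_INTERNAL = [
    "10.20.0.0/16",     # RFC 1918
    "192.168.10.0/24",  # RFC 1918
    "172.32.0.0/16",    # just past the end of 172.16.0.0/12
    "100.64.0.0/10",    # shared address space (RFC 6598), not RFC 1918
    "192.168.0.0/15",   # supernet: only half of it is RFC 1918
    "198.51.100.0/24",  # documentation range standing in for reused public space
]

if __name__ == "__main__":
    for declared, outside in ranges_to_report(SAMPLE_INTERNAL).items():
        print(f"{declared}: outside RFC 1918 -> {', '.join(outside)}")
```
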

Important

NetWitness recommends that users upgrade to version 12.4.1 or later to benefit from the significant improvements made to Insight.

Important

  • From version 12.4 onward, NetWitness no longer supports CentOS 7 and only supports Alma OS. For the Insight and Cloud Connector Sensors to upgrade to version 12.4 from lower versions, all NetWitness Platform services must be upgraded to version 12.4. This step ensures a successful upgrade for the sensors. For more information on upgrade, see NetWitness Upgrade Guide 12.4.
  • For users onboarded on version 12.4, you must follow the installation procedures to deploy the sensors. For more information, see topics Install Insight Sensor and Install the Cloud Connector Sensor.

Important

If the Cloud Connector Server is found inactive while performing the failover on the Admin Server, you must uninstall the Cloud Connector Service by running the script /var/lib/netwitness/cloud-connector-server/nwtools/uninstall-cloud-connector.sh from the Admin Server backend. (Note: If you still see the Cloud Connector Service in the UI after running the uninstall script, restart the jetty service.) Once the service is successfully uninstalled, reinstall the Cloud Connector Sensor from the UI so that it works correctly. For more information on installation, see Install the Cloud Connector Sensor.

You can install Insight Sensor on the following hosts:

Model Category
S5/S6/S6E/Virtual Packet Decoder
Packet Hybrid

NetWitness has tested and qualified the Packet Hybrid and Packet Decoders for NetWitness Insight.

The following table represents the qualified capture rate for Packet Hybrid and Packet Decoder.

Host Type | Qualified Capture Rate in Gbps
Packet Hybrid | up to 1.5
Packet Decoder | up to 6*

Note

*For more information on Packet Decoders with 10G configuration, see topic Configure High Speed Packet Capture Capability (Version 11.6 and Later) in the Decoder Configuration Guide.
