View Contextual Information for an Asset

NetWitness empowers analysts with the capability to perform context lookups for assets, accessible through the Investigate > Events and Respond pages. By leveraging Context Lookup, analysts can examine an asset’s Network Behavior and determine its criticality. Contextual information plays a pivotal role in enabling analysts to comprehend the asset’s value, evolving categorization, and associated behaviors. This information enables analysts to make informed decisions and take timely, appropriate actions throughout their analysis. The Context Lookup panel showcases contextual information related to the selected asset, with the available data based on the configured sources within the Context Hub.

To perform a Context Lookup for an Asset from the Events view

  1. Log in to the NetWitness Platform.

  2. Go to Investigate > Events.

  3. On the Query search bar, enter the IP address of the asset whose context data you want to view, and click the search icon to load events in the Events panel.

    A query is executed in the Events panel, and matching events are listed.

  4. In the Events panel, left-click or right-click the IP address.

    A Context Highlights dialog is displayed.

    View network behavior panel for assets

  5. Click Network Exposure.

    The Network Behavior panel of the asset is displayed.

    View network behavior panel for assets

    The Network Behavior panel offers a comprehensive overview of an asset’s network activity, providing valuable insights for analysts seeking to understand its communication with other network assets. Using sparklines, analysts can quickly understand recent changes in network behavior over time. In addition, the panel provides contextual information, including exposure rank, categorization, and behavioral patterns, which serve as powerful tools for in-depth analysis, enabling the identification of potential risks and vulnerabilities associated with the asset.

The Network Behavior panel provides the following information about the asset:

View network behavior panel for assets

Enterprise Network Exposure

The enterprise network exposure helps analysts determine asset criticality in relation to all other assets within the enterprise. It is determined by an in-built algorithm that calculates a rank for each asset, taking into account multiple factors, such as the number of services exported by the asset, as well as the quantity of internal and external IP addresses that connect to it. This enables the analysts to gain a comprehensive understanding of an asset’s significance within the enterprise network, allowing them to prioritize resources and make informed decisions accordingly.

The Enterprise Network Exposure has two values:

  • Exposure Rank Highlights

    An asset’s rank is established by evaluating its exposure value, a metric derived from the combined analysis of the services it exposes and the volume of internal and external traffic it handles. The resulting rank indicates the asset’s criticality relative to all other assets within the network. The sparkline offers a concise overview of the rank trend, enabling analysts to quickly identify whether the rank is increasing, decreasing, or holding steady. A lower rank indicates a higher level of criticality, highlighting the asset’s importance. For example,

    • An asset with a rank of 10 / 200 means that the asset ranks 10th among 200 total assets, where 9 assets have a higher exposure than this asset, and 190 have lower exposure. This determination is influenced by a combination of the following factors:

      • The asset might expose a lot of services compared to other assets.
      • The asset might be handling a lot of traffic compared to other assets.
    • An asset with a rank of 190 / 200 means that the asset ranks 190th among 200 total assets, where 189 assets have a higher exposure than this asset, and 10 have lower exposure. This determination is influenced by a combination of the following factors:

      • The asset might not expose a lot of services compared to other assets.
      • The asset might not handle a lot of traffic compared to other assets.
  • Exposure Rank (Percentile)

    The exposure rank percentile provides a valuable measure of an asset’s significance, represented as a percentile. This percentile reflects the asset’s level of criticality within the network. A higher percentile indicates a greater degree of criticality, highlighting the asset’s importance. For example,

    • An asset with an exposure value in the 90th percentile is regarded as having a high level of criticality. This means that the asset’s exposure is higher than 90% of all other assets and only 10% of assets have a higher exposure than this asset. This determination is influenced by a combination of the following factors:

      • The asset might expose a lot of services compared to other assets.
      • The asset might be handling a lot of traffic compared to other assets.
    • An asset with an exposure value in the 10th percentile is regarded as having a lower level of criticality. This means that the asset’s exposure is higher than only 10% of all other assets and that 90% of assets have a higher exposure than this asset. This determination is influenced by a combination of the following factors:

      • The asset might not expose a lot of services compared to other assets.
      • The asset might not handle a lot of traffic compared to other assets.

Peer Network Exposure

Note

A network peer group refers to a subset of assets within a larger network with similar characteristics and functionalities. For example, all the FTP servers in an organization would be considered a peer group.

The peer network exposure helps analysts in assessing asset criticality, similar to the Enterprise Network Exposure, but with a focus on assets within the asset peer group. A dedicated in-built algorithm is used to determine the peer network exposure rank for each asset, taking into consideration its relation to assets of the same type and category. The rank calculation is based on factors such as the number of services exported by the asset and the count of internal and external IP addresses that connect to these services. By leveraging this indicator, analysts gain insights into an asset’s relative criticality within its peer group, enabling them to prioritize resources and make informed decisions accordingly. The peer network exposure has two values:

  • Exposure Rank Highlights

    The rank of an asset within a group of assets sharing the same type and category is determined by evaluating the asset’s level of exposure in comparison to all other asset IPs within the peer group. The sparkline offers a concise overview of the rank trend, enabling analysts to quickly identify whether the rank is increasing, decreasing, or holding steady. A lower rank signifies a higher level of importance within the peer group, indicating that the asset has a more significant presence and impact compared to others in the same category. For example,

    • An asset with a rank of 10 / 200 means that the asset ranks 10th among 200 peer assets, where 9 assets have a higher exposure than this asset, and 190 have lower exposure. This determination is influenced by a combination of the following factors:

      • The asset might expose a lot of services compared to other assets within its peer group.
      • The asset might be handling a lot of traffic compared to other assets in its peer group.
    • An asset with a rank of 190 / 200 means that the asset ranks 190th among 200 peer assets, where 189 assets have a higher exposure than this asset, and 10 have lower exposure. This determination is influenced by a combination of the following factors:

      • The asset might not expose a lot of services compared to other assets within its peer group.
      • The asset might not handle a lot of traffic compared to other assets in its peer group.
  • Exposure Rank (Percentile)

    The exposure rank percentile provides a means to evaluate the criticality of an asset by comparing it to other assets within its peer group that share the same type and category. Expressed as a percentile, it reflects the asset’s level of criticality relative to other assets. A higher percentile indicates that the asset is more critical compared to other assets in the same group. For example,

    • An asset with an exposure value in the 90th percentile is regarded as having a high level of criticality. This means that the asset’s exposure is higher than 90% of all other peer assets and only 10% of assets have a higher exposure than this asset. This determination is influenced by a combination of the following factors:

      • The asset might expose a lot of services compared to other assets in its peer group.
      • The asset might be handling a lot of traffic compared to other assets in its peer group.
    • An asset with an exposure value in the 10th percentile is regarded as having a lower level of criticality. This means that the asset’s exposure is higher than only 10% of all other peer assets and that 90% of assets have a higher exposure than this asset. This determination is influenced by a combination of the following factors:

      • The asset might not expose a lot of services compared to other assets in its peer group.
      • The asset might not handle a lot of traffic compared to other assets in its peer group.

Peer Network Activity

Note

  • A network peer group refers to a subset of assets within a larger network with similar characteristics and functionalities. For example, all the FTP servers in an organization would be considered a peer group.

  • The activity rank of an asset is defined only if the asset has a defined category. Assets of type Undefined, Client, MSMC, MSSC, and MSFC do not have a defined category and, therefore, will not have an activity rank relative to the peer group.

The peer network activity rank evaluates the level of asset popularity within its peer group. Asset activity is determined using a dedicated in-built algorithm that takes into account the total number of unique IP addresses connecting to the asset in relation to its peers. The peer network activity has two values:

  • Activity Rank Highlights

    The activity rank of an asset is determined by its popularity among its peer group. The sparkline offers a concise overview of the rank trend, enabling analysts to quickly identify whether the rank is increasing, decreasing, or holding steady. The rank is calculated using the in-built algorithm that considers the total number of unique client IPs making requests for services associated with the peer group that the asset belongs to. For example,

    • An asset with a rank of 10 / 200 means that the asset ranks 10th among 200 peer assets, where 9 peer assets have higher activity levels than this asset, and 190 have lower activity levels. This determination is influenced by the following factor:

      • The total number of unique IP addresses connecting to the asset.
    • An asset with a rank of 190 / 200 means that the asset ranks 190th among 200 peer assets, where 189 peer assets have higher activity levels than this asset, and 10 have lower activity levels. This determination is influenced by the following factor:

      • The total number of unique IP addresses connecting to the asset.
  • Activity Rank (Percentile)

    The activity rank percentile provides a percentile-based measure to evaluate the level of activity displayed by an asset within its peer group. It serves as a valuable tool for understanding the importance of an asset within its peer group. A high activity rank percentile indicates that the asset is more active in comparison to other assets in the same peer group. For example:

    • An asset with a value in the 90th percentile indicates a high level of activity. This means that the asset’s activity is higher than 90% of all other peer assets and only 10% of assets have a higher activity than this asset.

    • An asset with a value in the 10th percentile indicates a relatively low level of activity. This means that the asset’s activity is higher than only 10% of all other peer assets and that 90% of assets have a higher activity than this asset.
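The rank and percentile mechanics described above for Enterprise Network Exposure, Peer Network Exposure, and Peer Network Activity can be made concrete with the following added example; it is not NetWitness code, and the exposure values and category labels in it are constructed. NetWitness's own exposure formula is not on this page, so the example takes the per-asset exposure (or unique-client count, for activity) as a given number and only shows how rank, "higher/lower" counts, percentile, and the sparkline direction follow from it, both enterprise-wide and within a peer group.

```python
from collections import defaultdict

# Constructed sample: asset IP -> (category / peer group, exposure value).
ASSETS = {
    "10.0.0.1": ("HTTP", 900),
    "10.0.0.2": ("HTTP", 400),
    "10.0.0.3": ("HTTP", 100),
    "10.0.0.4": ("FTP", 700),
    "10.0.0.5": ("FTP", 50),
}


def rank_group(values):
    """Rank a dict ip -> value; rank 1 is the highest value.
    Ties are broken by IP string order (assumption; the page does not say)."""
    ordered = sorted(values, key=lambda ip: (-values[ip], ip))
    total = len(ordered)
    result = {}
    for idx, ip in enumerate(ordered):
        rank = idx + 1
        lower = total - rank                  # assets ranked below this one
        result[ip] = {
            "rank": rank, "total": total,
            "higher": rank - 1, "lower": lower,
            # "90th percentile" = higher than 90% of the others, so percentile = lower / total
            "percentile": round(100 * lower / total),
        }
    return result


def enterprise_exposure(assets):
    """Rank every asset against all other assets in the enterprise."""
    return rank_group({ip: exp for ip, (_, exp) in assets.items()})


def peer_exposure(assets):
    """Rank each asset only against assets in the same category (its peer group)."""
    groups = defaultdict(dict)
    for ip, (category, exp) in assets.items():
        groups[category][ip] = exp
    result = {}
    for members in groups.values():
        result.update(rank_group(members))
    return result


def rank_trend(daily_ranks):
    """Direction a rank sparkline shows, comparing the latest rank with the earliest."""
    if daily_ranks[-1] < daily_ranks[0]:
        return "decreasing"   # rank number falling toward 1: asset becoming more critical
    if daily_ranks[-1] > daily_ranks[0]:
        return "increasing"
    return "consistent"


if __name__ == "__main__":
    for ip, detail in enterprise_exposure(ASSETS).items():
        print(ip, "enterprise", detail)
    for ip, detail in peer_exposure(ASSETS).items():
        print(ip, "peer", detail)
```

For the activity rank, pass a dict of unique-client counts to rank_group instead of exposure values; the arithmetic is identical.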

Severity level for Asset

View network behavior panel for assets

The asset severity is computed for Enterprise Network Exposure, Peer Network Exposure, and Peer Network Activity. Asset severity is expressed as one of four levels: low, medium, high, and critical. The following table summarizes the asset severity scores.

Severity   Color    Rank
Low        Green    1-25
Medium     Yellow   26-50
High       Orange   51-75
Critical   Red      76-100

Overview

The Overview section provides the following parameters:

View network behavior panel for assets

Asset Type: Indicates the device type associated with the asset, determined based on the number of exported services and the volume of network traffic it handles. An asset can be categorized as one of the following types: Client, Server, FewClients, Many Services Few Clients (MSFC), Many Services Some Clients (MSSC), Many Services Many Clients (MSMC), or Undefined.

Asset Types

The type of asset is determined by evaluating the network profile that has been calculated for the asset.

Client: An IP address that does not export services to other IPs.

Server: An IP address that exports services to other IPs. Insight assigns the Server type if any one of the following conditions is met:
- At least one of the exported services handles at least 50% of the total traffic, and the asset served five or more clients.
- At least two of the exported services together handle at least 60% of the traffic, and the asset served five or more clients.

FewClients: An IP address that exports services to a few other IP addresses. Insight assigns the FewClients type based on the following criterion:
- At least one of the exported services handles at least 50% of the total traffic, and the asset served up to four clients.

Many Services Few Clients (MSFC): An IP address that exports a large number of services to a few clients. Insight assigns the MSFC type based on the following criterion:
- The asset exports more than 20 services and served up to four clients.

Many Services Some Clients (MSSC): An IP address that exports a large number of services to some clients. Insight assigns the MSSC type based on the following criterion:
- The asset exports more than 20 services and served up to 19 clients.

Many Services Many Clients (MSMC): An IP address that exports a large number of services to many clients. Insight assigns the MSMC type based on the following criterion:
- The asset exports more than 20 services and served 20 or more clients.

Undefined: An IP address that exports a variety of random services to a variable number of IP addresses.
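The asset type rules in the table above, turned into a classifier as an added example (not NetWitness Insight's own code). It assumes that "total traffic" means the asset's own exported traffic, that rules are evaluated in the order the table lists them, and that MSSC covers 5 to 19 clients since MSFC already covers up to four; the flows it classifies are constructed synthetically.

```python
from collections import defaultdict


def constructed_flows(n_services, n_clients, dominant_share=None):
    """Build constructed flows (client_ip, service, bytes) toward one asset:
    n_services services spread evenly over n_clients clients. If dominant_share
    is given, service svc0 takes that fraction of all bytes, the rest share evenly."""
    flows, total = [], 100_000
    for s in range(n_services):
        if dominant_share is None:
            svc_bytes = total / n_services
        elif s == 0:
            svc_bytes = total * dominant_share
        else:
            svc_bytes = total * (1 - dominant_share) / (n_services - 1)
        for c in range(n_clients):
            flows.append((f"192.0.2.{c + 1}", f"svc{s}", svc_bytes / n_clients))
    return flows


def profile(flows):
    """Per-service share of the asset's exported traffic and its unique client count."""
    per_service = defaultdict(float)
    clients = set()
    for client, service, nbytes in flows:
        per_service[service] += nbytes
        clients.add(client)
    total = sum(per_service.values())
    shares = {svc: b / total for svc, b in per_service.items()} if total else {}
    return shares, len(clients)


def classify(flows):
    """Assign the asset type using the table's criteria, checked in table order
    (assumption: the page does not state a precedence between the rules)."""
    shares, n_clients = profile(flows)
    n_services = len(shares)
    if n_services == 0:
        return "Client"                            # exports no services
    top = sorted(shares.values(), reverse=True)
    one_dominant = top[0] >= 0.50                  # one service carries >= 50%
    two_dominant = len(top) >= 2 and top[0] + top[1] >= 0.60
    if n_clients >= 5 and (one_dominant or two_dominant):
        return "Server"
    if n_clients <= 4 and one_dominant:
        return "FewClients"
    if n_services > 20:
        if n_clients <= 4:
            return "MSFC"
        if n_clients <= 19:                        # assumption: 5-19 clients
            return "MSSC"
        return "MSMC"
    return "Undefined"


if __name__ == "__main__":
    print(classify(constructed_flows(3, 6, dominant_share=0.7)))   # Server
    print(classify(constructed_flows(25, 30)))                      # MSMC
```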

Asset Category: The asset category is determined by the distribution of traffic reaching the asset. An asset can expose many port numbers identifying specific services. The IANA Service Name and Transport Protocol Port Number Registry provides a list of well-known port numbers and their associated services.

For example, an asset that exports services to traffic on ports 80 and 443 could have a category value of HTTP and HTTPS.

Note

An asset can have one or more categories.

First Time Seen: Displays the timestamp when the analytics first observed an asset.

Last Time Seen: Displays the timestamp when the analytics last observed an asset.

Highlights

The Highlights section provides a quick high-level overview of the last observed asset changes on the network.

View network behavior panel for assets

Note

The asset will always display all available data for the past 7 days in the UI.

Exposed Services: Displays the current number of active services for an asset. An asset can expose multiple services, such as HTTPS and SSH. The number of services exposed by an asset can change over time. The sparkline is a trend of the recently observed number of exposed services by the asset. If you hover over the sparkline, you can view the trending numbers. For example, NetWitness Insight detected the following exposed services for the asset 10.0.0.0 over the past four days:

  • January 1, 2023: 1 service (FTP)
  • January 2, 2023: 1 service (FTP)
  • January 3, 2023: 1 service (FTP)
  • January 4, 2023: 2 services (FTP, SMTP)

In this example, the sparkline will show a slight increase in trend. The number 2 next to the sparkline chart is the last observed number of exposed services for this asset. In this case, the asset exposed FTP for a duration of 3 days, and then NetWitness Insight detected that SMTP was added to the list of exposed services.

External Connections: Displays the number of external clients that request services from the asset. The sparkline is a trend of the observed number of external clients that requested services exported by the asset. If you hover over the sparkline, you can view the trending numbers.

For example, NetWitness Insight detected the following number of external connections established with the asset 10.0.0.0 over the past three days:

  • January 1, 2023: 0 connections
  • January 2, 2023: 2 connections
  • January 3, 2023: 5 connections

In this example, the sparkline will show an increasing trend. The number 5 next to the sparkline chart is the last observed number of external connections for this asset.

Connection Types: Displays the number of services used by external clients. The sparkline displays a trend of the recently observed total number of services used by external clients. If you hover over the sparkline, you can view the trending numbers.

For example, NetWitness Insight detected the following number of services provided by asset 10.0.0.0 used by external clients over the past three days:

  • January 1, 2023: 3 services (HTTP, HTTPS, SSH)
  • January 2, 2023: 3 services (HTTP, HTTPS, SSH)
  • January 3, 2023: 5 services (HTTP, HTTPS, SSH, FTP, SFTP)

In this example, the sparkline will show an increasing trend. The number 5 next to the sparkline chart is the last observed number of services used by external clients.

Connection Anomalies: Displays the total number of connections to external IPs using unrecognized TCP/UDP traffic. Unrecognized traffic does not match any of the known protocols. The sparkline displays a trend of the recently observed total number of external sources and destinations for unrecognized TCP/UDP traffic. If you hover over the sparkline, you can view the trending numbers.

For example, NetWitness Insight detected the following number of unrecognized connections from 10.0.0.0 over the past five days:

  • January 1, 2023: 3 connections
  • January 2, 2023: 3 connections
  • January 3, 2023: 7 connections
  • January 4, 2023: 5 connections
  • January 5, 2023: 4 connections

In this example, the sparkline shows an initially increasing trend that peaked at 7 connections and is now decreasing. The number 4 next to the sparkline chart is the last observed number of connections to external IPs using unrecognized TCP/UDP traffic.

Historical Service Trend

View historical service trend for assets

The Historical Service Trend displays how much traffic the asset serves out of the total traffic that is captured per service over time. The Historical Service Trend can help analysts understand why an asset is defined as a certain category type. By examining the percentage of services shared by the asset, analysts can better understand its role and purpose. Observing how the service percentages evolve over time provides perspective on any shifts in the asset category. This information empowers analysts to make informed decisions without the need for extensive additional research, enhancing their analytical efficiency.

For example, if a server receives 60% of the total DNS traffic, this value plays a significant role in determining the asset category for that server.

To better understand the traffic volume of different services, services in the chart legend are sorted from highest enterprise traffic to lowest enterprise traffic using the latest date data. In cases where services have the same percentage value, the services are sorted alphabetically as a secondary sort. The chart legend makes it easy to identify which services have the highest and lowest traffic volume.

Analysts can perform the following actions on the Historical Service Trend chart:

  • Hover over a data point on the chart to reveal the shared services percentage.

  • Click the search icon to navigate to the next page to view the other services available.

  • Analysts can use the service filter feature with the searchable drop-down menu to filter services by multiple values at once. This allows you to compare different services and gain valuable insights from your data. For example, you can filter HTTP and DNS services and easily understand your data.

  • Analysts can navigate seamlessly between the first and last pages using the pagination option. To go to the last page, click the search icon.

Note

The asset will always display all available data for the past 7 days in the UI.
