Investigation - Settings Dialog for Navigate View and Events View

Document created by RSA Information Design and Development on Jul 22, 2016
Version 1

The settings in the Navigate view and Events view Settings dialogs are a subset of the Investigation settings made in the Profiles > Preferences panel > Investigations tab. By providing the settings within the Investigation view, Security Analytics saves time for Analysts. If you change a setting here, the same setting is changed in the Profiles view, and if you change a setting in the Profiles view, the same setting is changed here.

To access this dialog:

  1. In the Security Analytics menu, select Investigation > Navigate or Events.
    The Investigate dialog is displayed.
  2. Select a service and click Navigate.
  3. In the toolbar, select the Settings option.
    The Settings dialog is displayed.

Features

The Settings dialogs in the Navigate view and Events view have several features in common.

Navigate View Settings Dialog

Several Investigation settings influence the performance of Security Analytics when loading values in the Values panel. Default values are set based on common usage, and individual analysts can adjust these settings for their own investigations.

The following table describes the features.

                                                   
| Feature | Description |
|---|---|
| Threshold | Sets the threshold for the maximum number of sessions loaded for a meta key value in the Values panel. A higher threshold allows accurate counts for a value, and also causes longer load times. The default value is 100000. |
| Max Values Results | Sets the maximum number of values to load in the Navigate View when the Max Results option is selected in the Meta Key Menu for an open Meta Key. The default value is 1000. |
| Max Session Export | Sets the maximum number of sessions that can be exported. The default value is 100000. |
| Export Log Format | Sets the file format of exported logs. There are four formats available: Text, SML, CSV, and JSON. |
| Show Debug Information | If you want Security Analytics to display the where clause beneath the breadcrumb in the Navigate view and the elapsed load time for each aggregated service on a Broker, check this option. The default value is Off. |
| Autoload Values | If you want Security Analytics to automatically load values for the selected service in the Navigate view, check this option. When not selected, Security Analytics displays a Load Values button, allowing the opportunity to modify options. The default value is Off. |
| Download Completed PCAPs | This setting automates the downloading of extracted PCAPs in the Investigation module so that you do not have to manually download and open extracted PCAP files in an application, such as Wireshark, that can handle viewing data in a PCAP form. |
| Live Connect: Highlight Risky IPs | If you want Security Analytics to highlight and display only IP addresses that are considered risky by the RSA community, check this option. When not selected, Security Analytics displays all IP addresses. By default, this option is not selected (Off). |
| Apply | Applies the settings immediately; the changes are visible the next time you load values. The same changes are also applied in the Profiles view. |
| Cancel | Cancels the editing operation and closes the dialog, leaving the settings unchanged. |

Events View Settings Dialog

The following table describes the features.

                                           
| Feature | Description |
|---|---|
| Export Log Format | Sets the file format of exported logs. There are four formats available: Text, SML, CSV, and JSON. |
| Download Completed PCAPs | This setting automates the downloading of extracted PCAPs in the Investigation module so that you do not have to manually download and open extracted PCAP files in an application, such as Wireshark, that can handle viewing data in a PCAP form. |
| Live Connect: Highlight Risky IPs | If you want Security Analytics to highlight and display only IP addresses that are considered risky by the RSA community, check this option. When not selected, Security Analytics displays all IP addresses. By default, this option is not selected (Off). |
| Optimize Investigation page loads | Sets a paging option. When optimized, results are returned as quickly as possible, sacrificing the original ability to go to a specific page in the event list. Unchecking this box changes the Events list pagination to allow you to go to a specific page in the list (or to the last page). The default value is enabled. |
| Default Session View | Selects the default reconstruction type for the initial reconstruction in the Events view. The default value is Best Reconstruction, in which events are reconstructed using the reconstruction method most appropriate to the event. |
| Enable CSS Reconstruction for Web View | This setting controls how web content reconstruction is performed. If enabled, the web reconstruction includes cascading style sheet (CSS) styles and images so that its appearance matches the original view in a web browser. This includes scanning and reconstructing related events, and searching for style sheets and images used in the target event. The option is enabled by default. Uncheck this option if there are problems viewing specific websites. |
| Apply | Applies the settings immediately; the changes are visible the next time you view events. The same changes are also applied in the Profiles view. |
| Cancel | Cancels the editing operation and closes the dialog, leaving the settings unchanged. |