Investigation: Configure Navigate View and Events View

Document created by RSA Information Design and Development on Jul 22, 2016

Analysts can set preferences that affect performance and behavior of Security Analytics when analyzing data using the Investigation > Navigate view and Events view.

These settings are available in two places in Security Analytics, and changes made in either location are applied in the other view:

  • Investigation view > Settings dialog and Search field for the Navigate view and the Events view.
  • Profile > Preferences panel > Investigations tab.

Access the Investigation Settings

To access the settings, do one of the following:

  • In the Navigate view toolbar, select the Settings option.
    The Settings dialog for the Navigate view is displayed.
  • In the Events view toolbar, select the Settings option.
    The Settings dialog for the Events view is displayed.
  • In the Security Analytics menu, select Profile. Then in the left navigation panel select Preferences. Click the Investigations tab.
    The Investigation tab is displayed.

Calibrate Navigate View Value Loading Parameters

Several Investigation settings influence the performance of Security Analytics when loading values in the Values panel. Default values are set based on common usage, and individual analysts can adjust these settings for their own investigations.

To adjust these settings:

  1. Navigate to the Investigation tab or to the Settings dialog for the Navigate view.
  2. Adjust the following parameters:
  • Threshold: Set the threshold for the maximum number of sessions loaded for a meta key value in the Values panel. A higher threshold gives more accurate counts for a value but also causes longer load times. The default value is 100000.
  • Max Values Results: Set the maximum number of values to load in the Navigate view when the Max Results option is selected in the Meta Key menu for an open meta key. The default value is 1000.
  • Max Session Export: Specify the number of events that can be exported in a single PCAP or log file.
  • Max Log View Characters: Set the maximum number of characters to be displayed in Investigation > Events > Log Text. The default value is 1000.
  • Show Debug Information: If you want Security Analytics to display the where clause beneath the breadcrumb in the Navigate view and the elapsed load time for each aggregated service on a Broker, check this option. The default value is Off.
  • Autoload Values: If you want Security Analytics to automatically load values for the selected service in the Navigate view, check this option. When not selected, Security Analytics displays a Load Values button, giving you the opportunity to modify options first. The default value is Off.
  • Live Connect: Highlight Risky IPs: If you want Security Analytics to highlight and display only IP addresses that are considered risky by the RSA community, check this option. When not selected, Security Analytics displays all IP addresses. By default, this option is not selected (Off).
  3. Click Apply.

The settings become effective immediately and are visible the next time you load values.

Configure PCAP Download Behavior in Investigation

You can automate the downloading of extracted PCAPs in the Investigation module so that the browser downloads the extracted PCAP and opens it in the default application for opening PCAP files, such as Wireshark.

To configure this:

  1. Ensure that an application that can open PCAPs is installed on your local file system and that the application is set as the default application to handle PCAP file formats.
  2. Navigate to the Investigation tab or to the Settings dialog for the Navigate view or the Events view.
  3. Check the Download Completed PCAPs option.
  4. Click Apply.
    The setting becomes effective immediately.

Configure the Default Log Export Format in Investigation

You can export logs from Investigation in different formats. The available options are Text, XML, CSV, and JSON. There is no built-in default value for the log export format. If you do not select a format here, Security Analytics displays a selection dialog when you export logs.

To select the format for exported logs:

  1. Navigate to the Investigation tab or to the Settings dialog for the Navigate view.
  2. Select one of the options from the Export Log Format drop-down menu.
  3. Click Apply.
    The setting goes into effect immediately.

Calibrate Events View Retrieval and Default Reconstruction

You can configure several parameters that control how Security Analytics retrieves and reconstructs events in the Events view. To do so:

  1. Navigate to the Investigation tab or to the Settings dialog for the Events view.
  2. Configure the following parameters:
  • Optimize Investigation Page Loads: Set a paging option. When optimized, results are returned as quickly as possible, sacrificing the ability to go to a specific page in the event list. Unchecking this box changes the Events list pagination to allow you to go to a specific page in the list (or to the last page). The default value is enabled.
  • Append Events in Events Panel: When this option is selected, the events displayed in the Events panel are added incrementally. For example, each time you click the next page icon, the next increment of events is added: at first you see 1 to 25, then 1 to 50, then 1 to 75, and so on.
    Note: This option is available only if the Optimize Investigation Page Loads option is enabled.
  • Default Session View: Selects the default reconstruction type for the initial reconstruction in the Events view. The default value is Best Reconstruction, in which events are reconstructed using the reconstruction method most appropriate to the event.
  3. To activate the changes immediately, click Apply.

Enable or Disable Cascading Style Sheet Rendering in Web Content Reconstructions

Analysts can enable the use of cascading style sheets (CSS) when reconstructing web content. If enabled, the web reconstruction includes CSS styles and images so that its appearance matches the original view in a web browser. This includes scanning and reconstructing related events, and searching for style sheets and images used in the target event. The option is enabled by default. Disable this option if there are problems viewing specific websites.

Note: The appearance of the reconstructed content may not match the original web page perfectly if related images and style sheets could not be found or were loaded from the web browser's cache. Also, any layout or styling that is performed dynamically via client-side JavaScript will not render in the reconstruction, because all client-side JavaScript is removed for security purposes.
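The note above states that the reconstruction keeps style sheets and images but removes all client-side JavaScript. The following is an added illustrative model of that policy, written for this page and not Security Analytics code: a small Python rebuilder that drops script elements, inline event handlers and javascript: URLs while letting link, style and img elements through, run over a constructed sample page.

```python
from html import escape
from html.parser import HTMLParser

URL_ATTRS = {"href", "src", "action", "formaction"}  # attributes that may carry a javascript: URL

class JsStrippingRebuilder(HTMLParser):
    """Re-emit captured HTML minus <script> elements, on* handlers and javascript: URLs."""
    def __init__(self):
        super().__init__(convert_charrefs=False)  # keep entities verbatim; never decode them
        self.out, self.in_script = [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True  # drop the element and everything inside it
        elif not self.in_script:
            parts = [tag]
            for name, value in attrs:  # HTMLParser has already lower-cased the names
                # Inline handlers (onload=) and javascript: URLs go; whitespace is collapsed first
                if name.startswith("on") or (name in URL_ATTRS and value and
                                             "".join(value.split()).lower().startswith("javascript:")):
                    continue
                parts.append(name if value is None else f'{name}="{escape(value)}"')
            self.out.append("<" + " ".join(parts) + ">")  # <link>, <style>, <img> pass through

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
        elif not self.in_script:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.in_script:
            self.out.append(data)

    def handle_entityref(self, name):  # &lt; stays &lt;, so encoded markup cannot become a tag
        self.handle_data(f"&{name};")

    def handle_charref(self, name):
        self.handle_data(f"&#{name};")

def strip_client_side_js(html):
    parser = JsStrippingRebuilder()  # returns the captured HTML with client-side JavaScript removed
    parser.feed(html)
    parser.close()
    return "".join(parser.out)

# Constructed sample of a captured page, not real traffic.
SAMPLE = ('<html><head><link rel="stylesheet" href="/s.css"><script src="/t.js"></script></head>'
          '<body onload="beacon()"><img src="/logo.png" alt="Logo &amp; Co"><a href="javascript:void(0)">x'
          '</a><p>&lt;script&gt; as text</p><script>alert(1)</script></body></html>')
```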

To enable or disable this option:

  1. Navigate to the Investigation tab.
  2. Click the Enable CSS Reconstruction for Web View checkbox.
  3. Click Apply.
    The setting becomes effective immediately and is visible in the next web content reconstruction.

(Optional) Configure Search Options

  1. Click in the Search field to display the Search Events drop-down menu.
  2. Select one or more search options to apply to the search. Investigation - Search Options provides detailed information about each option.
  3. To save the search settings, click Apply.
    The preferences are saved and effective immediately. 