Analysts can view a list of events associated with a session in the Investigation > Events view.
There are two ways to display the Events view:
- Select Investigation > Events in the Security Analytics menu. Security Analytics runs a default query on the last three hours for the default service (if one is set) or displays a dialog in which you can select a service and then runs the default query. The default query selects all events and the Events view displays events on the selected service, with the oldest events first.
- In the Navigate view, click a meta value, which in fact represents an event. The Events view displays the events on the selected service based on the drill point in the Navigate view. The Events view provides three built-in presentations of event data: the Detail view, the List view, and the Log view.
You can use queries, the time range setting, and profiles to filter the events listed in the Events view. From any view type in Events view, you can extract files, export events, export logs, and open the Event Reconstruction panel by double-clicking an event. See Examine Events for detailed information about these capabilities.