|Threshold||This setting controls the count shown for a Meta Key value in the Navigate view during the load. A higher threshold allows more accurate counts for a value. However, a higher threshold causes longer load times. When the threshold is reached, Security Analytics displays the count and the percentage of time used to reach the count in comparison to the time necessary to load all sessions with that value. For example, (>100000 - 18%) indicates that the threshold was set at 100000 and this load took only 18% of the time it would have taken with no threshold set. The default value is 100000.|
|Max Values Results||This setting controls the maximum number of values to load in the Navigate View when the Max Results option is selected in the Meta Key Menu for an open Meta Key. The default value is 1000.|
|Max Session Export||This setting controls the maximum number of sessions that can be exported. The default value is 100000.|
|(In SA 10.5.1 or later) Max Log View Characters||This setting controls the maximum number of characters to be displayed on Investigation > Events > Log Text. The default value is 1000.|
|Export Log Format||This setting specifies the default format for exporting logs from Investigation. Available options are Text, XML, CSV, and JSON. There is no built-in default value for the log export format. If you do not select a format here, Security Analytics displays a selection dialog when you invoke export of logs. When you select one of the options from the Export Log Format drop-down menu and click Apply, the setting goes into effect immediately.|
|(In SA 10.5.1 or later) Append Events in Events Panel||When this option is selected, the events displayed in the Events Panel are added incrementally below the currently displayed events rather than replacing the currently displayed events. For example, each time you click the next page icon, the events are displayed incrementally, beginning with events 1 through 25, then 1 through 50, 1 through 75 and so on. Note: This option is available only if the Optimize Investigation Page Loads option is enabled.|
|Show Debug Information||When this option is selected, Security Analytics displays the where clause beneath the breadcrumb in the Navigate view. For each meta value load, the load time is displayed. If the service is a Broker, then the elapsed time for each aggregated service is reported. The default value is Off.|
|Autoload Values||When this option is selected, the service values are automatically loaded in the Navigate view. When not selected, Security Analytics displays a Load Values button, allowing the user the opportunity to modify the options. The default value is Off.|
|Download Completed PCAPs||This setting automates the downloading of extracted PCAPs in the Investigation module so that you do not have to manually download and open extracted PCAP files in an application, such as Wireshark, that can handle viewing data in a PCAP format.|
|Optimize Investigation Page Loads||This option is enabled by default (checked) and controls how the Events view retrieves events. When optimized, results are returned as quickly as possible. This sacrifices the original ability to go to a specific page in the event list. Unchecking this box changes the Events list pagination to allow you to go to a specific page in the list (or to the last page). Being able to go to any page in the list sacrifices some speed in returning the results due to the additional overhead of determining the events in advance.|
|Default Session View||This setting selects the default reconstruction type for the initial reconstruction view. By default, events are reconstructed using the reconstruction method most appropriate to the event.|
|Enable CSS Reconstruction for Web View||This setting controls how web content reconstruction is performed. If enabled, the web reconstruction includes Cascading Style Sheets (CSS) styles and images so that its appearance matches the original view in a web browser. This includes scanning and reconstructing related events, and searching for stylesheets and images used in the target event. The option is enabled by default. Uncheck this option if there are problems viewing specific websites.|
|Search Options||This setting sets the default search options to apply to a search in the Events view. You must select Meta or RAW; you can also select both of these options. Possible values are: |
- Meta: Search the meta data.
- RAW (Network/Log): Search the log text. Every event is decoded and content is searched. If you select all data with no filters on an Archiver, execution time may be excessive and a warning may be displayed.
- Case Insensitive: Ignore case when searching.
- Regular Expression: The search string is a Perl regular expression, rather than text. By default Security Analytics executes a text search. To execute a regular expression search, you must select the Regular Expression option.
|Apply||Saves your preferences and puts them into effect immediately.|