Investigation: Begin an Investigation

Document created by RSA Information Design and Development on Nov 23, 2016. Last modified by RSA Information Design and Development on Nov 29, 2016.
Version 2

Analysts can begin an investigation of data on a Security Analytics service or collection; beginning the investigation loads the values for that service or collection.

To begin an investigation in Security Analytics, a service must be specified.

  • Security Analytics opens the Navigate view with the user-specified default service selected.
  • If no default service is currently specified and the service id is not in the URL, Security Analytics presents a dialog for selecting the service or collection to investigate.
  • When a service has been selected manually or by default in the Navigate view, you can change the service or collection to investigate by selecting the service name in the toolbar. Security Analytics presents the dialog for selecting the service to investigate.

Note: The Archiver service does not appear in the Navigate view, so that users are not exposed to slow performance when performing investigations. The Archiver is available in the Events view for log exports and enhanced search capabilities.

With a service or collection selected, Security Analytics is ready to load data for the service or collection. Several settings in the Navigate View and Events View Settings dialog or the Profiles > Preferences panel > Investigations tab affect the loading process: Threshold, Max Values Results, Show Debug Information, Autoload Values, and Optimize Investigation page loads (see Configure Investigation Views and Preferences).

Note: If you specified Autoload Values, Security Analytics populates the data automatically. Otherwise, you must select the Load button. Security Analytics populates the metadata in the Navigate view Values panel, and results become visible almost immediately.

The rest of this topic provides instructions for beginning the investigation of data on a service.

Note: Only users with the administrator role can create a collection, and only the creator of the collection is able to investigate a collection.

Procedures

Begin an Investigation (No Default Service)

  1. In the Security Analytics menu, select Investigation > Navigate.
    The Investigate dialog is displayed.
  2. Double-click a service or select a service and click Navigate.
    The resulting panel displays the activity for the selected service.
  3. If you want to modify investigation options before loading, you can create or modify a custom profile, apply a different time range, create or apply a meta group, and perform a custom query as described in Filter Information in Navigate View.
  4. When ready, click the Load Values button.
    The data for the selected service begins loading.
    With the service selected and data loaded, you are ready to begin analyzing the data.

Set or Clear the Default Service

You can set the default service and clear the default service in the Investigate a Service dialog.

  1. Click the service name in the toolbar.
    The Investigate dialog is displayed.
  2. Select a service on the Services grid, and click the default service icon.
    The service becomes the default (indicated by "Default" in parentheses after the service name).
  3. To clear the default service, select the default service in the grid, click the default service icon, and click Cancel to close the dialog.
    No default service is set.

Note: The Cancel button does not cancel your selection of the default service. It simply closes the dialog without navigating to the currently selected service in the grid. Setting a default service that is different from the service currently being investigated does not refresh the Navigate view. You must explicitly select and navigate to a different service.

Begin an Investigation (Default Service Specified)

  1. In the Security Analytics menu, select Investigation > Navigate.
    If the Autoload Values setting is set to off, the Navigate view is displayed with the default service selected, and ready to load data. If the Autoload Values setting is on, the values are loaded as shown in Step 3.
  2. If you want to modify investigation options before loading, you can create or modify a custom profile, apply a different time range, create or apply a meta group, and perform a custom query.
  3. When ready, click the Load Values button.
    The values for the service are loaded in accordance with the selected options.
    With the service selected and data loaded, you are ready to begin analyzing the data.

Change the Service or Collection to Investigate

  1. In the Navigate view, click the service name at the top of the options panel.
    The Investigate dialog is displayed.
  2. Double-click a service or select a service and click Navigate. The resulting panel displays the activity for the selected service.
    If the Autoload Values setting is on, the values are loaded as shown in Step 3. Otherwise, the Navigate view is displayed with the default service selected, and data ready to load.
  3. When ready, click the Load Values button.
    The values for the service begin loading in accordance with the selected options.
    With the service selected and data loaded, you are ready to begin analyzing the data.

Investigate Workbench Restoration Collections

This procedure enables Administrators to select content from an existing collection to reprocess for further investigation.

Note: Only a user with administrative privileges can create a collection, and you can view only those collections that you created.

To reprocess data for further investigation:

  1. In the Security Analytics menu, select Investigation > Navigate.
    The Investigate dialog is displayed.
  2. Select a workbench service and workbench name that you want to investigate.
  3. Click Navigate to perform an investigation on your selected workbench service.
    Click Cancel to select a different workbench service to investigate.
    The Investigation view is displayed.
    With the collection selected and data loaded, you are ready to begin analyzing the data.