In Security Analytics Investigation, when you have the data for a drill point displayed in the Navigate view, you can:
- Extract files from a session and choose the type of files to extract: archives, audio BitTorrent, documents, executable, images, other, video, and web.
- Export the drillpoint as a packet capture (PCAP) file or a log file.
The details being exported are affected by both the time range and drill point at the time of exporting.
Note: When you export the drill point as a log file, only the log sessions are exported. The job queue message refers to the total number of sessions in the drill point rather than the number of logs. For example, if the drill point has 505 sessions and only five log sessions, the job queue message states that Security Analytics is extracting logs for 505 sessions.
To export a drill point from the Navigate view:
- Conduct an investigation until you reach the desired drillpoint.
- In the toolbar, select Actions > Export and select one of the export options: Extract Files, PCAP Export, and Logs Export.
The drill point is extracted, and a message advises that the job is scheduled. You can check the jobs page for the status.
- When the scheduled file extraction is complete, it is displayed in the Job Notifications tray.
- Click the View link to the Jobs Tray and download the specific extraction file requested.