Investigation Tab - User Preferences Panel

Document created by RSA Information Design and Development on Nov 23, 2016Last modified by RSA Information Design and Development on Nov 29, 2016
Version 2Show Document
  • View in full screen mode
  

This topic introduces the features of the Profile view > Preferences panel > Investigations tab.

In the Profile view > Preferences panel > Investigation tab, users can set several preferences that affect the performance and behavior of Security Analytics when analyzing data, viewing events, and reconstructing events in Investigation.

Procedures related to this tab are described in Configure Navigate View and Events View.

To access this tab:

  1. In the Security Analytics menu, select Profile.
  2. In the left navigation panel, select Preferences.
  3. In the Preferences panel, select the Investigations tab.
    PrefInvTb.jpg

Features

The following table describes the Investigation preferences.

                                                                 
FeatureDescription
ThresholdThis setting controls the count shown for a Meta Key value in the Navigate view during the load. A higher threshold allows more accurate counts for a value. However, a higher threshold causes longer load times. When the threshold is reached, Security Analytics displays the count and the percentage of time used to reach the count in comparison to the time necessary to load all sessions with that value.

For example, (>100000 - 18%) indicates that the threshold was set at 100000 and this load took only 18% of the time it would have taken with no threshold set. The default value is 100000.
Max Values ResultsThis setting controls the maximum number of values to load in the Navigate View when the Max Results option is selected in the Meta Key Menu for an open Meta Key. The default value is 1000.
Invmetakeymenu.png
Max Session ExportThis setting controls the maximum number of sessions that can be exported. The default value is 100000.

Max Log View Characters

This setting controls the maximum number of characters to be displayed on Investigation > Events > Log Text. The default value is 1000.
Export Log FormatThis setting specifies the default format for exporting logs from Investigation. Available options are Text, XML, CSV, and JSON. There is no built-in default value for the log export format. If you do not select a format here, Security Analytics displays a selection dialog when you invoke export of logs. When you select one of the options from the Export Log Format drop-down menu and click Apply, the setting goes into effect immediately.
Show Debug InformationWhen this option is selected, Security Analytics displays the where clause beneath the breadcrumb in the Navigate view. For each meta value load, the load time is displayed. If the service is a Broker, then the elapsed time for each aggregated service is reported. The default value is Off.
Append Events in Events Panel

When this option is selected, the events displayed in the Events Panel are added incrementally rather than overwriting the currently displayed events.

For example, each time you click the next page icon, the events are displayed incrementally such as 1 -25, 1 -50, 1 -75 and so on.

Note: This option is available, only if the Optimize Investigation Page Loads option is enabled.

Autoload ValuesWhen this option is selected, the service values are automatically loaded in the Navigate view. When not selected, Security Analytics displays a Load Values button, allowing the user the opportunity to modify the options. The default value is Off.
Download Completed PCAPsThis setting automates the downloading of extracted PCAPs in the Investigation module so that you do not have to manually download and open extracted PCAP files in an application, such as Wireshark, that can handle viewing data in a PCAP format.
Optimize Investigation Page Loads This option is enabled by default (checked) and controls how the Events view retrieves events. When optimized, results are returned as quickly as possible. This sacrifices the original ability to go to a specific page in the event list.  Unchecking this box changes the Events list pagination to allow you to go to a specific page in the list (or to the last page).  Being able to go to any page in the list sacrifices some speed in returning the results due to additional overhead determining the events in advance.
Default Session ViewThis setting selects the default reconstruction type for the initial reconstruction view. By default events are reconstructed using the reconstruction method most appropriate to the event.
Enable CSS Reconstruction for Web ViewThis setting controls how web content reconstruction is performed. If enabled, the web reconstruction includes cascaded style sheet (CSS) styles and images so that its appearance matches the original view in a web browser. This includes scanning and reconstructing related events, and searching for stylesheets and images used in the target event. The option is enabled by default.  Uncheck this option if there are problems viewing specific websites. 

Note: The appearance of the reconstructed content may not match the original web page perfectly if related images and stylesheets could not be found or were loaded from the web browser's cache. Also, any layout or styling that is performed dynamically via client side javascript will not render in the reconstruction because all client side javascript is removed for security purposes.

Search OptionsThis setting sets the default search options to apply to a search in the Navigate and Events views. Investigation - Search Options provides detailed information. 
ApplySaves your preferences and puts them into effect immediately.
Previous Topic:Investigate Dialog
You are here
Table of Contents > Investigation Reference Materials > Investigation Tab - User Preferences Panel

Attachments

    Outcomes