Investigation: Use Investigation Profiles to Encapsulate Custom Views

Document created by RSA Information Design and Development on Mar 23, 2017Last modified by RSA Information Design and Development on Apr 10, 2017
Version 2Show Document
  • View in full screen mode
  

This topic tells analysts how to use Profiles that define a set of Investigation preferences for the Navigate and Events view.

Using profiles is a quick and easy way to customize which data is displayed in Investigation. In the Manage Profiles dialog, you can use a profile to specify which meta groups and column groups are displayed by default, to append queries to an investigation, and to import or export profiles.

Note: Profiles are shared across users in the same Security Analytics network. If one user modifies or deletes a profile it has an affect on what is available to the other users.

If you have multiple profiles, you can switch between them to quickly change to the selected profile's preferences. If a profile is currently active, the title of the Profile menu is replaced with the profile name.

The following figure illustrates this in the Navigate view. The profile name is displayed between Query and Meta.

NavVwTb.png

The following figure illustrates this in the Events view. The profile name is displayed between Query and List View.

EvTbProf.png

Navigate to the Manage Profiles Dialog

  1. In the Security Analytics menu, select Investigation > Navigate or Investigation > Events.
  2. If the Investigate dialog is displayed, select a service and click Navigate.
  3. In the toolbar, select Profile > Manage Profiles.
    The Manage Profiles dialog is displayed.
    ManProfDg.png

Create and Edit Profiles

  1. In the Manage Profiles dialog, either select an existing profile by clicking the checkbox beside the name, or click Add icon to create a new profile.
    The right panel is available.
  2. Edit or enter the profile name by typing in the Name field. The name must be between 2 and 80 characters.
  3. Select a meta group from the Meta Group drop-down list. You can add custom meta groups as described in Manage User-Defined Meta Groups.
  4. Select a column group for the Column Group drop-down list. You can add custom column groups as described in  Manage Column Groups in the Events View.
  5. Type queries to filter results in the PreQuery field. PreQuery follows the same syntax as the Query builder. The PreQuery in the figure uses a meta group called crypto exists.
  6. Click Save to save the profile without using it, or click Save and Apply to save the profile and use it immediately.
    If you click Save and Apply, a confirmation dialog is displayed before setting the selected profile as active.

Change Active Profile

If you do not see enough results or the right results in the Navigate or Events views, you may have a profile active. If you do not want to use any profiles, you can click Deactivate Profiles in the Profiles drop-down menu.

To use a different profile:

  1. In the Navigate or Events view toolbar, open the Profiles drop-down menu.
  2. Hover over the Profile option to display a drop-down list of available profiles.
  3. Select the profile you want to use.
    The profile settings are applied immediately.

If you want to change the active profile from the Manage Profile dialog:

  1. In the Navigate or Events view toolbar, select Profiles > Manage Profiles.
    The Manage Profiles dialog is displayed.
  2. Select a profile from the left panel and click Save and Apply.
    A confirmation dialog is displayed.
  3. Click Yes.
    The profile settings are applied immediately.

Import Profiles

You can upload or import .jsn files that have been downloaded from another service.

  1. In the Manage Profiles dialog, click Import.png in the left panel toolbar.
  2. The Profile Import dialog is displayed.
  3. Click Browse or the Upload File field to select a file from your computer.
  4. When the file is selected, click Upload.
    The profile is displayed in the left panel.

Download Profiles

Profiles are downloaded as .jsn files.

  1. In the Manage Profiles dialog, select one or more profiles from the left panel.
  2. In the left panel toolbar, click Export.png.
    The download begins immediately.
You are here
Table of Contents > Conduct an Investigation > Filter Information in the Navigate View > Use Investigation Profiles to Encapsulate Custom Views

Attachments

    Outcomes