Investigation: Export Events and Extract Files

Document created by RSA Information Design and Development on Mar 23, 2017Last modified by RSA Information Design and Development on Apr 10, 2017
Version 2Show Document
  • View in full screen mode
  

When analysts are viewing an event reconstruction in Security Analytics Investigation, the Actions menu has an option to extract files from the event being viewed and export them to an archive.

Note: You can only export session files that you have permission to view or access.

The file export function queries the service for all sessions inside the selected time range and drill point to extract the content of each session. The details being exported are affected by both the time range and drill point at the time of exporting. In the File Extraction dialog, you can choose:

  • The type of the content to export: archives, audio BitTorrent, documents, executable, images, other, video, and web. 
  • The format of the exported archive: ZIP or GZIP file.

After you send the request, a job is scheduled and you can track the job in in the Jobs tray. If there is an error retrieving the log or PCAP from the service, Security Analytics displays an error notification.

To extract files from an event:

  1. While in the Detail View or List View of an event reconstruction, click an event.
  2. Click Actions menu in the Event Reconstruction toolbar.
  3. If you want to export the event, select Export PCAP in the drop-down menu.
    A message informs you that the PCAP is being downloaded.
  4. If you want to extract files, select Extract Files.
    EvReconExtFiles.png
  5. The File Extraction dialog is displayed.
    NavViewFileExtractionDialog.png
  6. In the Name column, select the types of content that you want to extract.
  7. To generate an archive of the selected file types contained in the event, click Export.
    A drop-down list of archive types for the export is displayed.
  8. Select Export as Zip or Export as Gzip.
    The content that you specified is extracted to an archive and downloaded to the local file system.
You are here
Table of Contents > Conduct an Investigation > Examine Events > Export Events and Extract Files

Attachments

    Outcomes