Investigation - Event Reconstruction Panel

Document created by RSA Information Design and Development on Jun 26, 2017. Last modified by RSA Information Design and Development on Jul 28, 2017.
Version 2

This topic describes the features available in the Investigation > Events view > Event Reconstruction panel.

By default, Security Analytics displays either the best reconstruction for the event, as determined by the event content, or the reconstruction that you have selected in the Default Session View setting for Investigation. You can use the options in the Event Reconstruction toolbar to change the reconstruction method, view side-by-side results, export an event, open an email attachment, extract files, and open the event in a new tab.

To access this panel in a new tab, do one of the following:

  • In the Events view, select an event to reconstruct and select Actions > View Event > Open in New Tab.
  • In the Event Reconstruction toolbar of a previewed reconstruction, click Open Event in New Tab.
    The Event Reconstruction panel is displayed in a new tab.

To access this panel in the current tab, do one of the following:

  • At the end of the event, select the icon shown in 104ViewDetail.png.
  • Select an event to reconstruct and select Actions > View Event > Preview Inline.

The Event Reconstruction panel opens in a popup window in the same view.

EvReconDg.png

Features

The Event Reconstruction panel has a toolbar at the top with the following options.

Feature | Description
Request & Response | Displays a drop-down menu for selecting whether the panel displays:
  • Request & Response
  • Request
  • Response
Organization | Displays a drop-down menu for selecting whether the information is displayed top to bottom or side by side.
View | Displays a drop-down menu for selecting what information is displayed. By default, Best Reconstruction is selected. Other options are:
  • View Meta
  • View Text
  • View Hex
  • View Packets
  • View Web
  • View Mail
  • View Files
Actions | Displays a drop-down menu with the actions available in the Event Reconstruction panel.
Open Event in New Tab | Opens the event in a new browser tab.
Use More Packets | This button is visible on the Reconstruction panel only when you have selected the 'Allow Full Packet Reconstruction Override' checkbox in the Investigation Configuration Panel. This option renders sessions using a large number of packets.
    Note: While rendering large sessions (as an Analyst), you get a confirmation message stating "Using larger number of packets might take time and cause system to slow down. Do you still want to continue?".

Beneath the toolbar is a list of meta keys and values. Some of the keys offer a drop-down menu with available actions.

The bar at the bottom of the panel offers several options.

                       
Feature | Description
Left arrow (ArrowL.png) | Displays the previous event.
Right arrow (ArrowR.png) | Displays the next event.
Show Reconstruction Log | Displays the reconstruction log at the bottom of the panel. Once you click this button, it changes to Hide Reconstruction Log.