Investigation: Reconstruct an Event

Document created by RSA Information Design and Development on Jun 26, 2017. Last modified by RSA Information Design and Development on Jul 28, 2017.

When viewing a list of events in Security Analytics Investigation > Events view, you can safely create a reconstruction of the event in a readable form that matches the original. By default, the initial view of a reconstructed event is the most suitable format (Best Reconstruction); for example, web content is reconstructed as a web page; an IM conversation is displayed with both parts of the conversation. Each user can select a different default reconstruction in the Profile > Preferences view.

In the reconstruction, you can:

  • Select event information to view. Possible values are: request data, response data, both request and response data.
  • Select the reconstruction type: details, text, hex, packets, web, mail, or IM.
  • Export raw logs.
  • Export the event as a PCAP file.
  • Extract any files available in the event.

Caution: Be careful when clicking a link to a file in the Reconstruction. If your system has an application associated with the file, or the browser is capable of opening it, and the file is malicious, it can negatively affect your system.

  • Display the event in a separate window or tab (depending on your browser configuration).
  • If you are viewing the reconstruction as a preview in the current view, you can page forward to the next event and back to the previous using the navigation buttons in the bottom left corner.

Note: Security Analytics Reconstruction Settings and Reconstruction Cache Settings allow an administrator to manage application performance for Investigation. As analysts reconstruct sessions that they are investigating, two situations can affect performance and results.
  • Some events can be very large and contain many thousands of source packets. Reconstructing these types of sessions can degrade application performance.
  • In some cases, the reconstruction cache can present incorrect content; for this reason, Security Analytics cleans cache that is older than a day every 24 hours. Between the daily cache cleanings, certain actions may result in stale cache being used for a reconstruction, and if the need arises, administrators can manually clear the cache for one or more services that are connected to the current Security Analytics server.

Reconstruct an Event

  1. Open a drill point in the Events view.
  2. To show all meta data, click 104ShowAddlMeta.png.
  3. To open an event reconstruction in the current view, do one of the following:
    1. At the end of the event, select 104ViewDetail.png.
    2. Select an event to reconstruct and select Actions > View Event > Preview Inline.
      The Event Reconstruction opens in a popup window in the same view. By default, Security Analytics displays the best reconstruction for the event determined by the event content or the reconstruction that you have selected in the Default Session View setting for Investigation. You can use the options in the Event Reconstruction toolbar to change the reconstruction method, view side-by-side results, export an event, open an email attachment, extract files, and open the event in a new tab.
      104EvReconTopToBot.png
  4. To preview a reconstruction of the next event, click 104ReconNext.png or to preview a reconstruction of the previous event, click 104ReconPrevious.png.
  5. To open an event reconstruction in a new tab, do one of the following:
    1. In the Events view, select an event to reconstruct and select Actions > View Event > Open in New Tab.
    2. In the Event Reconstruction toolbar of a previewed reconstruction, click Open Event in New Tab.
      The Event Reconstruction opens in a new tab.
      104NavEvReconNT.png

Note: In the case of masqueraded files, the meta view in the event reconstruction might show the masqueraded file extension, while the files view shows the actual file extension (true file type), because that is detected and set by the decoder from the file content rather than taken from the file name. For example, if a malware executable of type .exe is masqueraded and sent over the network as a .jpg file, then when you reconstruct that session the files view displays the extension as .exe instead of .jpg, because .exe is the actual type of the file. The file type is also displayed as executable.
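The note above describes content-based type detection: the decoder trusts the bytes of the file, not the name it was sent with. The following is an added example, written for this page and not RSA's decoder code, showing the same idea on files an analyst might have extracted from a reconstruction. The signature table, the `check_masquerade` and `scan_files` helpers, and the sample files are all constructed for illustration.

```python
# Added example for this page (not RSA Security Analytics code): flag files whose
# claimed extension disagrees with the file type implied by their leading bytes.
# The signature table and the sample files below are constructed for illustration.

MAGIC_SIGNATURES = [
    (b"MZ", "exe"),                      # DOS/PE executable header
    (b"\xff\xd8\xff", "jpg"),            # JPEG start-of-image marker
    (b"\x89PNG\r\n\x1a\n", "png"),       # PNG header
    (b"%PDF-", "pdf"),                   # PDF header
    (b"PK\x03\x04", "zip"),              # ZIP local file header (also docx/xlsx/jar)
]

# Extensions that name the same underlying type as a signature entry.
EXTENSION_ALIASES = {"jpeg": "jpg", "dll": "exe", "scr": "exe"}


def detect_true_type(data: bytes) -> str:
    """Return the type implied by the leading bytes, or 'unknown'."""
    for signature, file_type in MAGIC_SIGNATURES:
        if data.startswith(signature):
            return file_type
    return "unknown"


def claimed_type(filename: str) -> str:
    """Return the normalized extension the filename claims ('' if it has none)."""
    if "." not in filename:
        return ""
    ext = filename.rsplit(".", 1)[1].lower()
    return EXTENSION_ALIASES.get(ext, ext)


def check_masquerade(filename: str, data: bytes) -> dict:
    """Compare the claimed extension with the content-derived type."""
    claimed = claimed_type(filename)
    actual = detect_true_type(data)
    # Only report masquerading when the content is positively identified
    # and that identification disagrees with the claimed extension.
    masqueraded = actual != "unknown" and claimed != actual
    return {"filename": filename, "claimed": claimed,
            "actual": actual, "masqueraded": masqueraded}


# Constructed sample "extracted files": an executable renamed to .jpg, a genuine
# JPEG, a PDF, a screensaver (same PE type as .exe, so not flagged), and plain text.
SAMPLE_FILES = {
    "vacation.jpg": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00" + b"\x00" * 54,
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "helper.scr": b"MZ\x90\x00" + b"\x00" * 60,
    "notes.txt": b"plain text with no signature",
}


def scan_files(files: dict) -> list:
    """Return a check result for every file, with masqueraded ones listed first."""
    results = [check_masquerade(name, data) for name, data in files.items()]
    return sorted(results, key=lambda r: not r["masqueraded"])


if __name__ == "__main__":
    for r in scan_files(SAMPLE_FILES):
        flag = "MASQUERADED" if r["masqueraded"] else "ok"
        print(f"{r['filename']:<14} claimed={r['claimed'] or '-':<5} "
              f"actual={r['actual']:<8} {flag}")
```

The check only flags a file when the content is positively identified; a file with no recognized signature is reported as unknown rather than as a mismatch, which avoids false alarms on text and other signature-less formats. A real decoder carries a far larger signature table, but the decision rule is the same one the note describes: the extension shown in the files view comes from the content.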

View Side by Side or Top to Bottom

To select the way requests and responses for an event are displayed:

  1. In the Event Reconstruction toolbar, click Top to Bottom or Side by Side.
  2. In the drop-down menu, select the layout you want for the event: Side by Side or Top to Bottom.
    The reconstruction is refreshed with the selected information.
    104EvenReconPreview.png

Select Event Information to View

To select what event information to view:

  1. In the Event Reconstruction toolbar, click Request & Response.
  2. In the drop-down menu, select the information you want to see in the event: Request & Response, Request, or Response.
    The reconstruction is refreshed with the selected information.

Select Event Reconstruction Type

To select the reconstruction type for an event:

  1. In the Event Reconstruction section toolbar, click Best Reconstruction.
  2. In the drop-down menu, select the reconstruction type to view: meta, text, hex, packets, web, mail, or files.
    The reconstruction is refreshed with the selected reconstruction type.

Open or Download an Email Attachment

When viewing a reconstruction of an email that has attachments, you can open supported file types or download the files to the local system.

Caution: Be careful when selecting file attachments. If your system has an application associated with the file attachments, or the browser is capable of opening them, and the attachments are malicious, they can negatively affect your system.

To open or download email attachments:

  1. In the Event Reconstruction section toolbar, select the View drop-down and select View Mail.
    The Event Reconstruction is displayed.
    EmlRecatt.png
  2. In the Event Reconstruction section of the email, click the Attachment.
    If the file type is supported by the browser, the attachment will open in a new tab.
    If the file type is not supported, the Download dialog is displayed so that you can download the attachment.

Export an Event as a PCAP File

The PCAP export option downloads the sessions for the current time range and drill point to a PCAP file. To export an event as a PCAP file:

  1. In the Event Reconstruction section toolbar, click Actions.
  2. Click Export PCAP.
  3. A confirmation dialog is displayed.
  4. Click OK.
    The job is scheduled and when complete the PCAP is downloaded to the local file system. In the Profile > Jobs tab, you can download the PCAP.

Extract Files from a Reconstructed Event

The Extract Files option extracts and downloads the files associated with the event. To extract files:

  1. In the Event Reconstruction section toolbar, click Actions.
  2. Click Extract Files.
    The File Extraction dialog is displayed.
  3. Select the types of files to extract, and click OK.
  4. The job is scheduled and when complete the selected file types are downloaded to the local file system. In the Profile > Jobs tab, you can download the files.