NW Cfg: Configure Investigation Settings

Document created by RSA Information Design and Development on Sep 14, 2017. Last modified by RSA Information Design and Development on Nov 20, 2019. Version 17.

This topic provides instructions for administrators who are configuring the settings that apply to all investigations on the NetWitness Platform instance being configured. The settings for configuring and tuning behavior of NetWitness Platform Investigate are available in the ADMIN > System > Investigation panel. These settings apply to all investigations and reconstructions on the current instance of NetWitness Platform.

Map Context Hub Meta Types

The Context Hub is preconfigured with meta fields mapped to entities. NetWitness Respond and Investigate use these default mappings for context lookup. For information about adding meta keys, see "Configure Context Hub Data Source Settings" in the Context Hub Configuration Guide.

Caution: For the Context Lookup to work correctly in the Respond and Investigate views, when mapping meta keys in the ADMIN > System > Investigation > Context Lookup tab, it is best practice to add only meta keys to the Meta Key Mappings. Do not add MongoDB fields to the Meta Key Mappings. As an example of the difference: ip.address is a meta key, whereas ip_address is a field in the MongoDB.

In the Context Lookup tab, you can manage the mapping of Context Hub meta types to meta keys in Investigate. You can add or remove meta keys in the list of meta types supported in Investigate by Context Hub. Procedures associated with this tab are provided in "Manage Context Hub Lists and List Values in the Navigate and Events Views" in the NetWitness Investigate User Guide.

Configure Navigate and Events View Settings

  1. Go to ADMIN > System.
  2. In the options panel, select Investigation.
    The Investigation Configuration panel is displayed.
    (Screenshot: the Investigation Configuration panel)
  3. In the Navigate tab, in the Render Threads Settings field, select the maximum number of concurrent meta key values that are loaded by a single user in the Navigate view. Click Apply.
  4. In the Navigate tab, in the Parallel Coordinates Settings section, set the maximum limits for meta values scanned and meta value results that can be included in a parallel coordinates visualization. For better performance, the recommended settings are a Meta Values Scan Limit of 100000 and a Meta Values Result Limit of 1,000 to 10,000. Click Apply.
  5. In the Events tab, in the Event Search Settings section, set the maximum numbers of events scanned and event results displayed when an analyst is conducting an event search in the Events view. The actual number of events scanned and displayed may be slightly greater than the limit set here. Click Apply.
  6. In the Events tab, in the Reconstruction Settings section, set the limits for the amount of data processed in the reconstruction of a single event. The default values are 500 maximum packets and 2097152 bytes. If analysts are seeing slow performance when reconstructing sessions in Investigate, the reconstruction settings may need adjustment. Click Apply.

Caution: Setting a higher value affects the performance of the NetWitness Server by increasing the time and memory taken to create a reconstruction of an event. Setting the value to zero disables any limit and may lead to a NetWitness Server crash.

  7. (Optional) In the Events tab, in the Web View Reconstruction Settings section, enable the use of supporting files in a web view reconstruction, and configure the additional settings to calibrate web view reconstructions. These include the time range (in seconds) to scan for related events, the maximum number of related events to scan, and overrides to Reconstruction Settings for use with web view reconstructions. Click Apply.

Clear Reconstruction Cache for Services

Under Reconstruction Cache Settings, administrators can clear the cache for one or more services. For example, the administrator can clear the cache for a single Broker, for a Broker and a Decoder, or for all connected services. The following are a few examples of situations in which a stale cache is used in a reconstruction.

  • The downstream services may have their sessions invalidated or data reset. As an example, if Investigate is browsing a Broker and a downstream Concentrator or Decoder has a data reset, the metadata and session data for the investigating service (Broker) does not match the content if the downstream service has reset and repopulated. The reconstruction in Investigate shows content from cache, which does not match the real content. Even if the Decoder is offline, content is still displayed in the Broker reconstruction. Clearing cache on the Broker causes the NetWitness Platform to reach out to the Decoder and an error is returned because the Decoder is offline.
  • Another case where cache may be stale is when a service ID for a downstream service changes. This can happen when exporting, importing, deleting, and adding services to NetWitness Platform because NetWitness Platform can reuse service IDs. In this case, clearing the cache on the Broker causes NetWitness Platform to request data from the services.

To clear reconstruction cache, do one of the following:

  1. To clear cache for one or more services, select the services and click Clear Cache for the Selected Services.
  2. To clear the cache for all listed services, click Clear Cache for All Services.
    The reconstruction cache for the selected services is cleared. NetWitness Platform sends a request for data to the services.

Configure the Reconstruction Cache Clearing Interval for the Event Analysis View

Event Analysis reconstruction cache cannot be cleared using the Clear Cache for All Services option described above. In Version 11.3.1 and later, the cache is automatically cleared every 24 hours at 3 am to avoid filling up disk space and to clear data from the Investigate user interface. All Event Analysis reconstruction caches for the selected service, for all users, are cleared if they are older than the configured expiration time. By default, the value is set to 24 hours and you can specify an interval greater than 24 hours using either days or hours as a unit of time. This cache clearing does not duplicate the Clear Cache for the Selected Services option described above.

To configure a different interval for automatic cache clearing, other than the default value of 24 hours:

  1. Go to ADMIN > Services and select the Investigate-server to be cleared.
  2. Select View > Explore to open the selected server in the Explore view.
  3. Select the investigate/reconstruction node, then select clear-cache-older-than and type a new value in the field.
    (Screenshot: editing the clear-cache-older-than setting in the Explore view)
  4. Press ENTER.
    If you specified a valid value, the parameter is updated and goes into effect immediately.

Configure Event Analysis View Settings

  1. Go to ADMIN > System, and in the options panel, select Investigation.
    The Investigation Configuration panel is displayed.
    (Screenshot: example of the Event Analysis tab)
  2. In the Event Analysis tab, in the Event Limit Default field under Events Panel Settings, select the maximum number of events loaded in the Events panel when a query is submitted. The default value is 50,000 events, and you can select a value between 100 and 100,000 events.
    If a query returns more events than the configured Event Limit Default, the Events panel title shows the analyst that more results are available but are not listed due to the limit. Increasing the limit may place additional load on the queried service; the ideal limit is determined by your environment.
  3. Click Apply.
    The change becomes effective immediately, and applies to any new queries submitted by analysts.
  4. Under Event Limit Per User Role, select the maximum number of events loaded for a single query for individual user roles. This limit must be less than or equal to the system events limit.
  5. Click Apply.
    The change becomes effective immediately, and applies to any new queries submitted by users assigned to the user role.
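The limits this page documents (the 100 to 100,000 range and 50,000 default for Event Limit Default, the per-role limit that must not exceed the system limit, the reconstruction limits where zero disables the cap, and the cache-clearing interval of at least 24 hours in days or hours) can be checked before they are applied. The following audit script is an added example and is not RSA's code or part of the product; the settings dictionary shape, its key names, and the "2d"/"36h" interval format are assumptions for illustration.

```python
"""Audit proposed NetWitness Investigation settings against the documented limits.

Added example; not part of the RSA documentation or product. The settings dict
layout and the interval string format are assumptions for illustration."""

# Bounds and defaults as documented on the page
EVENT_LIMIT_MIN, EVENT_LIMIT_MAX, EVENT_LIMIT_DEFAULT = 100, 100_000, 50_000
RECON_DEFAULT_PACKETS, RECON_DEFAULT_BYTES = 500, 2_097_152
CACHE_MIN_HOURS = 24


def cache_interval_hours(value: str) -> int:
    """Parse a clear-cache-older-than value given in days ("2d") or hours ("36h").
    This string format is an assumption; the page only says days or hours are allowed."""
    value = value.strip().lower()
    if value.endswith("d"):
        return int(value[:-1]) * 24
    if value.endswith("h"):
        return int(value[:-1])
    raise ValueError(f"unrecognised interval: {value!r}")


def audit(settings: dict) -> list[str]:
    """Return a list of findings; an empty list means every checked value is within limits."""
    findings = []
    sys_limit = settings["event_limit_default"]
    if not EVENT_LIMIT_MIN <= sys_limit <= EVENT_LIMIT_MAX:
        findings.append(f"event_limit_default {sys_limit} is outside "
                        f"{EVENT_LIMIT_MIN}-{EVENT_LIMIT_MAX}")
    # Per-role limits must be less than or equal to the system limit
    for role, limit in settings.get("event_limit_per_role", {}).items():
        if limit > sys_limit:
            findings.append(f"role {role!r} limit {limit} exceeds system limit {sys_limit}")
    # A reconstruction limit of zero disables the cap and risks a server crash
    for key in ("max_packets", "max_bytes"):
        if settings["reconstruction"][key] == 0:
            findings.append(f"reconstruction {key} is 0: limit disabled, server may crash")
    # The automatic cache-clearing interval must be at least 24 hours
    hours = cache_interval_hours(settings["clear_cache_older_than"])
    if hours < CACHE_MIN_HOURS:
        findings.append(f"clear-cache-older-than is {hours}h, below {CACHE_MIN_HOURS}h minimum")
    return findings


# Constructed sample: three of the four checked areas are misconfigured
SAMPLE_SETTINGS = {
    "event_limit_default": EVENT_LIMIT_DEFAULT,
    "event_limit_per_role": {"Analysts": 20_000, "Operators": 75_000},
    "reconstruction": {"max_packets": RECON_DEFAULT_PACKETS, "max_bytes": 0},
    "clear_cache_older_than": "12h",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_SETTINGS):
        print("FINDING:", finding)
```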
