NW Cfg: Configure Investigation Settings

Document created by RSA Information Design and Development on Sep 14, 2017. Last modified by RSA Information Design and Development on Apr 11, 2019.
Version 14

This topic provides instructions for administrators who are configuring the settings that apply to all investigations on the NetWitness Platform instance being configured. The settings for configuring and tuning behavior of NetWitness Platform Investigate are available in the ADMIN > System > Investigation panel. These settings apply to all investigations and reconstructions on the current instance of NetWitness Platform.

Map Context Hub Meta Types

The Context Hub is preconfigured with meta fields mapped to entities. NetWitness Respond and Investigate use these default mappings for context lookup. For information about adding meta keys, see "Configure Settings for a Data Source" in the Context Hub Configuration Guide.

Caution: For Context Lookup to work correctly in the Respond and Investigate views, add only meta keys to the Meta Key Mappings in the ADMIN > System > Investigation > Context Lookup tab. Do not add MongoDB field names to the Meta Key Mappings. For example, ip.address is a meta key, while ip_address is the corresponding field name in the MongoDB; map ip.address, not ip_address.

In the Context Lookup tab, you can manage the mapping of Context Hub meta types to meta keys in Investigate. You can add or remove meta keys in the list of meta types that Context Hub supports in Investigate. Procedures associated with this tab are provided in "Manage Context Hub Lists and List Values in the Navigate and Events Views" in the NetWitness Investigate User Guide.

Configure Navigate and Events View Settings

  1. Go to ADMIN > System.
  2. In the options panel, select Investigation.
    The Investigation Configuration panel is displayed.
  3. In the Navigate tab, in the Render Threads Settings field, select the maximum number of concurrent meta key values that are loaded by a single user in the Navigate view. Click Apply.
  4. In the Navigate tab, in the Parallel Coordinates Settings section, set the maximum number of meta values scanned and the maximum number of meta value results that can be included in a parallel coordinates visualization. For better performance, the recommended settings are a Meta Values Scan Limit of 100,000 and a Meta Values Result Limit of 1,000 to 10,000. Click Apply.
  5. In the Events tab, in the Event Search Settings section, set the maximum numbers of events scanned and event results displayed when an analyst is conducting an event search in the Events view. The actual number of events scanned and displayed may be slightly greater than the limit set here. Click Apply.
  6. In the Events tab, in the Reconstruction Settings section, set the limits for the amount of data processed in the reconstruction of a single event. The default values are 500 maximum packets and 2097152 bytes. If analysts are seeing slow performance when reconstructing sessions in Investigate, the reconstruction settings may need adjustment. Click Apply.

Caution: Setting a higher value affects the performance of the NetWitness Server by increasing the time and memory taken to create a reconstruction of an event. Setting the value to zero disables any limit and may lead to a NetWitness Server crash.

  7. (Optional) In the Events tab, in the Web View Reconstruction Settings section, enable the use of supporting files in a web view reconstruction, and configure the additional settings to calibrate web view reconstructions. These include the time range (in seconds) to scan for related events, the maximum number of related events to scan, and overrides to the Reconstruction Settings for use with web view reconstructions. Click Apply.

Clear Reconstruction Cache for Services

Under Reconstruction Cache Settings, administrators can clear the cache for one or more services. For example, the administrator can clear the cache for a single Broker, for a Broker and a Decoder, or for all connected services. The following are examples of situations in which a stale cache can be used in a reconstruction.

  • The downstream services may have their sessions invalidated or their data reset. For example, if Investigate is browsing a Broker and a downstream Concentrator or Decoder has a data reset, the metadata and session data held by the investigating service (the Broker) no longer match the content on the downstream service once it has reset and repopulated. The reconstruction in Investigate then shows content from the cache, which does not match the real content. Similarly, even if the Decoder is offline, cached content is still displayed in the Broker reconstruction; clearing the cache on the Broker causes NetWitness Platform to reach out to the Decoder, and an error is returned because the Decoder is offline.
  • Another case where cache may be stale is when a service ID for a downstream service changes. This can happen when exporting, importing, deleting, and adding services to NetWitness Platform because NetWitness Platform can reuse service IDs. In this case, clearing the cache on the Broker causes NetWitness Platform to request data from the services.

To clear reconstruction cache, do one of the following:

  1. To clear cache for one or more services, select the services and click Clear Cache for the Selected Services.
  2. To clear the cache for all listed services, click Clear Cache for All Services.
    The reconstruction cache for the selected services is cleared. NetWitness Platform sends a request for data to the services.
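The staleness mechanism described above, as an added model written for this page rather than NetWitness Platform code: a Broker caches reconstructions keyed by service ID and session ID, so a downstream data reset, a reused service ID, or an offline Decoder stays invisible to analysts until the matching cache entries are cleared. The Decoder and Broker classes, the service and session IDs, and the HTTP request lines are constructed for illustration and do not reflect the product's internal structures.

```python
"""Model of reconstruction-cache staleness (added example, not NetWitness code)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


class DownstreamOffline(Exception):
    """Raised when a reconstruction request reaches a service that is offline."""


@dataclass
class Decoder:
    """Hypothetical downstream service holding session content keyed by session ID."""
    service_id: str
    sessions: Dict[str, bytes]
    online: bool = True

    def fetch(self, session_id: str) -> bytes:
        if not self.online:
            raise DownstreamOffline(self.service_id)
        return self.sessions[session_id]


@dataclass
class Broker:
    """Hypothetical investigating service with a cache keyed by (service_id, session_id)."""
    decoders: Dict[str, Decoder]
    cache: Dict[Tuple[str, str], bytes] = field(default_factory=dict)

    def reconstruct(self, service_id: str, session_id: str) -> bytes:
        key = (service_id, session_id)
        if key in self.cache:
            # A cache hit never contacts the downstream service, so it cannot
            # notice a data reset, a reused service ID, or an offline service.
            return self.cache[key]
        content = self.decoders[service_id].fetch(session_id)
        self.cache[key] = content
        return content

    def clear_cache(self, service_ids: Optional[Set[str]] = None) -> int:
        """Drop entries for the given services (None = all); return how many were dropped."""
        doomed = [k for k in self.cache if service_ids is None or k[0] in service_ids]
        for k in doomed:
            del self.cache[k]
        return len(doomed)


def stale_cache_scenario() -> Dict[str, object]:
    """Walk through the situations the section describes and record what the Broker returns."""
    decoder = Decoder("dec-1", {"sess-42": b"GET /old HTTP/1.1"})  # constructed sample content
    broker = Broker({"dec-1": decoder})
    original = broker.reconstruct("dec-1", "sess-42")

    # 1. Downstream data reset and repopulated: the Decoder now holds different
    #    content under the same session ID, but the Broker keeps serving its cache.
    decoder.sessions = {"sess-42": b"GET /new HTTP/1.1"}
    stale_after_reset = broker.reconstruct("dec-1", "sess-42")
    broker.clear_cache({"dec-1"})
    fresh_after_reset = broker.reconstruct("dec-1", "sess-42")

    # 2. Service ID reuse: the Decoder is deleted and a different one is added that
    #    receives the same service ID. Until the cache is cleared the Broker still
    #    shows the old Decoder's content.
    broker.decoders["dec-1"] = Decoder("dec-1", {"sess-42": b"POST /other HTTP/1.1"})
    stale_after_reuse = broker.reconstruct("dec-1", "sess-42")
    broker.clear_cache()
    fresh_after_reuse = broker.reconstruct("dec-1", "sess-42")

    # 3. Downstream offline: cached content is still displayed; clearing the cache
    #    makes the Broker reach out and surface the error instead.
    broker.decoders["dec-1"].online = False
    served_while_offline = broker.reconstruct("dec-1", "sess-42")
    broker.clear_cache({"dec-1"})
    try:
        broker.reconstruct("dec-1", "sess-42")
        error_after_clear = None
    except DownstreamOffline as exc:
        error_after_clear = f"downstream service {exc} is offline"

    return {
        "original": original,
        "stale_after_reset": stale_after_reset,
        "fresh_after_reset": fresh_after_reset,
        "stale_after_reuse": stale_after_reuse,
        "fresh_after_reuse": fresh_after_reuse,
        "served_while_offline": served_while_offline,
        "error_after_clear": error_after_clear,
    }


if __name__ == "__main__":
    for name, value in stale_cache_scenario().items():
        print(f"{name:22} {value!r}")
```

The point of the model is the key: because the cache is addressed only by service ID and session ID, nothing about a reset, an ID reuse or an outage changes the key, so the only way to get the Broker to re-request data from the downstream service is to clear the affected entries, which is what the Clear Cache buttons do.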
