Services Config View - Auditing Tab

Document created by RSA Information Design and Development on Sep 15, 2017. Last modified by RSA Information Design and Development on Sep 19, 2017. Version 2.

In the Events view and the New Events view - Reconstruction panel (Investigate > Events panel > click an event), you can safely view a reconstruction of an event of interest that you found in the Navigate view or the Events panel.

Workflow

What do you want to do?

User Role      I want to ...                           Documentation
Threat Hunter  submit query                            Conducting an Investigation
Threat Hunter  view query results                      Viewing Events
Threat Hunter  reconstruct an event*                   Working with Event Reconstruction in the New Event Detail View
Threat Hunter  export files from an event              Working with Event Reconstruction in the New Event Detail View
Threat Hunter  look up additional context of an event  Looking up Contextual Information

Related Topics

Quick Look

The Investigate Reconstruction panel displays a reconstruction of a single event in Packet View, File View, and Text View. When you click an event in the Events panel, the adjacent Reconstruction panel shows the packet reconstruction of the event. You can use the options in the Event Reconstruction toolbar to change the reconstruction type and direction (request or response), to hide or display the header panel, and to expand, contract, and close the Event Reconstruction panel. Depending on the reconstruction type selected and the contents of the payload, additional options are available. For example, you can display the payload only in the Text View, download files in the Files View, and download PCAP files in the Packet View.

Below is an example of a packet Reconstruction.

Event Reconstruction with labels

NetWitness Suite Reconstruction Settings and Reconstruction Cache Settings allow an administrator to manage application performance for Investigation. As analysts reconstruct the sessions they are investigating, two situations can affect performance and results:

  • Some events can be very large and contain many thousands of source packets. Reconstructing these types of sessions can degrade application performance.
  • In some cases, the reconstruction cache can present incorrect content; for this reason, Security Analytics cleans cache that is older than a day every 24 hours. Between the daily cache cleanings, certain actions may result in stale cache being used for a reconstruction, and if the need arises, administrators can manually clear cache for one or more services that are connected to the current Security Analytics server.
1. Tabs or drop-down menu to select the reconstruction type: packet view, file view, text view. The currently selected type is displayed in the label.
2. Click to hide or show the header panel.
3. Click these icons to display the Request, Response, or both.
4. Click this icon to show or hide the Event Meta panel, which provides a detailed listing of meta data associated with the event.
5. An option to expand or contract the Reconstruction panel horizontally in the Navigate view.
6. An option to close the Reconstruction panel.
7. The header displays summary information for the event being reconstructed.
8. Lists each packet in the event. For each packet, you can see the packet number, the direction (Request or Response), and the packet contents in binary format on the left, hexadecimal format in the middle, and text format on the right.

Packet Reconstruction Details

In the packet reconstruction, Investigate provides the packet number, the direction of the packet (Request or Response), the packet start time, and then the contents of the packet.


All packets begin with a header, and some packets have a footer. In the Packet View, the header and footer have a darker background so that you can distinguish them from the payload of the packet. The darker background for the header and footer appears in both the hexadecimal and text format.

a header and footer in the Packet View

The contents of the packet are provided in hexadecimal and text format. The meta data is highlighted in blue; when you hover over the meta data, the meta key/meta value information is displayed as a screen tip.

Additional options in the Packet View include the ability to Download the PCAP for the event, and display payloads only. When Payload only is displayed, you can use the Shade Bytes option to help distinguish patterns in the data.

Text Reconstruction Details

In the Text reconstruction, network events and log events are presented differently. For network events, Investigate provides the direction of the packet (Request or Response) and contents of each packet in text format.

For log events (filter on Medium = Log), there is no request or response; only the raw log is displayed in the Text reconstruction.

A subset of the reconstruction options is available in the Text View. You can:

  • Hide and show the header.
  • For Network events, select display of Requests only, Responses only, or both.
  • For Network events, export the session as a PCAP file.
  • For Log events, export the raw log.
  • Switch between a compressed and decompressed view of payloads. When the session is decompressed, the compressed parts of the text become readable.
  • Select text for decoding and encoding.

Note: This feature is not available for the File view, non-http network sessions, and log data.

File Reconstruction Details

In the File reconstruction, Investigate presents a list of files associated with the selected network event.

You can select one file, one or more files, or all files to export to your local file system. When files are selected, the Export Files button becomes active and reflects the number of files selected. Clicking the button exports the selected files as a zip archive, which ensures that any potentially malicious files will not be opened by the default application and executed. The exported archive is named using the following convention:

<service-ID or host name>_SID<nnnnnnnn>_FC<n>.zip

where:

  • <service-ID or host name> is the name of the service (for example, a Concentrator or Broker) where the session was saved.
  • SID<nnnnnnnn> is the session ID number.
  • FC<n> is the file count, that is, the number of files in the archive.

To prevent an archive from being unzipped automatically when downloaded, NetWitness Suite exports the archive with password protection. To open an archive, enter the following password: netwitness.

Caution: Caution is advised when unzipping and opening files that are associated with a default application; for example, an Excel spreadsheet may automatically open in Excel before you have a chance to verify it is safe.
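The naming convention and the "do not auto-open" caution above lend themselves to a small triage helper. The following is an added example, not NetWitness code: it parses an export file name, checks the FC<n> count against the archive's actual members, and records each member's size and SHA-256 by reading it in memory rather than extracting it. The archive and its member names are constructed for the example; it is written unencrypted because the Python standard library cannot create password-protected ZIPs.

```python
import hashlib
import io
import re
import zipfile

# Naming convention for exported file archives, as documented above:
#   <service-ID or host name>_SID<nnnnnnnn>_FC<n>.zip
ARCHIVE_NAME = re.compile(r"^(?P<service>.+)_SID(?P<sid>\d+)_FC(?P<count>\d+)\.zip$")
# Documented password that keeps the archive from being unzipped automatically.
EXPORT_PASSWORD = b"netwitness"

def parse_archive_name(name):
    """Return (service, session_id, file_count) from an export name, or None."""
    m = ARCHIVE_NAME.match(name)
    if m is None:
        return None
    return m.group("service"), int(m.group("sid")), int(m.group("count"))

def inventory_archive(data, password=EXPORT_PASSWORD):
    """List (member, size, sha256) by reading members in memory only, so no
    file touches disk or gets handed to a default application."""
    entries = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        zf.setpassword(password)
        for info in zf.infolist():
            if info.is_dir():
                continue
            digest = hashlib.sha256(zf.read(info)).hexdigest()
            entries.append((info.filename, info.file_size, digest))
    return entries

def check_export(name, data):
    """Verify the name follows the convention and FC<n> matches the members."""
    parsed = parse_archive_name(name)
    if parsed is None:
        return False, "name does not follow the export convention"
    declared = parsed[2]
    actual = len(inventory_archive(data))
    if declared != actual:
        return False, "FC%d declared but %d members found" % (declared, actual)
    return True, "%d members inventoried without extraction" % actual

def build_sample_archive():
    """Constructed stand-in for an export. It is unencrypted because the stdlib
    cannot write ZipCrypto; setpassword() is ignored for unencrypted members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.xlsx", b"constructed spreadsheet bytes")
        zf.writestr("setup.exe", b"constructed executable bytes")
    return "concentrator01_SID00012345_FC2.zip", buf.getvalue()
```

The hashes collected this way can be checked against threat intelligence before anyone decides whether a member needs to be opened at all.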

Detailed Description

Feature / Description

Reconstruction type menu
    In this menu, you can select the type of reconstruction: Packet or File. When you first open a reconstruction, NetWitness Suite chooses the best reconstruction by default.

Download options
    Options for exporting a log, a PCAP, or files for deeper analysis and to share with others.

(icon)
    Controls the display of a header above the packet list; you can click this icon to hide the header or display it. Hiding the header allows more space for the packet list, reducing the amount of scrolling required to view more packets.
    The header provides information about the reconstructed event: the name of the service that collected the packet, session or event number, type of event (network), source IP:port, destination IP:port, service type, first packet time in the event, last packet time in the event, event size, payload size in bytes, packet count, and the flags applied to the event (keep, assembled, App meta, network meta).

(icons)
    Two controls turn the display of Request and Response on and off (see Reconstructing Events).

(icon)
    Displays the meta details for the event in another panel.

(icon)
    (Future) Settings menu.

(icons)
    Sizing controls for the Reconstruction panel (see Reconstructing Events).

(icon)
    Closes the Reconstruction panel. The view then shows only the Events panel.
