Investigate: Event Analysis View

Document created by RSA Information Design and Development on Sep 18, 2017. Last modified by RSA Information Design and Development on Sep 11, 2018.
Version 17

In the Event Analysis view, analysts can view raw events and metadata with interactive features that enhance the ability to find meaningful patterns in the data. This is an alternative to the static Event Reconstruction view. You can examine network, log, and endpoint events in the Event Analysis view. The Event Analysis view offers packet, text, and log reconstruction; it does not support email and web reconstruction directly. However, in Version 11.1 and later, you can open the current results as an email or web reconstruction in the Events view.

Note: The administrator sets permission for analysts to access this view. If your administrator has not given you access, and you navigate to the Event Analysis view by any means, the following message is displayed: Forbidden. You cannot access the requested page. For example, if you are viewing a reconstruction from the Events view and attempt to view the same reconstruction in the Event Analysis view, you will see the Forbidden message.

The events displayed in the Event Analysis view are for the current drill point in the Navigate view or Events view. Beginning with Version 11.1, the events can also be the results of a query entered in the Event Analysis view breadcrumb. Whatever the source of the query, the Event Analysis view lists events in order by time. You can rearrange and resize the columns. In Version 11.1 and later, you can also choose the columns that you want to see and select one of the built-in column groups or a custom column group.

When you click an event, the Network Event Details, Log Event Details, or the Endpoint Event Details panel opens in the same browser window. Each type of event has one or more types of analysis: Text Analysis, Packet Analysis, and File Analysis.

There are multiple access points to this view, which are described in Begin an Investigation in the Event Analysis View.

Note: If you access Event Analysis from the Respond view, you can see the Event Analysis for a selected event in an incident; the options are a subset of the options available when you open an event from within the Investigate view. To get complete functionality and examine other events, you can go to the Event Analysis view directly (INVESTIGATE > Event Analysis).

Workflow

The following figure is a high-level workflow illustrating the tasks you can do in NetWitness Investigate, with the Event Analysis view tasks highlighted in red.

the Investigate Workflow with Analyze Raw Events and Metadata highlighted

What do you want to do?

User Role | I want to ... | Show me how
--- | --- | ---
Threat Hunter | browse event metadata | Begin an Investigation in the Navigate or Events View
Threat Hunter | browse raw events | Begin an Investigation in the Navigate or Events View
Threat Hunter | analyze raw events and metadata* | Begin an Investigation in the Event Analysis View
Threat Hunter | query events in the Event Analysis view (Version 11.1)* | Filter Results in the Event Analysis View
Threat Hunter | export events and files in the Event Analysis view* | Download Data in the Event Analysis View
Threat Hunter | reconstruct events in the Event Analysis view* | Examine Events in the Event Analysis View
Threat Hunter | perform external lookups from the Event Analysis view (Version 11.1)* | Act on Data in the Event Analysis View
Threat Hunter | query events in the Navigate view | Investigating Metadata in the Navigate View
Threat Hunter | query events in the Events view | Examining Raw Events in the Events View
Threat Hunter | investigate endpoints (Version 11.1) | Investigate Hosts
Threat Hunter | find suspicious endpoint files (Version 11.1) | Investigate Files
Threat Hunter | scan files and events for malware | Conducting Malware Analysis
Incident Responder | triage an incident in Investigate | NetWitness Respond User Guide

*You can perform this task in the current view.

Related Topics

Quick Look

When you first open Investigate, input fields for a query are displayed so that you can select a service and time range, and type an optional query.

  • Version 11.0 has the input fields in the Navigate view and the Events view.
  • Version 11.1 has the input fields in the Navigate view, the Events view, and the Event Analysis view.

When you open a drill point in the Event Analysis view, the service being investigated counts the results of the initial query up to a limit of 100,000 events, and the first 100 events (packet, log, and endpoint events) are loaded in the Events panel. The columns in the Events panel are Event Time, Event Type (Network, Log, or Endpoint), Event Size, and Summary. You can:

  • Scroll through the list and click Load More to see the next 100 events.
  • Select a column group (Version 11.1 and later).
  • Select the columns that you want to include (Version 11.1 and later).
  • Drag the columns to rearrange the order.
  • Make columns wider or narrower.
  • View the event analysis of an event.

The following figure highlights the major features of the Event Analysis view for Version 11.1 and later.

a quick look at the Event Analysis view for Version 11.1

Note: Version 11.2 included an undocumented beta feature, called Next Gen mode, in the Event Analysis view query builder that was still being developed and tested; Next Gen mode was disabled in the 11.2.0.1 patch. If you see Next Gen mode do not use it; you should use only the Guided Mode and Free-Form Mode in the query builder to ensure consistent and predictable results.
Next Gen Mode

1. Interactive Breadcrumb: When a service is selected, displays the service selector, time range selector, and the queries you have entered. In Version 11.1 and later, you can select a service as described in Begin an Investigation in the Event Analysis View and refine the query as described in Filter Results in the Event Analysis View. Clicking the Submit Query button submits the query and sends a request to the selected service to load the data.
2. The type of event being analyzed is reflected in the heading: Network Event Details, Log Event Details, or Endpoint Event Details. Each view is discussed in detail in Examine Events in the Event Analysis View.
3. The types of analysis available for the event type. Network events can use all types of analysis: text, packet, and file. Log and endpoint events use only text analysis.
4. The Email and Web analysis types open the current event as an email or web reconstruction in the Events view.
5. These options vary for the different types of analysis. They are discussed in detail in Examine Events in the Event Analysis View.
6. Controls to show or hide the Event Header, show or hide requests and responses, and open the Event Meta panel (16). These controls are described in Examine Events in the Event Analysis View.
7, 11. Controls to change the size of the panel and close the panel.
8. Reopens the Events panel or the Event Meta panel if you have closed it.
9. Sets preferences for the Event Analysis view (see Configure the Event Analysis View).
10. The Events panel for Version 11.1 is interactive, displaying query results as you submit updated queries. The Events panel includes a count of the events. You can rearrange and resize columns. You can scroll to the bottom of the list and load more events (see Examine Events in the Event Analysis View).
12. The Column Group drop-down lists built-in and custom column groups that you can apply to the Events panel. The built-in column groups are Email Analysis, Endpoint Analysis, Malware Analysis, Outbound HTTP, Outbound SSL/TLS, and Summary List. Summary List is the default column group.
13. Settings to select the columns included in the Events panel.
14. The Event Header provides summary information about the event. This information is different for the different event types (packet, log, and endpoint).
15. The event data (sometimes called a payload for packets). The event data for a log event or endpoint event is typically a line of text from the raw log rather than the request and response shown for a packet.
16. The Event Meta panel lists the meta keys and values found in the data. Some metadata are searchable; they have a binoculars icon, which you can click to see the associated data highlighted in the event data (see Examine Events in the Event Analysis View).

 

The following figure highlights the major features of the Event Analysis view for Version 11.0.0.x.

the Event Analysis view in Version 11.0

1. The read-only breadcrumb displays the selected service, time range, and query entered in the Navigate view or Events view.
2. This is a read-only list of events based on the query made in the Navigate or Events view. The Events panel includes a count of the events. You can rearrange and resize columns. You can scroll to the bottom of the list and load more events (see Examine Events in the Event Analysis View).
3, 8. Controls to change the size of the panel and close the panel.
4. The type of event being analyzed is reflected in the heading: Network Event Details, Log Event Details, or Endpoint Event Details. Each view is discussed in detail in Examine Events in the Event Analysis View.
5. The types of analysis available for the event type. Network events can use all three types of analysis: text, packet, and file. Log and endpoint events use only text analysis.
6. These options vary for the different types of analysis. They are discussed in detail in Examine Events in the Event Analysis View.
7. Controls to show or hide the Event Header, show or hide requests and responses, and open the Event Meta panel (12). These controls are described in Examine Events in the Event Analysis View.
9. Reopens the Events panel or the Event Meta panel if you have closed it.
10. The Event Header provides summary information about the event. This information is different for the different event types (packet, log, and endpoint).
11. The event data (sometimes called a payload for packets). The event data for a log event or endpoint event is typically a line of text from the raw log rather than the request and response shown for a packet.
12. The Event Meta panel lists the meta keys and values found in the data. Some metadata are searchable; they have a binoculars icon, which you can click to see the associated data highlighted in the event data (see Examine Events in the Event Analysis View).