Investigate: Event Analysis View

Document created by RSA Information Design and Development on Sep 18, 2017. Last modified by RSA Information Design and Development on Apr 25, 2019.
Version 19

In the Event Analysis view, analysts can view a list of events, select an event for analysis, and view the raw event and its metadata with interactive features that make meaningful patterns in the data easier to see. This is an alternative to the static Events view and Event Reconstruction view. You can view network, log, and endpoint events in the Event Analysis view. The Event Analysis view offers packet, text, and file reconstruction. It does not support email and web reconstruction directly; however, from the current event you can open an email or web reconstruction in the Events view.

Note: The administrator sets permission for analysts to access this view. If your administrator has not given you access, and you navigate to the Event Analysis view by any means, the following message is displayed: Forbidden. You cannot access the requested page. For example, if you are viewing a reconstruction from the Events view and attempt to view the same reconstruction in the Event Analysis view, you will see the Forbidden message.

Workflow

The following figure is a high-level workflow illustrating the tasks you can do in NetWitness Investigate, with the Event Analysis view tasks highlighted in red.

the workflow for investigating in the Event Analysis view

What do you want to do?


*You can perform this task in the current view.

Related Topics

Quick Look

There are multiple access points to this view, which are described in Begin an Investigation in the Event Analysis View. If you access Event Analysis from the Respond view, you can see the analysis for a selected event in an incident. The options are a subset of the options available when you open an event from within the Investigate view. To get complete functionality and examine other events, you can go to the Event Analysis view directly (INVESTIGATE > Event Analysis).

The Event Analysis view lists events in ascending order by time in the Events panel. The events displayed can be results for the drill point in the Navigate view or Events view, or results for a query entered in the Event Analysis view breadcrumb.

Input fields for a query are displayed so that you can select a service and time range, and type an optional query. When you submit a query, the service being investigated counts the results up to a limit of 50,000 events, and up to 50,000 network, log, and endpoint events are loaded in the Events panel. Different columns are displayed, depending on the selected column group. You can rearrange and resize the columns, choose a built-in or custom column group, and choose the individual columns that you want to see. When you find an event of interest, clicking the event opens the reconstruction in a new panel (Packet Analysis, Text Analysis, or File Analysis).

Note: For versions earlier than 11.3, the first 100 events are loaded. You can scroll through the list and click Show Next 100 Events at the bottom of the list. If the next page contains fewer than 100 events, the button changes to reflect the number of remaining events.

The following figure highlights the major features of the Event Analysis view for Versions 11.3 and later.

the 11.3 Event Analysis view with features identified

1 Query Bar: When a service is selected, displays the service selector, time range selector, and the queries you have entered. You can select a service as described in Begin an Investigation in the Event Analysis View and refine the query as described in Filter Results in the Event Analysis View. Clicking the submit query icon submits the query and sends a request to the selected service to load the data. In Version 11.3, clicking the query console icon (console icon) opens the query console, where detailed status of the query is provided (see Query Console below).
2 The type of event being analyzed is reflected in the heading: Network Event Details, Log Event Details, or Endpoint Event Details. For details, see Reconstruction Types in the Event Analysis View.
3 The types of analysis available for the event type. Network events can use all types of analysis: text, packet, and file. Log and endpoint events use only text analysis.
4 The Email and Web analysis types open the current event as an email or web reconstruction in the Events view.
5 These options vary for the different types of analysis. For details, see Examine Events in the Event Analysis View.
6 Controls to show or hide the Event Header, show or hide requests and responses, and open the Event Meta panel (16). For details, see Examine Events in the Event Analysis View.
7, 11 Controls to change the size of the panel and close the panel. For details, see Examine Events in the Event Analysis View.
8 Reopens the Events panel or the Event Meta panel if you have closed it. For details, see Examine Events in the Event Analysis View.
9 Sets preferences for the Event Analysis view (see Configure the Event Analysis View).
10 The Events panel title. In Version 11.3 and later, the Events panel title is slightly different from the title in prior versions, and a row number indicator has been added. The title lists the number of events and the sort order; for example, 24,000 Events (Asc) means that 24,000 events were found and they are listed in ascending order by time. If more than 50,000 events are found, only the oldest 50,000 events are displayed in ascending order, and an amber triangle highlights the fact that not all events were loaded. This may indicate that you need to refine the query (for more information about refining the events listed here, see Filter Results in the Event Analysis View). Versions prior to 11.3 simply list the number of events found, and you can load 100 of them at a time.
12 The Column Group drop-down lists built-in and custom column groups that you can apply to the Events panel. Built-in column groups are sometimes updated between one version and the next. Some examples of built-in column groups are Email Analysis, Endpoint Analysis, Malware Analysis, Outbound HTTP, Outbound SSL/TLS, and Summary List. Summary List is the default column group.
13 Settings to select the individual columns displayed in the Events panel.
14 The Event Header provides summary information about the event you are currently analyzing. The selected event is highlighted in the Events panel with a blue background. The summary information is different for the different event types (packet, log, and endpoint).
15 The event data for the event you are currently analyzing.

  • For a packet, the data is called a payload and is displayed in the form of a request and response.
  • For a log event, the data is a line of text from the raw log.
  • For an endpoint event, the event data comes from the NetWitness Endpoint Insights Agents running on hosts in the network. It may be a single process, driver, DLL, file (executable), service, or autorun, together with information about logged-in users. (See the NetWitness Endpoint User Guide for complete information about endpoint event data.)

16 The Event Meta panel lists the meta keys and values found in the data. Some metadata are searchable; they have a binoculars icon, which you can click to see the associated data highlighted in the event data (see Examine Events in the Event Analysis View).
17 (Version 11.3) Because up to 50,000 events can be loaded, a row number indicator appears at the beginning of every hundred events, beginning with 200.

Query Console

Clicking the query console icon (the console icon) opens the query console, where detailed status of the query is provided.

example of the query console after a query has completed

In the query console, you can see which service, time range, and metadata was queried as well as real-time information about the status of the query and the services being queried. A progress bar indicates the query's completion percentage at the bottom of the console. The statuses let you know details about what is happening; for example, you can tell when the query is executing, queued, reading the index file for the queried service, retrieving events, and complete. All statuses and non-fatal messages are displayed as they come in, and the border color changes if a non-fatal error occurs. View Status of a Query provides additional details on this subject.

Several messages that may be displayed in the query console require additional explanation.

Message: Maximum value limit (valueMax) of %1% reached on meta key %2% in index slice %3%

Explanation: The valueMax property on the specified meta key has been reached in the index being queried. An administrator configures this inside the index files available in ADMIN > Services > [Service Name] > Files > index-[service type].xml or index-[service type]-custom.xml. As an example, the statement below from the index file states the meta key called client has a limit of 250,000 values by default.

<key description="Client Application" level="IndexValues" name="client" format="Text" valueMax="250000" />

Message: The query on channel %2% was auto-canceled by the system for exceeding time usage limits. Check timeout values.

Explanation: The server has a per-operation limit on execution time, and the requested operation exceeded the limit. To avoid this error, split the operation into smaller pieces, such as smaller time ranges.

Message: Memory limit of %1% reached, controlled by setting max.query.memory

Explanation: The server has a per-operation limit on memory utilization, and the requested operation exceeded the limit. The limit is related to the amount of memory in the server, which an administrator can adjust in ADMIN > Services > [Service Name] > sdk > config. To avoid this error, split the operation into smaller pieces, such as smaller time ranges.
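The Python helpers below are an added example, not part of the RSA documentation or of the NetWitness product. They show how an analyst might act on the three console messages offline: parse a valueMax message, confirm the reported limit against the key's definition in the index file, and split a query's time range into smaller windows, which is the workaround the text recommends for the time and memory limits. The <key> line is the one quoted above; the surrounding <language> root element, the second key, the concrete message instance, and the assumption that the slice identifier contains no whitespace are all constructed for the example.

```python
"""Helpers for acting on Event Analysis query-console messages (added example)."""
import re
from datetime import datetime, timedelta
from xml.etree import ElementTree as ET

# Constructed sample index fragment. The "client" <key> is the line quoted in
# the documentation; the <language> root and the "ip.dst" key are assumptions.
SAMPLE_INDEX_XML = """<language level="IndexNone" defaultAction="Auto">
  <key description="Client Application" level="IndexValues" name="client" format="Text" valueMax="250000" />
  <key description="Destination IP" level="IndexValues" name="ip.dst" format="IPv4" />
</language>
"""

# Template from the console: "Maximum value limit (valueMax) of %1% reached on
# meta key %2% in index slice %3%". Assumes the slice id has no whitespace.
VALUE_MAX_RE = re.compile(
    r"Maximum value limit \(valueMax\) of (?P<limit>\d+) reached on meta key "
    r"(?P<key>\S+) in index slice (?P<slice>\S+)"
)


def value_max_by_key(xml_text):
    """Map every <key name=...> in an index file to its valueMax (None if unset)."""
    root = ET.fromstring(xml_text)
    limits = {}
    for key in root.iter("key"):
        raw = key.get("valueMax")
        limits[key.get("name")] = int(raw) if raw is not None else None
    return limits


def parse_value_max_message(message):
    """Extract limit, meta key and slice from a valueMax console message, or None."""
    m = VALUE_MAX_RE.search(message)
    if m is None:
        return None
    return {"limit": int(m.group("limit")), "key": m.group("key"), "slice": m.group("slice")}


def check_value_max(message, index_xml):
    """Cross-check a valueMax message against the index file the admin maintains.

    Returns the parsed message plus the configured limit for that key and whether
    the two agree; a mismatch usually means a custom index file overrides the
    default one and should be inspected.
    """
    parsed = parse_value_max_message(message)
    if parsed is None:
        return None
    configured = value_max_by_key(index_xml).get(parsed["key"])
    parsed["configured"] = configured
    parsed["matches_index"] = configured == parsed["limit"]
    return parsed


def split_time_range(start_iso, end_iso, window_minutes):
    """Split [start, end) into consecutive windows of at most window_minutes.

    Use the resulting (start, end) pairs as separate queries when the console
    reports the time-usage or max.query.memory limit. The last window is
    shortened so the ranges cover the original span exactly, without overlap.
    """
    start = datetime.fromisoformat(start_iso)
    end = datetime.fromisoformat(end_iso)
    if end <= start:
        raise ValueError("end must be after start")
    if window_minutes <= 0:
        raise ValueError("window_minutes must be positive")
    window = timedelta(minutes=window_minutes)
    ranges = []
    cursor = start
    while cursor < end:
        nxt = min(cursor + window, end)
        ranges.append((cursor.isoformat(), nxt.isoformat()))
        cursor = nxt
    return ranges


if __name__ == "__main__":
    # Constructed message instance matching the documented template.
    msg = "Maximum value limit (valueMax) of 250000 reached on meta key client in index slice 7"
    print(check_value_max(msg, SAMPLE_INDEX_XML))
    for win in split_time_range("2019-04-25T00:00:00", "2019-04-25T02:30:00", 60):
        print(win)
```

The range splitter deliberately produces half-open, non-overlapping windows so that re-running the pieces does not double-count events at the boundaries; when a single window still trips the limit, halve the window size and try again.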

Quick Look for Version 11.0.0.x (End-Of-Life)

The following figure highlights the major features of the Event Analysis view for Version 11.0.0.x.

the Event Analysis view in Version 11.0

1 The read-only breadcrumb displays the selected service, time range, and query entered in the Navigate view or Events view.
2 This is a read-only list of events based on the query made in the Navigate or Events view. The Events panel includes a count of the events. You can rearrange and resize columns. You can scroll to the bottom of the list and load more events (see Examine Events in the Event Analysis View).
3, 8 Controls to change the size of the panel and close the panel.
4 The type of event being analyzed is reflected in the heading: Network Event Details, Log Event Details, or Endpoint Event Details. Each view is discussed in detail in Examine Events in the Event Analysis View.
5 The types of analysis available for the event type. Network events can use all three types of analysis: text, packet, and file. Log and endpoint events use only text analysis.
6 These options vary for the different types of analysis. They are discussed in detail in Examine Events in the Event Analysis View.
7 Controls to show or hide the Event Header, show or hide requests and responses, and open the Event Meta panel (12). These controls are described in Examine Events in the Event Analysis View.
9 Reopens the Events panel or the Event Meta panel if you have closed it.
10 The Event Header provides summary information about the event. This information is different for the different event types (packet, log, and endpoint).
11 The event data (called a payload for packets). For a log event or endpoint event, the event data is typically a line of text from the raw log, rather than the request and response shown for a packet.
12 The Event Meta panel lists the meta keys and values found in the data. Some metadata are searchable; they have a binoculars icon, which you can click to see the associated data highlighted in the event data (see Examine Events in the Event Analysis View).
