In the Events view analysts can view a sequential list of network, log and endpoint events, select an event for reconstruction and analysis, and view the raw event and metadata with interactive features that enhance the ability to see meaningful patterns in the data. In Version 11.5 and later, you can drill into metadata for the listed events. The Events view offers packet, file, host, text, log, and email reconstruction. When you open a web reconstruction of an event, the same web reconstruction used in the Legacy Events view is displayed.
The following figure is a high-level workflow illustrating the tasks you can do in NetWitness Investigate, with the Events view tasks highlighted in red.
What do you want to do?
|User Role||I want to ...||Show me how|
Incident Responder or Threat Hunter
review detections and signals seen in my environment
NetWitness Platform Getting Started Guide
|Incident Responder|| |
review critical incidents or alerts
NetWitness Respond User Guide
|Threat Hunter||query a service, metadata, and time range*|
|Threat Hunter|| |
|Threat Hunter|| |
view sequential events*
reconstruct and analyze an event*
|Threat Hunter||examine files and associated hosts*|
|Threat Hunter||perform lookups*|
|Threat Hunter||create an incident or add to an incident*|
add a meta value to a Context Hub list*
*You can perform this task in the current view.
- How NetWitness Investigate Works
- Events View - Packet Tab
- Events View - Text Tab
- Events View - File Tab
- Events View - Email Tab
- Events View - Host Tab
There are multiple access points to this view, which are described in Begin an Investigation in the Events View. If you access the Events view from the Respond view, you can see the analysis for a selected event in an incident. The options are a subset of the options available when you open an event from within the Investigate view. To get complete functionality and examine other events, you can go to the Event view directly (INVESTIGATE > Event ).
The Events view lists events in ascending order by time in the Events panel. The events displayed can be results for the drill point in the Navigate view or Legacy Events view, or results for a query entered in the Events view query bar.
Input fields for a query are displayed so that you can select a service and time range, and type an optional query. When you submit a query, the service being investigated counts the results up to a limit of 10,000 events, and 10,000 network, log, and endpoint events are loaded in the Events panel. Different columns are displayed, depending on the selected column group. You can rearrange and resize the columns, choose a built-in or custom column group, and choose individual columns that you want to see. When you find an event of interest, clicking the event opens the reconstruction in a new panel (Packet, Text , or File).
This figure illustrates the changed elements in Version 11.5 and later.
|1||Query Bar: When a service is selected, displays the service selector, time range selector, and the queries you have entered. You can select a service as described in Begin an Investigation in the Events View and refine the query as described in Filter Results in the Events View. Clicking submits the query and sends a request to the selected service to load the data. In Version 11.3 and later, clicking the (console icon) opens the query console, where detailed status of the query is provided (see Events View below).|
The type of event being analyzed and the type of reconstruction are reflected in the heading.
|3||Reopens the Events panel if you have closed it. For details, see Analyze Events in the Events View.|
|4||Sets preferences for the Event view (see Configure the Events View).|
The Events panel title.
|6||The Column Group drop-down lists built-in and custom column groups that you can apply to the Events panel. Built-in column groups are sometimes updated between one version and the next. Some examples of built-in column groups are Email, Endpoint Analysis, Malware Analysis, Outbound HTTP, Outbound SSL/TLS, and Summary List. Summary List is the default column group. For details, see Use Columns and Column Groups in the Events List.|
|7||The Download drop-down menu lists the available options for downloading event data. The options are Log, Visible Meta, and Network (see Downloading and Acting Upon Results. You can change the preferred format of the event type data in the Event Preferences dialog (see Configure the Events View).|
The Create Incident button enables you to create incidents from events. The Add to Incident button enables you to add selected events to an open and existing incident (see Add Events to an Incident in the Events View and Add Events to an Incident in the Legacy Events View).
|9||Displays the column selection settings to select the individual columns displayed in the Events panel. For details, see Use Columns and Column Groups in the Events List.|
Controls to show or hide the Event Header, show or hide requests and responses, and open the Event Meta panel. For details, see Analyze Events in the Events View.
|11||Controls to change the size of the panel and close the panel. For details, see Analyze Events in the Events View.|
The Event Header provides summary information about the event you are currently analyzing. The selected event is highlighted in the Events panel with a blue background. The summary information is different for the different event types (packet, log, and endpoint). In Version 11.5, the redundant NW Service is removed.
The event data for the event you are currently analyzing.
The Event Meta panel is redesigned in Version 11.5, but has the same functions as in Version 11.4. The Event Meta panel lists the meta keys and values found in the data. This data can be sorted in two ways - Alphabets or Sequence. Some metadata are searchable; they have a binoculars icon, which you can click to see the associated data highlighted in the event data (see Analyze Events in the Events View).
|15||The Version 11.5 main menu for RSA NetWitness Platform has relocated Hosts, Files, and Users (Entities) options for easier access.|
Filter Events Panel
The Filter Events panel is a beta feature added to Version 11.5. Clicking the Filter button () in the Events panel. opens the panel to provide a view of meta keys and meta values found in the data set. See Drill into Metadata in the Events View (BETA) for more information about drilling into metadata.
|Meta Groups Menu|| |
With the Filter Events panel open, you can select a meta group to define the meta keys displayed in the Filter Events panel.The Default Meta Keys meta group is in effect the first time you log in. If you selected a different meta group the last time you logged in, it remains in effect until browser cache is cleared. In Version 11.5.1, the meta group you selected previously is stored in browser cache so it remains in effect until you change it. See Use Meta Groups to Focus on Relevant Meta Keys for details about meta groups.
|Ordering Menu|| |
With the Filter Events panel open, you can look at two parameters for each value: the event count or the event size. Each meta key entry includes either the event count or the event size in parentheses after the value. In both cases, there are four options for ordering:
|Meta Key options button |
The Meta Key options button offers actions that you can take on an individual meta key. In Version 11.5.1, the available options are: Open Only This Key, Copy Values, and Show Debug Info. Show Debug Info displays the time taken to display the meta values, the total time taken to retrieve the meta values from all services, the time taken to retrieve each service, and each service status.
|Meta Key List|| |
An icon before each meta key name identifies the indexing method for the key. The indexing method determines the types of interactions and queries possible using that meta key.
In the query console, you can see which service, time range, and metadata was queried as well as real-time information about the status of the query and the services being queried. A progress bar indicates the query's completion percentage at the bottom of the console. The statuses let you know details about what is happening; for example, you can tell when the query is executing, queued, reading the index file for the queried service, retrieving events, and complete. All statuses and non-fatal messages are displayed as they come in, and the border color changes if a non-fatal error occurs. View Status of a Query provides additional details on this subject.
Several messages that may be displayed in the query console require additional explanation.
Message: Maximum value limit (valueMax) of %1% reached on meta key %2% in index slice %3%
Explanation: The valueMax property on the specified meta key has been reached in the index being queried. An administrator configures this inside the index files available in ADMIN > Services > [Service Name] > Files > index-[service type].xml or index-[service type]-custom.xml. As an example, the statement below from the index file states the meta key called client has a limit of 250,000 values by default.
<key description="Client Application" level="IndexValues" name="client" format="Text" valueMax="250000" />
Message: The query on channel %2% was auto-canceled by the system for exceeding time usage limits. Check timeout values.
The server has a per-operation limit on execution time, and the requested operation exceeded the limit. To avoid this error, split the operation into smaller pieces, such as smaller time ranges.
Memory limit of %1% reached, controlled by setting max.query.memory
The server has a per-operation limit on memory utilization, and the requested operation exceeded the limit. The limit is related to the amount of memory in the server, which an administrator can adjust in ADMIN > Services > [Service Name] > sdk > config. To avoid this error, split the operation into smaller pieces, such as smaller time ranges.
Quick Look for Version 11.0.0.x (End-Of-Life)
The following figure highlights the major features of the Event Analysis view for Version 11.0.0.x.
|1||The read-only breadcrumb displays the selected service, time range, and query entered in the Navigate view or Events view.|
|2||This is a read-only list of events based on the query made in the Navigate or Events view. The Events panel includes a count of the events. You can rearrange and resize columns. You can scroll to the bottom of the list, and load more events (see Analyze Events in the Events View).|
|3, 8||Controls to change the size of the panel and close the panel.|
|4||The type of event being analyzed is reflected in the heading: Network Event Details, Log Event Details, or Endpoint Event Details. Each view is discussed in detail in Analyze Events in the Events View.|
|5||The types of analysis available for the event type. Network events can use all three types of analysis: text, packet, and file. Log and endpoint events use only text analysis.|
|6||These options vary for the different types of analysis. They are discussed in detail in Analyze Events in the Events View.|
Controls to show or hide the Event Header, show or hide requests and responses, and open the Event Meta panel (12). These controls are described in Analyze Events in the Events View.
|9||Reopens the Events panel or the Event Meta panel if you have closed it.|
|10||The Event Header provides summary information about the event. This information is different for the different event types (packet, log, and endpoint).|
|11||The event data (sometimes called a payload for packets). The event data for a log event or endpoint event is typically a line of text from the raw log rather than request and response shown for a packet.|
|12||The Event Meta panel lists the meta keys and values found in the data. Some meta data are searchable; they have a binoculars icon, which you can click to see the associated data highlighted in the event data (see Analyze Events in the Events View.|