Investigate: Event Analysis View

Document created by RSA Information Design and Development on Sep 18, 2017Last modified by RSA Information Design and Development on Oct 24, 2017
Version 8Show Document
  • View in full screen mode

In the Event Analysis view, interactive features enhance your ability to find meaningful patterns in the data. This is an alternative to the static Event Reconstruction view. Analysts who are assigned a user role with access to the Event Analysis view can examine network, log, and endpoint events in the Event Analysis view. You can choose between this view or the Event Reconstruction view.

The Event Analysis view lists the events associated with the current drill point in the Navigate view in order by time. When you click an event, the Network Event Details, Log Event Details, or the Endpoint Event Details panel opens in the same browser window. Each type of event has one or more types of analysis: Text Analysis, Packet Analysis, and File Analysis.

To access this window, do one of the following:

  • In the Events view with Detail View selected, click Event Analysis at the end of the event,
  • In the Event Reconstruction toolbar, click Event Analysis.


the Investigate workflow with Conduct Interactive Analysis highlighted

What do you want to do?

User RoleI want to ...Documentation

Threat Hunter

submit a queryBeginning an Investigation of a Service or Collection
Threat Hunter view query results Conducting an Investigation

Threat Hunter

reconstruct an event

Reconstruct an Event

Threat Hunter analyze an event*

Analyze Events in the Event Analysis View

Threat Hunterconduct malware analysisConducting Malware Analysis

Incident Responder

investigate an incident

NetWitness Respond User Guide

*You can perform this task in the current view.

Related Topics

Quick Look

When you open a drill point in the Event Analysis view, the service being investigated counts the results of the initial query up to a limit of 100,000 events, and the first 1,000 events, packets ,logs, and endpoint events are loaded in the Event list panel. The columns in the Event list panel list the Event Time, Event Type (Network, Log, or Endpoint), Event Size, and Summary. You can:

  • Scroll through the list and click Load More to see the next 100000 events.
  • Drag the columns to rearrange the order.
  • Make columns wider or narrower.
  • View the event analysis of an event.

1The read-only breadcrumb shows the query used to produce this data set. All queries are done in the Navigate view or the Events view.

This is a read-only list of events based on the query made in the Navigate or Events view.

The Event list includes a count of the events. You can rearrange and resize columns. You can scroll to the bottom of the list, and load more events (see Analyze Events in the Event Analysis View).

3 and 8Controls to change the size of the panel and close the panel.
4The type of event being analyzed is reflected in the heading: Network Event Details, Log Event Details, or Endpoint Event Details. Each view is discussed in detail in Analyze Events in the Event Analysis View.
5The types of analysis available for the event type. Network events can use all three types of analysis: text, packet, and file. Log and endpoint events use only text analysis.
6These options vary for the different types of analysis. They are discussed in detail in Analyze Events in the Event Analysis View.

Controls to show or hide the Event Header, show or hide requests and responses, and open the Event Meta panel (12). These controls are described in Analyze Events in the Event Analysis View.

the Display Header icon Click this icon to hide the Event Header or display it. Hiding the header allows more space for the packet list, reducing the amount of scrolling required to view more packets.

Click to display the Event Meta panel for the event in another panel.

9Reopen the Event list panel or the Event Meta panel if you have closed it.
10Event Header, which provides summary information about the event. This information is different for the different event types (packet, log, and endpoint).
11The event data (sometimes called a payload for packets). The event data for a log event or endpoint event is typically a line of text from the raw log rather than request and response shown for a packet.
12The Event Meta panel lists the meta keys and values found in the data. Some meta data are searchable; they have a binoculars icon, which you can click to see the associated data highlighted in the event data (see Analyze Events in the Event Analysis View.
You are here
Table of Contents > Investigation Reference Materials > Event Analysis View