In the Event Analysis view analysts can view raw events and meta data with interactive features that enhance the ability to find meaningful patterns in the data. This is an alternative to the static Event Reconstruction view. You can examine network, log, and endpoint events in the Event Analysis view. The Event Analysis view offers packet, text, and log reconstruction, and does not support email and web reconstruction directly. However, in Version 11.1 and later, you can open an email or web reconstruction of the current results in the Events view email or web reconstruction.
Note: The administrator sets permission for analysts to access this view. If your administrator has not given you access, and you navigate to the Event Analysis view by any means, the following message is displayed: Forbidden. You cannot access the requested page. For example, if you are viewing a reconstruction from the Events view and attempt to view the same reconstruction in the Event Analysis view, you will see the Forbidden message.
The events displayed in the Events Analysis view are for the current drill point in the Navigate view or Events view. Beginning with Version 11.1, the events can be the results of a query entered in the Event Analysis view breadcrumb. Whatever the source of the query, the Event Analysis view lists events in order by time. You can rearrange and resize the columns, In Version 11.1 and later, you can also choose the columns that you want to see and select one of the built-in column groups or a custom column group.
When you click an event, the Network Event Details, Log Event Details, or the Endpoint Event Details panel opens in the same browser window. Each type of event has one or more types of analysis: Text Analysis, Packet Analysis, and File Analysis.
There are multiple access points to this view, which are described in Begin an Investigation in the Event Analysis View.
Note: If you access Event Analysis from the Respond view, you can see the Event Analysis for a selected event in an incident; the options are a subset of the options available when you open an event from within the Investigate view. To get complete functionality and examine other events, you can go to the Event Analysis view directly (INVESTIGATE > Event Analysis).
Workflow
The following figure is a high-level workflow illustrating the tasks you can do in NetWitness Investigate, with the Event Analysis view tasks highlighted in red.
What do you want to do?
*You can perform this task in the current view.
Related Topics
- How NetWitness Investigate Works
- Event Analysis View - Packet Analysis Panel
- Event Analysis View - Text Analysis Panel
- Event Analysis View - File Analysis Panel
Quick Look
When you first open Investigate, input fields for a query are displayed so that you can select a service and time range, and type an optional query.
- Version 11.0 has the input fields in the Navigate view and the Events view.
- Version 11.1 has the input fields in the Navigate view, the Events view, and the Event Analysis view.
When you open a drill point in the Event Analysis view, the service being investigated counts the results of the initial query up to a limit of 100,000 events, and the first 100 events (packets, logs, and endpoint) are loaded in the Events panel. The columns in the Events panel are the Event Time, Event Type (Network, Log, or Endpoint), Event Size, and Summary. You can:
- Scroll through the list and click Load More to see the next 100 events.
- Select a column group (Version 11.1 and later).
- Select the columns that you want to include (Version 11.1 and later).
- Drag the columns to rearrange the order.
- Make columns wider or narrower.
- View the event analysis of an event.
The following figure highlights the major features of the Event Analysis view for Version 11.1 and later.
Note: Version 11.2 included an undocumented beta feature, called Next Gen mode, in the Event Analysis view query builder that was still being developed and tested; Next Gen mode was disabled in the 11.2.0.1 patch. If you see Next Gen mode do not use it; you should use only the Guided Mode and Free-Form Mode in the query builder to ensure consistent and predictable results. 
| 1 | Interactive Breadcrumb: When a service is selected, displays the service selector, time range selector, and the queries you have entered. In Version 11.1 and later, you can select a service as described in Begin an Investigation in the Event Analysis View and refine the query as described in Filter Results in the Event Analysis View. Clicking the Submit Query button submits the query and sends a request to the selected service to load the data. |
| 2 | The type of event being analyzed is reflected in the heading: Network Event Details, Log Event Details, or Endpoint Event Details. Each view is discussed in detail in Examine Events in the Event Analysis View. |
| 3 | The types of analysis available for the event type. Network events can use all types of analysis: text, packet, and file. Log and endpoint events use only text analysis. |
| 4 | The Email and Web analysis types open the current event as an email or web reconstruction in the Events view. |
| 5 | These options vary for the different types of analysis. They are discussed in detail in Examine Events in the Event Analysis View. |
| 6 | Controls to show or hide the Event Header, show or hide requests and responses, and open the Event Meta panel (16). These controls are described in Examine Events in the Event Analysis View. |
| 7, 11 | Controls to change the size of the panel and close the panel. |
| 8 | Reopens the Events panel or the Event Meta panel if you have closed it. |
| 9 | Sets preferences for the Event Analysis view (see Configure the Event Analysis View. |
| 10 | The Events panel for Version 11.1 is interactive, displaying query results as you submit updated queries. The Events panel includes a count of the events. You can rearrange and resize columns. You can scroll to the bottom of the list, and load more events (see Examine Events in the Event Analysis View). |
| 12 | The Column Group drop-down lists built-in and custom column groups that you can apply to the Events panel. The built-in column groups are Email Analysis, Endpoint Analysis, Malware Analysis, Outbound HTTP, Outbound SSL/TLS, and Summary List. Summary List is the default column group. |
| 13 | Settings to select the columns included in the Events panel. |
| 14 | The Event Header provides summary information about the event. This information is different for the different event types (packet, log, and endpoint). |
| 15 | The event data (sometimes called a payload for packets). The event data for a log event or endpoint event is typically a line of text from the raw log rather than request and response shown for a packet. |
| 16 | The Event Meta panel lists the meta keys and values found in the data. Some metadata are searchable; they have a binoculars icon, which you can click to see the associated data highlighted in the event data (see Examine Events in the Event Analysis View. |
The following figure highlights the major features of the Event Analysis view for Version 11.0.0.x.
| 1 | The read-only breadcrumb displays the selected service, time range, and query entered in the Navigate view or Events view. |
| 2 | This is a read-only list of events based on the query made in the Navigate or Events view. The Events panel includes a count of the events. You can rearrange and resize columns. You can scroll to the bottom of the list, and load more events (see Examine Events in the Event Analysis View). |
| 3, 8 | Controls to change the size of the panel and close the panel. |
| 4 | The type of event being analyzed is reflected in the heading: Network Event Details, Log Event Details, or Endpoint Event Details. Each view is discussed in detail in Examine Events in the Event Analysis View. |
| 5 | The types of analysis available for the event type. Network events can use all three types of analysis: text, packet, and file. Log and endpoint events use only text analysis. |
| 6 | These options vary for the different types of analysis. They are discussed in detail in Examine Events in the Event Analysis View. |
| 7 | Controls to show or hide the Event Header, show or hide requests and responses, and open the Event Meta panel (12). These controls are described in Examine Events in the Event Analysis View. |
| 9 | Reopens the Events panel or the Event Meta panel if you have closed it. |
| 10 | The Event Header provides summary information about the event. This information is different for the different event types (packet, log, and endpoint). |
| 11 | The event data (sometimes called a payload for packets). The event data for a log event or endpoint event is typically a line of text from the raw log rather than request and response shown for a packet. |
| 12 | The Event Meta panel lists the meta keys and values found in the data. Some meta data are searchable; they have a binoculars icon, which you can click to see the associated data highlighted in the event data (see Examine Events in the Event Analysis View. |