Investigate: Settings Dialogs for Investigate Views

Document created by RSA Information Design and Development on Sep 18, 2017. Last modified by RSA Information Design and Development on Sep 11, 2018. Version 15.

NetWitness Platform Version 11.0 has two settings dialogs, one for the Navigate view and one for the Events view. With the addition of the settings dialog for the Event Analysis view in Version 11.1, Investigate has three settings dialogs.

The settings in the Navigate view and Events view Settings dialogs are a subset of the Investigation settings made in the Profiles > Preferences panel > Investigations tab. Providing these settings within the Investigation view saves analysts time. The two locations are kept in sync: if you change a setting here, the same setting is changed in the Profiles view, and if you change a setting in the Profiles view, the same setting is changed here.

To access either dialog, go to the Navigate or Events view and select the Settings option in the toolbar.

The settings in the Event Analysis view have no corresponding settings in the Profiles > Preferences panel.

What do you want to do?

User Role          | I want to ...                                  | Show me how
-------------------|------------------------------------------------|--------------------------------------------------------
Threat Hunter      | browse event metadata                          | Begin an Investigation in the Navigate or Events View
Threat Hunter      | browse raw events                              | Begin an Investigation in the Navigate or Events View
Threat Hunter      | analyze raw events and metadata                | Begin an Investigation in the Event Analysis View
Threat Hunter      | investigate endpoints (Version 11.1)           | Investigate Hosts
Threat Hunter      | find suspicious endpoint files (Version 11.1)  | Investigate Files
Threat Hunter      | scan files and events for malware              | Conducting Malware Analysis
Incident Responder | triage an incident in Investigate              | NetWitness Respond User Guide
Threat Hunter      | configure preferences for Investigate*         | Configuring NetWitness Investigate Views and Preferences

*You can perform this task in the current view.

Quick Look

The Settings dialogs in the Navigate view and Events view have several features in common.

Several Investigation settings in the Navigate view influence performance when loading values in the Values panel. Default values are set based on common usage, and individual analysts can adjust these settings for their own investigations. The image below is an example of the dialog, and the following table describes the features.

[Figure: the Navigate view Settings dialog.]

Feature / Description

Threshold
Sets the threshold for the maximum number of sessions loaded for a meta key value in the Values panel. A higher threshold gives more accurate counts for a value, but also causes longer load times. The default value is 100000.

Max Values Results
Sets the maximum number of values to load in the Navigate view when the Max Results option is selected in the Meta Key menu for an open meta key. The default value is 1000.

Max Session Export
Sets the maximum number of sessions that can be exported. The default value is 100000.

Export Log Format
Sets the file format of exported logs. There are four formats available:
  • Text
  • XML
  • CSV
  • JSON

Export Meta Format
Sets the file format of exported meta values. There are four formats available:
  • Text
  • XML
  • CSV
  • JSON

Use Per Device Local Cache
When unchecked, Investigate sends a fresh query to the database rather than displaying cached data in the Investigate views after the initial load. When checked, Investigate uses the data from the local cache.

Show Debug Information
Controls the display of the where clause beneath the breadcrumb in the Navigate view and the elapsed load time for each aggregated service on a Broker. When checked, the debug information is displayed. The default value is Off (unchecked).

Append Events in Event Panel
Affects paging in the Events panel. When checked, the next group of events is appended to the events already displayed. When unchecked, the previous page of events is replaced by the next page. The default value is Off (unchecked).

Autoload Values
Controls automatic loading of values for the selected service in the Navigate view. When checked, values are loaded automatically when you select a service to investigate. When unchecked, Investigate displays a Load Values button, giving you the opportunity to modify options first. The default value is Off.

Download Completed PCAPs
Automates the downloading of extracted PCAPs in the Investigation module, so that you do not have to manually download extracted PCAP files and open them in an application, such as Wireshark, that can display PCAP data.

Live Connect: Highlight Risky IPs
If this option is unchecked, all meta values that have context available in Live Connect are highlighted in the Navigate view Values panel. If the option is checked, among the values that have context in Live Connect, only those deemed Risky/Suspicious/Unsafe by the community are highlighted. By default this option is unchecked (Off).

Apply
Applies the settings immediately; they take effect the next time you load values. The same changes are also applied in the Profiles view.

Cancel
Cancels the editing operation and closes the dialog, leaving the settings unchanged.

Events View Settings Dialog

The following image is an example of the Settings dialog for the Events view, and the following table describes the features.

[Figure: the Events view Settings dialog.]

Feature / Description

Export Log Format
Sets the file format of exported logs. There are four formats available:
  • Text
  • XML
  • CSV
  • JSON

Export Meta Format
Sets the file format of exported meta values. There are four formats available:
  • Text
  • XML
  • CSV
  • JSON

Download Completed PCAPs
Automates the downloading of extracted PCAPs in the Investigation module, so that you do not have to manually download extracted PCAP files and open them in an application, such as Wireshark, that can display PCAP data.

Live Connect: Highlight Risky IPs
When checked, Investigate uses a filter to fetch only IP addresses that are considered risky by the RSA community. When unchecked, NetWitness Platform displays all IP addresses. By default, this option is unchecked (Off).

Optimize Investigation page loads
Sets a paging option. When optimized, results are returned as quickly as possible, at the cost of the ability to jump to a specific page in the event list. Unchecking this box changes the Events list pagination so that you can go to a specific page in the list (or to the last page). The default value is enabled.

Default Session View
Selects the default reconstruction type for the initial reconstruction in the Events view. The default value is Best Reconstruction, in which each event is reconstructed using the method most appropriate to that event.

Enable CSS Reconstruction for Web View
Controls how web content reconstruction is performed. If enabled, the web reconstruction includes cascading style sheet (CSS) styles and images so that its appearance matches the original view in a web browser. This includes scanning and reconstructing related events, and searching for style sheets and images used in the target event. The option is enabled by default. Uncheck this option if there are problems viewing specific websites.

Apply
Applies the settings immediately; they take effect the next time you view events. The same changes are also applied in the Profiles view.

Cancel
Cancels the editing operation and closes the dialog, leaving the settings unchanged.

Event Analysis View Preferences Panel

Beginning with Version 11.1, the Event Analysis view has user preferences that you can configure in the Event Analysis view > Event Preferences panel. These settings persist, so they are applied each time you log in and go to the Event Analysis view. The following figure is an example of the panel, and the table below describes the options.

[Figure: Event Preferences for the Event Analysis view.]

Feature / Description

Default Event Analysis View
Selects the event analysis view that is displayed every time you open the Event Analysis view. For example, if you select File Analysis, the File Analysis panel is highlighted and displayed every time you investigate an event in the Event Analysis view. These are the options:
  • Text Analysis: View and analyze the raw text payload of an event.
  • Packet Analysis: View and interactively analyze the packets and payload of an event.
  • File Analysis: View a list of files and download one or more files in an event.

Default Log Format
Selects the default format for downloading logs:
  • Download Log: Downloads the raw log (log) file.
  • Download CSV: Downloads a comma-separated values (CSV) file.
  • Download XML: Downloads an Extensible Markup Language (XML) file.
  • Download JSON: Downloads a JavaScript Object Notation (JSON) file.

Default Packet Format
Selects the default format for downloading packets:
  • Download PCAP: Downloads the entire event as a packet capture (*.pcap) file.
  • Download All Payloads: Downloads the payload as a *.payload file.
  • Download Request Payload: Downloads the request payload as a *.payload1 file.
  • Download Response Payload: Downloads the response payload as a *.payload2 file.

Time Format for Query
The Event Analysis view can display results based on the database time or the current clock time. The default setting for this preference is Database Time, which is the same time format used to display query results in the Navigate view and Events view.
When Database Time is selected, the start and end time for a query are based on the time at which the event was captured.
When Wall Clock Time is selected, the query is executed with an end time based on the current browser time; the start time is calculated from that end time and the selected time range.

Download extracted files automatically
Enables the automatic download of files when they are in the default format selected in the Default Log Format and Default Packet Format fields of the Event Preferences panel.
Select the checkbox to download the selected format automatically to a local folder. Otherwise, the download job goes to the job queue, and you can download it manually.
