on Sep 18, 2017In the Investigate dialog, analysts can select a service or a collection to investigate. The dialog is automatically displayed when you first go to the Navigate view or Legacy Events view and have not selected a default service to investigate. To access the dialog from a current investigation, select the current service name in the toolbar.
Workflow
What do you want to do?
| User Role | I want to ... | Show me how |
|---|---|---|
| Incident Responder or Threat Hunter | review detections and signals seen in my environment | NetWitness Platform Getting Started Guide |
| Incident Responder | review critical incidents or alerts | NetWitness Respond User Guide |
| Threat Hunter | query a service, metadata, and time range* | Begin an Investigation in the Events View Begin an Investigation in the Navigate or Legacy Events View |
| Threat Hunter | view metadata | |
| Threat Hunter | view sequential events | |
| Threat Hunter | reconstruct and analyze an event | |
| Threat Hunter | examine files and associated hosts | Download Data in the Events View |
| Threat Hunter | perform lookups | |
| Threat Hunter | create an incident or add to an incident | |
| Threat Hunter | add a meta value to a Context Hub list |
*You can perform this task in the current view.
Related Topics
Quick Look
The Investigate dialog has two tabs: Services and Collections.
Note: Collections are also known as workbench collections. You can only view workbench collections that you have created, and only administrators can create a workbench collection.
The Services tab includes a list of services available for investigation, and three buttons. All features are described in the following table.
| Feature | Description |
|---|---|
| Default Service | Clicking this button sets or clears the default service to investigate. When a service has been set as the default service, the word (Default) is appended to the service name. |
| Name | The name of the service. |
| Address | The IP address of the service. |
| Type | The type of service. |
| Cancel | Closes the dialog. |
| Navigate | Opens the selected service in the Navigate or Legacy Events view. |
The Collections tab has two buttons and two panels: Workbench and Collections.
The Workbench panel lists available Workbench services by name. After a Workbench service is selected, you can select a collection from the Collections panel.
The Collections panel lists available collections to investigate. After a collection is selected, you can click Navigate to view the collection.
The following table describes the features of the Collections panel.
| Feature | Description |
|---|---|
| Name | The name of the collection. |
| Type | The type of collection. |
| Size | The size of the collection. |
| Data Type | The type of data within the collection. |
| Date Created | The date the collection was created. |
