Investigate: Investigate Dialog

Document created by RSA Information Design and Development on Sep 18, 2017•Last modified by RSA Information Design and Development on Apr 25, 2019

Version 17Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

In the Investigate dialog, analysts can select a service or a collection to investigate. The dialog is automatically displayed when you first go to the Navigate view or Events view and have not selected a default service to investigate. To access the dialog from a current investigation, select the current service name in the toolbar.

Workflow

What do you want to do?

User Role	I want to ...	Show me how
Incident Responder	review critical incidents or alerts	NetWitness Respond User Guide
Threat Hunter	query a service, metadata, and time range*	Filter Results in the Event Analysis View Filter Results in the Navigate View Create a Custom Query Filter and Search Results in the Events View
Threat Hunter	view metadata	Examine Events in the Event Analysis View Investigating Metadata in the Navigate View
Threat Hunter	view raw event data	Examine Events in the Event Analysis View Examine Events in the Event Analysis View Examining Raw Events in the Events View
Threat Hunter	reconstruct the event	Examine Events in the Event Analysis View Reconstruction Types in the Event Analysis View Reconstruct an Event
Threat Hunter	examine files	Download Data in the Event Analysis View Reconstruct an Event
Threat Hunter	perform lookups	Act on Data in the Event Analysis View Look Up Additional Context in the Event Analysis View Launch an External Lookup of a Meta Key Look Up Additional Context for a Data Point
Threat Hunter	create an incident or add to an incident	Add Events to an Incident for Response
Threat Hunter	add a meta value to a Context Hub list	Look Up Additional Context in the Event Analysis View Look Up Additional Context for a Data Point Manage Context Hub Lists and List Values in the Navigate and Events Views

*You can perform this task in the current view.

Quick Look

The Investigate dialog has two tabs: Services and Collections.

Note: Collections are also known as workbench collections. You can only view workbench collections that you have created, and only administrators can create a workbench collection.

The Services tab includes a list of services available for investigation, and three buttons. All features are described in the following table.

Feature	Description
Default Service	Clicking this button sets or clears the default service to investigate. When a service has been set as the default service, the word (Default) is appended to the service name.
Name	The name of the service.
Address	The IP address of the service.
Type	The type of service.
Cancel	Closes the dialog.
Navigate	Opens the selected service in the Navigate or Events view.

The Collections tab has two buttons and two panels: Workbench and Collections.

The Workbench panel lists available Workbench services by name. After a Workbench service is selected, you can select a collection from the Collections panel.

The Collections panel lists available collections to investigate. After a collection is selected, you can click Navigate to view the collection.

The following table describes the features of the Collections panel.

Feature	Description
Name	The name of the collection.
Type	The type of collection.
Size	The size of the collection.
Data Type	The type of data within the collection.
Date Created	The date the collection was created.

Previous Topic:Events View

Next Topic:Investigation Tab - User Preferences Panel

You are here

Table of Contents > Investigate Reference Materials > Investigate Dialog

Investigate: Investigate Dialog

Workflow

What do you want to do?

Related Topics

Quick Look

Attachments

Outcomes

Related Content

Recommended Content

Incoming Links