Investigate: Investigate Dialog

Document created by RSA Information Design and Development on Sep 18, 2017Last modified by RSA Information Design and Development on Sep 11, 2018
Version 15Show Document
  • Comment0
  • View in full screen mode
 

In the Investigate dialog, analysts can select a service or a collection to investigate. The dialog is automatically displayed when you first go to the Navigate view or Events view and have not selected a default service to investigate. To access the dialog from a current investigation, select the current service name in the toolbar.

Workflow

high-level Investigate workflow with Browse Event Metadata and Browse Raw Events highlighted

What do you want to do?

                                                     
User RoleI want to ...Show me how
Threat Hunter

browse event metadata

Begin an Investigation in the Navigate or Events View

Threat Hunter

browse raw events

Begin an Investigation in the Navigate or Events View

Threat Hunter

analyze raw events and metadata

Begin an Investigation in the Event Analysis View

Threat Hunterinvestigate endpoints (Version 11.1)Investigate Hosts

Threat Hunter

find suspicious endpoint files (Version 11.1)

Investigate Files

Threat Hunterscan files and events for malwareConducting Malware Analysis

Incident Responder

triage an incident in Investigate

NetWitness Respond User Guide

Threat Hunterselect a service to investigate*Begin an Investigation in the Navigate or Events View

 

*You can perform this task in the current view.

Related Topics

Quick Look

This is the Investigate dialog

The Investigate dialog has two tabs: Services and Collections.

Note: Collections are also known as workbench collections. You can only view workbench collections that you have created, and only administrators can create a workbench collection.

The Services tab includes a list of services available for investigation, and three buttons. All features are described in the following table.

                                   
FeatureDescription
Default ServiceClicking this button sets or clears the default service to investigate. When a service has been set as the default service, the word (Default) is appended to the service name.
NameThe name of the service.
AddressThe IP address of the service.
TypeThe type of service.
CancelCloses the dialog.
NavigateOpens the selected service in the Navigate or Events view.

The Collections tab has two buttons and two panels: Workbench and Collections.

The Workbench panel lists available Workbench services by name. After a Workbench service is selected, you can select a collection from the Collections panel.

The Collections panel lists available collections to investigate. After a collection is selected, you can click Navigate to view the collection.

The following table describes the features of the Collections panel.

                                
FeatureDescription
NameThe name of the collection.
TypeThe type of collection.
SizeThe size of the collection.
Data TypeThe type of data within the collection.
Date CreatedThe date the collection was created.
Previous Topic:Files View
You are here
Table of Contents > Investigate Reference Materials > Investigate Dialog

Attachments

    Outcomes