Investigate: Investigate Dialog

Document created by RSA Information Design and Development on Sep 18, 2017•Last modified by RSA Information Design and Development on Jan 30, 2020

Version 22Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

In the Investigate dialog, analysts can select a service or a collection to investigate. The dialog is automatically displayed when you first go to the Navigate view or Legacy Events view and have not selected a default service to investigate. To access the dialog from a current investigation, select the current service name in the toolbar.

Workflow

This workflow has references to several views that were renamed in Version 11.4: Event Analysis --> Events, Events --> Legacy Events.

What do you want to do?

User Role	I want to ...	Show me how
Incident Responder	review critical incidents or alerts	NetWitness Respond User Guide
Threat Hunter	query a service, metadata, and time range*	Filter Results in the Events View Filter Results in the Navigate View Create a Query in the Navigate and Legacy Events Views Filter Results in the Legacy Events View
Threat Hunter	view metadata	Analyze Events in the Events View Refining the Results Set
Threat Hunter	view raw event data	Filter Results in the Events View Analyze Events in the Events View Filter Results in the Legacy Events View
Threat Hunter	reconstruct the event	Analyze Events in the Events View Reconstruct an Event in the Events View Reconstruct an Event in the Legacy Events View
Threat Hunter	examine files	Download Data in the Events View Export or Print a Drill Point in the Navigate View Export Events in the Legacy Events View
Threat Hunter	perform lookups	Look Up Additional Context for Results Launch a Lookup of a Meta Key
Threat Hunter	create an incident or add to an incident	Add Events to an Incident in the Legacy Events View Add Events to an Incident in the Events View
Threat Hunter	add a meta value to a Context Hub list	Look Up Additional Context for Results

*You can perform this task in the current view.

Quick Look

The Investigate dialog has two tabs: Services and Collections.

Note: Collections are also known as workbench collections. You can only view workbench collections that you have created, and only administrators can create a workbench collection.

The Services tab includes a list of services available for investigation, and three buttons. All features are described in the following table.

Feature	Description
Default Service	Clicking this button sets or clears the default service to investigate. When a service has been set as the default service, the word (Default) is appended to the service name.
Name	The name of the service.
Address	The IP address of the service.
Type	The type of service.
Cancel	Closes the dialog.
Navigate	Opens the selected service in the Navigate or Legacy Events view.

The Collections tab has two buttons and two panels: Workbench and Collections.

The Workbench panel lists available Workbench services by name. After a Workbench service is selected, you can select a collection from the Collections panel.

The Collections panel lists available collections to investigate. After a collection is selected, you can click Navigate to view the collection.

The following table describes the features of the Collections panel.

Feature	Description
Name	The name of the collection.
Type	The type of collection.
Size	The size of the collection.
Data Type	The type of data within the collection.
Date Created	The date the collection was created.