The Navigate view ( INVESTIGATE > Navigate) is the primary entry point to NetWitness .Investigate. The Navigate view displays the activity and values for the selected service in accordance with the Investigation options set: profile, time range, meta group, and query. As analysts investigate events of interest, the meta keys and values are displayed.
The workflow below depicts the high-level steps and subtasks for investigating events.
These are the tasks that you can perform in the Navigate view:
- Select a service to investigate and load data.
- View query results and filter by time range, profile, meta group.
- Sort the results and select a quantification method.
- Save events, go to an event using the event ID, visualize an event, and print the event.
- View additional contextual data for specific meta keys and values.
- Go to the Events view, where you can see a chronological list of events, reconstruct an event, and conduct an interactive analysis of an event. When viewing and analyzing events, you can export events, files, and logs to your local file system.
*You can perform this task in the current view.
The Navigate view consists of these features:
- Pause/reload button and breadcrumb
- Time banner
- Optional debug information.
- Collapsible Visualization panel
- Values panel
- Context Lookup panel
- Context menus
The toolbar provides a way to:
- Change the service being investigated.
- Control the range of data displayed: You can select use profiles, set a time range, use meta groups, and create queries to apply to the data.
- Set the quantification method and sorting method for data in the Values panel.
- Perform actions on the results. You can export and print results, navigate to an event for which you have an event ID, and pass a query to Informer.
- Configure Investigation settings without navigating away from the Investigation views.
Some of the toolbar options are labeled with the default value or the selected value rather than displaying the name of the option. For example, the time range option in the example above is labeled Last 5 Minutes to reflect the currently selected value. These are the toolbar options.
Pause/Reload Button and Breadcrumb
The breadcrumb tracks each query as you drill down through the metadata for the service. Each query is listed with a drop-down menu in a pipe separated string. The last point is the current point, also called the tip. The icon in front of the breadcrumb allows you to pause the loading of meta values and to reload meta values.
The breadcrumb does not include the service name and appears only if a query is in effect. If too many drill points exist for display, the overflow is shown as double angle brackets, >>, at the end of the breadcrumb.
Each drop-down menu in the breadcrumb is the same, with slight variation based on the position of the crumb.
The following table describes the controls and menu options in the breadcrumb.
(Optional) Debug Information
If you have activated the Show Debug Information setting and the service you are navigating is a 10.4 or later Broker, NetWitness Suite displays the debug information beneath the breadcrumb.
The debug information is the where clause from the current query. The only time there is no where clause is when the time range is all data and there are no drill points. If the Broker has at least one aggregate service that is offline, the debug information also lists the offline service.
(attachment exists)&&(tcp.dstport = '80')&&(risk.info exists)$$time='2014-05-04 18:50:00"-"2014-05-09 18:59:59(attachment exists) && (tcp.dstport = '80') && (risk.info exists) && time="2014-05-04 18:50:00"-"2014-05-09 18:50:59"
In addition, the time taken to load is displayed at the end of each meta key in the Values panel.
Just below the breadcrumb and debug information (if present), the time banner shows the time range used to create the chart.
At the top of the Navigate view is a visualization of the current drill point. You can use this to drill into data from the Visualization panel (see Drill into Data in the Navigate View Time Chart). You can show or hide the visualization, and choose one of the the visualization options: Timeline or Coordinates. The Visualization opens initially to the last saved Visualization.
The timeline is the count of the number of events that occur at a specific instance. The timeline provides event counts so that you can see if the number of events increases drastically at a given point in time. The timeline displays activity for the specified service and time range as a line chart or a bar chart based on your choice in the Options menu. The second figure illustrates a line chart and third figure illustrates a bar chart.
The timeline displays activity for the specified service and time range, as a line chart or a bar chart based on your choice in the Options menu.
Parallel Coordinates Chart
The Parallel Coordinates chart is one of the choices in the Options menu for visualizing the current drill point. With Coordinates selected in the Visualization Options dialog, you can select the meta data to be displayed (see Visualize Metadata as Parallel Coordinates).
In the Visualization Options dialog for Coordinates, you can select the meta keys to chart.
In the Add Keys to Parallel Coordinates Visualization dialog, you can select the meta keys or meta groups to use as axes the Parallel Coordinates visualization.
The major feature of the Navigate view is the Values panel, which you can use to analyze data (see Drill into Data in the Values Panel).
The default view is for the last 3 hours of collection, using the default meta keys and non-indexed meta keys closed. The meta keys within the meta groups are displayed in the order that NetWitness Suite queries the keys. As the data loads into the Values panel, NetWitness Suite is optimized to show partial results, loading progress, and service status as the data loads.
The loading behavior is determined by several configuration settings. The highest level settings are configured by the administrator for each user. These are:
- The maximum amount of time allowed for this user to run a query (Query Timeout).
- The limit at which NetWitness Suite stops counting the number of meta values in a sess(Session Threshold). If a threshold is set for a session, the Navigation view shows that the threshold was reached and the percentage of results loaded. Any session that does not show a percentage is accurate and was processed to completion. If there is a percentage, that reflects how much processing was completed. The percentage displayed is estimated by extrapolating from the value at the time processing finished, considering the amount of work remaining. Larger percentages are generally more accurate because they require less extrapolating
- The limit at which NetWitness Suite stops counting the number of meta values in a session (Session Threshold). If a threshold is set for a session, the Navigation view shows that the threshold was reached and the percentage of query time used to reach the threshold.
When you have launched an investigation of a service, NetWitness Suite displays results in the Values panel.
- NetWitness Suite loads meta keys and meta values in the Values panel. For each meta key load, the stages of load are:
- Waiting to Be Loaded or Closed. If Closed, no data for that key is loaded.
- Loading progress: NetWitness Suite is receiving and displaying progress messages.
- Partial results: NetWitness Suite is receiving values messages and partial results are displayed in the Values panel.
- Load Complete: All results are finished loading.
- As each meta key load is completed, and final values are displayed, the next meta key is started. The number or values rendered for each meta key is specified by the Render Threads value in the Investigation Preference settings. Loading continues until all keys to be loaded have finished.
- If Show Debug Information is active and the service you are navigating is a 10.4 or later Broker, NetWitness Suite displays load time information beneath the values for each meta key and displays additional load details for the aggregated services. NetWitness Suite also displays the debug information beneath the breadcrumb.
Iterative results provide feedback on the status of queries within the interfaces to provide additional context for how long the data load will take and if any service data is missing. For example, if you are querying a Broker that is aggregating from two Concentrators, NetWitness Suite starts displaying the results from the first Concentrator as soon as it is available, even if the second Concentrator is still waiting for results.
Iterative results also include a notification that service data is missing because the service is unreachable.
When partial values from the Core service are returned but not completed, a message at the end of the meta key listing shows the progress of values loaded. For example, Currently looking at 38 ip.src values 71% indicates that loading of values for the meta key is 71% complete.
If the Show Debug Information setting is in effect, a field at the end of the values displays the status for the different systems against which you are querying within NetWitness Suite. For example, when you are querying against a 10.4 broker pulling from multiple concentrators, NetWitness Suite displays the status of the query on each of the Concentrators, which provides insight into the relative speed of data loading from each of the Concentrators. Each service that participated in the query is listed with the total elapsed time for the query.
Each service that participated in the query is listed with the total elasped time for the query. In the example above, two services returned in 3.207 seconds, localhost:50005 took 2 seconds to return the results. In addition, the where clause of the query is displayed below the breadcrumb. You can copy this syntax directly into an application rule or Reporting where clause of a rule.
For each meta key, there is a list of values (blue text) and counts (green text) found in the current drill point. When you click a value to drill down into a subset of the currently selected data, the display is updated and the new drill point is recorded in the breadcrumb. You can specify the sorting and quantification methods for the values list using the option in the toolbar.
Meta Key Context Menus
The Meta Keys in the Values panel have context menus. Next to each meta label, a drop-down arrow displays the options that can apply to that item. You can use these to change the way the results for the meta key are displayed in the current view. Changes made to meta keys are displayed in the current view during drill points persist until you refresh the page or select a new service in the Navigate view toolbar. Manage and Apply Default Meta Keys in an Investigation refresh reverts the current view of meta keys as defined in the Manage Default Meta Keys dialog (see Manage and Apply Default Meta Keys in an Investigation). If you have never made modifications in the Manage Default Meta Keys dialog, NetWitness Suite restores the default meta keys from the core service.
- More Results
- Max Results
- Hide Results
- Meta Key Info
Context Lookup Panel
The Navigate view and the Events view have a panel on the right side called the Context Lookup panel. The Context Lookup panel is displayed only if you have installed and configured the Context Hub service. For more information on configuring the Context Hub service, see the Context Hub Configuration Guide.
The Context Lookup panel displays relevant data when an analyst looks up contextual data for a meta value in the Values panel.
After the administrator configures the Context Hub service, you can view the contextual information for the meta values in the Navigate view and the Events view. For more information on configuring the Context Hub service, see the Context Hub Configuration Guide. For information about performing Context Lookup for meta values, see View Additional Context for a Data Point.
The Context Hub service is pre-configured with default meta type and meta key mapping. For information about the mapping of the context hub meta value with investigation meta key, see "Manage Meta Type and Meta Key Mapping" in the Context Hub Configuration Guide
You can view the type of context data that is available for a highlighted meta value by hovering the mouse over a highlighted meta value. An inline indicator shows which type of context data is available for the meta: Endpoint, Incidents, Alerts, or Lists.
Right-clicking a meta value opens a menu with the context lookup option. The following figure illustrates the Context Lookup option when you right-click a meta value.
For meta keys such as IP, Host and Mac Address, the details of the values that are flagged are collected from Endpoint, Incident, Alerts, and Lists.
For meta keys such as File, File Hash, Domain, User, the details of the values that are flagged are collected from Incidents, Alerts, and Lists.
The data is displayed in the context panel, only if there is any data available .
For more information about the lookup results and contextual information for different data sources, see Context Lookup Panel.