Investigate: Configure the Navigate View and Events View

Document created by RSA Information Design and Development on Sep 18, 2017. Last modified by RSA Information Design and Development on Sep 11, 2018.
Version 15
 

Analysts can set preferences that affect performance and behavior of NetWitness Platform when analyzing data using the Navigate view and Events view. Some of the same settings are available in two places in NetWitness Platform, and changes made in either location are applied in the other view:

  • Investigate view > Settings dialog for the Navigate view and the Events view.
  • Profiles > Preferences panel > Investigation tab. 
  • Navigate view and Events view Search Options drop-down.

Access the Navigate View and Events View Settings

To access the settings, do one of the following:

  • In the Navigate view toolbar, select the Settings option.
    The Settings dialog for the Navigate view is displayed.

    Navigate view Settings dialog

    Note: Version 11.0 included a setting to Append Events in Events Panel, which was moved to the Events view settings panel in Version 11.1.

  • In the Events view toolbar, select the Settings option.
    The Settings dialog for the Events view is displayed.
    Event view settings for Version 11.1

    Note: Version 11.1 and later includes the Append Events in Events Panel setting.

  • In the top right corner of NetWitness Platform, go to the Profile drop-down menu > Profile option, and in the Preferences panel click the Investigation tab.
    The Investigation panel is displayed. The first figure below illustrates the Version 11.1 Investigation panel, and the second figure illustrates the 11.2 panel with improved layout of search options.
    User Profile Preferences > Investigation tab (Version 11.1)

    User Profile Preferences > Investigation tab (Version 11.2)

Calibrate Navigate View Value Loading Parameters

Several settings influence the performance of NetWitness Platform when loading values in the Values panel. Default values are set based on common usage, and individual analysts can adjust these settings for their own investigations. To adjust these settings:

  1. Go to the Investigation tab or to the Settings dialog for the Navigate view.
  2. Adjust the following parameters:
    • Threshold: Set the threshold for the maximum number of sessions loaded for a meta key value in the Values panel. A higher threshold allows accurate counts for a value, and also causes longer load times. The default value is 100000.
    • Max Values Results: Set the maximum number of values to load in the Navigate View when the Max Results option is selected in the Meta Key Menu for an open Meta Key. The default value is 1000.
    • Max Session Export: Specify the number of events that can be exported in a single PCAP or Log file.
    • Max Log View Characters: Set the maximum number of characters to be displayed on Investigate > Events > Log Text. The default value is 1000.
    • Max Meta Value characters: Set the maximum number of characters in a meta value name displayed in the Navigate view Values panel. The default value is 60.
    • Show Debug Information: If you want NetWitness Platform to display the where clause beneath the breadcrumb in the Navigate view and the elapsed load time for each aggregated service on a Broker, check this option. The default value is Off.
    • Append Events in Events Panel: This option affects paging in the Events view and is described below under "Calibrate Events View Retrieval and Default Reconstruction."
    • Autoload Values: If you want NetWitness Platform to automatically load values for the selected service in the Navigate view, check this option. When not selected, NetWitness Platform displays a Load Values button, allowing the opportunity to modify options. The default value is Off.
  3. Click Apply.

The settings become effective immediately and are visible the next time you load values.

Configure Navigate View and Events View Parameters

Several settings influence the performance of NetWitness Platform when loading values in the Navigate view and the Events view. Default values are set based on common usage, and individual analysts can adjust these settings for their own investigations. You can set these parameters separately in the Navigate view and the Events view. When configured in one view, the setting does not automatically apply to the other view. To adjust these settings:

  1. Go to the Investigation tab or to the Settings dialog for the Navigate view or the Events view.
  2. Adjust the following parameters:
    • Live Connect: Highlight Risky Values: If you want NetWitness Platform to highlight and display only IP addresses that are considered risky by the RSA community, check this option. When not selected, NetWitness Platform displays all IP addresses. By default, this option is not selected (Off).
    • Use Per Device Local Cache: You can specify the use of locally cached data from the selected service. By default, this option is not selected (Off). When unchecked, Investigate sends a fresh query to the database rather than displaying cached data in the Investigate views after the initial load. If checked, Investigate uses the data from local cache.
    • Download Completed PCAPs: You can automate the downloading of extracted PCAPs in the Navigate view and Events view so that the browser downloads the extracted PCAP and opens it in the default application for opening PCAP files, such as Wireshark. By default, this option is not selected (Off). If you are going to enable this option, ensure that an application that can open PCAPs is installed on your local file system and that the application is set as the default application to handle PCAP file formats.
    • Live Connect: Highlight Risky Values: If this option is unchecked, all the meta values that have context available in Live Connect are highlighted in the Navigate view Values panel. If the option is checked, among the values that have context in Live Connect, only those values deemed Risky/Suspicious/Unsafe by the community are highlighted. By default this option is unchecked (Off).
  3. Click Apply.
    The settings become effective immediately.

Configure the Default Log Export Format

You can export logs from the Navigate view and the Events view in different formats. Available options are Text, XML, comma-separated values (CSV), and JSON. There is no built-in default value for the log export format. If you do not select a format here, NetWitness Platform displays a selection dialog when you invoke export of logs. To select the format for exported logs:

  1. Go to the Investigation tab or to the Settings dialog for the Navigate view or Events view.
  2. Select one of the options from the Export Log Format drop-down menu.
  3. Click Apply.
    The setting goes into effect immediately.

Configure the Default Meta Export Format

You can export meta values from the Navigate view and Events view in different formats. Available options are Text, CSV, tab-separated values (TSV), and JSON. There is no built-in default value for the meta export format. If you do not select a format here, NetWitness Platform displays a selection dialog when you invoke export of meta values. To select the format for exported meta values:

  1. Go to the Investigation tab or to the Settings dialog for the Navigate view or Events view.
  2. Select one of the options from the Export Meta Format drop-down menu.
  3. Click Apply.
    The setting goes into effect immediately.

Calibrate Events View Retrieval and Default Reconstruction

You can configure several parameters that control how NetWitness Platform retrieves events and reconstructs events in the Events view. To adjust these parameters:

  1. Go to the Investigation tab or to the Settings dialog for the Events view.
  2. Configure the following parameters.
    • Optimize Investigation page loads: Set a paging option. When optimized, results are returned as quickly as possible, sacrificing the original ability to go to a specific page in the event list. Unchecking this box changes the Events list pagination to allow you to go to a specific page in the list (or to the last page). The default value is enabled.
    • Default Session View: Selects the default reconstruction type for the initial reconstruction in the Events view. The default value is Best Reconstruction, in which events are reconstructed using the reconstruction method most appropriate to the event.
  3. Navigate to the Investigation tab, or to the Settings dialog for the Navigate view (11.1) or the Events view (11.2), and set the Append Events in Events Panel option. When this option is selected, the events displayed in the Events Panel are added incrementally. For example, each time you click the next page icon, the next increment of events is added: at first you see 1 to 25, then 1 to 50, then 1 to 75, and so on. This option is available only if the Optimize Investigation Page Loads option is enabled.
  4. To activate the changes immediately, click Apply.

Enable or Disable Cascading Style Sheet Rendering in Web Content Reconstructions

Analysts can enable the use of cascading style sheets (CSS) when reconstructing web content. If enabled, the web reconstruction includes CSS styles and images so that its appearance matches the original view in a web browser. This includes scanning and reconstructing related events, and searching for style sheets and images used in the target event. The option is enabled by default. Disable this option if there are problems viewing specific websites. 

Note: The appearance of the reconstructed content may not match the original web page perfectly if related images and style sheets could not be found or were loaded from the web browser's cache. Also, any layout or styling that is performed dynamically through client-side JavaScript is not rendered in the reconstruction because all client-side JavaScript is removed for security purposes.

To enable or disable this option:

  1. Go to the Investigation tab.
  2. Select the Enable CSS Reconstruction for Web View checkbox.
  3. Click Apply.
    The setting becomes effective immediately and is visible in the next web content reconstruction.

Configure Search Options

You can configure search options to apply when you type a search string in the Search field. Edit the Search Options in the Profile > Preferences panel > Investigation tab or in the Navigate and Events view Search Options drop-down menu. To configure search options:

  1. Navigate to the Search Options.
    The following figure illustrates the Search Options drop-down menu for Version 11.2.
    the search options
  2. Select one or more search options to apply to the search. The topic "Search for Text Patterns" provides detailed information about each option.
  3. To save the search settings, click Apply.
    The preferences are saved and effective immediately. 