Investigate: Export Events and Extract Files

Document created by RSA Information Design and Development on Sep 18, 2017. Last modified by RSA Information Design and Development on Oct 24, 2017.

In the Events view, the Actions menu has an option to export events from the event being viewed to an archive.

Note: You can only export files that you have permission to view or access.

The export function queries the service for all sessions inside the selected time range and drill point to extract the content of each session. The details being exported are affected by both the time range and drill point at the time of exporting. In the File Extraction dialog, you can choose to export:

  • PCAPs
  • Logs
  • NetWitness Endpoint event
  • Meta values

The exported archive is a ZIP or GZIP file. After you send the request, a job is scheduled and you can track the job in the Jobs tray. If there is an error retrieving the log or PCAP from the service, NetWitness Suite displays an error notification.

To extract files from an event:

  1. While in the Event view, click an event.
  2. Click Actions > Export.
    [Figure: Events view Export menu]
  3. Select the export option.
    A message informs you that the PCAP is being downloaded.