Investigate: Query Dialog

Document created by RSA Information Design and Development on Sep 18, 2017Last modified by RSA Information Design and Development on May 8, 2018
Version 14Show Document
  • View in full screen mode
 

In the Navigate view or Events view, you can create a query rather than clicking through the meta keys and values to drill down into the meta data. The dialogs for creating a query offer syntax help with drop-down lists of applicable meta keys and operators. To access this dialog in the Navigate or Events view toolbar, select Query.

Workflow

high-level Investigate workflow with Browse Event Metadata and Browse Raw Events highlighted

What do you want to do?

                                                     
User RoleI want to ...11.1 Documentation
Threat Hunter

browse event metadata*

Begin an Investigation in the Navigate or Events View

Threat Hunter

browse raw events*

Begin an Investigation in the Navigate or Events View

Threat Hunter

analyze raw events and metadata

Begin an Investigation in the Event Analysis View

Threat Hunterinvestigate endpoints (Version 11.1)Investigate Hosts

Threat Hunter

find suspicious endpoint files (Version 11.1)

Investigate Files

Threat Hunterscan files and events for malwareConducting Malware Analysis

Incident Responder

triage an incident in Investigate

NetWitness Respond User Guide

Threat Huntercreate a custom query*Create a Custom Query

*You can perform this task in the current view.

Related Topics

Quick Look

This is the Simple Query drop-down

The Query dialog has three views:

  • Simple
  • Advanced
  • Recent

In the Simple view, you can create a query using the options displayed in the dialog. In the Advanced view, you can create a query without guidance. In the Recent view, you can select a query from a drop-down list of recent queries.

Simple View

This is the Simple view

Advanced View

This is the Advanced view

Recent View

This is the Recent view

The following table describes features of the Query dialogs.

                                                     
FeatureDescription
Select MetaDisplays a drop-down list of meta groups.
OperatorDisplays a drop-down list of operators (=,NetWitness Suite!=,NetWitness Suiteexists,NetWitness Suite!exists)
ValueAllows you to enter a value to complete the query.
NetworkLimits the query to packets if Log is not selected.
LogLimits the query to logs if Network is not selected.
Query box Allows you to enter a query in the Advanced view. When you begin typing, a drop-down list of available meta keys for the service is displayed, then a drop-down of operators is displayed as you type. If the expression currently entered in the query box is invalid, a warning appears near the box. When the query is valid, the warning is removed.
Query listAllows you to select a query from a list of recent queries in the Recent view. Double-clicking a query automatically applies it.
ApplyApplies the new query to the current Investigation view.
Cancel Closes the dialog without applying changes.
ResetResets all fields.
Previous Topic:Navigate View
You are here
Table of Contents > Investigate Reference Materials > Query Dialog

Attachments

    Outcomes