
Investigate: Query Dialog

Document created by RSA Information Design and Development Employee on Sep 18, 2017. Last modified by RSA Information Design and Development Employee on Sep 8, 2020.
Version 21

In the Navigate view or Legacy Events view, you can create a query rather than clicking through the meta keys and values to drill down into the metadata. The dialogs for creating a query offer syntax help with drop-down lists of applicable meta keys and operators. To access this dialog, select Query in the Navigate or Legacy Events view toolbar.

What do you want to do?

                                                               
| User Role | I want to ... | Show me how |
|---|---|---|
| Incident Responder or Threat Hunter | review detections and signals seen in my environment | NetWitness Platform Getting Started Guide |
| Incident Responder | review critical incidents or alerts | NetWitness Respond User Guide |
| Threat Hunter | query a service, metadata, and time range* | Begin an Investigation in the Events View; Begin an Investigation in the Navigate or Legacy Events View |
| Threat Hunter | view metadata | Filter Results in the Navigate View; Drill into Metadata in the Events View (BETA) |
| Threat Hunter | view sequential events | Filter Results in the Events View; Filter Results in the Legacy Events View |
| Threat Hunter | reconstruct and analyze an event | Examine Event Details in the Events View; Reconstruct an Event in the Legacy Events View |
| Threat Hunter | examine files and associated hosts | Download Data in the Events View; Export or Print a Drill Point in the Navigate View; Export Events in the Legacy Events View |
| Threat Hunter | perform lookups | Look Up Additional Context for Results; Launch a Lookup of a Meta Key |
| Threat Hunter | create an incident or add to an incident | Add Events to an Incident in the Legacy Events View; Add Events to an Incident in the Events View |
| Threat Hunter | add a meta value to a Context Hub list | Look Up Additional Context for Results |

*You can perform this task in the current view.

Quick Look

[Figure: the Simple Query drop-down]

The Query dialog has three views:

  • Simple
  • Advanced
  • Recent

In the Simple view, you can create a query using the options displayed in the dialog. In the Advanced view, you can create a query without guidance. In the Recent view, you can select a query from a drop-down list of recent queries.

Simple View

[Figure: the Simple view]

Advanced View

[Figure: the Advanced view]

Recent View

[Figure: the Recent view]

The following table describes features of the Query dialogs.

                                                       
| Feature | Description |
|---|---|
| Select Meta | Displays a drop-down list of meta groups. |
| Operator | Displays a drop-down list of operators (=, !=, exists, !exists). |
| Value | Allows you to enter a value to complete the query. |
| Network | Limits the query to packets if Log is not selected. |
| Log | Limits the query to logs if Network is not selected. |
| Query box | Allows you to enter a query in the Advanced view. When you begin typing, a drop-down list of available meta keys for the service is displayed, then a drop-down of operators is displayed as you type. If the expression currently entered in the query box is invalid, a warning appears near the box. When the query is valid, the warning is removed. |
| Query list | Allows you to select a query from a list of recent queries in the Recent view. Double-clicking a query automatically applies it. |
| Apply | Applies the new query to the current Investigation view. |
| Cancel | Closes the dialog without applying changes. |
| Reset | Resets all fields. |
