Investigate: Open an Event in the Events List

Document created by RSA Information Design and Development on Sep 18, 2017Last modified by RSA Information Design and Development on May 8, 2018
Version 14Show Document
  • View in full screen mode

Analysts can view a list of events associated with a session in the Investigate > Events view or in the Event Analysis view.

To display events in the Events view do one of the following:

  1. To use the default query for the default service, go to INVESTIGATE > Events.
    NetWitness Suite runs a default query on the last three hours for the default service (if one is set) or displays a dialog in which you can select a service and then runs the default query. The default query selects all events and the Events view displays events on the selected service, with the oldest events first. 

This figure is an example of the Detail view.
Events Detail view
You can use queries, the time range setting, and profiles to filter the events listed in the Events view. From any view type in Events view, you can extract files, export events, export logs, and open the Event Reconstruction panel by double-clicking an event. See Analyzing Raw Events and Metadata in the Event Analysis View for detailed information about these capabilities.

You are here
Table of Contents > Investigating Metadata in the Navigate View > Open an Event in the Events List