
Investigate: Legacy Events View

Document created by RSA Information Design and Development Employee on Sep 18, 2017. Last modified by RSA Information Design and Development Employee on Oct 16, 2020. Version 23.
 

The Legacy Events view is deprecated in favor of the Events view. In the Legacy Events view a list of events associated with a session is available; this view is optimized for viewing raw events in sequence by time. You can display the events list in several forms, filter events, search for events, and open a reconstruction of an event.

There are two ways to display the Legacy Events view:

  • Go to Investigate > Legacy Events. NetWitness Platform runs a default query on the last three hours for the default service (if one is set) or displays a dialog in which you can select a service and then runs the default query. The default query selects all events and the Legacy Events view displays events on the selected service, with the oldest events first.
  • From within the Navigate view, double-click an event. The Legacy Events view displays the events on the selected service based on the drill point in the Navigate view.

Note: The Legacy Events view was the original Events view (11.0 to 11.3.x.x). The Legacy Events view is no longer needed and is hidden unless the administrator enables it. By default, only the Events view appears in the menu; when the Legacy Events view is enabled, both the Events view and the Legacy Events view are visible in the menu bar.

What do you want to do?

                                                               
| User Role | I want to ... | Show me how |
| --- | --- | --- |
| Incident Responder or Threat Hunter | review detections and signals seen in my environment | NetWitness Platform Getting Started Guide |
| Incident Responder | review critical incidents or alerts | NetWitness Respond User Guide |
| Threat Hunter | query a service, metadata, and time range* | Begin an Investigation in the Events View; Begin an Investigation in the Navigate or Legacy Events View |
| Threat Hunter | view metadata | Filter Results in the Navigate View; Drill into Metadata in the Events View (BETA) |
| Threat Hunter | view sequential events* | Filter Results in the Events View; Filter Results in the Legacy Events View |
| Threat Hunter | reconstruct and analyze an event* | Examine Event Details in the Events View; Reconstruct an Event in the Legacy Events View |
| Threat Hunter | examine files and associated hosts* | Download Data in the Events View; Export or Print a Drill Point in the Navigate View; Export Events in the Legacy Events View |
| Threat Hunter | perform lookups* | Look Up Additional Context for Results; Launch a Lookup of a Meta Key |
| Threat Hunter | create an incident or add to an incident* | Add Events to an Incident in the Legacy Events View; Add Events to an Incident in the Events View |
| Threat Hunter | add a meta value to a Context Hub list* | Look Up Additional Context for Results |

*You can perform this task in the current view.

Quick Look

The Legacy Events view provides three built-in presentations of event data: the Detail view, the List view, and the Log view. The List view and Detail view provide more information for each event including the timestamp, event type, event theme, and size.

  • The List View shows corresponding source and destination address and port information for events in summary form in a grid.
  • The Detail View shows all metadata collected for the event in a paged view.
  • The Log View is optimized for viewing log and endpoint information, and provides more information for each log including the timestamp, event type, service type, service class, and the logs.

You can use queries, the time range setting, and profiles to filter the events listed in the Legacy Events view. From any view type in the Legacy Events view, you can extract files; export network events, endpoint events, logs, and meta values; and open the Event Reconstruction panel. In the Detail View, you can also open the event in the Events view.

The following figure is an example of events in the Detail View. The Context Lookup panel is visible only if the Context Hub service is configured.

[Figure: an example of the Events view with the Context Lookup panel open]

The following figure is an example of events in the List View.

[Figure: the List view]

The following figure is an example of the Log View.

[Figure: example of the Log View]

The following figure shows the information added to the footer for Version 11.3 and later.

[Figure: the Events view footer with result limit and services queried]

Detailed Description

The Legacy Events view has a toolbar at the top with the following options.

                                               
| Feature | Description |
| --- | --- |
| Select Service | Displays the selected service name next to the icon. Opens the Investigate dialog, in which you can select a service for which the event list is displayed. |
| Time Range | Displays a drop-down menu for selecting the time range to apply to the event list. You can choose one of the standard options or specify a custom time range. |
| Query | Displays the Query dialog, in which you can enter a custom query directly instead of drilling down the data (see Create a Query in the Navigate and Legacy Events Views). |
| Profile | Displays the Profile menu; the currently selected profile is displayed in the toolbar. The menu options include built-in (Default) profiles and custom profiles, as well as an option to manage profiles. Each profile can include a meta group, a column group, and a beginning query that is applied to the Navigate view (meta groups and queries) and the Legacy Events view (column groups and queries) as you investigate events (see Use Query Profiles to Encapsulate Common Areas for Investigation). |
| View Type Drop-down | Displays a drop-down menu for selecting the event view type. Detail View shows events in a paged format with detailed information for each event; List View shows the events in table form with a summary of each event in a separate row; Log View shows a log-oriented events grid with a summary of each log in a separate row; Custom Column Groups displays the event list using a column group selected from a drop-down list of custom column groups; Manage Column Groups displays the dialog for creating and editing custom column groups. |
| Actions | Displays a drop-down menu with actions in the Legacy Events view: export events as PCAP files, export logs, export endpoint events, or export meta values; view an event reconstruction in a popup window or in a new tab; reset all filters in the Legacy Events view. |
| Incidents | Create a new incident in Respond and add the selected events, or add selected events to an existing incident in Respond. |
| Search | Displays the Search Events options, which allow you to specify the export log and export meta value format with additional options explained in Search for Text Patterns in the Navigate and Legacy Events Views. |
| Settings | Displays the Investigation settings for the Legacy Events view (which are also available in the Profile view) so that you can change Investigation settings without navigating away from the Legacy Events view. When you change a setting in the Legacy Events view, the setting is also changed in the Profile view (see Configure the Navigate View and Legacy Events View). |

 

Other features of the Legacy Events view are described in this table.

                           
| Feature | Description |
| --- | --- |
| Show Additional Meta icon (in the Detail View of an event) | Displays the rest of the metadata for the event. |
| Event Analysis icon (in the Detail View of an event) | Opens the selected event in the Events view. |
| Events view page controls (in the footer) | Pagination controls allow more flexibility in paging through a list of events. When a control is unavailable, the image is dimmed; for example, when you are viewing page 1, the first page control and the previous page control are dimmed. The controls are: first page control (go to the first page); previous page control (go to the previous page); page number control (go to a specific page); next page control (go to the next page); last page control (go to the last page); events per page control (select the number of packets per page). When you select a number of events per page, the setting is saved in the browser cache so that you do not have to select your preferred number of events each time you log in. The setting applies to all views: Log View, List View, and Detail View. |
| "Displaying 1-100 of 100,000 events" or "Displaying 1-25 of 100+ event matches (result limit of 100 events reached)" (in the footer) | Displays the count of events displayed versus the total number of matching events. In Version 11.3 and later, the footer includes a notification if the results limit configured by the administrator has been reached, to let you know that more results are available but not viewable. To view the additional results, you need to refine the filter to get fewer results. Clicking the information icon in the footer displays the IP address and connecting port number for all services queried. |
 
