Investigate: Events View

Document created by RSA Information Design and Development on Sep 18, 2017Last modified by RSA Information Design and Development on Oct 24, 2017
Version 8Show Document
  • View in full screen mode

In the Events view a list of events associated with a session is available. There are two ways to display the Events view:

  • Select Investigate > Events. NetWitness Suite runs a default query on the last three hours for the default service (if one is set) or displays a dialog in which you can select a service and then runs the default query. The default query selects all events and the Events view displays events on the selected service, with the oldest events first.
  • From within the Navigate view, click an event. The Events view displays the events on the selected service based on the drill point in the Navigate view.


the Investigate workflow, with View Query Results highlighted

What do you want to do?

User RoleI want to ...Documentation
Threat Huntersubmit a query* Beginning an Investigation of a Service or Collection

Threat Hunter

set user preferences for the Events view*

Configure Navigate View and Events View

Threat Hunterfilter and search results in the Events view* Examining Events
Threat Hunter combine events from split sessions* Combine Events from Split Sessions  
Threat Hunter add events to an incident for response* Conducting an Investigation
Threat Hunter reconstruct an event*

Reconstruct an Event

Threat Hunter

view interactive Event Analysis*

Analyze Events in the Event Analysis View

Threat Hunterexport files from an event* Export Events
Threat Huntermanage column groups* Manage Column Groups in the Events View
Threat Hunterlook up additional context for a meta value* View Additional Context for a Data Point
Threat Hunterconduct malware analysisConducting Malware Analysis

Incident Responder

investigate an incident

NetWitness Respond User Guide

*You can perform this task in the current view.

Related Topics

Quick Look

The Events view provides three built-in presentations of event data: the Detail view, the List view, and the Log view. The List view and Detail view are intended for viewing packet data events, and they provide more information for each event including the timestamp, event type, event theme, and size.

  • The List View shows corresponding source and destination address and port information for events in summary form in a grid.
  • The Detail View shows all metadata collected for the event in a paged view.
  • The Log View is optimized for viewing log information, and provides more information for each log including the timestamp, event type, service type, service class, and the logs.

You can use queries, the time range setting, and profiles to filter the events listed in the Events view. From any view type in Events view, you can extract files; export events, logs, and meta values; open the Event Reconstruction panel, and open Event Analysis.

The following figure is an example of events in the Detail View. The Context Lookup panel is visible only if the Context Hub service is configured.

Event Detail View

The following figure is an example of events in the List View.

Event List View

The following figure is an example of the Log View.

This is the Event Log view

Detailed Description

The Events view has a toolbar at the top with the following options.

Select ServiceDisplays the selected service name next to the icon. Opens the Select a Service dialog, in which you can select a service for which the event list is displayed.
Time RangeDisplays a drop-down menu for selecting the time range to apply to the event list. You can choose one of the standard options or specify a custom time range.
QueryDisplays the Create Filter dialog, in which you can enter a custom query directly instead of drilling down the data (see Create a Custom Query)
ProfileDisplays the Use Profile menu; the currently selected profile is displayed in the toolbar. A profile allows you to manage and use profiles that can include custom meta groups, a default column group, and a beginning query. The Profiles apply to the Navigate view (meta groups and queries) and the Events view (column groups and queries).
View Type Drop-downDisplays a drop-down menu for selecting the event view type.
  • Detail View shows events in a paged format with detailed information for each event.
  • List view shows the events in grid form with a summary of each event in a separate row.
  • Log View shows a log-oriented events grid with a summary of each log in a separate row.
  • Custom Column Groups displays the event list using a column group selected from a drop-down list of custom column groups.
  • Manage Column Groups displays the dialog for creating and editing custom column groups.
ActionsDisplays a drop-down menu with actions in the Events view:
  • Extract Files, export events as a PCAP file, export logs, or export meta values.
  • View an event reconstruction in a popup window or in a new tab.
  • View Event Analysis
  • Reset all filters in the Events view.


Create a new incident in Respond and add the selected events, or add selected events to an existing incident in Respond.

SearchDisplays the Search Events options, which allow you to specify the export log and export meta value format with additional options explained in Search for Text Patterns in the Investigate View
SettingsDisplays the Investigation settings for the Events view (which are also available in the Profile view) so that you can change Investigation settings without navigating away from the Events view. When you change a setting In the Events view the setting is also changed in the Profile view (see Configure Navigate View and Events View).
You are here
Table of Contents > Investigation Reference Materials > Events View