Investigate: Events View

Document created by RSA Information Design and Development on Sep 18, 2017. Last modified by RSA Information Design and Development on Sep 11, 2018.
Version 15

The Events view lists the events associated with a session; this view is optimized for viewing raw events in sequence by time. You can display the events list in several forms, filter events, search for events, and open a reconstruction of an event.

There are two ways to display the Events view:

  • Go to INVESTIGATE > Events. NetWitness Platform runs a default query on the last three hours for the default service (if one is set) or displays a dialog in which you can select a service and then runs the default query. The default query selects all events and the Events view displays events on the selected service, with the oldest events first.
  • From within the Navigate view, double-click an event. The Events view displays the events on the selected service based on the drill point in the Navigate view.


[Figure: high-level Investigate workflow with Browse Raw Events and associated actions highlighted]

What do you want to do?

User Role | I want to ... | Show me how
Threat Hunter | browse event metadata | Begin an Investigation in the Navigate or Events View
Threat Hunter | browse raw events* | Begin an Investigation in the Navigate or Events View
Threat Hunter | analyze raw events and metadata | Begin an Investigation in the Event Analysis View
Threat Hunter | investigate endpoints (Version 11.1) | Investigate Hosts
Threat Hunter | find suspicious endpoint files (Version 11.1) | Investigate Files
Threat Hunter | scan files and events for malware | Conducting Malware Analysis
Incident Responder | triage an incident in Investigate | NetWitness Respond User Guide
Threat Hunter | set user preferences for the Events view* | Configure the Navigate View and Events View
Threat Hunter | reconstruct an event* | Reconstruct an Event
Threat Hunter | export events and files* | Export Events in the Events View
Threat Hunter | perform internal lookups | Look Up Additional Context in the Navigate and Events Views
Threat Hunter | perform external lookups | Launch an External Lookup of a Meta Key
Threat Hunter or Incident Responder | add one or more events to an existing incident or to a new incident* | Add Events to an Incident for Response

*You can perform this task in the current view.

Quick Look

The Events view provides three built-in presentations of event data: the Detail view, the List view, and the Log view. The List view and Detail view are intended for viewing packet data events, and they provide more information for each event including the timestamp, event type, event theme, and size.

  • The List View shows corresponding source and destination address and port information for events in summary form in a grid.
  • The Detail View shows all metadata collected for the event in a paged view.
  • The Log View is optimized for viewing log information, and provides more information for each log including the timestamp, event type, service type, service class, and the logs.

You can use queries, the time range setting, and profiles to filter the events listed in the Events view. From any view type in the Events view, you can extract files; export events, logs, and meta values; open the Event Reconstruction panel; and open Event Analysis.

The following figure is an example of events in the Detail View. The Context Lookup panel is visible only if the Context Hub service is configured.

[Figure: the Detail View]

The following figure is an example of events in the List View.

[Figure: the List View]

The following figure is an example of the Log View.

[Figure: example of the Log View]

Detailed Description

The Events view has a toolbar at the top with the following options.

Select Service: Displays the selected service name next to the icon. Opens the Select a Service dialog, in which you can select a service for which the event list is displayed.

Time Range: Displays a drop-down menu for selecting the time range to apply to the event list. You can choose one of the standard options or specify a custom time range.

Query: Displays the Create Filter dialog, in which you can enter a custom query directly instead of drilling down the data (see Create a Custom Query).

Profile: Displays the Use Profile menu; the currently selected profile is displayed in the toolbar. A profile allows you to manage and use profiles that can include custom meta groups, a default column group, and a beginning query. The Profiles apply to the Navigate view (meta groups and queries) and the Events view (column groups and queries).

View Type Drop-down: Displays a drop-down menu for selecting the event view type.
  • Detail View shows events in a paged format with detailed information for each event.
  • List View shows the events in grid form with a summary of each event in a separate row.
  • Log View shows a log-oriented events grid with a summary of each log in a separate row.
  • Custom Column Groups displays the event list using a column group selected from a drop-down list of custom column groups.
  • Manage Column Groups displays the dialog for creating and editing custom column groups.

Actions: Displays a drop-down menu with actions in the Events view:
  • Extract files, export events as a PCAP file, export logs, or export meta values.
  • View an event reconstruction in a popup window or in a new tab.
  • View Event Analysis.
  • Reset all filters in the Events view.

Create a new incident in Respond and add the selected events, or add selected events to an existing incident in Respond.

Search: Displays the Search Events options, which allow you to specify the export log and export meta value format with additional options explained in Search for Text Patterns.

Settings: Displays the Investigation settings for the Events view (which are also available in the Profile view) so that you can change Investigation settings without navigating away from the Events view. When you change a setting in the Events view, the setting is also changed in the Profile view (see Configure the Navigate View and Events View).