The Legacy Events view is deprecated in favor of the Events view. In the Legacy Events view a list of events associated with a session is available; this view is optimized for viewing raw events in sequence by time. You can display the events list in several forms, filter events, search for events, and open a reconstruction of an event.
There are two ways to display the Legacy Events view:
- Go to Investigate > Legacy Events. NetWitness Platform runs a default query on the last three hours for the default service (if one is set) or displays a dialog in which you can select a service and then runs the default query. The default query selects all events and the Legacy Events view displays events on the selected service, with the oldest events first.
- From within the Navigate view, double-click an event. The Legacy Events view displays the events on the selected service based on the drill point in the Navigate view.
What do you want to do?
|User Role||I want to ...||Show me how|
Incident Responder or Threat Hunter
review detections and signals seen in my environment
NetWitness Platform Getting Started Guide
|Incident Responder|| |
review critical incidents or alerts
NetWitness Respond User Guide
|Threat Hunter||query a service, metadata, and time range*|
|Threat Hunter|| |
|Threat Hunter|| |
view sequential events*
reconstruct and analyze an event*
|Threat Hunter||examine files and associated hosts*|
|Threat Hunter||perform lookups*|
|Threat Hunter||create an incident or add to an incident*|
add a meta value to a Context Hub list*
*You can perform this task in the current view.
- How NetWitness Investigate Works
- Filter Results in the Legacy Events View
- Downloading and Acting Upon Results
The Legacy Events view provides three built-in presentations of event data: the Detail view, the List view, and the Log view. The List view and Detail view provide more information for each event including the timestamp, event type, event theme, and size.
- The List View shows corresponding source and destination address and port information for events in summary form in a grid.
- The Detail View shows all metadata collected for the event in a paged view.
- The Log View is optimized for viewing log and endpoint information, and provides more information for each log including the timestamp, event type, service type, service class, and the logs.
You can use queries, the time range setting, and profiles to filter the events listed in the Legacy Events view. From any view type in Legacy Events view, you can extract files; export network events, endpoint events, logs, and meta values, and open the Event Reconstruction panel. In the Detail View you can also open the event in the Events view.
The following figure is an example of events in the Detail View. The Context Lookup panel is visible only if the Context Hub service is configured.
The following figure is an example of events in the List View.
The following figure is an example of the Log View.
The following figure shows the information added to the footer for Version 11.3 and later.
The Legacy Events view has a toolbar at the top with the following options.
|Select Service||Displays the selected service name next to the icon. Opens the Investigate dialog, in which you can select a service for which the event list is displayed.|
|Time Range||Displays a drop-down menu for selecting the time range to apply to the event list. You can choose one of the standard options or specify a custom time range.|
|Query||Displays the Query dialog, in which you can enter a custom query directly instead of drilling down the data (see Create a Query in the Navigate and Legacy Events Views).|
|Profile||Displays the Profile menu; the currently selected profile is displayed in the toolbar. The menu options include built-in (Default) profiles and custom profiles, as well as an option to manage profiles. Each profile can include a meta group, a column group, and a beginning query that is applied to the Navigate view (meta groups and queries) and the Legacy Events view (column groups and queries) as you investigate events. (see Use Query Profiles to Encapsulate Common Areas for Investigation).|
|View Type Drop-down||Displays a drop-down menu for selecting the event view type. |
|Actions||Displays a drop-down menu with actions in the Legacy Events view: |
Create a new incident in Respond and add the selected events, or add selected events to an existing incident in Respond.
|Search||Displays the Search Events options, which allow you to specify the export log and export meta value format with additional options explained in Search for Text Patterns in the Navigate and Legacy Events Views.|
|Settings||Displays the Investigation settings for the Legacy Events view (which are also available in the Profile view) so that you can change Investigation settings without navigating away from the Legacy Events view. When you change a setting In the Legacy Events view, the setting is also changed in the Profile view (see Configure the Navigate View and Legacy Events View).|
Other features of the Legacy Events view are described in this table.