In the Profile view > Preferences panel > Investigation tab, users can set several preferences that affect the performance and behavior of NetWitness Platform when analyzing data, viewing events, and reconstructing events in NetWitness Investigate. To access this tab, select > from the Navigate view or the Legacy Events view. When the Profile view is displayed, select Preferences > Investigation. You can change user preferences at any time when you are working in NetWitness Platform.
This figure is an example of the Investigation tab, and the following table describes the preferences that affect Investigate. There are slight differences between the 11.1 search settings and the search settings in later versions; these are explained in Search for Text Patterns in the Navigate and Legacy Events Views.
|Threshold||This setting controls the count shown for a meta key value in the Navigate view during the load. A higher threshold allows more accurate counts for a value. However, a higher threshold causes longer load times. When the threshold is reached, NetWitness Platform displays the count and the percentage of time used to reach the count in comparison to the time necessary to load all sessions with that value. For example, (>100000 - 18%) indicates that the threshold was set at 100000 and this load took only 18% of the time it would have taken with no threshold set. The default value is 100000.|
|Max Values Results||This setting controls the maximum number of values to load in the Navigate view when the Max Results option is selected in the Meta Key Menu for an open meta key. The default value is 1000.|
|Max Session Export||This setting controls the maximum number of sessions that can be exported. The default value is 100000.|
|Max Log View Characters||This setting controls the maximum number of characters to be displayed on Investigate > Legacy Events > Log Text. The default value is 1000.|
|Export Log Format||This setting specifies the default format for exporting logs from Investigate. Available options are Text, XML, CSV, and JSON. There is no default value for the log export format. If you do not select a format for logs here, NetWitness Platform displays a selection dialog when you invoke export of logs. When you select one of the options from the Export Log Format drop-down menu and click Apply, the setting goes into effect immediately.|
|Export Meta Format||This setting specifies the default format for exporting meta values from Investigate. Available options are Text, XML, CSV, and JSON. There is no default value for the meta export format. If you do not select a format for exporting meta values here, NetWitness Platform displays a selection dialog when you invoke export of meta values. When you select one of the options from the Export Meta Format drop-down menu and click Apply, the setting goes into effect immediately.|
|Use Per Device Local Cache||Allows you to specify the use of locally cached data from the selected service. By default, this checkbox is cleared (Off), which means that Investigate sends a fresh query to the database rather than displaying cached data in the Investigate views after the initial load. If the option is set, Investigate uses the data from local cache.|
|Show Debug Information||When this option is set, NetWitness Platform displays the where clause beneath the breadcrumb in the Navigate view. For each meta value load, the load time is displayed. If the service is a Broker, the elapsed time for each aggregated service is reported. The default value is Off.|
|Append Events in Events Panel||When this option is set, the events displayed in the Events Panel are added incrementally rather than overwriting the currently displayed events. Each time you click the next page icon, the additional events are appended to the previous events: 1-25, then 1-50, then 1-75, and so on.|
|Autoload Values||When this option is set, the service values are automatically loaded in the Navigate view. When not set, NetWitness Platform displays a Load Values button, allowing the user the opportunity to modify the options. The default value is Off.|
|Download Completed PCAPs||This setting automates the downloading of extracted PCAPs in Investigate so that you do not have to manually download and open extracted PCAP files in an application, such as Wireshark, that can handle viewing data in a PCAP format.|
|Live Connect: Highlight Risky Values||If you want NetWitness Platform to highlight and display only IP addresses that are considered to be risky by the RSA community, set this option. When not enabled, NetWitness Platform displays all IP addresses. By default, this option is cleared (Off).|
|Optimize Investigation Page Loads||This option is enabled by default (checked) and controls how the Legacy Events view retrieves events. When enabled, results are returned as quickly as possible, but you cannot go to a specific page in the event list. Clearing the checkbox changes the Events list pagination to allow you to go to a specific page in the list (or to the last page). Being able to go to any page in the list costs additional overhead to determine the events in advance.|
|Default Session View||This setting selects the default reconstruction type for the initial reconstruction view. By default, events are reconstructed using the reconstruction type most appropriate to the event.|
|Enable CSS Reconstruction for Web View||This setting controls how web content reconstruction is performed. If enabled, the web reconstruction includes cascading style sheet (CSS) styles and images so that its appearance matches the original view in a web browser. This includes scanning and reconstructing related events, and searching for stylesheets and images used in the target event. The option is enabled by default. Clear the checkbox if there are problems viewing specific websites.|
|Search Options||This setting specifies the default search options to apply to a search in the Navigate and Legacy Events views. Search for Text Patterns in the Navigate and Legacy Events Views provides detailed information.|
|Apply||Saves your preferences and puts them into effect immediately.|