Investigation: Investigation Tab - User Preferences Panel

Document created by RSA Information Design and Development on Sep 18, 2017. Last modified by RSA Information Design and Development on Oct 24, 2017. Version 8.


In the Profile view > Preferences panel > Investigation tab, users can set several preferences that affect the performance and behavior of NetWitness Suite when analyzing data, viewing events, and reconstructing events in Investigation. To access this tab, select the User Drop-down menu > the Profile option. When the Profile view is displayed, select Preferences > Investigation tab. You can change user preferences at any time when you are working in NetWitness Suite.

What do you want to do?

                                                
| User Role | I want to ... | Documentation |
|---|---|---|
| Threat Hunter | view and change user preferences for Investigate* | Configure Navigate View and Events View |
| Threat Hunter | submit a query | Beginning an Investigation of a Service or Collection |
| Threat Hunter | view query results | Conducting an Investigation |
| Threat Hunter | reconstruct an event | Reconstruct an Event |
| Threat Hunter | conduct interactive event analysis | Analyze Events in the Event Analysis View |
| Incident Responder | investigate an incident | NetWitness Respond User Guide |
| Threat Hunter | conduct malware analysis | Conducting Malware Analysis |

*You can perform this task in the current view.

Quick Look

This figure is an example of the Investigation tab, and the following table describes the Investigation preferences.

                                                                             
| Feature | Description |
|---|---|
| Threshold | This setting controls the count shown for a Meta Key value in the Navigate view during the load. A higher threshold allows more accurate counts for a value. However, a higher threshold causes longer load times. When the threshold is reached, NetWitness Suite displays the count and the percentage of time used to reach the count in comparison to the time necessary to load all sessions with that value. For example, (>100000 - 18%) indicates that the threshold was set at 100000 and this load took only 18% of the time it would have taken with no threshold set. The default value is 100000. |
| Max Values Results | This setting controls the maximum number of values to load in the Navigate View when the Max Results option is selected in the Meta Key Menu for an open Meta Key. The default value is 1000. |
| Max Session Export | This setting controls the maximum number of sessions that can be exported. The default value is 100000. |
| Max Log View Characters | This setting controls the maximum number of characters to be displayed on Investigation > Events > Log Text. The default value is 1000. |
| Export Log Format | This setting specifies the default format for exporting logs from Investigation. Available options are Text, XML, CSV, and JSON. There is no built-in default value for the log export format. If you do not select a format here, NetWitness Suite displays a selection dialog when you invoke export of logs. When you select one of the options from the Export Log Format drop-down menu and click Apply, the setting goes into effect immediately. |
| Export Meta Format | This setting specifies the default format for exporting meta values from Investigation. Available options are Text, XML, CSV, and JSON. There is no built-in default value for the meta export format. If you do not select a format here, NetWitness Suite displays a selection dialog when you invoke export of meta. When you select one of the options from the Export Meta Format drop-down menu and click Apply, the setting goes into effect immediately. |
| Use Per Device Local Cache | |
| Show Debug Information | When this option is selected, NetWitness Suite displays the where clause beneath the breadcrumb in the Navigate view. For each meta value load, the load time is displayed. If the service is a Broker, then the elapsed time for each aggregated service is reported. The default value is Off. |
| Append Events in Events Panel | When this option is selected, the events displayed in the Events Panel are added incrementally rather than overwriting the currently displayed events. Each time you click the next page icon, the additional events are appended to the previous events: 1-25, then 1-50, then 1-75, and so on. Note: This option is available only if the Optimize Investigation Page Loads option is enabled. |
| Autoload Values | When this option is selected, the service values are automatically loaded in the Navigate view. When not selected, NetWitness Suite displays a Load Values button, allowing the user the opportunity to modify the options. The default value is Off. |
| Download Completed PCAPs | This setting automates the downloading of extracted PCAPs in Investigate so that you do not have to manually download and open extracted PCAP files in an application, such as Wireshark, that can handle viewing data in a PCAP format. |
| Live Connect: Highlight Risky Values | |
| Optimize Investigation Page Loads | This option is enabled by default (checked) and controls how the Events view retrieves events. When optimized, results are returned as quickly as possible. This sacrifices the original ability to go to a specific page in the event list. Unchecking this box changes the Events list pagination to allow you to go to a specific page in the list (or to the last page). Being able to go to any page in the list sacrifices some speed in returning the results due to the additional overhead of determining the events in advance. |
| Default Session View | This setting selects the default reconstruction type for the initial reconstruction view. By default, events are reconstructed using the reconstruction type most appropriate to the event. |
| Enable CSS Reconstruction for Web View | This setting controls how web content reconstruction is performed. If enabled, the web reconstruction includes cascading style sheet (CSS) styles and images so that its appearance matches the original view in a web browser. This includes scanning and reconstructing related events, and searching for stylesheets and images used in the target event. The option is enabled by default. Uncheck this option if there are problems viewing specific websites. Note: The appearance of the reconstructed content may not match the original web page perfectly if related images and stylesheets could not be found or were loaded from the web browser's cache. Also, any layout or styling that is performed dynamically via client-side JavaScript will not render in the reconstruction because all client-side JavaScript is removed for security purposes. |
| Search Options | This setting sets the default search options to apply to a search in the Navigate and Events views. Search for Text Patterns in the Investigate View provides detailed information. |
| Apply | Saves your preferences and puts them into effect immediately. |