Investigate: Event Analysis View - Text Analysis Panel

Document created by RSA Information Design and Development on Sep 18, 2017Last modified by RSA Information Design and Development on Oct 24, 2017
Version 8Show Document
  • View in full screen mode

In the Text Analysis panel (Event Analysis > Text Analysis), you can safely view and analyze the raw text payload of an event that you found in the Navigate view or the Events view. The Text Analysis panel includes features that can show decompressed or compressed text, expand truncated entries, perform URL and Base64 encoding and decoding, and download network events, logs, and endpoint events. The Text Analysis panel is available for all types of events: network, log, and endpoint.


the Investigate workflow with Conduct Interactive Analysis highlighted

What do you want to do?

User RoleI want to ...Documentation

Threat Hunter

submit a queryBeginning an Investigation of a Service or Collection
Threat Hunterview query resultsExamining Events

Threat Hunter

reconstruct an event

Reconstruct an Event

Threat Hunter analyze an event*

Analyze Events in the Event Analysis View

Threat Hunterexport files from an event* Analyze Events in the Event Analysis View
Threat Hunterconduct malware analysisConducting Malware Analysis

Incident Responder

investigate an incident

NetWitness Respond User Guide

*You can perform this task in the current view.

Related Topics

Quick Look

The Event Analysis view displays the text of a single event in the Text Analysis panel. When you click an event in the Event list panel, the adjacent panel shows the Text Analysis. Only the raw log for log events and endpoint events is shown in the Text Analysis panel. For network events, the direction of the packet (Request or Response) and contents of each packet are provided in text format.

Text Analysis with important features called out

1Options for exporting a log, a PCAP, or files for deeper analysis and to share with others. This download menu is for network data.
2The event header information.
3Click to view the network payload in compressed or decompressed form.
4The payload for a network event includes requests and responses. This is the request side of the packet.
5This is the response side of the packet. Only 1% of the response is displayed because it has been truncated to allow viewing of more packets. When you scroll down, you can click an option to display the rest of the payload.
6This message is displayed when the threshold of 2500 packets is reached, a measure to optimize performance. Additional packets will not be displayed. You may want to download the event to view all of the packets.
You are here
Table of Contents > Investigation Reference Materials > Event Analysis View - Text Analysis Panel