Investigate: Event Analysis View - Text Analysis Panel

Document created by RSA Information Design and Development on Sep 18, 2017. Last modified by RSA Information Design and Development on May 8, 2018.
Version 14
 

In the Text Analysis panel (Event Analysis > Text Analysis), you can safely view and analyze the raw text payload of an event. The Text Analysis panel includes features that can show decompressed or compressed text, expand truncated entries, perform URL and Base64 encoding and decoding, and download network events, logs, and endpoint events. The Text Analysis panel is available for all types of events: network, log, and endpoint.

Workflow

Figure: The Investigate workflow with Analyze Raw Events and Metadata highlighted.

What do you want to do?

                                                                              
| User Role | I want to ... | 11.1 Documentation |
|---|---|---|
| Threat Hunter | browse event metadata | Begin an Investigation in the Navigate or Events View |
| Threat Hunter | browse raw events | Begin an Investigation in the Navigate or Events View |
| Threat Hunter | analyze raw events and metadata | Begin an Investigation in the Event Analysis View |
| Threat Hunter | query events in the Event Analysis view (Version 11.1) | Filter Results in the Event Analysis View |
| Threat Hunter | export events and files in the Event Analysis view* | Download Data in the Event Analysis View |
| Threat Hunter | reconstruct events in Event Analysis view* | Analyzing Raw Events and Metadata in the Event Analysis View |
| Threat Hunter | perform external lookups from the Event Analysis view (Version 11.1)* | Act on Data in the Event Analysis View |
| Threat Hunter | query events in the Navigate view | Investigating Metadata in the Navigate View |
| Threat Hunter | query events in the Events view | Examining Raw Events in the Events View |
| Threat Hunter | investigate endpoints (Version 11.1) | Investigate Hosts |
| Threat Hunter | find suspicious endpoint files (Version 11.1) | Investigate Files |
| Threat Hunter | scan files and events for malware | Conducting Malware Analysis |
| Incident Responder | triage an incident in Investigate | NetWitness Respond User Guide |

*You can perform this task in the current view.

Quick Look

The Event Analysis view displays the text of a single event in the Text Analysis panel. When you click an event in the Event list panel, the adjacent panel shows the Text Analysis. Only the raw log for log events and endpoint events is shown in the Text Analysis panel. For network events, the direction of the packet (Request or Response) and contents of each packet are provided in text format. For more examples of the Text Analysis, see Analyzing Raw Events and Metadata in the Event Analysis View. For detailed procedures, see Examine Events in the Event Analysis View.

Figure: Text Analysis with important features labeled.

1. Options for exporting a log, a PCAP, or files for deeper analysis and to share with others. This download menu is for network data.
2. The event header information.
3. Click to view the network payload in compressed or decompressed form.
4. The payload for a network event includes requests and responses. This is the request side of the packet.
5. This is the response side of the packet. Only 1% of the response is displayed because it has been truncated to allow viewing of more packets. When you scroll down, you can click an option to display the rest of the payload.
6. This message is displayed when the threshold of 2500 packets is reached, a measure to optimize performance. Additional packets will not be displayed. You may want to download the event to view all of the packets.