Investigate: Legacy Event Reconstruction View

Document created by RSA Information Design and Development on Sep 18, 2017•Last modified by RSA Information Design and Development on Jan 30, 2020

Version 18Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

The Event Reconstruction view provides a reconstruction of a selected event from the Legacy Events view. By default, NetWitness Platform displays the best reconstruction for the event determined by the event content, or the default reconstruction that you have selected in the Default Session View setting for Investigate. You can use the options in the Event Reconstruction toolbar to change the reconstruction method, view top-to-bottom or side-by-side results, select request and response views, export an event, export meta values, extract files, open an email attachment, and open the event in a new tab.

To access this view, do one of the following:

In any Legacy Events view, double-click an event.
In the Legacy Events view with Detail View selected, right-click Events at the end of the event, and select Event Reconstruction.
In the Event Reconstruction toolbar of previewed reconstruction, click Open Event in New Tab.
In the Navigate view, select Actions > Go to event in Event Reconstruction, and enter an event ID.

Workflow

This workflow has references to several views that were renamed in Version 11.4: Event Analysis --> Events, Events --> Legacy Events.

What do you want to do?

User Role	I want to ...	Show me how
Incident Responder	review critical incidents or alerts	NetWitness Respond User Guide
Threat Hunter	query a service, metadata, and time range	Filter Results in the Events View Filter Results in the Navigate View Create a Query in the Navigate and Legacy Events Views Filter Results in the Legacy Events View
Threat Hunter	view metadata	Analyze Events in the Events View Refining the Results Set
Threat Hunter	view raw event data*	Filter Results in the Events View Analyze Events in the Events View Filter Results in the Legacy Events View
Threat Hunter	reconstruct the event*	Analyze Events in the Events View Reconstruct an Event in the Events View Reconstruct an Event in the Legacy Events View
Threat Hunter	examine files*	Download Data in the Events View Export or Print a Drill Point in the Navigate View Export Events in the Legacy Events View
Threat Hunter	perform lookups	Look Up Additional Context for Results Launch a Lookup of a Meta Key
Threat Hunter	create an incident or add to an incident	Add Events to an Incident in the Legacy Events View Add Events to an Incident in the Events View
Threat Hunter	add a meta value to a Context Hub list	Look Up Additional Context for Results

*You can perform this task in the current view.

Quick Look

This figure is an example of the Event Reconstruction view. The following table describes the toolbar options.

Feature	Description
Request & Response	Displays a drop-down menu for selecting whether the view displays: Request & Response Request Response
Organization	Displays a drop-down menu for selecting whether the information is displayed top to bottom or side by side.
Reconstruction View	Displays a drop-down menu for selecting what information is displayed. By default, Best Reconstruction is selected. Other options are: View Meta View Text View Hex View Packets View Web View Mail View Files
Actions	Displays a drop-down menu with the actions available in the Event Reconstruction view (Export PCAP, Extract Files, and Export Meta).
Open Event in New Tab	Opens the event in a new browser tab.
Event Analysis	Open the event in the Event Analysis view.

Beneath the toolbar is a list of meta keys and values. Some of the keys offer a drop-down menu with available actions.

The bar at the bottom of the view offers several options.

Feature	Description
	Displays the previous event.
	Displays the next event.
Show Reconstruction Log	Displays the reconstruction log at the bottom of the view. Once you click this button, it changes to Hide Reconstruction Log.