on Sep 18, 2017The Event Reconstruction view is deprecated in favor of the Events view. The Legacy Events view provides a reconstruction of a selected event from the Legacy Events view. By default, NetWitness Platform displays the best reconstruction for the event determined by the event content, or the default reconstruction that you have selected in the Default Session View setting for Investigate. You can use the options in the Event Reconstruction toolbar to change the reconstruction method, view top-to-bottom or side-by-side results, select request and response views, export an event, export meta values, extract files, open an email attachment, and open the event in a new tab.
To access this view, do one of the following:
- In any Legacy Events view, double-click an event.
- In the Legacy Events view with Detail View selected, right-click Events at the end of the event, and select Event Reconstruction.
- In the Event Reconstruction toolbar of previewed reconstruction, click Open Event in New Tab.
- In the Navigate view, select Actions > Go to event in Event Reconstruction, and enter an event ID.
What do you want to do?
| User Role | I want to ... | Show me how |
|---|---|---|
| Incident Responder or Threat Hunter | review detections and signals seen in my environment | NetWitness Platform Getting Started Guide |
| Incident Responder | review critical incidents or alerts | NetWitness Respond User Guide |
| Threat Hunter | query a service, metadata, and time range | Begin an Investigation in the Events View Begin an Investigation in the Navigate or Legacy Events View |
| Threat Hunter | view metadata | |
| Threat Hunter | view sequential events* | |
| Threat Hunter | reconstruct and analyze an event* | |
| Threat Hunter | examine files and associated hosts* | Download Data in the Events View |
| Threat Hunter | perform lookups | |
| Threat Hunter | create an incident or add to an incident* | |
| Threat Hunter | add a meta value to a Context Hub list |
*You can perform this task in the current view.
Related Topics
Quick Look
This figure is an example of the Event Reconstruction view. The following table describes the toolbar options.
| Feature | Description |
|---|---|
| Request & Response | Displays a drop-down menu for selecting whether the view displays:
|
| Organization | Displays a drop-down menu for selecting whether the information is displayed top to bottom or side by side. |
| Reconstruction View | Displays a drop-down menu for selecting what information is displayed. By default, Best Reconstruction is selected. Other options are:
|
| Actions | Displays a drop-down menu with the actions available in the Event Reconstruction view (Export PCAP, Extract Files, and Export Meta). |
| Open Event in New Tab | Opens the event in a new browser tab. |
| Event Analysis | Open the event in the Event Analysis view. |
Beneath the toolbar is a list of meta keys and values. Some of the keys offer a drop-down menu with available actions.
The bar at the bottom of the view offers several options.
| Feature | Description |
|---|---|
 | Displays the previous event. |
 | Displays the next event. |
| Show Reconstruction Log | Displays the reconstruction log at the bottom of the view. Once you click this button, it changes to Hide Reconstruction Log. |
