Investigate: Event Reconstruction View

Document created by RSA Information Design and Development on Sep 18, 2017•Last modified by RSA Information Design and Development on Apr 25, 2019

Version 17Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

The Event Reconstruction view provides a reconstruction of a selected event from the Events view. By default, NetWitness Platform displays the best reconstruction for the event determined by the event content, or the default reconstruction that you have selected in the Default Session View setting for Investigate. You can use the options in the Event Reconstruction toolbar to change the reconstruction method, view top-to-bottom or side-by-side results, select request and response views, export an event, export meta values, extract files, open an email attachment, and open the event in a new tab.

To access this view, do one of the following:

In any Events view, double-click an event.
In the Events view with Detail View selected, right-click Event Analysis at the end of the event, and select Event Reconstruction.
In the Event Reconstruction toolbar of previewed reconstruction, click Open Event in New Tab.
In the Navigate view, select Actions > Go to event in Event Reconstruction, and enter an event ID.

Workflow

What do you want to do?

User Role	I want to ...	Show me how
Incident Responder	review critical incidents or alerts	NetWitness Respond User Guide
Threat Hunter	query a service, metadata, and time range	Filter Results in the Event Analysis View Filter Results in the Navigate View Create a Custom Query Filter and Search Results in the Events View
Threat Hunter	view metadata	Examine Events in the Event Analysis View Investigating Metadata in the Navigate View
Threat Hunter	view raw event data*	Examine Events in the Event Analysis View Examine Events in the Event Analysis View Examining Raw Events in the Events View
Threat Hunter	reconstruct the event*	Examine Events in the Event Analysis View Reconstruction Types in the Event Analysis View Reconstruct an Event
Threat Hunter	examine files*	Download Data in the Event Analysis View Reconstruct an Event
Threat Hunter	perform lookups	Act on Data in the Event Analysis View Look Up Additional Context in the Event Analysis View Launch an External Lookup of a Meta Key Look Up Additional Context for a Data Point
Threat Hunter	create an incident or add to an incident	Add Events to an Incident for Response
Threat Hunter	add a meta value to a Context Hub list	Look Up Additional Context in the Event Analysis View Look Up Additional Context for a Data Point Manage Context Hub Lists and List Values in the Navigate and Events Views

*You can perform this task in the current view.

Quick Look

This figure is an example of the Event Reconstruction view. The following table describes the toolbar options.

Feature	Description
Request & Response	Displays a drop-down menu for selecting whether the view displays: Request & Response Request Response
Organization	Displays a drop-down menu for selecting whether the information is displayed top to bottom or side by side.
Reconstruction View	Displays a drop-down menu for selecting what information is displayed. By default, Best Reconstruction is selected. Other options are: View Meta View Text View Hex View Packets View Web View Mail View Files
Actions	Displays a drop-down menu with the actions available in the Event Reconstruction view (Export PCAP, Extract Files, and Export Meta).
Open Event in New Tab	Opens the event in a new browser tab.
Event Analysis	Open the event in the Event Analysis view.

Beneath the toolbar is a list of meta keys and values. Some of the keys offer a drop-down menu with available actions.

The bar at the bottom of the view offers several options.

Feature	Description
	Displays the previous event.
	Displays the next event.
Show Reconstruction Log	Displays the reconstruction log at the bottom of the view. Once you click this button, it changes to Hide Reconstruction Log.