Investigate: Event Reconstruction View

Document created by RSA Information Design and Development on Sep 18, 2017•Last modified by RSA Information Design and Development on May 8, 2018

Version 14Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

The Event Reconstruction view provides a reconstruction of a selected event from the Events view. By default, NetWitness Suite displays the best reconstruction for the event determined by the event content, or the default reconstruction that you have selected in the Default Session View setting for Investigate. You can use the options in the Event Reconstruction toolbar to change the reconstruction method, view top-to-bottom or side-by-side results, select request and response views, export an event, export meta values, extract files, open an email attachment, and open the event in a new tab.

To access this view, do one of the following:

In any Events view, double-click an event.
In the Events view with Detail View selected, right-click Event Analysis at the end of the event, and select Event Reconstruction.
In the Event Reconstruction toolbar of previewed reconstruction, click Open Event in New Tab.
In the Navigate view, select Actions > Go to event in Event Reconstruction, and enter an event ID.

Workflow

What do you want to do?

User Role	I want to ...	11.1 Documentation
Threat Hunter	browse event metadata	Begin an Investigation in the Navigate or Events View
Threat Hunter	browse raw events	Begin an Investigation in the Navigate or Events View
Threat Hunter	analyze raw events and metadata	Begin an Investigation in the Event Analysis View
Threat Hunter	investigate endpoints (Version 11.1)	Investigate Hosts
Threat Hunter	find suspicious endpoint files (Version 11.1)	Investigate Files
Threat Hunter	scan files and events for malware	Conducting Malware Analysis
Incident Responder	triage an incident in Investigate	NetWitness Respond User Guide
Threat Hunter	reconstruct an event	Reconstruct an Event
Threat Hunter	extract files from a reconstructed event	Reconstruct an Event

*You can perform this task in the current view.

Quick Look

This figure is an example of the Event Reconstruction view. The following table describes the toolbar options.

Feature	Description
Request & Response	Displays a drop-down menu for selecting whether the view displays: Request & Response Request Response
Organization	Displays a drop-down menu for selecting whether the information is displayed top to bottom or side by side.
View	Displays a drop-down menu for selecting what information is displayed. By default, Best Reconstruction is selected. Other options are: View Meta View Text View Hex View Packets View Web View Mail View Files
Actions	Displays a drop-down menu with the actions available in the Event Reconstruction view.
Open Event in New Tab	Opens the event in a new browser tab.

Beneath the toolbar is a list of meta keys and values. Some of the keys offer a drop-down menu with available actions.

The bar at the bottom of the view offers several options.

Feature	Description
	Displays the previous event.
	Displays the next event.
Show Reconstruction Log	Displays the reconstruction log at the bottom of the view. Once you click this button, it changes to Hide Reconstruction Log.