Investigate: Event Reconstruction View

Document created by RSA Information Design and Development on Sep 18, 2017Last modified by RSA Information Design and Development on Sep 11, 2018
Version 15Show Document
  • View in full screen mode

The Event Reconstruction view provides a reconstruction of a selected event from the Events view. By default, NetWitness Platform displays the best reconstruction for the event determined by the event content, or the default reconstruction that you have selected in the Default Session View setting for Investigate. You can use the options in the Event Reconstruction toolbar to change the reconstruction method, view top-to-bottom or side-by-side results, select request and response views, export an event, export meta values, extract files, open an email attachment, and open the event in a new tab.

To access this view, do one of the following:

  • In any Events view, double-click an event.
  • In the Events view with Detail View selected, right-click Event Analysis at the end of the event, and select Event Reconstruction.
  • In the Event Reconstruction toolbar of previewed reconstruction, click Open Event in New Tab.
  • In the Navigate view, select Actions > Go to event in Event Reconstruction, and enter an event ID.


high-level Investigate workflow with Reconstruct an Event highlighted

What do you want to do?

User RoleI want to ...Show me how
Threat Hunter

browse event metadata

Begin an Investigation in the Navigate or Events View

Threat Hunter

browse raw events

Begin an Investigation in the Navigate or Events View

Threat Hunter

analyze raw events and metadata

Begin an Investigation in the Event Analysis View

Threat Hunterinvestigate endpoints (Version 11.1)Investigate Hosts

Threat Hunter

find suspicious endpoint files (Version 11.1)

Investigate Files

Threat Hunterscan files and events for malwareConducting Malware Analysis

Incident Responder

triage an incident in Investigate

NetWitness Respond User Guide

Threat Hunterreconstruct an eventReconstruct an Event

Threat Hunter

extract files from a reconstructed event

Reconstruct an Event

*You can perform this task in the current view.

Related Topics

Quick Look

This figure is an example of the Event Reconstruction view. The following table describes the toolbar options.

The Event Reconstruction window

Request & ResponseDisplays a drop-down menu for selecting whether the view displays:
  • Request & Response
  • Request
  • Response
OrganizationDisplays a drop-down menu for selecting whether the information is displayed top to bottom or side by side.
ViewDisplays a drop-down menu for selecting what information is displayed. By default, Best Reconstruction is selected. Other options are:
  • View Meta
  • View Text
  • View Hex
  • View Packets
  • View Web
  • View Mail
  • View Files
ActionsDisplays a drop-down menu with the actions available in the Event Reconstruction view.
Open Event in New TabOpens the event in a new browser tab.

Beneath the toolbar is a list of meta keys and values. Some of the keys offer a drop-down menu with available actions.

The bar at the bottom of the view offers several options.

Left arrow Displays the previous event.
Right arrow Displays the next event.
Show Reconstruction LogDisplays the reconstruction log at the bottom of the view. Once you click this button, it changes to Hide Reconstruction Log.
Next Topic:Events View
You are here
Table of Contents > Investigate Reference Materials > Event Reconstruction View