After a query is submitted in the Event Analysis view, the Events panel opens; you can select an event to analyze in the Events panel. The events listed here meet two conditions:
- They match the submitted query.
- They include a value for one or more meta keys required by the selected column group. (If you change the column group while viewing the Events list, the original query is resubmitted with the new column group. Any unsubmitted query changes made to the service, time range, or filter are ignored.)
There is a fixed limit of 50,000 on the number of events that can be loaded. The events begin loading into the Events panel; a progress bar at the top of the list shows the loading progress. Events with the earliest collection time are loaded first, and a row number indicator of the form "EVENTS xxx - xxx" is inserted in the list after every group of 100 events, as shown in the following figure.
If you scroll to the bottom of the list as the events are loading, a spinner is displayed. When all events have loaded, one of these messages is added to the bottom of the list:
- "All events loaded"
- "Reached the 50,000 event limit. Consider refining your query."
- "Retrieved 44,000 of 50,000 events prior to query cancellation."
If the number of events that match the query exceeds the limit of 50,000 events, the oldest 50,000 events in the time window are loaded in ascending order. For example, if 300,000 events match your query, the oldest 50,000 events are loaded.
A message at the top of the list indicates the total number of events loaded and if the 50,000 event limit has been reached:
- The message when less than 50,000 events are listed is: "xx,xxx Events (Asc)"
- The message when more than 50,000 events are listed is: "Oldest 50,000 Events (Asc)"
When you select an event, the Network Event Details, Log Event Details, or Endpoint Event Details panel opens on the right. The selected event in the Events panel is highlighted and pinned to the top of the list. You can make simple adjustments to the visibility and size of the panels.
You can choose different reconstruction formats (Packet Analysis, Text Analysis, File Analysis, Web, and Email). Within the Packet Analysis panel and the Text Analysis panel, you can use additional features to adjust the way the reconstruction is displayed and bring interesting data into focus.
Open, Close, and Adjust the Size of the Panels in the Event Analysis View
Initially, the Network Event Details, Log Event Details, or Endpoint Event Details panel occupies 75% of the window width by default.
You can adjust the size ratio of the Events panel in relation to the details panels to improve readability by expanding, contracting, or closing one of the panels. After closing either panel you can reopen it. The ratio you select persists until you change it or refresh the browser.
To optimize your view:
- To adjust the size ratio of the two panels, do any of the following:
- To close either panel, restoring the open panel to its full width, click .
This is an example of the reconstruction displayed using the full width of the browser window.
- To reopen the Events panel after closing, click in the top right corner of the Event Analysis view.
The Events panel opens to the last state (25%-75% or 50%-50%).
- To reopen the Event Details panel, click an event in the Events panel.
Select a Column Group and Columns in Event Analysis
In Version 11.1 and later, you can use built-in or custom column groups in the Events panel. The column groups are created and managed in the Events view (see Manage Column Groups in the Events View); these groups are reflected in the Event Analysis view. When you change the column group, the changes you make to a column group are for the current view only. When you navigate away and come back to the Event Analysis view, the column changes do not persist in the Events panel.
These are the built-in column groups.
- Email Analysis: Includes meta keys that are useful when investigating email-related metadata.
- Endpoint Analysis: Includes meta keys that are useful when investigating endpoint-related metadata.
- Malware Analysis: Includes meta keys that are useful when investigating malware-related metadata.
- Outbound HTTP: Includes meta keys that are useful when investigating Outbound HTTP-related metadata.
- Outbound SSL/TLS: Includes meta keys that are useful when investigating Outbound SSL/TLS analysis-related metadata.
- Summary List: Includes meta keys that are useful in a general investigation. This is the default column group.
- Threat Analysis: Includes meta keys that mark potential threats in the data set.
- User and Entity Behavior Analysis: Includes meta keys that are useful when investigating UEBA data.
- Web Analysis: Includes meta keys that mark anomalies in web traffic.
A column group may contain more columns than fit on the screen; these are only visible when you scroll to the right. The order of the columns reflects the order of the default column group in the Events view. By default, the first 15 columns are displayed when you select a column group. For best readability, view no more than 15 columns at a time; you can, however, select additional columns to display and remove columns that are displayed.
To select a column group:
- From the drop-down menu next to Events, select a column group (for example, Summary List). You can also start typing the name of the column group and select a group as the groups appear in the drop-down menu.
The Events panel displays data in the columns that belong to the selected column group.
To select columns to display:
- While working in the Event Analysis view, with a column group selected, click to display the column selector.
- Select the meta keys or enter the name of a meta key that you want to display in additional columns.
- If you do not want to see a meta key displayed in a column, deselect the meta key.
The data is redisplayed using the selected columns.
Select the Event Analysis Type
To select the event analysis type for an event, do one of the following:
- In the Event Analysis view toolbar, click the analysis type.
- In the drop-down menu, select the analysis type: File Analysis, Text Analysis, Packet Analysis, Email, or Web.
If you chose File Analysis, Text Analysis, or Packet Analysis, the data is displayed in the selected panel.
If you chose Email or Web, the Events view email or web reconstruction of the single event opens in a new tab. This is the same reconstruction of an email or web session used in the Events view. The Events view provides more functionality when viewing an email or web reconstruction, allowing you to page through events in that view instead of viewing only one event (see Reconstruct an Event).
Adjust the Display of Requests and Responses
For event types that have requests and responses, you can make several adjustments.
View Event Metadata for an Event
When viewing Text Analysis with the Event Meta panel open, hovering over a meta key/meta value pair reveals a pair of binoculars if the meta value is searchable in the raw text. This is an example of the binoculars icon shown when hovering over the Directory meta key with the value /.
Clicking the icon triggers a search for the meta key/meta value pair (case-insensitive) in the Text Analysis panel and each instance is highlighted. In the Event Meta panel, the highlighted row has a count of the results and a scroller that you can use to quickly find each result in the Text Analysis panel. You can view each highlighted location of the data that triggered generation of the meta key, going forward to view the next, and back to view the previous.
Only meta keys that have relevant values inside the raw text are searchable. You can search only one meta key at a time. If the value is currently hidden because a text entry with more than 3000 characters has been truncated, the text entry is expanded to reveal the found meta value.
To search the raw text for meta values that triggered a meta key:
- Open a network event in the Text Analysis panel.
- In the toolbar, click to open the Event Meta panel. As you hover over the meta key:value pairs in the list, a binoculars icon identifies values that are searchable in the Text Analysis panel.
- To search for the value in the raw text, click a row that has the binoculars icon, indicating it is searchable.
If no relevant occurrence of the value is in the text, the value that you are searching for is highlighted in the Event Meta panel and nothing is highlighted in the Text Analysis panel.
If one or more relevant instances of the value are found in the Text Analysis panel, each occurrence is highlighted. The value that you are searching for is highlighted in the Event Meta panel and the scroller is visible.
- To remove the highlighting, close the Event Meta panel, click the same meta key/meta value pair in the Event Meta panel, or click a different meta key/meta value pair in the Event Meta panel.
The highlighting is removed from the raw text.
Show or Hide the Event Header
Page Through Events in the Packet and Text Analysis Panels
Pagination controls allow more flexibility in paging through a list of packets or text. In the Packet Analysis panel, you can select the number of packets to display per page, and your selection is saved across logins to the NetWitness application. When a control is unavailable, the control is dimmed; for example, when you are viewing page 1, the and controls are dimmed.
To use pagination controls:
- (Packet Analysis only) With an event open in the Event Analysis view, click the current number of packets per page (100, 300, or 500), and select the new number of packets per page from the drop-down menu.
- To page forward or back, use the page control icons:
Click to go to the next page.
Click to go to the last page.
Click to go to the previous page.
Click to go to the first page.
- (Packet Analysis only) To go to a specific page, type a page number in the page number field.
Expand Truncated Text Entries in the Text Analysis Panel
A reconstruction of a network event in the Text Analysis panel may include requests and responses of many hundreds of thousands of characters, and scrolling through a long entry of more than 6000 characters that is not of interest wastes time. To improve the analyst experience, every text entry that has more than 6000 characters is truncated to show only the first 2000 characters. The following example shows an entry that has more than 2000 characters; a message in the header indicates the percentage of the total characters that is being displayed.
You can see that 60% of the characters (the first 2000) are displayed, and click Show Remaining 40% to reveal the rest of the entry.
If you search for metadata seen in the Event Meta panel while text is truncated in the Text Analysis panel, the truncated text is searched. If the metadata exists inside hidden text, the text entry expands to reveal the text with the found metadata.
Perform URL and Base64 Encoding and Decoding in the Text Analysis Panel
If a network session being reconstructed in the Text Analysis panel contains Base64 or URL encoded strings, you can decode a string to better understand the session. If the session contains decoded strings for Base64 or URL, you can view a string in its encoded form in order to search for additional instances of the encoded text in other sessions.
When viewing any network session that contains encoded text in the Text Analysis panel, you can select a subset of the text within a single Request or Response to view in either encoded or decoded form. Depending on the content loaded on the Decoder, there may be additional metadata outlining that Base64 or URL encoded data is contained within the session.
Below are examples of a hover box displaying URL-encoded and Base64-encoded text.
To perform encoding and decoding in the Text Analysis panel:
- In the Event Analysis view, go to the Text Analysis panel of a session that contains encoded or decoded content.
- To view some decoded text in encoded form, drag to select the text within a single Request or Response.
A menu offers options to encode and decode.
- Click Encode Selected Text.
The encoded text is displayed in a hover box, which remains in place until you click , select different text in the Text Analysis panel, close the Events panel, select another event for reconstruction, or switch to a different reconstruction view.
When a longer text is selected, the hover box is scrollable and large enough to fit the entire selected text and the decoded text.
- If the session contains encoded text that you want to see in decoded form, drag to select the text within a single Request or Response.
A menu offers options to encode and decode.
- Click Decode Selected Text.
The decoded text is displayed in a hover box, which remains in place until you click , select different text in the Text Analysis panel, close the Events panel, select another event for reconstruction, or switch to a different reconstruction view.
- If you want to copy some text from the text reconstruction, do one of the following:
- Drag to select some text, right-click, and select Copy Selected Text from the popup menu.
- Drag to select some text, then select either Decode Selected Text or Encode Selected Text. Within the popup, select the desired text and type Control-C.
The selected text is copied to the clipboard and available to paste in a query.
- When finished, click to close the hover box.
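The encoded form shown in the hover box is what you paste into a query to find the same text in other sessions. The following Python, added here as an example and not part of NetWitness, shows a caveat for that search: a selection has three Base64 spellings depending on its byte offset inside the encoded blob, and several URL-encoded spellings, so a hunt across sessions should try each of them. The helper names and the sample Authorization header are constructed for this example.

```python
import base64
import re
from urllib.parse import quote, quote_plus

# Alignment bookkeeping for Base64: with p unknown bytes preceding the selection,
# the first _LEAD_DROP[p] output characters mix in bits from those bytes, and in a
# trailing partial 3-byte group only _TAIL_KEEP[r] characters depend solely on
# the selection (r = bytes left over after whole groups of three).
_LEAD_DROP = {0: 0, 1: 2, 2: 3}
_TAIL_KEEP = {0: 0, 1: 1, 2: 2}


def base64_search_forms(selection: bytes) -> list[str]:
    """Return the three Base64 spellings of `selection`, one per byte alignment.

    Each form is the run of characters guaranteed to appear wherever the
    selection sits at that alignment inside a larger Base64 blob.
    """
    forms = []
    for prefix_len in range(3):
        padded = bytes(prefix_len) + selection   # zero bytes stand in for the unknown ones
        encoded = base64.b64encode(padded).decode("ascii").rstrip("=")
        full_groups, remainder = divmod(len(padded), 3)
        valid_chars = 4 * full_groups + _TAIL_KEEP[remainder]
        forms.append(encoded[_LEAD_DROP[prefix_len]:valid_chars])
    return forms


def find_base64_form(encoded_text: str, selection: bytes):
    """Return (alignment, form) for the first form present in `encoded_text`, else None."""
    for alignment, form in enumerate(base64_search_forms(selection)):
        if form and form in encoded_text:
            return alignment, form
    return None


def url_search_forms(selection: str) -> list[str]:
    """URL-encoded spellings of a selection: %20 or + for spaces, upper or lower hex."""
    def lower_hex(s: str) -> str:
        return re.sub(r"%[0-9A-F]{2}", lambda m: m.group().lower(), s)

    strict = quote(selection, safe="")
    plus = quote_plus(selection, safe="")
    return sorted({strict, plus, lower_hex(strict), lower_hex(plus)})


# Constructed sample: a Basic credential "a:password"; the two-byte user part puts
# the password at alignment 2, so base64(b"password") alone would never match it.
SAMPLE_HEADER = "Authorization: Basic " + base64.b64encode(b"a:password").decode("ascii")
```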
View Decompressed Text in an HTTP Network Session in the Text Analysis Panel
When the content of an HTTP network session is compressed and you are viewing the Text Analysis panel, NetWitness Platform displays the decompressed content by default. This lets you see the readable characters and look for patterns. You can switch between a compressed and a decompressed view of compressed text.
The toggle for changing between compressed and decompressed text is only displayed in the Text Analysis panel, and is enabled only if there is compressed text content.
- Open the Text Analysis panel of an HTTP session that contains compressed content.
By default the session is reconstructed with the text decompressed, and above the reconstruction is the Display Compressed Payloads toggle switch.
- To view the same text in its compressed form, click the toggle switch.
The view changes so that the compressed text is no longer readable, and the switch indicates that Display Compressed Packets is on.
- To return to the view of decompressed text, click the switch again.
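Why the panel decompresses by default: a string such as a host name is simply not present as bytes in a gzip or deflate body, so any pattern search must run over the decompressed view. The following Python is an added example, not NetWitness code; it splits a constructed HTTP response, decompresses the body according to Content-Encoding, and reports in which of the two views a value can be found. The function names are this example's own.

```python
import gzip
import zlib


def split_http_response(raw: bytes):
    """Minimal parser for this example: return (headers dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii")] = value.strip().decode("ascii")
    return headers, body


def reconstruct_text(raw: bytes) -> dict:
    """Return both views of the body; 'toggle_available' mirrors the panel, which
    shows the Display Compressed Payloads switch only when content is compressed."""
    headers, body = split_http_response(raw)
    encoding = headers.get("content-encoding", "identity").lower()
    if encoding == "gzip":
        text = gzip.decompress(body)
    elif encoding == "deflate":
        try:
            text = zlib.decompress(body)                    # zlib-wrapped, per RFC
        except zlib.error:
            text = zlib.decompress(body, -zlib.MAX_WBITS)    # raw deflate some servers send
    else:
        text = body
    return {"compressed": body, "decompressed": text,
            "toggle_available": encoding in ("gzip", "deflate")}


def meta_value_visible(raw: bytes, value: bytes) -> dict:
    """Where a meta value (e.g. a host name) can be matched: compressed vs decompressed view."""
    views = reconstruct_text(raw)
    return {"in_compressed": value in views["compressed"],
            "in_decompressed": value in views["decompressed"]}


# Constructed sample response with a gzip-compressed HTML body.
BODY = b'<html><body><script src="http://cdn.example.invalid/x.js"></script></body></html>'
_GZ = gzip.compress(BODY, mtime=0)
SAMPLE_GZIP_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                        b"Content-Encoding: gzip\r\nContent-Length: "
                        + str(len(_GZ)).encode("ascii") + b"\r\n\r\n" + _GZ)
```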
Use the Payload Only Option in the Packet Analysis Panel of a Network Session
When viewing a reconstruction of a network session in the Packet Analysis panel, you can choose to view only the main payload for each packet. By default, packet header and footer bytes are displayed for each packet. You can hide these by clicking the Display Payloads Only toggle switch. If you are viewing only the payload bytes, you can revert to the default setting by setting the Display Payloads Only toggle switch to off. This setting persists until you change it or refresh the browser.
- With the Display Payloads Only option off, the number of packets, packet header, packet footer, and payload are displayed.
- With the Display Payloads Only option on, no packet header or footer bytes are displayed. Only the packet content is displayed, as 16 hexadecimal bytes per line with the corresponding ASCII characters.
- In the Event Analysis view, go to the Packet Analysis panel of a network session.
By default the session is reconstructed with the packet header, footer, and payload displayed.
- To change the view to show only the payload for each packet, click the Display Payloads Only toggle switch.
The view changes so that only the payload is visible, and contiguous same-side packets are concatenated to make the payload more readable and understandable.
View Highlighted Bytes in the Packet Analysis Panel
When you first open a reconstruction in the Packet Analysis panel, the significant header bytes in each packet are highlighted in blue, and the payload bytes are distinguished using shading to help you understand the contents of the packet. This figure shows the default Packet Analysis with highlighting and byte shading.
The Shade Bytes option adds shading to distinguish the hexadecimal byte values (00 to FF) using degrees of highlighting. Bytes with low values are more transparent, and bytes near FF (255) are more opaque. Both hexadecimal and ASCII bytes are shaded. This is an example of the shading applied to each hexadecimal byte.
The Shade Bytes switch controls the shading of bytes. When you set Shade Bytes on or off, your setting persists until you change it or refresh the browser.
Highlight Common File Types in the Packet Analysis Panel
In the Packet Analysis panel, analysts can show or hide highlighting of certain common file types based on the file signature. When the Common File Patterns feature is turned on, the magic number bytes in the file signature are highlighted in the payload and you can hover over the highlighting to see the potential type of file. In this example, 89 50 4e 47 is highlighted in the hexadecimal payload and PNG is highlighted in the ASCII payload. When you hover over the highlighted bytes, the potential file type associated with the magic number is provided in a hover box.
These are the file types and corresponding magic numbers that are highlighted if present in the payload:
To view common file signatures in the Packet Analysis panel:
- Go to the Packet Analysis panel, and turn on the Common File Patterns option.
If there is more than one highlight in view, all are shown.
- To view the hover box, place the cursor over the highlighting.
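The following Python is an added example, not NetWitness code, of the matching that the Common File Patterns option performs: it scans a packet payload for file signatures at any offset and renders the 16-bytes-per-line hex and ASCII dump with the matched bytes bracketed. The page shows only the PNG signature (89 50 4e 47); the other magic numbers are well-known values added from general knowledge, not the page's table, and the sample HTTP response is constructed.

```python
# Known file signatures. The PNG entry is the one shown on the page; the rest are
# widely documented magic numbers added for this example (not the page's table).
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"\xff\xd8\xff", "JPEG image"),
    (b"GIF87a", "GIF image"),
    (b"GIF89a", "GIF image"),
    (b"%PDF-", "PDF document"),
    (b"PK\x03\x04", "ZIP archive (also Office OOXML, JAR, APK)"),
    (b"\x7fELF", "ELF executable"),
    (b"\x1f\x8b", "gzip stream"),
    (b"MZ", "DOS/PE executable"),
]


def find_file_signatures(payload: bytes) -> list[dict]:
    """Locate every signature occurrence at any offset in the payload.

    Matches are only a 'potential' type, as the hover box says: short magics
    such as "MZ" or 1F 8B occur by chance in ordinary text, so they are flagged weak.
    """
    hits = []
    for magic, kind in SIGNATURES:
        start = 0
        while (pos := payload.find(magic, start)) != -1:
            hits.append({"offset": pos, "length": len(magic), "type": kind,
                         "weak": len(magic) < 4})
            start = pos + 1
    return sorted(hits, key=lambda h: h["offset"])


def hexdump(payload: bytes, hits: list[dict], width: int = 16) -> list[str]:
    """Render `width` hex bytes per line plus ASCII, bracketing highlighted bytes."""
    marked = {i for h in hits for i in range(h["offset"], h["offset"] + h["length"])}
    lines = []
    for base in range(0, len(payload), width):
        chunk = payload[base:base + width]
        hex_cells = "".join(("[%02x]" if base + i in marked else " %02x ") % b
                            for i, b in enumerate(chunk))
        ascii_cells = "".join(chr(b) if 0x20 <= b < 0x7f else "." for b in chunk)
        lines.append("%08x  %-*s %s" % (base, width * 4, hex_cells, ascii_cells))
    return lines


# Constructed sample: an HTTP response whose Server header happens to contain "MZ"
# (a weak, almost certainly false hit) followed by the start of a PNG file.
SAMPLE_PAYLOAD = (b"HTTP/1.1 200 OK\r\nServer: MZ-edge-01\r\nContent-Type: image/png\r\n\r\n"
                  b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + bytes(13))
```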