Investigate: Analyze Events in the Events View

Document created by RSA Information Design and Development on Mar 27, 2018. Last modified by RSA Information Design and Development on Jan 30, 2020.

Note: In Version 11.4, the Event Analysis view was renamed as the Events view, replacing the Legacy Events view as the default view for the Events list. Any information regarding features prior to 11.4 also applies to the 11.3 and earlier Event Analysis view. The Legacy Events view is disabled by default, but the administrator can enable it as described in "Configure Investigation Settings" in the System Configuration Guide. You can view the details about prior versions as PDF documents here: https://community.rsa.com/docs/DOC-81328.

After a query is submitted in the Events view, the Events panel opens; you can select an event to analyze in the Events panel. The events listed here meet two conditions:

  • They match the submitted query.
  • They include a value for one or more meta keys required by the selected column group. (If you change the column group while viewing the Events list, the original query with the new column group is resubmitted. Any unsubmitted query changes made to service, time range, or filter, are ignored.)

There is a configurable limit on the number of events that can be loaded; the default value is 5,000. Administrators set the limit as described in the System Configuration Guide. The events begin loading into the Events panel, and a progress bar at the top of the list tracks progress while they load. By default, events with the earliest collection time are loaded first, and a row number indicator of the form "EVENTS xxx - xxx" is inserted in the list after every group of 100 events, as shown in the following figure.

the event count and row number highlighted in the Events list

A spinner is displayed while the events are loaded. If the number of events that match the query is greater than or equal to the configured limit, a message under the spinner advises that fact and directs you to the Query Console for more details. As data begins loading, the message is removed and the spinner remains until all events are loaded. When all events have loaded, one of these messages is added to the bottom of the list:

  • "All events loaded."
  • "Reached the 5,000 event limit. Consider refining your query."
  • "Retrieved 4,000 of 5,000 events prior to query cancellation."

In version 11.3 and later, you can set the sort sequence for the events listed in the Events panel in the Event Preferences dialog: either earliest collection time first or latest collection time first. The default setting is earliest collection time first, which is well suited to most investigations. When investigating logs, you may want to change the sort sequence to latest collection time first. This user setting from the Event Preferences dialog is saved in the database and persists after logging out and logging back in.

If the number of events that match the query exceeds the limit of 5,000 events, only the oldest or the newest 5,000 events in the time window are loaded, and which portion is loaded depends on the sort order. For example, if 300,000 events match your query and the sort sequence is set to Ascending, the oldest 5,000 events are loaded. If you change the sort order to Descending, the newest 5,000 events are loaded instead. Events outside the loaded portion are not shown at all, so treat a list that has hit the limit as a sample and refine the query (a narrower time range or a more specific filter) rather than assume it is complete.

Ascending sort, which loads the oldest events first, is usually the best setting for investigating network events. If you want to view the newest 5,000 events in the time window, change the user preference sort order to Descending in the Event Preferences dialog. Any change in the setting goes into effect the next time you submit a query.

A message at the top of the list indicates the total number of events loaded and whether the event limit has been reached (the second example below assumes an administrator-configured limit of 10,000):

  • The message when fewer events than the limit are listed is: "xx,xxx Events (Asc)"
  • The message when the limit has been reached is: "Oldest 10,000 Events (Asc)"

From this view, you can select a column for sorting events in the Events panel and select a set of meta keys that help with a specific type of investigation (column group). You can download events and create an incident in Respond. Clicking an event opens a reconstruction of the event in different formats (Packet, Text, File, Web, and Email). The Events panel and the reconstruction panel can be open at the same time. Within the Packet panel and the Text panel, you can use additional features to adjust the way the reconstruction is displayed and bring interesting data into focus.

Find a Text String in the Events Panel (Version 11.4 and Later)

With the Events panel open, you can search for a text string in the list of events, much like the CTRL-F search in a browser window. The search scans all text in every row of the table, but only in the columns that are currently displayed; a match that exists only in a hidden column is not found and not highlighted. The search function is disabled if the Summary column is part of the table.

  1. With events loaded in the Events panel, click the search button on the right side of the toolbar.
    the Find in Text dialog in the Events panel
  2. In the Find Text in Table dialog, start typing a text string.
    After you type two characters, exact matches of the text string without regard to case are highlighted in the Events panel. As you type more text, highlighted events are further refined. The following figure is an example of the results found after entering "logon" in the Find Text in Table dialog. The text string was found in 10 events. The first event is highlighted in blue with the text string within the event also highlighted. Icons are available for navigating the search results and closing the dialog.
    example of search results in the Events panel
  3. To navigate through the search results, click the up and down arrows.
    • To view the next event that contains the text string and navigate downward through the search results, click the down arrow. If you click the down arrow when viewing the last result, the first result is highlighted.
    • To view the immediately prior event that contains the text string and navigate upward through the search results, click the up arrow. If you click the up arrow while viewing the first result, the last result is highlighted.
  4. To close the search dialog, click X or press the ESCAPE key. The dialog also closes if you open a reconstruction, select a new column group, or execute a new query.

Open, Close, and Adjust the Size of the Panels in the Events View

By default, the Network Event Details, Log Event Details, or Endpoint Event Details panel initially occupies 75% of the window width.

example of the packet reconstruction using 75% of the browser window width

You can adjust the size ratio of the Events panel in relation to the details panel to improve readability by expanding, contracting, or closing either panel. After closing either panel you can reopen it. The ratio you select persists until you change it or refresh the browser.

To optimize your view:

  1. To adjust the size ratio of the two panels, do any of the following:
    1. Click the expand panel icon in the toolbar of the panel that you want to expand.
    2. Click the reduce panel icon in the toolbar of the panel that you want to contract.
  2. To close either panel, restoring the open panel to its full width, click the close icon.
    This is an example of the reconstruction displayed using the full width of the browser window.
    example of the packet reconstruction expanded to the full width of the browser window
  3. To reopen the Events panel after closing, click the open events panel icon in the top right corner of the Events view.
    The Events panel opens to the last state (25%-75% or 50%-50%).
  4. To reopen the Event Details panel, click an event in the Events panel.

Select the Analysis Type for an Event

To select the analysis type for an event:

  1. In the Events view toolbar, click the current analysis type.
  2. In the drop-down menu, select the analysis type: File, Text, Packet, Email, or Web.
    If you chose File, Text, or Packet, the data is displayed in the selected panel.
    If you chose Email or Web, the reconstruction of the single event opens in a new tab. This is the same reconstruction of an email or web session used in the Legacy Events view. The Legacy Events view provides more functionality when viewing a web reconstruction, allowing you to page through events in that view instead of viewing only one event (see Reconstruct an Event in the Legacy Events View).

Note: The packet reconstruction is only available for network events.

Adjust the Display of Requests and Responses

For analysis types that have requests and responses, you can make several adjustments.

Note: If the analysis type does not have requests and responses, the option is not selectable. The File panel is an example of a reconstruction type without requests and responses. A reconstructed log event in the Text panel is another example.

To select which side of the conversation to show, click one or both of the direction icons: Request (the Request side icon), Response (the Response side icon), or both. The reconstruction is refreshed with the selected information.

Note: If you do not see any data, you may have deselected both Request and Response. You must select one of the two to see data displayed.

View Associated Metadata for an Event

When examining events in the Text panel, Packet panel, or File panel, you can click the Metadata icon to show the associated metadata in an adjacent panel, the Event Meta panel.

Analysts reviewing the metadata associated with results in the Events view can change the order of the metadata listed to better track down what they are looking for. The layout of the list of metadata has been changed to be more intuitive, and metadata can optionally be grouped by the sequence they were generated or alphabetically.

Sort options in the Event Meta panel

When viewing a Text analysis with the Event Meta panel open, hovering over a meta key/meta value pair reveals a pair of binoculars if the meta value is searchable in the raw text. This is an example of the binoculars icon when hovering over the directory meta key whose value is /.

binoculars icon in the Event Meta panel

Clicking the icon triggers a search for the meta key/meta value pair (case-insensitive) in the Text panel and each instance is highlighted. In the Event Meta panel, the highlighted row has a count of the results and a scroller that you can use to quickly find each result in the Text panel. You can view each highlighted location of the data that triggered generation of the meta key, going forward to view the next, and back to view the previous.

Only meta keys whose values actually occur in the raw text are searchable. You can search only one meta key at a time. If the value is currently hidden because the text entry has been truncated (see Expand Truncated Text Entries in the Text Panel below), the text entry is expanded to reveal the found meta value.

To search the raw text for meta values that triggered a meta key:

  1. Open a network event in the Text panel.
    example of the text reconstruction with Event Meta panel open
  2. In the toolbar, click the expand icon to open the Event Meta panel. As you hover over the meta key:value pairs in the list, a binoculars icon identifies values that are searchable in the Text panel.
  3. To search for the value in the raw text, click a row that has the binoculars icon, indicating it is searchable.
    If no relevant occurrence of the value is in the text, the value that you are searching for is highlighted in the Event Meta panel and nothing is highlighted in the Text panel.
    If one or more relevant instances of the value is found in the Text panel, each occurrence is highlighted. The value that you are searching for is highlighted in the Event Meta panel and the scroller is visible.
    searching for a value in the text reconstruction from the Event Meta panel
  4. To remove the highlighting, close the Event Meta panel, click the same meta key/meta value pair in the Event Meta panel, or click a different meta key/meta value pair in the Event Meta panel.
    The highlighting is removed from the raw text.

Note: When a meta value is more than 255 characters, you can hover over that meta key to view the complete value.

Show or Hide the Event Header

To hide the Event Header in the Packet panel, Text panel, or File panel, providing more vertical space for the data, click the Show/Hide header icon. Clicking the icon again shows the Event Header.

Page Through Events in the Packet and Text Panels

Pagination controls allow more flexibility in paging through a list of packets or text. In the Packet panel, you can select the number of packets to display per page, and your selection is saved across logins to the NetWitness Platform application. When a control is unavailable, the control is dimmed; for example, when you are viewing page 1, the previous page icon and first page icon controls are dimmed.

Note: Pagination controls are available in Version 11.2 and later of the Text panel.

To use pagination controls:

  1. With an event open in the Events view, click the current number of packets per page (50, 100, 300, or 500), and select the new number of packets per page from the drop-down menu.
    packets per page selector
  2. To page forward or back, use the page control icons:
    Click go to the next page icon to go to the next page.
    Click last page icon to go to the last page.
    Click previous page icon to go the previous page.
    Click first page icon to go to the first page.
  3. To go to a specific page, type a page number in the page number field.

Note: When in the Text panel, you must navigate manually to the last page before the last page control icon is available.

Expand Truncated Text Entries in the Text Panel

A reconstruction of a network event in the Text panel may include requests and responses of many hundreds of thousands of characters, and scrolling through a long entry that is not of interest wastes time. To improve the experience for analysts, any text entry that has more than 6000 characters is truncated to show only the first 2000 characters. This example shows a truncated entry; a message in the header indicates the percentage of the total characters that is being displayed.

an example of a truncated text reconstruction

In this example 60% of the characters are displayed; click Show Remaining 40% to reveal the rest of the entry.

an example of the fully expanded response

If you search for metadata seen in the Event Meta panel while text is truncated in the Text panel, the truncated text is searched. If the metadata exists inside hidden text, the text entry expands to reveal the text with the found metadata.
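The following Python is an added example, not NetWitness code, that models the two behaviours just described together: an entry longer than 6000 characters is shown as its first 2000 with the header percentage derived from that, and a meta value search (the binoculars icon from View Associated Metadata for an Event) runs case-insensitively over the full raw text and expands the entry when a hit lies in the hidden portion. The TextEntry and find_meta_value names, the assumption that the thresholds apply per request/response entry, and the sample text are all constructed for the example.

```python
import re

# Thresholds from this page (assumed to apply per request/response entry).
TRUNCATE_ABOVE = 6000      # entries longer than this are truncated ...
SHOW_FIRST = 2000          # ... to their first 2000 characters


class TextEntry:
    """One request or response entry of a session reconstructed in the Text panel."""

    def __init__(self, text):
        self.text = text
        self.expanded = len(text) <= TRUNCATE_ABOVE

    @property
    def truncated(self):
        return not self.expanded

    def visible(self):
        """The characters currently rendered."""
        return self.text if self.expanded else self.text[:SHOW_FIRST]

    def percent_shown(self):
        """Integer percentage for the header message ('Show Remaining N%' is 100 minus this)."""
        return 100 if self.expanded else SHOW_FIRST * 100 // len(self.text)

    def expand(self):
        self.expanded = True


def find_meta_value(entry, value):
    """Case-insensitive search of the FULL raw text for a meta value, as the binoculars icon does.
    Returns (start, end) offsets; if any hit lies in the hidden part of a truncated entry,
    the entry is expanded so that the hit becomes visible."""
    if not value:
        return []
    hits = [(m.start(), m.end())
            for m in re.finditer(re.escape(value), entry.text, re.IGNORECASE)]
    if entry.truncated and any(end > SHOW_FIRST for _, end in hits):
        entry.expand()
    return hits


# Constructed sample: a 10,000-character response with a domain buried past the visible prefix.
SAMPLE_ENTRY = TextEntry("x" * 7000 + "evil.example" + "y" * 2988)

if __name__ == "__main__":
    e = TextEntry(SAMPLE_ENTRY.text)
    print(f"truncated={e.truncated} showing {e.percent_shown()}% ({len(e.visible())} chars)")
    print("hits:", find_meta_value(e, "EVIL.EXAMPLE"), "expanded:", e.expanded)
```

The search deliberately runs over the full text rather than the visible prefix: searching only what is rendered would silently miss an indicator that the parser saw but the truncation hid.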

Perform URL and Base64 Encoding and Decoding in the Text Analysis Panel

If a network session being reconstructed in the Text panel contains Base64 or URL encoded strings, you can decode a string to better understand the session. If the session contains decoded strings for Base64 or URL, you can view a string in its encoded form in order to search for additional instances of the encoded text in other sessions.

When viewing any network session that contains encoded text in the Text panel, you can select a subset of the text within a single Request or Response to view in either encoded or decoded form. Depending on the content loaded on the Decoder, there may be additional metadata outlining that Base64 or URL encoded data is contained within the session.

Below are examples of a hover box displaying URL-encoded and Base64-encoded text.

Text Analysis displaying encoded text

an example of decoded text

To perform encoding and decoding in the Text panel:

  1. In the Events view, go to the Text panel of a session that contains encoded or decoded content.
  2. To view some decoded text in encoded form, drag to select the text within a single Request or Response.
    A menu offers options to encode and decode.
    the popup menu for decoding and encoding text
  3. Click Encode Selected Text.
    The encoded text is displayed in a hover box, which remains in place until you click the close icon, select different text in the Text panel, close the Events panel, select another event for reconstruction, or switch to a different reconstruction view.
    an encoded URL
    When a longer text is selected, the hover box is scrollable and large enough to fit the entire selected text and the decoded text.
  4. If the session contains encoded text that you want to see in decoded form, drag to select the text within a single Request or Response.
    A menu offers options to encode and decode.
  5. Click Decode Selected Text.
    The decoded text is displayed in a hover box, which remains in place until you click the close icon, select different text in the Text panel, close the Events panel, select another event for reconstruction, or switch to a different reconstruction view.
  6. If you want to copy some text from the text reconstruction, do one of the following:
    1. Drag to select some text, right-click, and select Copy Selected Text from the popup menu.
      selected data with the copy, decode, and encode menus
    2. Drag to select some text, then select either Decode Selected Text or Encode Selected Text. Within the popup, select the desired text and type Control-C.
      The selected text is copied to the clipboard and available to paste in a query.
  7. When finished, click the Close icon to close the hover box.
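As an added example (not NetWitness code), the Python below performs the same encode and decode operations outside the UI, which is useful when you want to turn a decoded string back into the exact form to search for in other sessions. It also shows a simple way to flag candidate tokens in a request or response: percent-encoded runs and Base64-looking tokens that decode to printable text. The lenient Base64 decoder accepts the URL-safe alphabet and missing padding, two things a strict decoder rejects. The token patterns, the function names and the sample request are assumptions for the example.

```python
import base64
import binascii
import re
from urllib.parse import quote, unquote_plus


def url_encode(text):
    """Percent-encode everything except unreserved characters (e.g. to search other sessions)."""
    return quote(text, safe="")


def url_decode(text):
    """Percent-decode; '+' becomes a space, as in form and query strings."""
    return unquote_plus(text)


def b64_encode(text):
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def b64_decode(token):
    """Lenient Base64 decode: standard or URL-safe alphabet, padding optional.
    Returns the decoded text, or None when the token is not Base64 or does not decode to text."""
    t = token.strip().replace("-", "+").replace("_", "/")
    if len(t) % 4 == 1 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", t):
        return None
    t += "=" * (-len(t) % 4)                      # restore any stripped padding
    try:
        text = base64.b64decode(t, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if all(c.isprintable() or c in "\r\n\t" for c in text) else None


# Token patterns used to flag candidate encoded strings (assumed heuristics, not NetWitness parsers).
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/=_-])[A-Za-z0-9+/_-]{16,}={0,2}(?![A-Za-z0-9+/=_-])")
URL_TOKEN = re.compile(r"[^\s\"'<>]*%[0-9A-Fa-f]{2}[^\s\"'<>]*")


def find_encoded(text):
    """Return (kind, original, decoded) for every URL-encoded or Base64 token found in text."""
    found = [("url", m.group(0), url_decode(m.group(0))) for m in URL_TOKEN.finditer(text)]
    for m in B64_TOKEN.finditer(text):
        decoded = b64_decode(m.group(0))
        if decoded is not None:                   # skip long plain words that only look like Base64
            found.append(("base64", m.group(0), decoded))
    return found


# Constructed sample request: a percent-encoded query string and an HTTP Basic credential.
SAMPLE = ("GET /login?next=%2Fadmin%2Fusers&q=hello+world HTTP/1.1\r\n"
          "Host: www.example.com\r\n"
          "Authorization: Basic YWRtaW46UEBzc3cwcmQ=\r\n\r\n")

if __name__ == "__main__":
    for kind, original, decoded in find_encoded(SAMPLE):
        print(f"{kind:7} {original!r} -> {decoded!r}")
```

Note that the Base64 alphabet overlaps ordinary text, so any token heuristic produces false positives on long identifiers; requiring the decoded bytes to be printable text removes most of them, at the cost of hiding Base64 that wraps binary data.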

View Decompressed Text in an HTTP Network Session in the Text Panel

When the content of an HTTP network session is compressed and you are viewing the Text panel, NetWitness Platform displays decompressed content by default. This helps you to determine if there are any patterns and view the readable characters. You can switch between a compressed and decompressed view of compressed text.

Note: Decompressed text is not available for the Packet panel, the File panel, non-HTTP network sessions, and log data.

The toggle for changing between compressed and decompressed text is only displayed in the Text panel, and is enabled only if there is compressed text content.

  1. Open the Text panel of an HTTP session that contains compressed content.
    By default the session is reconstructed with the text decompressed, and above the reconstruction, is the Display Compressed Payloads toggle switch.
    an example of an uncompressed payload
  2. To view the same text in its compressed form, click the toggle switch.
    The view changes so that the compressed text is no longer readable, and the switch indicates that Display Compressed Payloads is on.
    an example of a compressed payload
  3. To return to the view of decompressed text, click the switch again.
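To show what the decompressed view involves when you have to do it yourself (for example on a pcap carved outside the product), here is an added Python example, not NetWitness code, that parses one raw HTTP response, reassembles a chunked body, inflates gzip or deflate content, and renders either the readable or the compressed form, mirroring the Display Compressed Payloads toggle. It handles the common deflate pitfall: the header says deflate, but some servers send a raw DEFLATE stream without the zlib wrapper. The function names and the sample response are constructed for the example.

```python
import gzip
import zlib


def split_http_message(raw):
    """Split a raw HTTP message into (start line, headers, body). Header names are lowercased."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, body


def dechunk(body):
    """Reassemble a Transfer-Encoding: chunked body (chunk extensions after ';' are ignored)."""
    out, pos = bytearray(), 0
    while True:
        nl = body.index(b"\r\n", pos)
        size = int(body[pos:nl].split(b";")[0], 16)
        if size == 0:
            return bytes(out)
        pos = nl + 2
        out += body[pos:pos + size]
        pos += size + 2                          # skip the CRLF that terminates the chunk


def decompress_body(body, content_encoding):
    """Inflate gzip or deflate content. 'deflate' is zlib-wrapped per RFC 7230, but some
    servers send a raw DEFLATE stream, so fall back to that when the zlib header is absent."""
    enc = content_encoding.lower()
    if enc in ("gzip", "x-gzip"):
        return gzip.decompress(body)
    if enc == "deflate":
        try:
            return zlib.decompress(body)
        except zlib.error:
            return zlib.decompress(body, -zlib.MAX_WBITS)
    return body


def reconstruct(raw, show_compressed=False):
    """Text-panel style view of one HTTP message: decompressed by default, raw compressed bytes
    when show_compressed is True (the Display Compressed Payloads toggle). Returns (text, was_compressed)."""
    start, headers, body = split_http_message(raw)
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = dechunk(body)
    enc = headers.get("content-encoding", "identity")
    compressed = enc.lower() in ("gzip", "x-gzip", "deflate")
    if compressed and not show_compressed:
        text_body = decompress_body(body, enc).decode("utf-8", errors="replace")
    else:
        text_body = body.decode("latin-1")       # one char per byte: compressed data stays visible but unreadable
    header_text = "\r\n".join(f"{k}: {v}" for k, v in headers.items())
    return f"{start}\r\n{header_text}\r\n\r\n{text_body}", compressed


def deflate_variants_ok():
    """Self-check: zlib-wrapped and raw DEFLATE bodies both inflate to the same text."""
    wrapped = zlib.compress(b"deflate body")
    raw = wrapped[2:-4]                          # strip the 2-byte zlib header and 4-byte Adler-32 trailer
    return decompress_body(wrapped, "deflate") == decompress_body(raw, "deflate") == b"deflate body"


# Constructed sample: a chunked, gzip-encoded HTML response, as a sensor would see it on the wire.
HTML = b"<html><head><title>Welcome</title></head><body>hello</body></html>"


def chunk(data):
    return b"%x\r\n" % len(data) + data + b"\r\n0\r\n\r\n"


SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                   b"Content-Encoding: gzip\r\nTransfer-Encoding: chunked\r\n\r\n") + chunk(gzip.compress(HTML))

if __name__ == "__main__":
    print(reconstruct(SAMPLE_RESPONSE)[0])
```

Chunk reassembly has to happen before decompression: the chunk-size lines are interleaved with the compressed bytes, and feeding them to the inflater corrupts the stream.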

Use the Payload Only Option in the Packet Panel of a Network Session

When viewing a reconstruction of a network session in the Packet panel, you can choose to view only the main payload for each packet. By default, packet header and footer bytes are displayed for each packet. You can hide these by clicking the Display Payloads Only toggle switch. If you are viewing only the payload bytes, you can revert to the default setting by setting the Display Payloads Only toggle switch to off. This setting persists until you change it or refresh the browser.

  • With the Display Payloads Only option off, the number of packets, packet header, packet footer, and payload are displayed.
  • With the Display Payloads Only option on, no packet header or footer bytes are displayed; only the payload is shown, as 16 hexadecimal bytes per line with the corresponding ASCII beside it.

  1. In the Events view, go to the Packet panel of a network session.
    By default the session is reconstructed with the packet header, footer, and payload displayed.
    Display Payloads Only option is off
  2. To change the view to show only the payload for each packet, click the Display Payloads Only toggle switch.
    The view changes so that only the payload is visible and contiguous same-side packets are concatenated together to make the payload more readable and understandable.
    Display Payloads only option on
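As an added example (not NetWitness code), the Python below reproduces the two Packet panel views on a constructed packet list: the per-packet view with header, data and footer bytes, and the payload-only view in which contiguous same-side packets are concatenated before being dumped 16 bytes per line with an ASCII column. The two-byte "headers" stand in for real Ethernet/IP/TCP headers; the packet tuple layout and function names are assumptions for the example.

```python
import string

PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")   # what the ASCII column renders as-is


def hexdump(data, width=16):
    """Hex + ASCII dump, `width` bytes per line (the Packet panel uses 16)."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        ascii_part = "".join(chr(b) if chr(b) in PRINTABLE else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart}  {ascii_part}")
    return lines


def merge_same_side(packets):
    """Concatenate the payloads of contiguous packets from the same side (request/response)."""
    merged = []
    for side, _header, payload, _footer in packets:
        if merged and merged[-1][0] == side:
            merged[-1] = (side, merged[-1][1] + payload)
        else:
            merged.append((side, payload))
    return merged


def render(packets, payloads_only=False):
    """Lines for the Packet panel: per-packet header/data/footer, or payload-only merged streams."""
    out = []
    if payloads_only:
        for side, payload in merge_same_side(packets):
            out.append(f"--- {side} payload, {len(payload)} bytes ---")
            out.extend(hexdump(payload))
        return out
    for i, (side, header, payload, footer) in enumerate(packets, 1):
        out.append(f"--- packet {i} ({side}) ---")
        out.extend("hdr  " + line for line in hexdump(header))
        out.extend("data " + line for line in hexdump(payload))
        if footer:
            out.extend("ftr  " + line for line in hexdump(footer))
    return out


# Constructed sample: (side, header bytes, payload bytes, footer bytes). The request is split
# across two segments, so the payload-only view joins them into one readable HTTP request.
PACKETS = [
    ("request",  b"\x00\x01", b"GET /index.html HTTP/1.1\r\n", b""),
    ("request",  b"\x00\x02", b"Host: www.example.com\r\n\r\n", b""),
    ("response", b"\x00\x03", b"HTTP/1.1 200 OK\r\n\r\n\x89PNG", b""),
    ("request",  b"\x00\x04", b"GET /next HTTP/1.1\r\n", b"\x00"),
]

if __name__ == "__main__":
    print("\n".join(render(PACKETS, payloads_only=True)))
```

Merging is what makes a request that spans several TCP segments read as one string; the per-packet view is still the one to use when the segment boundaries themselves matter, for example when looking at how a payload was split to evade a signature.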

View Highlighted Bytes in the Packet Panel

When you first open a reconstruction in the Packet panel, the significant header bytes in each packet are highlighted in blue, and the payload bytes are distinguished using shading to help you understand the contents of the packet. This figure shows the default Packet panel view with header highlighting and byte shading.


The Shade Bytes option adds shading to identify the different hexadecimal bytes (00 to FF) using degrees of highlighting. Bytes near the lower range are more transparent, and bytes near 255 are more opaque. Both hexadecimal and ASCII bytes are shaded. This is an example of the shading applied to each hexadecimal byte.

example of shading applied to hexadecimal bytes

The Shade Bytes switch controls the shading of bytes. When you set Shade Bytes on or off, your setting persists until you change it or refresh the browser.

Highlight Common File Types in the Packet Panel

In the Packet panel, analysts can show or hide highlighting of certain common file types based on the file signature. When the Common File Patterns feature is turned on, the magic number bytes in the file signature are highlighted in the payload and you can hover over the highlighting to see the potential type of file. In this example, 89 50 4e 47 is highlighted in the hexadecimal payload and PNG is highlighted in the ASCII payload. When you hover over the highlighted bytes, the potential file type associated with the magic number is provided in a hover box.

These are the file types and corresponding magic numbers that are highlighted if present in the payload:

                                                                                                  
File Type                                                    Hexadecimal Signature      ASCII Encoding
DOS Executable / Windows PE                                  4D 5A                      MZ
Non-portable Executable                                      5A 4D                      ZM
Portable Network Graphics (PNG)                              89 50 4E 47 0D 0A 1A 0A    PNG
JPEG                                                         FF D8 FF                   ÿØÿ
JPEG/JFIF                                                    4A 46 49 46                JFIF
JPEG/Exif                                                    45 78 69 66                Exif
GIF                                                          47 49 46 38 37 61          GIF87a
GIF                                                          47 49 46 38 39 61          GIF89a
BMP                                                          42 4D                      BM
PDF                                                          25 50 44 46                %PDF
Old Office Document (doc, xls, ppt, msg, and other)          D0 CF 11 E0 A1 B1 1A E1    ÐÏ.à¡±.á
ZIP file formats and formats based on it (JAR, ODF, OOXML)   50 4B                      PK..
7-Zip File Format (7z)                                       37 7A BC AF 27 1C          7z¼¯'.
Java Class File, Mach-O Fat Binary                           CA FE BA BE                Êþº¾
PostScript                                                   25 21 50 53                %!PS
Unix/Linux Shell script                                      23 21                      #!
Executable and Linkable Format (ELF) executables             7F 45 4C 46                .ELF

To view common file signatures in the Packet panel:

  1. Go to the Packet panel, and turn on the Common File Patterns option.
    If there is more than one highlight in view, all are shown.
  2. To view the hover box, place the cursor over the highlighting.
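The hover box reports a potential file type because a magic number alone, particularly a two-byte one such as MZ, PK or BM, also matches ordinary text. As an added example (not NetWitness code), the Python below applies the signatures from the table above to a payload and, for those short signatures, performs the structural follow-up an analyst would do next: following the MZ header's e_lfanew field to the PE\0\0 signature, and reading the record type after PK. The SIGNATURES list is transcribed from the table; the scan function, its output format and the sample payload (an HTTP response carrying a PNG header, a minimal MZ/PE stub, the start of a ZIP local file header and the text "BMW" as a BM false positive) are constructed for the example.

```python
# Signatures transcribed from the Common File Patterns table on this page.
SIGNATURES = [
    (b"MZ", "DOS Executable / Windows PE"),
    (b"ZM", "Non-portable Executable"),
    (b"\x89PNG\r\n\x1a\n", "Portable Network Graphics (PNG)"),
    (b"\xff\xd8\xff", "JPEG"),
    (b"JFIF", "JPEG/JFIF"),
    (b"Exif", "JPEG/Exif"),
    (b"GIF87a", "GIF"),
    (b"GIF89a", "GIF"),
    (b"BM", "BMP"),
    (b"%PDF", "PDF"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "Old Office Document (doc, xls, ppt, msg)"),
    (b"PK", "ZIP-based (ZIP, JAR, ODF, OOXML)"),
    (b"7z\xbc\xaf\x27\x1c", "7-Zip File Format (7z)"),
    (b"\xca\xfe\xba\xbe", "Java Class File / Mach-O Fat Binary"),
    (b"%!PS", "PostScript"),
    (b"#!", "Unix/Linux Shell script"),
    (b"\x7fELF", "ELF executable"),
]


def _confirm(payload, off, magic):
    """Structural follow-up for the short signatures that match ordinary text by accident."""
    if magic == b"MZ" and off + 0x40 <= len(payload):
        e_lfanew = int.from_bytes(payload[off + 0x3C:off + 0x40], "little")
        if payload[off + e_lfanew:off + e_lfanew + 4] == b"PE\x00\x00":
            return "confirmed PE (e_lfanew points at PE\\0\\0)"
    if magic == b"PK":
        kind = {b"\x03\x04": "local file header", b"\x01\x02": "central directory",
                b"\x05\x06": "end of central directory"}.get(payload[off + 2:off + 4])
        if kind:
            return f"confirmed ZIP {kind}"
    if len(magic) <= 2:
        return "unconfirmed (2-byte signature, verify the structure before trusting it)"
    return "magic only"


def scan(payload):
    """Return every signature occurrence as {offset, hex, label, note}, sorted by offset."""
    hits = []
    for magic, label in SIGNATURES:
        start = 0
        while (off := payload.find(magic, start)) != -1:
            hits.append({"offset": off, "hex": magic.hex(" ").upper(),
                         "label": label, "note": _confirm(payload, off, magic)})
            start = off + 1
    hits.sort(key=lambda h: h["offset"])
    return hits


# Constructed sample payload (see the lead-in). The MZ stub is just enough header to be a PE.
HEAD = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
_mz = bytearray(0x48)
_mz[0:2] = b"MZ"
_mz[0x3C:0x40] = (0x40).to_bytes(4, "little")   # e_lfanew -> offset 0x40
_mz[0x40:0x44] = b"PE\x00\x00"
MZ_STUB = bytes(_mz)
SAMPLE = (HEAD + b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR"
          + MZ_STUB + b"PK\x03\x04\x14\x00" + b"BMW")

if __name__ == "__main__":
    for h in scan(SAMPLE):
        print(f"{h['offset']:6d}  {h['hex']:<24} {h['label']:<40} {h['note']}")
```

The scan reports every occurrence, not just the first, because a session body often carries several objects (an HTML page with an embedded image, an archive with many members), and an executable signature in the middle of what claims to be an image is exactly the kind of mismatch worth a second look.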
