Investigate: Filter Results in the Navigate View

Document created by RSA Information Design and Development on Mar 27, 2018. Last modified by RSA Information Design and Development on May 8, 2018. Version 3.

When conducting an investigation in the Navigate view, there are several methods available to refine the results displayed when meta key values are loaded. The basic filtering methods available to analysts are:

  • Set the time range.
  • Set the quantification method and sort sequence of meta key results.
  • Manage and apply default meta keys.
  • Drill into data in the Time Chart and in the Values panel.

The rest of this topic is focused on these basic methods. In addition, more advanced methods allow configuration of meta groups, profiles, and parallel coordinates visualizations. A separate topic is provided for each of the more advanced methods.

Set the Time Range

When conducting an investigation in the Navigate view, the time range options limit the results returned. You can select:

  • A time range relative to the collection. Ranges relative to the collection are based on the last collection time for data.
  • A time range relative to the calendar.
  • A custom date range.
  • All data.

The selected Date Range (type) is shown in the Navigate view tool bar as the Time Range label; by default the label is Last 3 Hours. The Time Range display shows the first and last timestamp for the date range being used for the metadata.

Note:  Time range is based on the Time Zone configured in the Profile Preferences panel as described in "Setting User Preferences" in the RSA NetWitness Suite Getting Started Guide.

To select a built-in time range:

  1. Click the Time Range option in the Navigate view toolbar. The default time range is Last 3 Hours, but a different value from the selection list, for example, All Data or Last Hour, may already be selected and shown as the label in the options panel.
    The Time Range selection list is displayed.
    Time Range Selection List
  2. Do one of the following:
    • If you want to see all data, select All Data.
    • If you want to set a time range in minutes, hours, or days that is relative to the collection, select a value such as Last 10 minutes, Last 3 Hours, or Last 5 days.
    • If you want to set a time range relative to today, select Yesterday, This Week (Version 11.1), Last Week (Version 11.1), All Day, or a part of the day such as Early Morning, Morning, Afternoon, or Evening.
    • If you want to set a time range relat
    • If you want to set a unique date range, select Custom in the Time Range menu and follow the procedure below.
      The selected time range is applied to the current results in the Values panel.

To specify a custom time range:

  1. Select Custom in the Time Range menu.
    Date selection options are displayed in the toolbar.
    Custom Time Range
  2. In the Start Date and End Date fields, do the following to specify the date and time:
    1. Click a date from the calendar.
    2. (Optional) Select the time from the Hour, Minute, Second fields or click Now. The time selection defaults to the current time of day.

Note: If you specify custom start or end times in seconds, the value for start time in seconds always defaults to :00, and the value for end time in seconds always defaults to :59. For example, if you are using time to drill down into an issue, the drill time is interpreted as "HH:MM:00 - HH:MM:59." Seconds display in this format in Investigation > Navigate functions.

  3. To apply the range, click Go.
    The selected time range is applied to the current results in the Values panel.
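The difference between a range relative to the collection and one relative to the clock, and the way a custom range is widened to whole minutes, are easy to get wrong when reproducing a Navigate drill elsewhere (for example, when cross-checking against a SIEM export). The following is an added example, not code from the page or from NetWitness; the clock values, the timestamp helpers and the function names are assumptions, and the parts of the day (Early Morning, Morning, and so on) are not modelled.

```python
from datetime import date, datetime, time, timedelta

# Constructed clock values (assumptions, not from the page).  The gap between the
# wall clock and the last collection time is what makes a range "relative to the
# collection" differ from one computed against the clock.
NOW = datetime(2018, 5, 8, 14, 30, 45)
LAST_COLLECTION = datetime(2018, 5, 8, 11, 5, 10)


def ts(text):
    """Parse 'YYYY-MM-DD HH:MM:SS' so the example reads like the UI's timestamps."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def span(window):
    """Render a (start, end) window the way the Time Range label shows it."""
    return tuple(t.strftime("%Y-%m-%d %H:%M:%S") for t in window)


def last_n(n, unit, anchor):
    """'Last N minutes/hours/days': a window of length N ending at `anchor`."""
    if unit not in ("minutes", "hours", "days") or n <= 0:
        raise ValueError(f"bad relative range: {n} {unit}")
    return anchor - timedelta(**{unit: n}), anchor


def relative_to_collection(n, unit, last_collection=LAST_COLLECTION):
    """Page rule: ranges relative to the collection are anchored on the last
    collection time for data, not on the current wall-clock time."""
    return last_n(n, unit, last_collection)


def calendar_day(which, now=NOW):
    """'All Day' (today) or 'Yesterday': one whole calendar day relative to today."""
    offset = {"today": 0, "yesterday": 1}[which]
    day = (now - timedelta(days=offset)).date()
    return datetime.combine(day, time(0, 0, 0)), datetime.combine(day, time(23, 59, 59))


def custom_range(start_day, start_hm, end_day, end_hm):
    """Custom range.  Seconds are forced to :00 on the start and :59 on the end,
    so drilling on a single minute covers HH:MM:00 - HH:MM:59 inclusive."""
    start = datetime.combine(date.fromisoformat(start_day), time(*start_hm, 0))
    end = datetime.combine(date.fromisoformat(end_day), time(*end_hm, 59))
    if end < start:
        raise ValueError("end of custom range precedes its start")
    return start, end


def in_range(event_time, window):
    """Inclusive membership test applied to each event's timestamp."""
    start, end = window
    return start <= event_time <= end


def filter_events(timestamps, window):
    """Keep only the events whose timestamp falls inside the selected window."""
    return [t for t in timestamps if in_range(t, window)]
```

With the constructed clock values, an event collected at 09:00 is inside "Last 3 Hours" when the range is anchored on the last collection time (08:05:10 to 11:05:10) but outside it when the same label is computed against the wall clock, which is why the page distinguishes the two kinds of relative range.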

Set the Quantification Method and Sort Sequence of Meta Key Results

You can select the way results for each meta key are quantified and sequenced in the Navigate view.

Note: If meta entities (Version 11.1 and later) are used in meta groups, the results will show the top 20 values that matched any of the meta keys contained in the meta entity.

Each meta key section in the Navigate view contains an ordered list of values showing each meta key value (Value) and its count (Total). You can specify whether:

  • The results in each meta key section are sorted based on Value or Total.
  • The results are sorted in ascending or descending order.
  • The values shown for each meta key are quantified by number of packets (Quantify by Packet Count), number of sessions or logs (Quantify by Event Count), or size of events (Quantify by Event Size).

Note:  If you have both a log decoder and a packet decoder for which you are viewing the metadata, the calculation of what is actually being counted is dependent on the type of key. If you select to Quantify by Packet Count and are looking at logs, the Navigate view output is the same output as if you had selected Quantify by Event Count (see Navigate View for details).

This image shows the Event Type meta key presented in order by Total in Descending order. The value with the greatest count of matches is presented first. The value failure audit has 71 matches and is listed first. The value logon has only one match and is presented last. The quantification method is Event Count.

Meta key in order descending by total

This image shows the Event Type meta key presented in order by Value in Descending order. The value names are presented in reverse alphabetical order. The value success audit is listed first. The value connect is presented last. The quantification method is Event Count.

Meta key in order descending alphabetically

To select the quantification method and the ordering of meta key results displayed in the Navigate view:

  1. In the toolbar, select Event Count, Event Size, or Packet Count and choose one of the quantification options in the drop-down menu. The label for the menu displays the selected option.
    Quantification Menu
    The current view is reloaded according to your selection.
  2. In the toolbar, select Total or Value and choose one of the ordering methods in the drop-down menu. The label for the menu displays the selected option.
    Order Menu
    The current view is reloaded according to your selection.
  3. In the toolbar, select Ascending or Descending and choose one of the sort order options in the drop-down menu. The label for the menu displays the selected option.
    The current view is reloaded according to your selection.
    Sort Menu
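To make the three toolbar choices concrete, the following added example (not code from the page or from NetWitness) aggregates a handful of constructed events under each quantification method and then orders the result by Total or Value, ascending or descending, the way the Values panel does. The event records, the field names, the default limit of 20 values and the tie-break on Value are assumptions; the one rule taken from the page is that logs quantified by Packet Count are counted like events.

```python
from collections import defaultdict

# Constructed sample events (an assumption, not data from the page).  Each is either a
# log (no packets) or a packet session, and most carry an Event Type meta value.
EVENTS = [
    {"kind": "log",    "event.type": "failure audit", "size": 310,  "packets": 0},
    {"kind": "log",    "event.type": "failure audit", "size": 298,  "packets": 0},
    {"kind": "log",    "event.type": "success audit", "size": 305,  "packets": 0},
    {"kind": "log",    "event.type": "logon",         "size": 250,  "packets": 0},
    {"kind": "packet", "event.type": "connect",       "size": 4096, "packets": 7},
    {"kind": "packet", "event.type": "connect",       "size": 1500, "packets": 3},
    {"kind": "log",                                   "size": 100,  "packets": 0},  # no event.type
]


def quantify(events, key, method):
    """Compute the Total shown beside each value of meta key `key`.

    method: 'event_count' (sessions or logs), 'event_size' (bytes) or 'packet_count'.
    """
    totals = defaultdict(int)
    for ev in events:
        if key not in ev:          # an event without this meta key contributes nothing
            continue
        value = ev[key]
        if method == "event_count":
            totals[value] += 1
        elif method == "event_size":
            totals[value] += ev["size"]
        elif method == "packet_count":
            # Page note: when looking at logs, Packet Count behaves like Event Count.
            totals[value] += ev["packets"] if ev["kind"] == "packet" else 1
        else:
            raise ValueError(f"unknown quantification method {method!r}")
    return dict(totals)


def order(totals, by="total", descending=True, limit=20):
    """Order (value, total) pairs as the Total/Value and Ascending/Descending menus do.

    `limit` stands in for the panel's maximum number of values (assumed 20 here).
    Ties on Total are broken on Value so the output is deterministic.
    """
    if by == "total":
        sort_key = lambda item: (item[1], item[0])
    elif by == "value":
        sort_key = lambda item: item[0]
    else:
        raise ValueError(f"unknown ordering {by!r}")
    return sorted(totals.items(), key=sort_key, reverse=descending)[:limit]
```

Run against the constructed events, ordering by Total descending puts failure audit first and logon last, and ordering by Value descending puts success audit first and connect last, matching the two screenshots described above.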

Manage and Apply Default Meta Keys in an Investigation

When analysts are conducting an investigation of captured data in Investigation, a default set of meta keys is loaded and displayed in a default sequence in the Navigate view > Values panel. The default content and sequence is based on the meta keys for the service being investigated. Analysts can specify the meta keys to display during navigation by selecting the default meta keys or by selecting a user-defined group of meta keys (a meta group). This helps to drill down more directly to the desired data and reduces load time by not loading meta that is not of interest in the current investigation.

Note: In Version 11.1 and later, wherever meta keys are used, you can also use configured meta entities.

If no custom meta groups are in effect, the Navigate view is displayed with the meta key visibility specified in the Default Meta Keys dialog. To optimize loading of meta keys in the Navigate view > Values panel, NetWitness Suite does not open non-indexed meta keys by default. When you open a non-indexed meta key in the Values view, NetWitness Suite begins loading values for that meta key. If the load time is excessive, the load of the meta key times out with a message. Title, values, and counts for non-indexed meta keys are not drillable in the Values panel. Additional labeling in Investigation identifies the non-indexed meta keys.

To select the meta keys to apply to your investigation, you can:

  • Select the default meta keys.
  • Select a user-defined set of meta keys, called a meta group.

Note:  Once created, user-defined meta groups can be edited, deleted, exported for use on other services, and imported to the service you are investigating. All of these procedures are provided in a separate topic: Manage Meta Groups.

The Default Meta Keys dialog allows you to specify the default view and display sequence for meta keys during navigation in the Investigate > Navigate view for a specific service. For each key or for all keys, you can set the default view to:

  • Hidden: Results for default meta key are hidden and are not available to load.
  • Open: Results for default meta key are open with all values and counts displayed.
  • Close: Results for default meta key are closed with only the meta name visible.
  • Auto: The loading of default meta keys is controlled by the index level, which must be Indexed By Value. 

When using the default meta keys, be aware that these can be modified for different services, and you may not be seeing the same set of default meta keys when navigating to a drill point on different services. If you do not see the expected data, you may need to change the initial view of the default meta keys.

When you change the initial state of default meta keys from within the Navigate view, the change persists for that service. When new keys are added to the custom index file for a Core service (for example, concentrator-custom-index.xml or decoder-custom-index.xml), the new keys are added to the default meta keys list. The changes made in the Navigate view apply only to the current service.

To specify that the initial Navigate view opens using default meta keys:

  1. Go to INVESTIGATE > Navigate.
  2. Select a service and select Navigate.
  3. In the Meta menu, select Use Default Meta Keys.
    If an investigation is already in progress, the data is reloaded in the current view and an icon highlights the selected option. If no data is loaded yet, the default meta keys are used for the next load.

Configure Default Meta Keys

To configure the default view of default meta keys in the Navigate view:

  1. In the Navigate view toolbar, select Meta > Manage Default Meta Keys.
    The Manage Default Meta Keys dialog is displayed with the list of available meta keys for the service.
    This is the Manage Default Meta Keys dialog
  2. (Optional) To change the order of the keys, select one or more keys, and drag the values up or down through the list of keys.
  3. Do one of the following:
    • (Optional) To change the default view for all meta keys, make sure that no keys are selected and in the toolbar, select the Options drop-down menu.
    • (Optional) To change the default view for one or more keys, select the keys and in the toolbar, select the Options drop-down menu.
      A drop-down of possible initial views for the selected default meta keys is displayed.
    • (Optional) To revert to the default view for meta keys as specified in the service index file, make sure that no keys are selected and in the toolbar, select the Options drop-down menu > Auto.
      When you modify the default view of a non-indexed meta key, you cannot set the key to OPEN. If you change the default view for a group of meta keys to OPEN and some of them are non-indexed, the non-indexed keys revert to AUTO. As a result, a meta key is automatically loaded only if it is indexed, and non-indexed meta keys are CLOSED until opened manually.
  4. Select one of the views.
  5. To save the changes, click Apply.
    The meta keys displayed in the Navigate view are set to your specifications. If the default meta keys are hidden, values for the meta keys are not shown in the investigation at all. If the default meta keys are closed, the values for the meta keys are not loaded by default, but you can load individual meta keys manually in the Navigate view.
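The rules above (Auto follows the index level, a non-indexed key can never start Open, Hidden keys are not loaded at all) are simple enough to check offline against a service's custom index file before an analyst opens Navigate. The following is an added example, not code from the page or from NetWitness: it parses a constructed fragment in the shape of a Core custom index file and works out the initial view of each key. The XML fragment, its attribute names and the assumption that keys indexed by key only (IndexKeys) are drillable are assumptions; the page only states that non-indexed keys are not drillable.

```python
import xml.etree.ElementTree as ET

# Constructed fragment in the shape of a Core custom index file (an assumption about
# the format; the real concentrator-custom-index.xml is the source of truth).
CUSTOM_INDEX_XML = """<?xml version="1.0" encoding="utf-8"?>
<language level="IndexNone" defaultAction="Auto">
  <key description="Hostname Alias" format="Text"   level="IndexValues" name="alias.host" valueMax="100000"/>
  <key description="Event Type"     format="Text"   level="IndexValues" name="event.type" valueMax="2500"/>
  <key description="Session Size"   format="UInt32" level="IndexKeys"   name="size"/>
  <key description="Raw Payload"    format="Text"   level="IndexNone"   name="payload.text"/>
</language>
"""

VIEWS = ("Hidden", "Open", "Close", "Auto")


def load_index(xml_text):
    """Return {key name: {'description', 'level'}} for every <key> in the index file."""
    root = ET.fromstring(xml_text)
    return {
        k.get("name"): {"description": k.get("description"), "level": k.get("level")}
        for k in root.iter("key")
    }


def effective_view(level, requested="Auto"):
    """Apply the page's rules to one key.

    Auto loads a key only when it is indexed by value.  A non-indexed key cannot be
    set to Open: it reverts to Auto and therefore starts Closed until opened by hand.
    """
    if requested not in VIEWS:
        raise ValueError(f"unknown default view {requested!r}")
    indexed_by_value = level == "IndexValues"
    if requested == "Open" and not indexed_by_value:
        requested = "Auto"
    if requested == "Auto":
        return "Open" if indexed_by_value else "Close"
    return requested


def plan_navigate_view(keys, overrides=None):
    """Initial state of the Values panel: Hidden keys are dropped entirely; the rest
    carry their starting view and whether their values can be drilled on."""
    overrides = overrides or {}
    plan = {}
    for name, meta in keys.items():
        view = effective_view(meta["level"], overrides.get(name, "Auto"))
        if view == "Hidden":
            continue
        plan[name] = {
            "view": view,
            # Page: non-indexed keys are not drillable.  Treating IndexKeys as
            # drillable is an assumption of this example.
            "drillable": meta["level"] != "IndexNone",
        }
    return plan
```

Running the plan with an override that asks for payload.text to be Open shows the revert rule in action: the key still starts Closed, and an analyst who expected its values to load automatically knows to look at the index level rather than the dialog.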

Drill into Data in the Navigate View Time Chart

The Time Chart visualization allows analysts to visualize activity over time. You can zoom into the data by selecting a time window then selecting the Investigate option. You can then reset the navigation to the time range that was in effect before zooming.

  1. Go to INVESTIGATE > Navigate.
    The Time Chart for the current drill point and selected time range is displayed.
    Navigate view Time Chart Visualization
  2. To highlight a period of time on the Time Chart, click over the desired time period and drag the mouse.
    The Time Chart is redrawn for the selected time range, however the meta values are unchanged.
  3. To drill into the data for the selected time range, click Investigate.
    The URL is updated to reflect the time range override, and the Investigation options panel is updated to reflect the custom time range. The Time Chart is redrawn and the meta values are loaded for the selected time range.
  4. To reset the Time Chart to original time range, click Reset Zoom.
    The URL is updated to reflect the original URL prior to zooming into the data, and the Investigation options panel is updated to reflect the time range selected before zoom. The Time Chart is redrawn for the selected time range and the meta values are loaded for that time range.

Drill into Data in the Values Panel

NetWitness Suite displays the activity and values for the selected service in the Investigation > Navigate view. To investigate data, analysts drill into data by clicking a meta key or a meta value, which is treated as a query. Each query is added to the breadcrumb at the top of the Values panel, so the breadcrumb has one crumb for each query. You can edit the breadcrumb to insert or remove a query.

To drill into a subset of the metadata:

  1. Begin an investigation so that metadata is displayed in the Navigate view.
    Navigate view with metadata in the values panel
  2. To drill down into the metadata, do any combination of the following:
    1. Click a meta key, for example, Service Type.
    2. Click a meta value, the blue text in the results. For example, OTHER.
      Each time you click a meta key or meta value, the investigation query pivots to a narrowed focal point, or drill point, in the data. At each drill point, the Values panel is updated and the new drill point is displayed in the breadcrumb. Below is an example of the first breadcrumb.
      First breadcrumb
      This is an example of a long breadcrumb that does not fit in the toolbar. The last query that fits is followed by a drop-down menu that lists additional queries. To select a drill point within the overflow, click the overflow icon and a query in the drop-down list.
      Overflow drop-down

To add a query in the breadcrumb:

In the breadcrumb, you can click any of the crumbs to display the Breadcrumb menu. You can insert a new query before a crumb or append a new query to the end of the breadcrumb. After each edit in the breadcrumb, NetWitness Suite refreshes the results.


  1. Click a crumb.
    The Breadcrumb menu is displayed.
    Breadcrumb menu
  2. To add a query in the breadcrumb, select Append or Insert Before.
    The Create Filter dialog is displayed.
    Create Filter dialog
  3. Create the Query as described in Create a Custom Query.

To edit or delete a query in the breadcrumb:

In the breadcrumb, you can click any of the crumbs to display the Breadcrumb menu. You can edit the query in a crumb or delete the crumb. After each edit in the breadcrumb, NetWitness Suite refreshes the results.


  1. Click a crumb.
    The Breadcrumb menu is displayed.
    Breadcrumb menu
  2. To edit a query in the breadcrumb, select Edit.
    The Create Filter dialog is displayed with the selected query open for editing.
    Edit Filter dialog
  3. Edit the fields as described in Create a Custom Query.

To quick search within a meta key:

  1. Move the mouse over a meta key section and click the magnifying glass.
    The Quick Search form, which contains a comparator and an optional operand for the search, is displayed.
    Quick Search form
  2. (Optional) If you want to close the search form, click the magnifying glass again.
  3. Select the comparator from the drop-down list on the left and type the text value to search for, then click Drill to run the query.
    The metadata for that meta key is used to drill down in the current metadata.
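The drill, breadcrumb and quick search procedures above all manipulate the same thing: an ordered list of filters whose conjunction is the current drill point. The following added example (not code from the page or from NetWitness) models that list over a few constructed sessions, so the effect of clicking a meta key (key exists), clicking a value (key = value), inserting, editing and deleting crumbs, and running a quick search with a comparator and operand can be checked without the UI. The session records, the `Filter`/`Breadcrumb` names, the NetWitness-style query text (`key = value`, `key exists`, joined with `&&`) and the mapping of the OTHER service type to `service = 0` are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Any, Optional

# Constructed metadata for a handful of sessions (an assumption, not the page's data).
# service 0 stands in for the OTHER service type shown in the screenshots.
SESSIONS = [
    {"sessionid": 1, "service": 80,  "ip.src": "10.0.0.5", "alias.host": "intranet.example"},
    {"sessionid": 2, "service": 0,   "ip.src": "10.0.0.7"},
    {"sessionid": 3, "service": 0,   "ip.src": "10.0.0.5", "alias.host": "c2.example"},
    {"sessionid": 4, "service": 443, "ip.src": "10.0.0.9", "alias.host": "intranet.example"},
    {"sessionid": 5, "service": 0,   "ip.src": "10.0.0.5"},
]


@dataclass(frozen=True)
class Filter:
    """One crumb: clicking a key gives 'exists', clicking a value gives '=',
    and the Quick Search form gives any comparator plus an optional operand."""
    key: str
    op: str                       # 'exists', '=', '!=', 'contains', 'begins', '<', '>'
    operand: Optional[Any] = None

    def text(self):
        """Query text in the NetWitness-like form used by this example (an assumption)."""
        if self.op == "exists":
            return f"{self.key} exists"
        shown = self.operand if isinstance(self.operand, int) else f"'{self.operand}'"
        return f"{self.key} {self.op} {shown}"

    def matches(self, session):
        # Simplification: a session without the key matches only 'exists' (never).
        if self.key not in session:
            return False
        value = session[self.key]
        if self.op == "exists":
            return True
        if self.op == "=":
            return value == self.operand
        if self.op == "!=":
            return value != self.operand
        if self.op == "contains":
            return str(self.operand) in str(value)
        if self.op == "begins":
            return str(value).startswith(str(self.operand))
        if self.op == "<":
            return value < self.operand
        if self.op == ">":
            return value > self.operand
        raise ValueError(f"unknown comparator {self.op!r}")


class Breadcrumb:
    """Ordered crumbs; the drill point is their conjunction, re-evaluated after each edit."""

    def __init__(self):
        self.crumbs = []

    def append(self, f):               # Breadcrumb menu > Append (also any click)
        self.crumbs.append(f)
        return self

    def insert_before(self, index, f):  # Breadcrumb menu > Insert Before
        self.crumbs.insert(index, f)
        return self

    def edit(self, index, f):           # Breadcrumb menu > Edit
        self.crumbs[index] = f
        return self

    def delete(self, index):            # Breadcrumb menu > Delete
        del self.crumbs[index]
        return self

    def query(self):
        return " && ".join(c.text() for c in self.crumbs)

    def drill(self, sessions):
        """Sessions at the current drill point (what the green count opens in Events)."""
        return [s for s in sessions if all(c.matches(s) for c in self.crumbs)]


def session_ids(sessions):
    return [s["sessionid"] for s in sessions]
```

Because every edit re-runs the whole conjunction, deleting an early crumb can widen the result set even though later crumbs are untouched, which is exactly what the breadcrumb refresh described above does.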

To view meta key Information:

To view details about a meta key, specifically the key name, index level set for displaying the meta key, and the default view set for the meta key:

  1. Click the drop-down menu next to the meta key. These two figures show the drop-down menu for Version 11.0.0.x and 11.1 and later.
    Meta Key drop-down and Meta key drop-down for Version 11.1
  2. Select Meta Key Info.
    The Meta Key Info dialog is displayed.
    the Meta Key Information dialog
  3. When finished viewing, click the Close icon.
  4. (Optional for Version 11.0) To view meta names found for the meta key as a comma-separated value list, click the drop-down menu next to the meta key and select View as CSV.
    The Showing Values in CSV Format dialog is displayed. When finished viewing, click Close.
  5. (Optional for Version 11.1) To view meta names found for the meta key in a list, click the drop-down menu next to the meta key and select Export Values.
    The Export Values dialog is displayed.
    the Export Values dialog
  6. (Optional) If you want to hide the results for the meta key in the current drill point, click the drop-down menu next to the meta key and click Hide Results.

To display events associated with a meta value:

The Events view provides additional details for an event in two different views: Events List and Detail View.

  1. In the Navigate view, drill into metadata that is the focus of your investigation.
  2. Click the count (the number in green) next to a blue meta value.
    The Events view corresponding to the current drill point is displayed.
    The operations that you can perform in the events view are described in Examining Raw Events in the Events View.

To search for specific events associated with a meta value:

  1. In the Navigate view, drill into metadata that is the focus of your investigation (click a meta value or add a query).
  2. Type a search string in the Search box and press Enter or click Search.
    You can also select and set search mode preferences. See Search for Text Patterns for detailed search information.
    The Events view opens in a new tab and shows the search results. If you do not see the search term highlighted, click Show Additional Meta. Your time range selection and drills (queries) carry forward to the Events view.
    Events view

To view a selected meta value in RSA Live:

  1. In the Navigate view, drill into metadata that is the focus of your investigation.
  2. Right-click a meta value (the text in blue).
    The Meta Value drop-down menu is displayed.
  3. To look up the meta value in RSA Live, select Live Lookup.
    The Live Search view is displayed with the meta value entered in the Generated Meta Value(s) field, and ready for a search.

    Live Search View

To refocus the investigation in a drill point:

  1. Right-click a meta value (the text in blue).
    The Meta Value drop-down menu is displayed.
    Meta value drop-down menu
  2. Choose one of the refocus options.
    The drill is refocused according to your choice.

To look at a specific count in a new tab:

To view a count for a meta value in a new tab or view a Geomap of the locations for the selected meta value:

  1. Right-click a count for a meta value (the green number following the blue meta value).
    The context menu is displayed.
  2. (Optional) To open a separate investigation for the specific meta value, select Open in New Tab.
  3. (Optional) To open a geomap showing the locations where the selected meta value originated, select Geo-Map Locations in New Tab.