Investigate: Begin an Investigation in the Event Analysis View

Document created by RSA Information Design and Development on Mar 27, 2018. Last modified by RSA Information Design and Development on Sep 11, 2018.
Version 4

Note: The information in this topic applies to RSA NetWitness® Platform Version 11.1 and later.

The Event Analysis view offers most of the features that are available in both the Navigate view and the Events view. Similar to the Navigate view, it provides a view into meta keys and meta values for logs, endpoints, and packets. Like the Events view, it provides an events list that shows events in time order, and you can view the raw event, its related metadata, and a reconstruction of the event. The Event Analysis reconstruction has some helpful cues to identify points of interest in a reconstruction. See Analyzing Raw Events and Metadata in the Event Analysis View.

Note: In Version 11.0 you cannot begin an investigation in the Event Analysis view. Instead, you begin the investigation in the Navigate or Events view, and then open an event in the Event Analysis view. In Version 11.1, an INVESTIGATE submenu gives you direct access to the Event Analysis view, along with the ability to select a different service and time range and to create a query.

The following figure shows the initial Event Analysis view with a tooltip that provides examples of queries.

Example of the Event Analysis view when initially opened

Access the Event Analysis View (Version 11.1 and Later)

Several ways to access the Event Analysis view are available in Version 11.1.

  • When you use the Actions > Go to event in Event Analysis option in the Navigate view, and enter an event ID, the Event Analysis view opens the single event as a reconstruction. To simplify the view, the toolbar does not include the unnecessary options to expand, contract, and close windows. You can begin working as described in Analyzing Raw Events and Metadata in the Event Analysis View.
  • When you hover over a count (the green number after a meta value) in the Navigate view and click Open Event Analysis in new tab, the Event Analysis view opens with the list of events for the selected drill point, and you can begin working as described in Analyzing Raw Events and Metadata in the Event Analysis View. The list of events can be very large, and there is a chance that the event you selected is not visible in the current page of events. In this case, a message advises you to scroll down to view the event.
    Message to scroll down to see an event
  • You can also access the Event Analysis view directly by going to INVESTIGATE > Event Analysis, or by going to INVESTIGATE if you have made the Event Analysis view your opening Investigate view. When you land on the Event Analysis view for the first time, you need to select a service to begin analysis. If this is not the first time you have opened Event Analysis, the last used service is remembered until the browser cache is cleared.
    When you open the Event Analysis view from one of the other Investigate views, the service and query from that view are in effect. You can change the service, select a time range, and enter a query if you want to refine the results before opening the Event Analysis view as described in Filter Results in the Event Analysis View.

To access the Event Analysis view directly:

  1. Go to INVESTIGATE > Event Analysis.
    The Event Analysis view opens with the first service in the service list selected and no data displayed. The Select a service field is populated initially with the first service in the list or the last selected service. A drop-down menu offers a list of available services in alphabetical order. By default the list of available services is retrieved every twelve hours and cached on the NetWitness server. If a service is added or removed from the NetWitness server, the cache is updated with the latest list of services. At the beginning of the field an icon provides the status of the query.
    • the database icon and no service name = no service is selected.
    • the database icon and a selected service name = the service is selected.
    • spinner icon = Investigate is attempting to connect to the selected service.
    • the icon for a service that has no data = Investigate cannot connect to the selected service or there is no data. In this state, the service selector control also turns red, and a tooltip explains why the connection attempt failed and advises you to choose another service.
      example of the view when Investigate cannot connect to the service
  2. (Optional) Select a service, usually a Concentrator, from the drop-down list.
    alphabetically sorted service list
    The time range selector shows either the default time range of 24 hours, or the time range that you last selected for this service. The Query Events button becomes active and you can enter filters. If you launch a query now, the selected time is used.
  3. (Optional) To select a time range from the Time Range selector, click in the Time Range selector and select a time range from the drop-down list. Options are Last 5, 10, 15, or 30 minutes; Last 1, 3, 6, 12, or 24 hours; Last 2, 5, 7, 14, or 30 days; or All Data. (The time range is based on preferences set for the Event Analysis view. The default basis for the time range is database time; you can change it to wall clock time.)
    The selected time range is stored in your browser for this service; you can set different time ranges for different services.
    the Select a Time Range drop-down list
  4. Type a query by creating one or more filters, each of which contains a meta key or meta entity, an operator, and optionally a value. See Filter Results in the Event Analysis View for details on entering queries.
  5. Click Query Events.
    The Event Analysis view displays the activity for the selected service and time range, in accordance with permissions assigned to your role by the administrator. With the service selected and data loaded, you are ready to begin analyzing the data. Refer to Analyzing Raw Events and Metadata in the Event Analysis View to learn how to work in the Event Analysis view.

Access the Event Analysis View (Version 11.0)

To open an event in the Event Analysis view:

  1. Go to INVESTIGATE > Events.
  2. Right-click an event in the listed events, and select Event Analysis.
    Context Menu in the Events view to go to Event Analysis

Refer to Analyzing Raw Events and Metadata in the Event Analysis View to learn how to work in the Event Analysis view.
