Investigate: Begin an Investigation in the Event Analysis View

Document created by RSA Information Design and Development on Mar 27, 2018Last modified by RSA Information Design and Development on Apr 25, 2019
Version 6Show Document
  • View in full screen mode
 

Note: The information in this topic applies to RSA NetWitness® Platform Version 11.1 and later.

The Event Analysis view offers most of the features that are available in both the Navigate view and the Events view. Similar to the Navigate view, there is a view into meta keys and meta values for logs, endpoints, and packets. Like the Events view, an events list shows events listed in the order by time, and you can view the raw event, related meta data, and a reconstruction of an event. The Event Analysis reconstruction has some helpful cues to identify points of interest in a reconstruction. See Analyzing Raw Events and Metadata in the Event Analysis View

The following figure shows the initial Event Analysis view with a section that provides examples of queries.

the Event Analysis view when initially opened

Access the Event Analysis View (Version 11.1 and Later)

Several ways to access the Event Analysis view are available in Version 11.1.

  • Use the Actions > Go to event in Event Analysis option in the Navigate view, and enter an event ID. The Event Analysis view opens the single event as a reconstruction. You can begin working as described in Analyzing Raw Events and Metadata in the Event Analysis View.
  • Hover over a count (the green number after a meta value) in the Navigate view and Control-click Open Event Analysis in new tab. The Event Analysis view opens with the list of events for the selected drill point, and you can begin working as described in Analyzing Raw Events and Metadata in the Event Analysis View. The following figure is an example of the list of events.
    Event Analysis view with a drill point from the Navigate view in effect
  • Go to INVESTIGATE > Event Analysis or select the INVESTIGATE option in the main menu if you have made the Event Analysis view your opening Investigate view. The following procedure provides detailed steps.

To begin an investigation in the Event Analysis view using direct access:

  1. Go to INVESTIGATE > Event Analysis.
    The Event Analysis view opens with a service selected and no data displayed. A drop-down list offers a list of available services in alphabetical order. The Select a service field is populated with the first service in the list or the most recently selected service. By default the list of available services is retrieved every twelve hours and cached on the NetWitness server. If a service is added or removed from the NetWitness server before the next time to retrieve, the cache is updated with the latest list of services. An icon provides the status of the service.
    • the database icon and selected service name= the service is selected.
    • spinner icon = Investigate is attempting to connect to the selected service.
    • the icon for a service that has not data = There was an error connecting to the selected service or there is no data in the selected service. In this state, the service selector control also turns red, and a tooltip explains why the connection attempt failed and advises you to choose another service.
  2. (Optional) Select a service, usually a Broker or Concentrator, from the drop-down list.

    The time range selector shows either the default time range of 24 hours, or the time range that you last selected for this service. The the query events button or Query Events button becomes active and you can create filters. If you launch a query without creating filters, the selected time is used.
  3. (Optional) Edit the time range as described in Filter Results in the Event Analysis View.
    the time range drop-down list
    The selected time range is stored in your browser for this service; you can set different time ranges for different services.

  4. Create a query that consists of one or more filters that contain a meta key, operator, and optional value. See Filter Results in the Event Analysis View for details on creating queries.
  5. When ready to submit the query, click the submit query button or Query Events.
    The Event Analysis view displays the data for the selected service, time range, and query, in accordance with permissions assigned to your role by the administrator. You are ready to begin analyzing the data. Refer to Analyzing Raw Events and Metadata in the Event Analysis View to learn how to work in the Event Analysis view.

Access the Event Analysis View (Version 11.0)

To open an event in the Event Analysis view:

  1. Go to INVESTIGATE > Events.
  2. Do one of the following:
    1. Right-click an event in the listed events, and select Event Analysis.
      Context Menu in the Events view to go to Event Analysis
    2. Right-click an event in the listed events and select Event Reconstruction. Then click the Event Analysis button in the reconstruction.

Refer to Analyzing Raw Events and Metadata in the Event Analysis View to learn how to work in the Event Analysis view.

 

 

You are here
Table of Contents > Beginning an Investigation > Begin an Investigation in the Event Analysis View

Attachments

    Outcomes