
Investigate: Begin an Investigation in the Events View

Document created by RSA Information Design and Development Employee on Mar 27, 2018. Last modified by RSA Information Design and Development Employee on Sep 8, 2020.

The Events view offers most of the features that are available in both the Navigate view and the Legacy Events view. Like the Navigate view, it provides a view into meta keys and meta values for logs, endpoints, and packets. Like the Legacy Events view, it shows an events list ordered by time, and you can view the raw event, its related metadata, and a reconstruction of the event. The event reconstruction includes helpful cues for identifying points of interest. See Reconstructing and Analyzing Events.

The following figure shows the initial Events view, with some examples of queries and information about keyboard and mouse interaction.

[Figure: the initial Events view]

The next figure shows the query examples provided in Version 11.4, which has two modes for creating queries.

[Figure: the query examples in Version 11.4]

Access the Events View

Several ways to access the Events view are available in Version 11.1 and later.

  • Go to Investigate > Events or select the Investigate option in the main menu if you have made the Events view your default Investigate view. The following procedure provides detailed steps.
  • Hover over and click a count (the green number after a meta value) in the Navigate view. The Events view opens with the list of events for the selected drill point, and you can begin working as described in Analyze Events in the Events View.
  • Hover over a count and control-click Open Events in new tab. The Events view opens in a new tab with the list of events for the selected drill point, and you can begin working as described in Analyze Events in the Events View. The following figure is an example of the list of events.
    [Figure: example of the Events list]

To begin an investigation in the Events view using direct access:

  1. Go to Investigate > Events.
    The Events view opens with a service selected and no data displayed. A drop-down list offers the available services in alphabetical order. The Select a service field is populated with the first service in the list or with the most recently selected service. By default, the list of available services is retrieved every twelve hours and cached on the NetWitness server. If a service is added or removed from the NetWitness server before the next scheduled retrieval, the cache is updated with the latest list of services. An icon indicates the status of the service:
    • Database icon with the selected service name = The service is selected.
    • Spinner icon = Investigate is attempting to connect to the selected service.
    • No-data icon = There was an error connecting to the selected service, or the selected service contains no data. In this state, the service selector control also turns red, and a tooltip explains why the connection attempt failed and advises you to choose another service.
  2. (Optional) Select a service, usually a Broker or Concentrator, from the drop-down list.

    The time range selector shows either the default time range of 24 hours or the time range that you last selected for this service. The Query Events button becomes active, and you can create filters. If you launch a query without creating any filters, only the selected time range is applied.
  3. (Optional) Edit the time range as described in Filter Results in the Events View.
    [Figure: the time range drop-down list]
    The selected time range is stored in your browser for this service; you can set different time ranges for different services.

  4. Create a query that consists of one or more filters that contain a meta key, operator, and optional value. See Filter Results in the Events View for details on creating queries.
  5. When you are ready to submit the query, click Query Events.
    The Events view displays the data for the selected service, time range, and query, in accordance with permissions assigned to your role by the administrator. You are ready to begin analyzing the data. Refer to Examine Event Details in the Events View and Analyze Events in the Events View to learn how to work in the Events view.

Access the Events View (Version 11.0)

To open an event in the Events view:

  1. Go to Investigate > Events.
  2. Do one of the following:
    1. Right-click an event in the listed events, and select Event Analysis.
      [Figure: context menu in the Events view used to go to Event Analysis]
    2. Right-click an event in the listed events and select Event Reconstruction. Then click the Event Analysis button in the reconstruction.

Refer to Examine Event Details in the Events View and Analyze Events in the Events View to learn how to work in the Events view.
