Skip navigation
All Places > Products > RSA NetWitness Platform > RSA NetWitness Platform Online Documentation > Documents
Log in to create and rate content, and to follow, bookmark, and share content with other members.

Investigate: Begin an Investigation in the Events View

Document created by RSA Information Design and Development Employee on Mar 27, 2018Last modified by RSA Information Design and Development Employee on Jan 30, 2020
Version 11Show Document
  • View in full screen mode
 

The Events view offers most of the features that are available in both the Navigate view and the Legacy Events view. Similar to the Navigate view, there is a view into meta keys and meta values for logs, endpoints, and packets. Like the Legacy Events view, an events list shows events listed in the order by time, and you can view the raw event, related metadata, and a reconstruction of an event. The Event reconstruction has some helpful cues to identify points of interest. See Analyze Events in the Events View.

The following figure shows the initial Events view with a section that provides examples of queries.

initial appearance of the Events view

Access the Events View

Several ways to access the Events view are available in Version 11.1 and later.

  • Go to Investigate > Events or select the Investigate option in the main menu if you have made the Events view your opening Investigate view. The following procedure provides detailed steps.
  • Use the Actions > Go to event in Events option in the Navigate view, and enter an event ID. The Events view opens the single event as a reconstruction. You can begin working as described in Reconstructing and Analyzing Events.
  • Hover over a count (the green number after a meta value) in the Navigate view and Control-click Open Events in new tab. The Events view opens with the list of events for the selected drill point, and you can begin working as described in Reconstructing and Analyzing Events. The following figure is an example of the list of events.
    Events view with events loaded

To begin an investigation in the Events view using direct access:

  1. Go to Investigate > Events.
    The Events view opens with a service selected and no data displayed. A drop-down list offers a list of available services in alphabetical order. The Select a service field is populated with the first service in the list or the most recently selected service. By default the list of available services is retrieved every twelve hours and cached on the NetWitness server. If a service is added or removed from the NetWitness server before the next time to retrieve, the cache is updated with the latest list of services. An icon provides the status of the service.
    • the database icon and selected service name = The service is selected.
    • spinner icon = Investigate is attempting to connect to the selected service.
    • the icon for a service that has not data = There was an error connecting to the selected service or there is no data in the selected service. In this state, the service selector control also turns red, and a tooltip explains why the connection attempt failed and advises you to choose another service.
  2. (Optional) Select a service, usually a Broker or Concentrator, from the drop-down list.

    The time range selector shows either the default time range of 24 hours, or the time range that you last selected for this service. The the query events button or Query Events button becomes active and you can create filters. If you launch a query without creating filters, the selected time is used.
  3. (Optional) Edit the time range as described in Filter Results in the Events View.
    the time range drop-down list
    The selected time range is stored in your browser for this service; you can set different time ranges for different services.

  4. Create a query that consists of one or more filters that contain a meta key, operator, and optional value. See Filter Results in the Events View for details on creating queries.
  5. When ready to submit the query, click the submit query button or Query Events.
    The Events view displays the data for the selected service, time range, and query, in accordance with permissions assigned to your role by the administrator. You are ready to begin analyzing the data. Refer to Reconstruct an Event in the Events View and Analyze Events in the Events View to learn how to work in the Events view.

Access the Events View (Version 11.0)

To open an event in the Event view:

  1. Go to Investigate > Events.
  2. Do one of the following:
    1. Right-click an event in the listed events, and select Event Analysis.
      Context Menu in the Events view to go to Event Analysis
    2. Right-click an event in the listed events and select Event Reconstruction. Then click the Event Analysis button in the reconstruction.

Refer to Reconstruct an Event in the Events View and Analyze Events in the Events View to learn how to work in the Events view.

 

 

You are here
Table of Contents > Beginning an Investigation > Begin an Investigation in the Events View

Attachments

    Outcomes