Investigate: Begin an Investigation in the Event Analysis View

Document created by RSA Information Design and Development on Mar 27, 2018. Last modified by RSA Information Design and Development on Apr 3, 2018. Version 2.

Note: The information in this topic applies to RSA NetWitness® Suite Version 11.1 and later.

The Event Analysis view offers most of the features that are available in both the Navigate view and the Events view. Similar to the Navigate view, it provides a view into meta keys and meta values for logs, endpoints, and packets. Like the Events view, it provides an events list that shows events in time order, and you can view the raw event, its related meta data, and a reconstruction of the event. The Event Analysis reconstruction has some helpful cues to identify points of interest in a reconstruction. See Examining Raw Events and Meta Data in the Event Analysis View.

Note: In Version 11.0 you cannot begin an investigation in the Event Analysis view. Instead, you begin the investigation in the Navigate or Events view, and open an event in the Event Analysis view. In Version 11.1, an INVESTIGATE submenu gives you direct access to the Event Analysis view, along with the ability to select a different service and time range and to create a query.

Access the Event Analysis View (Version 11.1 and Later)

Several ways to access the Event Analysis view are available in Version 11.1.

  • When you use the Actions > Go to event in Event Analysis option in the Navigate view, and enter an event ID, the Event Analysis view opens the single event as a reconstruction. To simplify the view, the toolbar does not include the unnecessary options to expand, contract, and close windows. You can begin working as described in Examining Raw Events and Meta Data in the Event Analysis View.
  • When you hover over a count (the green number after a meta value) in the Navigate view and click Open Event Analysis in new tab, the Event Analysis view opens with the list of events for the selected drill point, and you can begin working as described in Examining Raw Events and Meta Data in the Event Analysis View. The list of events can be very large, and there is a chance that the event you selected is not visible in the current page of events. In this case, a message advises you to scroll down to view the event.
    Message to scroll down to see an event
  • You can also access the Event Analysis view directly by going to INVESTIGATE > Event Analysis, or by going to INVESTIGATE if you have made the Event Analysis view your opening Investigate view. When you land on the Event Analysis view for the first time, you need to select a service to begin analysis. If this is not the first time you opened Event Analysis, the last used service is remembered until the browser's localStorage is cleared.
    When you open the Event Analysis view from one of the other Investigate views, the service and query from that view are in effect. You can change the service, select a time range, and enter a query if you want to refine the results before opening the Event Analysis view as described in Filter Results in the Event Analysis View.

To access the Event Analysis view directly:

  1. Go to INVESTIGATE > Event Analysis.
    The Event Analysis view opens with the first service in the service list selected and no data displayed. The Select a service field is populated initially with the first service in the list or the last selected service. A drop-down menu offers a list of available services in alphabetical order. By default the list of available services is retrieved every twelve hours and cached on the NetWitness server. If a service is added or removed from the NetWitness server, the cache is updated with the latest list of services. At the beginning of the field an icon provides the status of the query.
      • The database icon and no service name = no service is selected.
      • The database icon and a selected service name = the service is selected.
      • Spinner icon = Investigate is attempting to connect to the selected service.
      • The icon for a service that has no data = Investigate cannot connect to the selected service or there is no data. In this state, the service selector control also turns red, and a tooltip explains why the connection attempt failed and advises you to choose another service.
    example of the view when Investigate cannot connect to the service
  2. (Optional) Select a service, usually a Concentrator, from the drop-down list.
    the Select a Service drop-down list
    The time range selector shows either the default time range of 24 hours, or the time range that you last selected for this service. The Query Events button becomes active and you can enter filters. If you launch a query now, the selected time is used.
  3. (Optional) To select a time range, click in the Time Range selector and select a time range from the drop-down list. Options are Last 5, 10, 15, or 30 Minutes; Last 1, 3, 6, 12, or 24 Hours; Last 2, 5, 7, 14, or 30 Days; or All Data. (The time range is based on preferences set for the Event Analysis view. The default basis for the time range is database time; you can change it to wall clock time.)
    The selected time range is stored in your browser for this service; you can set different time ranges for different services.
    the Select a Time Range drop-down list
  4. Type a query by creating one or more filters. Each filter contains at a minimum a meta key or meta entity and an operator, with an optional value. See Filter Results in the Event Analysis View for details on entering queries.
  5. Click Query Events.
    The Event Analysis view displays the activity for the selected service and time range, in accordance with permissions assigned to your role by the administrator. With the service selected and data loaded, you are ready to begin analyzing the data. Refer to Examining Raw Events and Meta Data in the Event Analysis View to learn how to work in the Event Analysis view.

Access the Event Analysis View (Version 11.0)

To open an event in the Event Analysis view:

  1. Go to Navigate > Events.
  2. Right-click an event in the listed events, and select Event Analysis in the menu.
    Context menu in the Events view to go to Event Analysis

Refer to Examining Raw Events and Meta Data in the Event Analysis View to learn how to work in the Event Analysis view.
