When hunting for possible threats in captured network data, you can drill into different points of interest in the data. If a session contains suspicious events, you can examine the list of events for the session and you can also safely view a reconstruction of the event with features that help to identify patterns. (See Beginning an Investigation for the different methods to access the Event Analysis view.)
In the Event Analysis view, you can select the format for the reconstruction: Packet Analysis, File Analysis, Text Analysis, Email (Version 11.1 and later), or Web (Version 11.1 and later). When the medium meta key tags an event as a log event or an endpoint event, only Text Analysis is available. The default reconstruction for a network event is Text Analysis; however, the last reconstruction format that was open overrides the default for subsequent network events. The Email and Web reconstructions open the event in the Events view and are described in "Select the Event Analysis Type" in Examine Events in the Event Analysis View.
This figure is an example of the Network Event Details: Text Analysis panel in a web browser window that is wide enough to display the reconstruction format options in a row.
When the browser window is too narrow to display all the view options horizontally, the options are presented in a drop-down list.
Within each type of analysis, settings are available to enhance your analysis. If you change a setting, the setting is preserved between browser refreshes and logins within the same browser. These are the preserved settings:
- The currently selected reconstruction: Text Analysis, Packet Analysis, or File Analysis.
- Whether the Event Meta panel is open or closed.
- Whether the Event header is open or closed.
- Whether the Request or Response, or both are displayed.
- Whether packet payloads are displayed in the Packet Analysis panel.
- Whether shaded bytes are displayed in the Packet Analysis panel.
- Whether other common file types are highlighted in the Packet Analysis panel.
- The number of packets per page in the Packet Analysis panel.
- Whether compressed or uncompressed text is displayed in the Text Analysis panel.
- The text decode setting in the Text Analysis panel of a network event.
The Text Analysis Panel
You can view all types of events (network events, log events, and endpoint events) in their original text format in the Text Analysis panel. Pagination controls add flexibility when paging through the reconstructed text of an event.
The Text Analysis panel for some network events can be quite large. To ensure the best rendering, an excessively large payload is truncated to fit. If a single request or response in the reconstructed event exceeds the maximum number of bytes, the header indicates that the message has been truncated; bytes beyond the limit are not shown in the panel. This figure illustrates a single response that has been truncated because it exceeds the maximum number of bytes (Version 11.2).
Version 11.1 handles large payloads differently; the payload for a single event is limited to 2500 packets. When the packet limit is reached, a warning in the footer advises the limit has been reached and provides the total number of packets in the event. This figure shows the tooltip displayed when you hover over the warning.
In the Text Analysis panel, network events, log events, and endpoint events are presented differently.
- For network events, Investigate provides the direction of the packet (Request or Response) and contents of each packet in text format. If you are reconstructing a network event, the Text Analysis panel is scrollable. When you scroll, the text identification information as well as the Request and Response labels remain visible rather than scrolling out of view.
- Log events and endpoint events have no request or response; only the raw event is displayed in the Text Analysis panel.
The three event types (network, log, and endpoint) also differ in two respects:
- The Event header includes information relevant to each type of event.
- There are different options for exporting.
Below is an example of the Text Analysis panel for each type of event, a network event, a log event, and an endpoint event.
The Packet Analysis Panel
The Packet Analysis panel is for network events only. The Packet Analysis panel is scrollable, and the packet identification information as well as the Request and Response labels remain visible rather than scrolling out of view.
In the Packet Analysis panel, the heading for each packet gives its direction (Request or Response), the packet number, the packet start time, the packet ID and sequence, and the payload size. Every packet begins with a header, some packets have a footer, and some packets carry a payload.
In Version 11.1 pagination controls add flexibility when paging through packets.
The metadata in the hexadecimal and ASCII data is highlighted in blue; when you place the cursor over the highlighted metadata, the meta key/meta value information is displayed in a hover box.
Common file signatures are highlighted with an orange background. When you place the cursor over the highlighted text, the description of the file type is displayed in a hover box.
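The following Python script is an added example, not code from the product or from this page, that mimics two behaviours described above: it assembles the request and response of a session from its packets, caps each message at a byte limit and flags the truncation the way the panel header does, and reports common file signatures (magic bytes) found in the payload, as the Packet Analysis panel highlights them. The signature table is an assumed subset (the product's own list is not documented here), and the packets are a constructed sample, not a real capture.

```python
"""Session reconstruction with truncation flag and file-signature detection.

Added illustration of the Text/Packet Analysis behaviour; the signature
table and the sample session below are assumptions, not product data.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Assumed subset of common magic-byte signatures (offset-independent; the
# product's own table is not documented on this page).
FILE_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"\xff\xd8\xff": "JPEG image",
    b"%PDF-": "PDF document",
    b"PK\x03\x04": "ZIP archive (also DOCX/XLSX/JAR/APK)",
    b"\x7fELF": "ELF executable",
    b"\x1f\x8b\x08": "gzip compressed data",
    b"Rar!\x1a\x07": "RAR archive",
}


@dataclass
class Packet:
    direction: str  # "Request" or "Response"
    seq: int        # order within the session
    payload: bytes


@dataclass
class Message:
    direction: str
    data: bytes             # bytes actually shown (after the cap)
    total_bytes: int        # full reconstructed length
    truncated: bool         # True when total_bytes > cap
    signatures: list[tuple[int, str]] = field(default_factory=list)


def find_signatures(data: bytes) -> list[tuple[int, str]]:
    """Return (offset, description) for every known magic sequence in data,
    sorted by offset. Overlapping or repeated hits are all reported."""
    hits = []
    for magic, desc in FILE_SIGNATURES.items():
        start = 0
        while (idx := data.find(magic, start)) != -1:
            hits.append((idx, desc))
            start = idx + 1
    return sorted(hits)


def reconstruct(packets: list[Packet], max_bytes: int) -> list[Message]:
    """Concatenate payloads per direction in sequence order, cap the shown
    bytes at max_bytes, and flag the message when content was cut off.
    Signatures are searched only in the shown bytes, so a file header that
    falls past the cap is not reported (as it would not be highlighted)."""
    messages = []
    ordered = sorted(packets, key=lambda p: p.seq)
    for direction in ("Request", "Response"):
        data = b"".join(p.payload for p in ordered if p.direction == direction)
        if not data:
            continue
        shown = data[:max_bytes]
        messages.append(Message(direction, shown, len(data),
                                len(data) > max_bytes, find_signatures(shown)))
    return messages


def header_line(msg: Message) -> str:
    """Text for the message header, including a truncation notice."""
    line = f"{msg.direction}: {msg.total_bytes} bytes"
    if msg.truncated:
        line += f" (truncated, showing first {len(msg.data)} bytes)"
    return line


# Constructed sample session (not a real capture): a GET and a response whose
# body starts with a PNG header and later contains a ZIP local-file header.
RESPONSE_HEADERS = b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n"
SAMPLE_PACKETS = [
    Packet("Request", 1, b"GET /logo.png HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Packet("Response", 2, RESPONSE_HEADERS),
    Packet("Response", 3, b"\x89PNG\r\n\x1a\n" + b"\x00" * 40),
    Packet("Response", 4, b"PK\x03\x04" + b"\x00" * 40),
]

if __name__ == "__main__":
    for msg in reconstruct(SAMPLE_PACKETS, max_bytes=60):
        print(header_line(msg))
        for offset, desc in msg.signatures:
            print(f"  signature at offset {offset}: {desc}")
```

Run with a generous cap (for example 1000 bytes) and both the PNG and the ZIP signature are reported in the response at offsets 44 and 92; with a cap of 60 bytes the response is flagged as truncated and only the PNG header is found, which is why an analyst who needs the whole payload should export the file from the File Analysis panel rather than rely on the truncated text view.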
The File Analysis Panel
The File Analysis panel shows a list of files associated with the selected network event. This is an example of the File Analysis panel.
You can select one or more files, or all files, to export to your local file system. When files are selected, the Export Files button becomes active and shows the number of files selected.
Analytical Tools for Each Type of Event Analysis
The analytical tools in the Event Analysis view are designed to help analysts find the relevant information for different types of events (network event, log event, and endpoint event). This table lists the actions you can take by event type. The rest of this section provides procedures for performing the actions.