
Investigate: Examine Event Details in the Events View

Document created by RSA Information Design and Development Employee on Mar 27, 2018Last modified by RSA Information Design and Development Employee on Sep 8, 2020
 

When you find an interesting session in the Navigate view or the Events view > Filter Events panel, you can see the list of sequential events for the session in the Events view > Events panel. Clicking an event in the list opens the Event Details panel for that type of event: Network Event Details, Log Event Details, or Endpoint Event Details. Within the Event Details panel, you can select a tab that shows an event reconstruction (text, packet, file, email, or web) or (Version 11.5 or later) the tab that shows host information for network events that are enriched with endpoint data.

Note: (Version 11.5 or later) Expanded network visibility enriches the existing network events in your network (packet) deployment with endpoint data, namely the host and process that triggered the network event and other details such as user name, risk score, reputation, and so on.
You can view endpoint data in the following ways:
- (Quick View) Investigate > Events - Event Summary Header
- (Detailed View) Investigate > Events > Host
For more information on enabling expanded network visibility, see "Creating Groups and Policies" in the Endpoint Configuration Guide.

Event Details for Each Event Type

Within the Event Details panel, different tabs are available per event type as shown in the following table. Procedures for working in the Event Details panel are provided in Analyze Events in the Events View.

                                                   
Action                                                                                 Network Event   Log Event   Endpoint Event
View the text reconstruction (default unless last selected overrides)                  Yes             Yes         Yes
View the file reconstruction                                                           Yes
(Version 11.5 or later) View the host information for an Endpoint Agent configured     Yes
  with expanded network visibility (see Host Information)
View the packet reconstruction                                                         Yes
View the email reconstruction                                                          Yes
View the web reconstruction in the Legacy Events view                                  Yes
  (see Reconstruct an Event in the Legacy Events View)

Each tab has settings to enhance your analysis. If you change a setting, the setting is preserved between browser refreshes and logins within the same browser. These are the preserved settings:

  • The currently selected reconstruction: Text, Packet, File, (Version 11.5 and later) Host, or Email.
  • Whether the Event Meta panel is open or closed.
  • Whether the Event header is open or closed.
  • Whether the Request or Response, or both are displayed.
  • Whether packet payloads are displayed without the headers in the packet reconstruction.
  • Whether shaded bytes are displayed in the packet reconstruction.
  • Whether other common file types are highlighted in the packet reconstruction.
  • The number of packets per page in the packet reconstruction.
  • Whether compressed or uncompressed text is displayed in the text reconstruction.

Text Reconstruction

You can view all types of events (network events, log events, and endpoint events) in their original text format in the Text tab. The text reconstruction for some network events can be quite large. To ensure the best rendering, an excessively large payload is truncated to fit. If a single reconstructed request or response in the reconstructed event exceeds the maximum number of bytes, the header indicates what percentage of bytes is shown. Pagination controls add flexibility when paging through the reconstructed text of an event. This figure illustrates a single response that has been truncated because it exceeds the maximum number of bytes (Version 11.2 and later).

a truncated response in the Text tab

Note: Version 11.1 handles large payloads differently; the payload for a single event is limited to 2500 packets. When the packet limit is reached, a warning in the footer advises that the limit has been reached and provides the total number of packets in the event.

Footer showing that the maximum number of packets has been reached

For Version 11.1, the Show More option is still available for messages that are truncated; however, the entire text of the message is not visible without downloading the raw payload.

In the text reconstruction, network events, log events, and endpoint events are presented differently.

  • For network events, the reconstruction provides the direction of the packet (Request or Response) and contents of each packet in text format. If you are reconstructing a network event, the text reconstruction is scrollable. When you scroll, the text identification information and the Request and Response labels remain visible rather than scrolling out of view.
  • Log events and endpoint events have no request or response; only the raw event is displayed in the Text tab. Endpoint events include additional information relevant to an endpoint event.

For each type of event (network, log, or endpoint), there are differences in the event header and the options for downloading the event. Below is an example of the text reconstruction for each type of event: a network event, a log event, and an endpoint event.
the Text Analysis panel with a truncated response

 

example of a text reconstruction of a log event

 

a text reconstruction of an endpoint event

Note: The calculated packet count, calculated packet size, and calculated payload size in the Event header may be different than the same statistics in the Event Meta panel because the metadata is sometimes written before event parsing completes and may include packet duplicates.

Packet Reconstruction

The packet reconstruction is for network events. The panel is scrollable, and the packet identification information and the Request and Response labels remain visible rather than scrolling out of view. In the Packet tab, the headings provide the direction of the packet (Request or Response), the packet number, the packet start time, the packet ID and the sequence, and the payload size. All packets begin with a header, and some packets have a footer. Pagination controls add flexibility when paging through packets.

The metadata in the hexadecimal and ASCII data is highlighted in blue; when you place the cursor over the highlighted metadata, the meta key/meta value information is displayed in a hover box.

example of a packet reconstruction

Common file signatures are highlighted with an orange background. When you place the cursor over the highlighted text, the description of the file type is displayed in a hover box.

potential Windows executable highlighted
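As an added example (not part of this documentation and not NetWitness code), the following Python script shows the idea behind the orange file-signature highlighting: it scans a captured payload for common magic-byte prefixes and renders a hex/ASCII dump in which the matched bytes are bracketed, with a description an analyst would expect in the hover box. The signature table, the `SignatureHit` structure and the sample HTTP response are constructed for illustration; the product's own signature list is not published on this page.

```python
"""Flag common file signatures in a captured payload (added example).

This is not NetWitness code; it illustrates what the Packet tab's
orange highlighting represents. FILE_SIGNATURES and SAMPLE_RESPONSE
are constructed for the example.
"""
from dataclasses import dataclass

# Constructed table of magic-byte prefixes -> description shown "on hover".
FILE_SIGNATURES = {
    b"MZ": "potential Windows executable (DOS/PE header)",
    b"PK\x03\x04": "ZIP archive (also DOCX/XLSX/JAR)",
    b"%PDF": "PDF document",
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"GIF8": "GIF image",
    b"\x7fELF": "ELF executable",
}


@dataclass(frozen=True)
class SignatureHit:
    offset: int        # byte offset of the magic prefix inside the payload
    magic: bytes
    description: str


def find_signatures(payload: bytes) -> list:
    """Return every occurrence of a known magic prefix, ordered by offset."""
    hits = []
    for magic, description in FILE_SIGNATURES.items():
        start = 0
        while (idx := payload.find(magic, start)) != -1:
            hits.append(SignatureHit(idx, magic, description))
            start = idx + 1
    return sorted(hits, key=lambda h: h.offset)


def hexdump(payload: bytes, hits, width: int = 16) -> str:
    """Render hex and ASCII columns; bytes covered by a hit are wrapped in [ ]."""
    flagged = set()
    for h in hits:
        flagged.update(range(h.offset, h.offset + len(h.magic)))
    lines = []
    for base in range(0, len(payload), width):
        hex_cells, ascii_cells = [], []
        for i, b in enumerate(payload[base:base + width]):
            cell = f"{b:02x}"
            char = chr(b) if 32 <= b < 127 else "."
            if base + i in flagged:
                cell, char = f"[{cell}]", f"[{char}]"
            hex_cells.append(cell)
            ascii_cells.append(char)
        lines.append(f"{base:08x}  {' '.join(hex_cells):<{width * 3}}  {''.join(ascii_cells)}")
    return "\n".join(lines)


# Constructed sample: an HTTP response whose body starts with a DOS/PE header.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"\r\n"
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"...This program cannot be run in DOS mode..."
)

if __name__ == "__main__":
    found = find_signatures(SAMPLE_RESPONSE)
    for hit in found:
        print(f"offset {hit.offset}: {hit.magic!r} -> {hit.description}")
    print(hexdump(SAMPLE_RESPONSE, found))
```

The scan is a plain substring search, so a match only says that the bytes look like a file header at that offset; as in the Packet tab, it is a prompt to examine the surrounding payload (or export the file from the File tab), not proof of what the content is.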

File Reconstruction

The file reconstruction shows a list of files associated with the selected network event. This is an example of the file reconstruction.

example of the File tab

You can select one or more files, or all files, to export to your local file system. When files are selected, the Download File option becomes active and reflects the number of files selected.

a file selected in the File tab

Caution: Use care when unzipping and opening files that are associated with a default application; for example, an Excel spreadsheet may automatically open in Excel before you have a chance to verify that it is safe.

Host Information

Host information is for network events with endpoint data.

Note: Endpoint data is displayed only if you have an Endpoint deployment and the Endpoint agents are configured for expanded network visibility. For more information on enabling expanded network visibility, see "Creating Groups and Policies" in the Endpoint Configuration Guide.

Below is an example of the host information.

  • The event summary header includes the following information from endpoint data:

    • Host name - The host from where the event originated.
    • Process - The source process that triggered the event.
    • User - The user associated with the triggered process.
  • You can view:

    • Host details – This provides details on the host's operating system and the owner (logged in user) associated with the host.
      • To investigate on the host name, click the Host name link highlighted in blue. For more information, see "Investigating Hosts" in the NetWitness Endpoint User Guide.
      • To investigate alerts associated with the user, click the owner link highlighted in blue. For more information, see "Investigate High-Risk Entities" in the NetWitness UEBA User Guide.
    • Process details – This provides details like risk score, process name, reputation, event time, on hosts, signed status, process ID, signer, user, launch arguments, SHA256, and path.
      • To investigate on the process, click the process link highlighted in blue. For more information, see "Investigating Files" in the NetWitness Endpoint User Guide.
      • To investigate alerts associated with the user, click the user link highlighted in blue. For more information, see "Investigate High-Risk Entities" in the NetWitness UEBA User Guide.

You can hover over the meta values of the host name, process, user, owner, and SHA256 to view additional information about the specific metadata. For more information on context look up, see Look Up Additional Context for Results.

Below is an example of the Host Information tab with a single host, process, and user associated with the selected network event. The svch0st.exe is the process associated with the host INENJOHNAJI3C and logged in user johna.

Note: You may see multiple hosts and processes triggered for the selected network event; in such cases, the host from where the event is triggered first is listed first and then the other hosts where a similar event is triggered.
For example, suppose the IP address 10.63.0.240 is assigned to Host1, where User1 is logged in and accesses www.nyu.edu/ using Chrome. Host1 is then powered off and, within a span of 30 minutes, the same IP address is assigned to Host2, where User2 is logged in and accesses www.nyu.edu/ using Internet Explorer. In this case, the endpoint data for the network events is as follows:
- Hostname - Host1, Host2
- Process - chrome.exe, iexplore.exe
- User - User1, User2
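The scenario in the note above, as an added example that is not part of this documentation or of NetWitness: endpoint records are matched to a network event by IP address inside a time window, and the hosts, processes and users are listed in the order in which they triggered the event, so the first-triggered host comes first. The `EndpointRecord` and `NetworkEvent` structures, the 30-minute window, the timestamps and all sample records are constructed assumptions, not the product's data model.

```python
"""Order endpoint enrichment for a network event (added example).

Not NetWitness code. Shows how IP reuse inside the correlation window
attaches more than one host/process/user to a single network event,
listed in the order in which they triggered it. The window and the
records are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class EndpointRecord:
    host: str
    process: str
    user: str
    ip: str
    seen_at: datetime  # when the agent observed the process making the connection


@dataclass(frozen=True)
class NetworkEvent:
    src_ip: str
    alias_host: str
    first_seen: datetime


def _ordered_unique(values):
    """Deduplicate while keeping first-seen order."""
    seen, out = set(), []
    for v in values:
        if v not in seen:
            seen.add(v)
            out.append(v)
    return out


def enrich(event, records, window=timedelta(minutes=30)):
    """Return the endpoint fields for an event, first-triggered host first."""
    matching = sorted(
        (r for r in records
         if r.ip == event.src_ip and abs(r.seen_at - event.first_seen) <= window),
        key=lambda r: r.seen_at,
    )
    return {
        "Hostname": _ordered_unique(r.host for r in matching),
        "Process": _ordered_unique(r.process for r in matching),
        "User": _ordered_unique(r.user for r in matching),
    }


def is_ambiguous(enrichment) -> bool:
    """True when more than one host claims the event (IP reuse); check the host order."""
    return len(enrichment["Hostname"]) > 1


T0 = datetime(2020, 9, 8, 10, 0, 0)  # constructed reference time

# Constructed records reproducing the documentation's Host1/Host2 scenario.
RECORDS = [
    EndpointRecord("Host1", "chrome.exe", "User1", "10.63.0.240", T0),
    EndpointRecord("Host2", "iexplore.exe", "User2", "10.63.0.240", T0 + timedelta(minutes=20)),
    EndpointRecord("Host3", "firefox.exe", "User3", "10.63.0.241", T0 + timedelta(minutes=5)),  # other IP
    EndpointRecord("Host4", "curl.exe", "User4", "10.63.0.240", T0 + timedelta(hours=2)),       # outside window
]
EVENT = NetworkEvent("10.63.0.240", "www.nyu.edu", T0)

if __name__ == "__main__":
    result = enrich(EVENT, RECORDS)
    for field, values in result.items():
        print(f"{field} - {', '.join(values)}")
    if is_ambiguous(result):
        print("More than one host matched this event; confirm which host was active at the time.")
```

When `is_ambiguous` is true, the analyst should confirm the host that actually generated the traffic from the host and process details rather than assuming the first entry; the ordering only reflects which host triggered a matching event first.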

Email Reconstruction

The email reconstruction shows a list of emails associated with the selected network event. This is an example of the email reconstruction.

 

  • By default, a single email is expanded and multiple emails are collapsed.
  • If an email contains attachments, you can download attachments as described in Download Data in the Events View.
  • Caution: When you download and open attachments from an email, they may contain malicious data.
  • An external link in an email cannot be accessed. Clicking an external link displays a Link Address popup window that provides the actual link.
  • When an email body is too long, Showing % is displayed in the beginning of the email. To view the remaining content, click Show Remaining % at the bottom of the email.
  • If an event contains a web email supported by the alias.host metadata of mail.google.com, mail.live.com, or mail.yahoo.com, a message is displayed with a link to view the reconstruction for the associated session in the Event Reconstruction page. If not, a “No Email reconstruction is available for this event” message is displayed.
