
Investigate: Reconstruct an Event in the Events View

Document created by RSA Information Design and Development on Mar 27, 2018. Last modified by RSA Information Design and Development on Jan 30, 2020. Version 8.

When hunting for possible threats in captured network, log, and endpoint data, you can drill into different points of interest in the data. If a particular session contains suspicious events, you can examine the list of events for the session and you can also safely view a reconstruction of the event with features that help to identify patterns.

In the Events view, you can select the format for the reconstruction: packet, file, text, email, and web. For a log event or an endpoint event, only the text reconstruction is available. The default reconstruction for network events is text; however, for a network event the last reconstruction format that was open overrides the default. The email and web reconstructions open the event in the Legacy Events view and are described in Reconstruct an Event in the Legacy Events View.

This figure is an example of the Network Event Details: Text panel in a web browser window.

example of a text reconstruction in the Events view

Within each type of analysis, settings are available to enhance your analysis. If you change a setting, the setting is preserved between browser refreshes and logins within the same browser. These are the preserved settings:

  • The currently selected reconstruction: Text, Packet, or File.
  • Whether the Event Meta panel is open or closed.
  • Whether the Event header is open or closed.
  • Whether the Request or Response, or both are displayed.
  • Whether packet payloads are displayed without the headers in the Packet panel.
  • Whether shaded bytes are displayed in the Packet panel.
  • Whether other common file types are highlighted in the Packet panel.
  • The number of packets per page in the Packet panel.
  • Whether compressed or uncompressed text is displayed in the Text panel.

The Text Panel

You can view all types of events (network events, log events, and endpoint events) in their original text format in the Text panel. The Text panel for some network events can be quite large. To ensure the best rendering, an excessively large payload is truncated to fit. If a single reconstructed request or response in the reconstructed event exceeds the maximum number of bytes, the header indicates what percentage of bytes is shown. Pagination controls add flexibility when paging through the reconstructed text of an event. This figure illustrates a single response that has been truncated because it exceeds the maximum number of bytes (Version 11.2 and later).

the Text Analysis panel with a truncated response

Version 11.1 handles large payloads differently; the payload for a single event is limited to 2500 packets. When the packet limit is reached, a warning in the footer advises that the limit has been reached and provides the total number of packets in the event.

footer showing that the maximum number of packets has been reached

Note: For Version 11.1, the Show More option is still available for messages that are truncated; however, the entire text of the message is not visible without downloading the raw payload.

In the Text panel, network events, log events, and endpoint events are presented differently.

  • For network events, Investigate provides the direction of the packet (Request or Response) and contents of each packet in text format. If you are reconstructing a network event, the Text panel is scrollable. When you scroll, the text identification information and the Request and Response labels remain visible rather than scrolling out of view.
  • Log events and endpoint events have no request or response; only the raw event is displayed in the Text panel.

Between the event types (network, log, and endpoint), there are also these differences:

  • The Event header includes information relevant to each type of event.
  • There are different options for exporting.

Below is an example of the Text panel for each type of event: a network event, a log event, and an endpoint event.

example of a network event in the Text panel

example of a log reconstruction in the Text panel

example of an endpoint event in the Text panel

Note: The calculated packet count, calculated packet size, and calculated payload size in the Event header may be different than the same statistics in the Event Meta panel because the metadata is sometimes written before event parsing completes and may include packet duplicates.

The Packet Panel

The Packet panel is for network events. The panel is scrollable, and the packet identification information and the Request and Response labels remain visible rather than scrolling out of view. In the Packet panel, the headings provide the direction of the packet (Request or Response), the packet number, the packet start time, the packet ID and the sequence, and the payload size. All packets begin with a header, and some packets have a footer. Pagination controls add flexibility when paging through packets.

The metadata in the hexadecimal and ASCII data is highlighted in blue; when you place the cursor over the highlighted metadata, the meta key/meta value information is displayed in a hover box.

example of the packet reconstruction

Common file signatures are highlighted with an orange background. When you place the cursor over the highlighted text, the description of the file type is displayed in a hover box.

potential Windows executable highlighted
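The file-signature highlighting described above can be reproduced outside the product for a reconstructed payload. The following Python is an added example, not NetWitness code; the signature table and the descriptions are assumptions, the HTTP response is constructed, and the function names are ours.

```python
# Added example (not part of the RSA NetWitness product or this document):
# scan a reconstructed packet payload for common file signatures, the way
# the Packet panel highlights them, and report the offset and file-type
# description of each match.
from dataclasses import dataclass

# Well-known magic bytes; the descriptions are our own wording.
SIGNATURES = {
    b"MZ": "potential Windows executable (DOS/PE header)",
    b"\x7fELF": "ELF executable",
    b"PK\x03\x04": "ZIP archive (also Office OOXML, JAR, APK)",
    b"%PDF-": "PDF document",
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"GIF89a": "GIF image",
    b"\xff\xd8\xff": "JPEG image",
    b"\x1f\x8b\x08": "gzip-compressed data",
}

@dataclass(frozen=True)
class Hit:
    offset: int
    signature: bytes
    description: str

def scan_payload(payload: bytes) -> list[Hit]:
    """Return every signature occurrence in payload, ordered by offset."""
    hits = []
    for sig, desc in SIGNATURES.items():
        start = 0
        while (pos := payload.find(sig, start)) != -1:
            hits.append(Hit(pos, sig, desc))
            start = pos + 1          # keep going: a payload may carry several files
    return sorted(hits, key=lambda h: h.offset)

def split_http_body(payload: bytes) -> bytes:
    """Drop an HTTP header block so signatures are sought in the body only."""
    sep = payload.find(b"\r\n\r\n")
    return payload[sep + 4:] if sep != -1 else payload

# Constructed sample: an HTTP response whose body starts with a DOS/PE stub.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"This program cannot be run in DOS mode.\r\n$"
)

if __name__ == "__main__":
    for hit in scan_payload(split_http_body(SAMPLE_RESPONSE)):
        print(f"offset {hit.offset:>5}: {hit.description}")
```

Scanning the whole payload instead of the body reports the same hit at the offset of the first body byte, which is the offset the Packet panel shows in the hex view.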

The File Panel

The File panel shows a list of files associated with the selected network event. This is an example of the File panel.

example of the File panel

You can select one or more files, or all files, to export to your local file system. When files are selected, Export Files becomes active and reflects the number of files selected.

files selected in the Files panel

Caution: Caution is advised when unzipping and opening files that are associated with a default application; for example, an Excel spreadsheet may automatically open in Excel before you have a chance to verify it is safe.

Analytical Tools for Each Event Type

The analytical tools in the Events view help analysts find the relevant information for different types of events (network event, log event, and endpoint event). This table lists the actions you can take by event type. The rest of this section provides procedures for performing the actions.

                                                                                                                                             
ActionNetwork EventLog EventEndpoint Event
View the Text panel
View the File panel   
View the Packet panel   
View the Email panel   
Open, close, and adjust the size of panels
Adjust the display of requests and responses   
Show or hide the Event Header in the Text panel
Expand truncated text entries in the Text panel   
Switch between a compressed and decompressed view of payloads in the Text panel   
View highlighted bytes in the Packet panel   
Highlight common file types in the Packet panel   
Display only the payload in the Packet panel   
Shade bytes in the Packet panel when viewing payload only   
Perform URL and Base64 encoding and decoding in the Text panel   
View decompressed text for an HTTP network session in the Text panel   
View event metadata for an event in the Text panel
Download a network event (as a PCAP file, payload only, request only, or response only) in the Packet panel or the Text panel   
Export files from a network event in the File panel   
Download the file for a log event in the Text panel   
Download the file for an endpoint event in the Text panel  
Open the current endpoint event in Text panel  
