Investigate: Begin an Investigation in the Navigate or Events View

Document created by RSA Information Design and Development on Mar 27, 2018. Last modified by RSA Information Design and Development on Sep 11, 2018. Version 4.
The Navigate view is the default view for Investigate unless you have selected a different view as your opening view. This user preference is set on the application level as described in Configuring NetWitness Investigate Views and Preferences. In the Navigate view and Events view, you are hunting for events of interest based on a query. In the Navigate view you can also refine results by clicking on meta keys and meta values. When you find interesting events, you can take a closer look at the event in the other Investigate views.

To begin an investigation in the Navigate view or Events view, a service must be specified.

  • NetWitness Platform opens the Navigate view or the Events view with the user-specified default service selected.
  • If no default service is currently specified and the service id is not in the URL, NetWitness Platform presents a dialog for selecting the service or collection to investigate.
  • When a service has been selected manually or by default in the Navigate view or Events view, you can change the service or collection to investigate by selecting the service name in the toolbar. NetWitness Platform presents the dialog for selecting the service to investigate.

Note: The Archiver service is not offered in the Navigate view, because Navigate queries against an Archiver are slow and would degrade the investigation experience. The Archiver is available in the Events view for log exports and enhanced search.

With a service or collection selected, NetWitness Platform is ready to load data for the service or collection. It is recommended that you also select a time range so that results load faster. Several settings in the Navigate View and Events View Settings dialog or the Profiles > Preferences panel > Investigations tab affect the loading process: Threshold, Max Values Results, Show Debug Information, Autoload Values, and Optimize Investigation page loads (see Configuring NetWitness Investigate Views and Preferences).

Note: In the Events view data loads automatically. If you specified Autoload Values in the Navigate view preferences, NetWitness Platform populates the data automatically. Otherwise, you must select the Load Values button. NetWitness Platform populates the meta data in the Navigate view Values panel and results become visible almost immediately.

The rest of this topic provides instructions for beginning the investigation of data on a service.

Note: Only users with the administrator role can create a collection, and only the creator of a collection is able to investigate it.

 

After loading data in the Navigate or the Events view:

  1. Refine results, visualize data, and act on a drill point (see Investigating Metadata in the Navigate View and Examining Raw Events in the Events View). For example, you can Look Up Additional Context in the Navigate and Events Views, Launch a Malware Analysis Scan from the Navigate View, or Add Events to an Incident for Response.
  2. Reconstruct an event (see Reconstruct an Event) or view the interactive Event Analysis of an event (see Begin an Investigation in the Event Analysis View).

Begin an Investigation (No Default Service)

  1. Go to INVESTIGATE > Navigate or Events.
    The Investigate dialog is displayed.
  2. Double-click a service or select a service, usually a Concentrator, and click Navigate.
    In the Events view, the data loads automatically. In the Navigate view, the resulting panel shows the selected service, but the data is not loaded until you click Load Values (unless Autoload Values is on in your preferences).
  3. (Recommended) Select a specific time range so that results load faster.
  4. If you want to modify investigation options before loading, you can create or modify a custom profile, apply a different time range, create or apply a meta group, and perform a custom query as described in Querying and Acting on Data in the Navigate and Events Views. You can also modify these options at any time during the investigation.
  5. To load data in the Navigate view, click the Load Values button.
    The data for the selected service begins loading.
    With the service selected and data loaded, you are ready to begin analyzing the data.

Set or Clear the Default Service

You can set the default service and clear the default service in the Investigate dialog.

  1. Click the service name in the toolbar.
    The Investigate dialog is displayed.
  2. Select a service in the Services grid, and click the Default Service button.
    The service becomes the default (indicated by Default in parentheses after the service name).
  3. To clear the default service, select the current default service in the grid, click the Default Service button again to toggle the setting off, and click Cancel to close the dialog.
    No default service is set.

Note: The Cancel button does not cancel your selection of the default service. It simply closes the dialog without navigating to the service currently selected in the grid. Setting a default service that is different from the service currently being investigated does not refresh the Navigate view. You must explicitly select and Navigate to a different service.

Begin an Investigation (Default Service Specified)

  1. Go to INVESTIGATE > Navigate or Events.
    In the Navigate view, if the Autoload Values setting is off, the view is displayed with the default service selected and ready to load data. If Autoload Values is on, the values are loaded as shown in Step 3. In the Events view, the data is loaded automatically.
  2. If you want to modify investigation options in the Navigate view before loading, you can create or modify a custom profile, apply a different time range, create or apply a meta group, and perform a custom query.
  3. When ready, click the Load Values button.
    The values for the service are loaded in accordance with the selected options.

    With the service selected and data loaded you are ready to begin analyzing the data.

Change the Service or Collection to Investigate

  1. In the Navigate view or the Events view, click the service name at the top of the options panel.
    The Investigate dialog is displayed.
  2. Double-click a service or select a service and click Navigate. The resulting panel displays the activity for the selected service.
    In the Navigate view, if the Autoload Values setting is on, the values are loaded as shown in Step 3. Otherwise, the view is displayed with the newly selected service and the data ready to load. In the Events view, the data is loaded automatically.
  3. When ready, click the Load Values button.
    The values for the service begin loading in accordance with the selected options.

    With the service selected and data loaded you are ready to begin analyzing the data.

Investigate Workbench Restoration Collections

This procedure enables administrators to select content from an existing collection to reprocess for further investigation. This applies to Decoders that use Workbench services.

Note: Only a user with administrative privileges can create a collection, and you can view only those collections that you created.

To reprocess data for further investigation:

  1. Go to INVESTIGATE > Navigate or Events.
    The Investigate dialog is displayed.
  2. Select the workbench service and the workbench (collection) name that you want to investigate.
  3. Click Navigate to perform an investigation on the selected workbench service.
    Click Cancel if you want to close the dialog and choose a different workbench service later.
    The Navigate or Events view is displayed for the selected collection.
    With the collection selected and data loaded, you are ready to begin analyzing the data.