Investigate: Reconstructing and Analyzing Events

Document created by RSA Information Design and Development Employee on Mar 27, 2018. Last modified by RSA Information Design and Development Employee on Oct 16, 2020.
Version 12

Having refined events in the Navigate view or in the Events list as described in Refining the Results Set, your next step is to learn more about the events by reconstructing them, looking at attachments, and viewing additional context in third-party lookups or internal lookups.

Reconstructions are done in the Events view or the Legacy Events view. If you are starting from the Navigate view, you need to go to the Events view or the Legacy Events view to see a reconstruction.

Note: The Legacy Events view is disabled by default. The administrator can enable the view as described in "Configure Investigation Settings" in the System Configuration Guide.

To display events in the Events view, do one of the following:

  1. Go to Investigate > Events.
  2. Go to Investigate > Navigate and right-click the meta count for a meta value (the meta count is in green text). When the context menu is displayed, select Open Events in new tab.
    [Figure: Open Event Analysis in new tab option and Open Events in new tab option]
    The Events view opens with a list of events for the selected meta value. 
    [Figure: example of the Events view with the Events list open]

For detailed information about the types of reconstruction and analysis that you can use in this view, see Examine Event Details in the Events View.

To display an event in the Legacy Events view, do one of the following:

  1. To open the Legacy Events view using the default query for the default service, go to Investigate > Legacy Events. (This option is available only if the administrator has enabled the view.)
  2. To view events for a specific meta value in the Legacy Events view, go to Investigate > Navigate and when events are loaded in the Values panel, click a meta count (the meta count is in green text). You can also right-click the meta count for a meta value. When the context menu is displayed, click Open Legacy Events in new tab.
    The Legacy Events view displays the events for the selected meta value. The Legacy Events view provides three built-in presentations of event data: the Detail view, the List view, and the Log view. This figure is an example of the Detail view. You can use queries, the time range setting, and profiles to filter the events listed in the Legacy Events view. You can extract files, export events, export logs, and open the Event Reconstruction panel by double-clicking an event. See Downloading and Acting Upon Results for detailed information about these capabilities.
    NetWitness Platform runs a default query on the last three hours for the default service (if one is set) or displays a dialog in which you can select a service and then runs the default query. The default query selects all events and the Events view displays events on the selected service, with the oldest events first. 
    [Figure: the Legacy Events view]
  3. To view a reconstruction of the first event in the list, double-click the event.
    The reconstruction opens in a pop-up window in front of the Events list.
    [Figure: example of an email reconstruction]
