Investigate: Download Data in the Event Analysis View

Document created by RSA Information Design and Development on Mar 27, 2018Last modified by RSA Information Design and Development on Sep 11, 2018

In the Event Analysis view, you can download events, logs, and files.

Download a Log in the Text Analysis Panel

When viewing a log reconstruction in the Text Analysis panel, you can download a log file in the following formats using options in the Download Log drop-down menu:

  • Raw log (log) using the Download Log option
  • Comma-separated values (CSV) using the Download CSV option
  • Extensible Markup Language (XML) using the Download XML option
  • JavaScript Object Notation (JSON) using the Download JSON option

This is an example of a log reconstruction with the Download Log menu options displayed.

(Figure: example of the Download Log menu)

Note: The Download Log option applies only to endpoint events that have at least one meta value exceeding 256 characters. For an endpoint event, the raw log is populated only when a meta value exceeds 256 characters. Long-running or historically downloaded files are not downloadable.
For example, meta values such as launch arguments can exceed 256 characters. In this case, 256 characters are available as the meta value, while the full value is available to view in the raw log.

The downloaded log file contains the log and is named to help identify the service on which the log was collected, the session ID, and the file type. This is an example of the filename for a raw log: Concentrator_SID2.log. The exported log file is named using the following convention:

<service-ID or host name>_SID<n>.<filetype>

where:

  • <service-ID or host name> is the name of the service (for example a Concentrator or Broker) where the session was saved.
  • SID<n> is the session ID number.
  • <filetype> identifies the format of the downloaded log. These are the possible log types: raw log, CSV, XML, and JSON. By default the format is a raw log.

Note: Some formats do not have time stamps or the device IP where the event was generated, so a log downloaded in CSV, XML, or JSON format has an extra value called timestamp along with the raw log content. The additional information inside the log is in this form: Log timestamp="1490824512" source="10.12.35.65".

To download the log for a session:

  1. In the Text Analysis panel of a log event, select one of the file formats for the downloaded log.
    • To download the log as a raw log (the default format), click Download Log.
    • To download the log in one of the other formats, click the downward arrow on the Download Log button, and select one of the file formats for the downloaded log.
    (Figure: Text Analysis with Download Log menu)
    The log file is downloaded to your local file system in the format specified. If you initiate a download and move away from the view while the log is being extracted and before the log starts to download, the log is not downloaded in your browser. A message notifies you that you can find the downloaded log in the job queue.

Download Network Event Data in the Text Analysis Panel or the Packet Analysis Panel

When viewing a reconstructed network event in the Packet Analysis panel or the Text Analysis panel, you can export network data files for further analysis. The download includes events for the current time range and drill point. You can download the data in these forms:

  • The entire event as a packet capture (*.pcap) file using the Download PCAP option.
  • The payload as a *.payload file using the Download All Payloads option.
  • The request payload as a *.payload1 file using the Download Request Payload option.
  • The response payload as a *.payload2 file using the Download Response Payload option.

This is an example of the filename for a PCAP file: C01 - Concentrator_SID1697309.pcap. The exported network data file is named using the following convention:

<service-ID or host name>_SID<n>.<filetype>

where:

  • <service-ID or host name> is the name of the service (for example a Concentrator or Broker) where the session was saved.
  • SID<n> is the session ID number.
  • <filetype> is pcap, payload, payload1, or payload2.

The network data is downloaded directly into your browser if the download is quick. If the download takes longer due to network factors or file size, the file is downloaded in the background and the task is tracked in the Jobs queue. In this case, you can check your jobs in the queue and get the file when the download is complete.

Note: If you initiate a download and move away from the view while the file is being extracted and before the file starts to download, the file is not downloaded in your browser. A message notifies you that you can find the downloaded document in the job queue.

To export an event as a network data file:

  1. Go to the Packet Analysis panel of a network event, and select one of the file formats for the downloaded file.
    • To download the event as a PCAP file (the default format), click Download PCAP.
    • To download the event in one of the other formats, click the downward arrow on the Download PCAP button, and select one of the file formats for the downloaded event data.
    (Figure: the PCAP download options)
    The network data file is downloaded to your local file system in the format specified.

Download Files from a Network Event in the File Analysis Panel

When viewing reconstructed network events that contain files in the File Analysis panel, you can select one or more files, or all files, to download to your local file system.

Note: If you initiate a download and move away from the view while the file is being extracted and before the file starts to download, the file is not downloaded in your browser. A message notifies you that you can find the downloaded file in the job queue.

When files are selected, the Download Files button becomes active and reflects the number of files selected.

(Figure: example of the File Analysis panel with files selected)

Clicking the button exports the selected files as a password-protected zip archive. The password to open the exported archive is netwitness. Exporting the files in this form ensures that:

  • The archive is not quarantined by antivirus software.
  • Potentially malicious files are not automatically opened by the default application and executed.

This is an example of the filename for an archive: C01 - Concentrator_SID1697309_FC1.zip. The exported archive is named using the following convention:

<service-ID or host name>_SID<n>_FC<n>.zip

where:

  • <service-ID or host name> is the name of the service (for example a Concentrator or Broker) where the session was saved.
  • SID<n> is the session ID number.
  • FC<n> is the file count or number of files in the archive.
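The three naming conventions on this page (logs, network data files, and file archives) share the same `<service>_SID<n>` prefix, and service names can contain spaces and hyphens (for example `C01 - Concentrator`). The parser below is an added example, not RSA's code; it splits a downloaded filename into its service, session ID, file type and, for archives, the FC file count, and rejects names that do not follow the conventions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Filename conventions described on this page:
#   <service-ID or host name>_SID<n>.<filetype>      logs and network data
#   <service-ID or host name>_SID<n>_FC<n>.zip       file archives
# The service part is matched non-greedily so the first "_SID<n>" that
# completes a valid name is taken as the separator.
_NAME_RE = re.compile(
    r"^(?P<service>.+?)_SID(?P<sid>\d+)(?:_FC(?P<fc>\d+))?\.(?P<ext>[A-Za-z0-9]+)$"
)

LOG_TYPES = {"log", "csv", "xml", "json"}                  # Text Analysis downloads
NETWORK_TYPES = {"pcap", "payload", "payload1", "payload2"}  # Packet/Text Analysis downloads


@dataclass(frozen=True)
class DownloadName:
    service: str          # service ID or host name where the session was saved
    session_id: int       # the <n> in SID<n>
    filetype: str         # lower-cased extension
    kind: str             # "log", "network" or "files"
    file_count: Optional[int] = None  # FC<n>, only for archives


def parse_download_name(filename: str) -> DownloadName:
    """Parse an Event Analysis download filename; raise ValueError if it does not match."""
    m = _NAME_RE.match(filename)
    if not m:
        raise ValueError(f"not an Event Analysis download name: {filename!r}")
    ext = m.group("ext").lower()
    fc = m.group("fc")
    if ext == "zip":
        if fc is None:
            raise ValueError("archive names must carry an _FC<n> file count")
        kind = "files"
    elif fc is not None:
        raise ValueError("only zip archives carry an _FC<n> suffix")
    elif ext in LOG_TYPES:
        kind = "log"
    elif ext in NETWORK_TYPES:
        kind = "network"
    else:
        raise ValueError(f"unknown download file type {ext!r}")
    return DownloadName(m.group("service"), int(m.group("sid")), ext, kind,
                        int(fc) if fc is not None else None)
```

Running it over the page's own examples yields `Concentrator`/session 2/`log`, `C01 - Concentrator`/session 1697309/`pcap`, and the same service and session with file count 1 for the `.zip` archive.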

Caution: Caution is advised when unzipping and opening files that are associated with a default application; for example, an Excel spreadsheet may automatically open in Excel before you have a chance to verify it is safe.

To export files in a reconstructed event:

  1. In the Event Analysis view, go to the File Analysis panel of an event that contains files.
    (Figure: example of the File Analysis panel with files selected)
  2. Click one or more files that you want to extract, and click Download Files.
    The job is scheduled, and when it completes the selected files are downloaded to the local file system in the form of a password-protected zip archive.
  3. To open the archive on your local file system, enter the following password when prompted: netwitness.