Investigate: Configure the Event Analysis View

Document created by RSA Information Design and Development on Mar 27, 2018Last modified by RSA Information Design and Development on Apr 25, 2019
Version 6Show Document
  • View in full screen mode

Note: The information in this topic applies to RSA NetWitness® Platform Version 11.1 and later.

Analysts can set preferences that affect the behavior of NetWitness Platform when using the Investigate > Event Analysis view. In the Event Analysis view is open; these two buttons give access to preferences dialogs: User Profile icon and Open Preferences icon. The User menu (User Profile icon) is focused on global user preferences such as time zone, while the Event Analysis preferences menu (Open Preferences icon) is focused on user preferences for behavior in the Event Analysis view. The rest of this section describes both sets of preferences.

Set the Default Investigate View

You can select the default view when you open Investigate: Navigate view, Events view, Event Analysis view, Hosts view, Files view or Malware Analysis view. The default Investigate view is set in the global User Preferences dialog (in the upper right corner of the NetWitness Platform browser window, select User Profile icon).
The global user preferences are described in detail in the NetWitness Platform Getting Started Guide.

Set User Preferences for the Event Analysis View

You can set your own preferences relevant to the Event Analysis view. The preferences selected persist per user and are available whenever the specific user logs in to the application.

To set default values for working in the Event Analysis view:

  1. In the Event Analysis view, click Open Preferences icon.
    Event Preferences for the Event Analysis view
  2. In the Default Event Analysis View drop-down menu, select the default reconstruction type when you open an event in the Event Analysis panel: Text Analysis, Packet Analysis, or File Analysis.
    If you have not selected a default analysis type, when you open an event, the default reconstruction type is the Packet Analysis, except for log and endpoint events, which open to the Text Analysis. If you select a default reconstruction type, the reconstruction type is the default reconstruction that you specified. In both cases, the default is the starting point, and if you change the type while you are working, the type you choose is used for the next reconstruction.
  3. In the Default Log Format drop-down, select the download format for exporting logs: Download Log, Download XML, Download CSV, or Download JSON. If you do not select a format here, the default download format is Download Log. These options are also available at the time of download in a drop-down menu.
  4. In the Default Packet Format drop-down menu, select the default format for downloading packets. These options are also available at the time of download in a drop-down menu:
    • Download PCAP to download the entire event as a packet capture (*.pcap) file
    • Download All Payloads to download the payload as a *.payload file
    • Download Request Payload to download the request payload as a *.payload1 file
    • Download Response Payload to download the response payload as a *.payload2 file
  5. Under Time Format for Query, choose either Database Time or Wall Clock Time. The Event Analysis view can display results based on the database time or the current clock time. When you set the time format, your individual user preference is saved until changed again. The default setting for this preference is Database Time, which is the same time format used to display query results in the Navigate view and Events view.
    • When Database Time is selected, the start and end time for a query is based on the time that the event was stored.
    • When Wall Clock Time is selected, the query is executed with the current time in accordance with the timezone set in user preferences. The current time is focused on real time ingestion of captured data rather than PCAP uploads.
  6. If you want all extracted files to be downloaded automatically, select the Download extracted files automatically checkbox. You can go to the Jobs queue to view the extracted files.
  7. (Version 11.3 and later) To automatically update the time range window in the query bar when the service is polled (at one minute intervals) and sends fresh results, select the Update Time Window Automatically checkbox. When the time range is updated, the the submit query button (Submit Query) button is activated and you can click to get the fresh results. To keep the time range window in the query bar synchronized with the current results, clear the checkbox (this is the default value).

You are here
Table of Contents > Configuring NetWitness Investigate Views and Preferences > Configure the Event Analysis View