Investigate: Configure the Event Analysis View

Document created by RSA Information Design and Development on Mar 27, 2018. Last modified by RSA Information Design and Development on May 8, 2018.
Version 3

Note: The information in this topic applies to RSA NetWitness® Suite Version 11.1 and later.

Beginning with Version 11.1, analysts can set preferences that affect the behavior of NetWitness Suite when analyzing data using the Investigate > Event Analysis view. The main toolbar in Investigate has a different appearance when the Event Analysis view is open, and two of its buttons give access to preferences dialogs: the User Profile icon and the Open Preferences icon. The User menu (User Profile icon) covers global user preferences such as time zone, while the Event Analysis preferences menu (Open Preferences icon) covers user preferences for behavior in the Event Analysis view. The rest of this section describes both sets of preferences.

Set the Default Investigate View

The default Investigate view is set in the global User Preferences dialog (in the upper right corner of the NetWitness Suite browser window, select User Profile icon).
The User Preferences dialog shows your current preferences for the Investigate view. Here you can select the view that is displayed by default when you open Investigate: Navigate view, Events view, Event Analysis view, Hosts view, Files view, or Malware Analysis view.
User Preferences in the Respond and Investigate views

The global user preferences are described in detail in the NetWitness Suite Getting Started Guide. Go to the Master Table of Contents for NetWitness Logs & Packets 11.x to find all NetWitness Suite 11.x documents.

Configure the Event Analysis View

In Version 11.1, you can set preferences relevant to the Event Analysis view. The preferences selected here persist per user and are applied whenever that user logs in to the application.

To set default values for working in the Event Analysis view:

  1. With the Event Analysis view open, click Open Preferences icon.
  2. In the Default Event Analysis View drop-down menu, select the reconstruction type that is used by default when you open an event in the Event Analysis panel: Text Analysis, Packet Analysis, or File Analysis.
    If you have not selected a default analysis type, events open in Packet Analysis, except for log and endpoint events, which open in Text Analysis. If you have selected a default reconstruction type, events open in the type that you specified. In both cases, the default is only the starting point: if you change the type while you are working, the type you choose is used for the next reconstruction.
  3. In the Default Log Format drop-down, select the download format for exporting logs: Download Log, Download XML, Download CSV, or Download JSON. If you do not select a format here, the default download format is Download Log. These options are also available at the time of download in a drop-down menu.
  4. In the Download PCAP drop-down menu, select the default format for downloading packets. These options are also available at the time of download in a drop-down menu:
    Download PCAP to download the entire event as a packet capture (*.pcap) file
    Download All Payloads to download the payload as a *.payload file
    Download Request Payload to download the request payload as a *.payload1 file
    Download Response Payload to download the response payload as a *.payload2 file
  5. Under Configure the Time Format for queries, choose either Database Time or Wall Clock Time. The Event Analysis view can display results based on the database time or the current clock time. When you set the time format here, your individual user preference is saved until changed again. The default setting for this preference is Database Time, which is the same time format used to display query results in the Navigate view and Events view.
    When Database Time is selected, the start and end times for a query are based on the time that the event was stored.
    When Wall Clock Time is selected, the query is executed with the current time in accordance with the time zone set in user preferences.