Pivot to Events View

Document created by RSA Information Design and Development on Sep 11, 2018
Version 1Show Document
  • View in full screen mode

[Does this topic contain enough information about this feature?]

If you need to investigate a particular indicator to look for related activity across a time range, you can pivot to the Events view to get the entire context of the file. In the Events view, the time range is set to 1 day by default. You can change the time range accordingly.

To pivot to Events view:

  1. Go to INVESTIGATE > Users, and select an alert or a user.
  2. Under User Risk Score, select an alert name. Indicators are displayed under the alert.
  3. Select an indicator of interest. Details about the indicator are displayed in the right pane. Click on the user ID, as shown below.
  4. The Events view is displayed. [Image TBD]
    The date in the Events view is the day the alert occurred.
    The text in the search field is the value that you selected (the user ID).
    The events that are displayed are all the events that contain the selected user ID.

For information about investigating items of interest in the Events view, see "Investigating Raw Events in the Events View" in the NetWitness Investigate User Guide.

You are here
Table of Contents > Pivot to Events View