Drill into Metadata in the Events View (BETA)

Note: This section applies to Version 11.5 and later. The feature is a beta feature that is enabled by default, and can be disabled by the system administrator as described in the System Security and User Management Guide.

When working in the Events view, the focus of an investigation is the smallest possible set of relevant events in sequential order. You can reduce the number of visible events loaded in the Events view using query profiles, column groups, meta groups, and queries. However, it is more efficient to limit the data set using the metadata indexed on the Concentrator before looking at the actual events stored on the Decoder or Log Decoder.

In Version 11.4.x and earlier, it is best to start by looking at the meta keys and meta values indexed on the Concentrator and drill into the metadata in the Navigate view to find a relevant set of events, with each drill or query further limiting the data set. When you have a meaningful data set, or drill point, you can examine the details of the related events in sequential order in the Events view.

Beginning with Version 11.5, you can drill into the metadata in the Filter Events panel, without leaving the Events view. The list of meta keys and meta values shown is related to all events seen in the environment for the time range in the query. When you find the drill point of interest in the Filter Events panel, you can open the Events panel to see the sequential events. The set of events loaded in the Events view is smaller and loads faster. The flow of an investigation is smoother with less hopping between views. The figure below illustrates the panel, open to the left of the Events panel.

[Figure: the Filter Events panel open to the left of the Events panel]

Note: There are two situations in which results in the Filter Events panel may not be as expected:
- In a mixed-mode environment with a Version 11.5 Broker and some Core services at RSA NetWitness Platform Version 11.4 or earlier, a text filter is not supported in the Filter Events panel. If the query in the Events panel includes a text filter, the result set in the Events panel and Filter Events panel may be different.
- If the query in the Events view query builder has a logical OR or &&, the results in the Events view may be different from results for the same query in the Navigate view and Legacy Events view. In this situation, a set of parentheses automatically encloses the logical OR expression in the Navigate view and Legacy Events view, while parentheses have to be manually added in the Events view. If this occurs, you need to enclose the logical OR expression in an additional set of parentheses: select the two filters in the query bar, right-click one of them, and select Wrap in parentheses in the menu.
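To see why the parentheses matter, the following is an added Python model (not NetWitness code, and not the product's actual query parser) that evaluates the same filters with and without wrapping over constructed sample metadata; the grammar, with && binding tighter than ||, is an assumption of the model.

```python
# Added model (not NetWitness code) of why an unparenthesised OR changes a
# query's result set. Assumed grammar: `key = value` atoms, && and ||,
# parentheses, with && binding tighter than || (C-style precedence).
import re
# Constructed sample metadata, one dict per event; not real captured data.
EVENTS = [
    {"service": 25, "action": "get"},
    {"service": 80, "action": "get"},
    {"service": 80, "action": "put"},
    {"service": 443, "action": "get"},
    {"service": 443, "action": "login"},
]
# The filters as typed into the Events view query bar (no wrapping) ...
UNWRAPPED_QUERY = "service = 80 || service = 443 && action = 'get'"
# ... and after "Wrap in parentheses" is applied to the two OR'd filters.
WRAPPED_QUERY = "(service = 80 || service = 443) && action = 'get'"

# Tokens: parentheses, operators, and `key = 'text'` or `key = number` atoms.
TOKEN = re.compile(r"\(|\)|&&|\|\||[\w.]+\s*=\s*(?:'[^']*'|\d+)")

def parse(tokens):
    """Recursive descent: or := and ('||' and)*; and := atom ('&&' atom)*.
    Consumes the token list and returns a nested ("op", ...) tuple."""
    def atom():
        tok = tokens.pop(0)
        if tok == "(":                       # parenthesised sub-expression
            node = or_expr()
            if not tokens or tokens.pop(0) != ")":
                raise ValueError("missing closing parenthesis")
            return node
        key, val = (s.strip() for s in tok.split("=", 1))
        return ("eq", key, val.strip("'") if val.startswith("'") else int(val))
    def and_expr():
        node = atom()
        while tokens and tokens[0] == "&&":
            tokens.pop(0)
            node = ("and", node, atom())
        return node
    def or_expr():
        node = and_expr()
        while tokens and tokens[0] == "||":
            tokens.pop(0)
            node = ("or", node, and_expr())
        return node
    tree = or_expr()
    if tokens:
        raise ValueError(f"unexpected token {tokens[0]!r}")
    return tree

def matches(node, event):
    """Evaluate a parsed query tree against one event's metadata."""
    if node[0] == "eq":
        return event.get(node[1]) == node[2]
    left, right = matches(node[1], event), matches(node[2], event)
    return (left and right) if node[0] == "and" else (left or right)

def run_query(query, events=EVENTS):
    """Return the events matching `query`, in their original order."""
    tree = parse(TOKEN.findall(query))
    return [e for e in events if matches(tree, e)]
```

Without the wrap, the `service = 80` events match regardless of action, so the unwrapped query returns three events while the wrapped one returns two.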

Modes of Operation

The Filter Events panel has two modes of operation.

  • The narrow Filter Events panel is part of a faceted search view into the data (shown above). Left- or right-clicking a meta value adds a new filter, automatically executes a new query, and displays matching events in the sequential list of events. When both panels are open, you can drill into the data in both the Filter Events panel and the Events panel. Each time you left-click a meta value in the Filter Events panel, an expression is appended to the query bar, and the query is executed by default. The query results show new metadata to filter by in the Filter Events panel and the resulting events that match the query in the Events panel. If you change the service or other query elements in the Events panel, you need to execute the query to reload the Filter Events panel.
  • The fully expanded Filter Events panel uses the full width of the browser window to provide ample real estate to hunt through the metadata without the performance load of immediately submitting a query or viewing the sequential events. As you click a new meta value and drill into the meta values, each meta value is added to the query filter and executed in the Filter Events panel, so that the number of events seen is reduced. Because the Events panel is closed, the query in the Events panel is not updated and the query is not executed. When you collapse the Filter Events panel back to original size, the Events list opens and the query is executed. This is an example of the fully expanded panel.

[Figure: the fully expanded Filter Events panel]

View Metadata in the Filter Events Panel

To view metadata in the Filter Events panel:

  1. Go to Investigate > Events, select a service to investigate, and select a time range.
  2. (Optional) Select a column group or a query profile.
  3. Click the Submit Query button to load events in the Events panel.
    A query is executed in the Events panel and matching events are listed.
  4. Click the Filter button in the Events panel.
    The Filter Events panel opens to the left of the Events panel.

Note: (Version 11.6) By default, the Filter Events panel is open in the Events view. The last used state of the panel (narrow or fully expanded) is saved throughout the session and across logins. Also, the Filter Events panel provides additional contrast between meta keys, meta values, and meta counts to improve readability.

The Default Meta Keys meta group is in effect the first time you log in. If you selected a different meta group the last time you logged in, it remains in effect until the browser cache is cleared. In Version 11.5.1, the meta group you selected previously is not stored in the browser cache, so it remains in effect until you change it. See Use Meta Groups to Focus on Relevant Meta Keys for details about meta groups. Based on the contents of the index file for the service, the Filter Events panel is populated with the first 25 meta keys that have at least one meta value and are open. When using the Default Meta Keys group in the Filter Events panel, only the first 30 meta keys with values are open and the remaining are closed. Closed meta keys may be listed, but they do not count toward the 25 or 30 meta keys total. Meta keys with no values are listed at the bottom of the panel. You can expand, collapse, and close the panel using the standard panel controls (expand or collapse left icon, expand or collapse right arrow, and close button).

  1. Do one of the following:
    1. To close the dialog without editing, click Close.
    2. To close the dialog and select the copy of the meta group, click Select Meta Group.
      The group is added to the Meta Group menu. The figure below has a private copy of the RSA HTTP meta group.
      [Figure: Meta Group menu with a private copy of the RSA HTTP meta group]

Show Max Value of Meta Groups

If not all of the values have been rendered and displayed, you can click Show Max Value to view all of the values at once.

  1. With the Filter Events panel open in the 11.6 Events view, click the three-dot options button and select the Show Max Values option.
  2. The values that were not rendered earlier begin to load, and a maximum of 1000 results is displayed.

View the Context Lookup Panel in the Filter Events Panel

In the Filter Events panel, you can click a meta entity to open the context tooltip. The context tooltip is available only for the meta keys that are defined as an entity the Context Hub supports. The Context Hub service is pre-configured with default meta types and meta keys mapping. For information about mapping of the Context Hub meta values with investigation meta keys, see "Configure Meta Type Mapping for Context Hub" in the Context Hub Configuration Guide. The context tooltip includes the following two sections.

  • Context Highlights - The information in this section helps you to determine the actions that you would like to take. It can show related data for Incidents, Alerts, Lists, Endpoint, Live Connect, Criticality, Asset Risk, and Threat Intelligence (TI). Depending on your data, you may be able to click these items for more information.

  • Actions - This section lists the available actions. In the example, the Add/Remove from List, Pivot to Investigate, Pivot to Archer, and Pivot to Endpoint Thick Client options are available.
    [Figure: context tooltip showing the Context Highlights and Actions sections]

Understand Visible Metadata

Each meta key has a list of meta values, with up to 20 values displayed by default. You can click Show More Values to incrementally add 20 meta values, up to a total of 1,000 meta values, which is a hard-coded limit to optimize performance. The meta key name and plain English name of each meta key found in the service, both populated and non-populated, are listed. For each meta value, you can see the number of events in the current results that contain the value (count) or the size of the events in the current results (size). For example, the following might be listed:

Action Event [action] (3)
get (3016) login (1346) put (501)

In this example, the meta key name is action, the English name is Action Event, and three meta values were found for this meta key. There were 3016 events containing get, 1346 events containing login, and 501 events containing put. The values are ordered so that the value with the largest count is listed first.

In the following example, the same meta key has the values ordered based on the event size in bytes. The smallest size is listed first:

Action Event [action] (3)
login (13,034,588) put (21,848,760) get (1,409,079,256)

An icon before each meta key name identifies the indexing method for the key. The indexing method determines the types of interactions and queries possible using that meta key.

  • Indexed by value (green icon): all available interactions and queries are supported. You can see the available interactions in the context menu by right-clicking the meta value.
  • Indexed by meta key (yellow icon): a subset of the available interactions is supported, and queries on this meta key may take longer than on meta keys that are indexed by value. You can see the available interactions in the context menu by right-clicking the meta value.
  • Not indexed: values for non-indexed meta keys cannot be used in a query. If you want to query a meta key that is not indexed, your administrator needs to edit the index file for the service to index the meta key by value or by meta key.

If an error occurs while loading a meta key, the other meta keys load as usual and an error message is displayed in the meta key that did not load. When you execute a new query, some error messages disappear. Meta keys that have no values in the set of events are listed at the bottom of the panel.

Set the Ordering Method for Meta Values

With the Filter Events panel open, you can look at two parameters for each value: the event count or the event size. Each meta key entry includes either the event count or the event size in parentheses after the value. In both cases, there are four options for ordering.

To use the ordering options:

  1. With the Filter Events panel open, click the ordering menu label, which is named according to the selected ordering option (for example, Ascending by Total Count when ordering by event count in ascending order by total count).
    The Ordering menu is displayed. This figure shows the narrow version of the menu.
    [Figure: the narrow version of the Ordering menu]
  2. If you want to see the event count in parentheses after each value, select one of the following options. By default, the meta keys are displayed using the Event Count > Descending by Total Count method.
    1. To order by total count of events in which the value was found, select either Descending by Total Count or Ascending by Total Count.
    2. To order by the name of the value, select either Ascending by Value or Descending by Value.
  3. If you want to see the size in bytes of the events in which the value was found, select one of the following options.
    1. To order by total size of events in which the value was found, select either Descending by Total Size or Ascending by Total Size.
    2. To order by the name of the value, select either Ascending by Total Size or Descending by Total Size.
      Under each meta key in the Filter Events panel, the values are ordered according to your selection.

Drill into Meta Values

With the Filter Events panel open, you can drill into meta values to focus an investigation down to the smallest possible set of relevant events. Drilling in the fully expanded Filter Events panel adds filters to the query bar and refines the displayed metadata in the Filter Events panel, but does not execute the query in the Events panel. Drilling in the narrow panel, side by side with the Events panel, adds the filter to the query bar and executes the query in the Events panel and the Filter Events panel. This figure is an example of the fully expanded panel with some metadata loaded.

[Figure: the fully expanded Filter Events panel with some metadata loaded]

You can drill into metadata in the Filter Events panel to find relevant meta values. A simple query using the (=) operator highlights the meta value used in the Filter Events panel. This helps to associate the metadata with the filter added to the query. For example, the following figure shows the meta key value, related to the query filter, highlighted in the Filter Events panel.
[Figure: a meta value related to the query filter, highlighted in the Filter Events panel]

To drill into meta values in the fully expanded Filter Events panel:

  1. Look for a meta value that is of interest, and click the value. Using the figure above as an example, to investigate the SMTP service type as opposed to other service types, click 25[SMTP].
    The other service types are filtered out of the metadata in the Filter Events panel, but the query is not executed in the Events panel.
  2. Look for a meta value that is of interest, and do one of the following:
    1. Click the value. Using the figure above as an example, to investigate the SMTP service type as opposed to other service types, click 25[SMTP].
      The filter is added as the last filter in the query bar, and other service types are filtered out of the metadata in the Filter Events panel. With the Events panel closed, no query is executed there.
    2. (Version 11.5.1) Right-click the value and select Add Filter - Do Not Run Query in the drop-down menu.
      The filter is added as the last filter in the query bar, but no other service types are filtered out of the metadata in the Filter Events panel. With the Events panel closed, no query is executed there.
    3. (Version 11.5.1) Press CTRL (Windows) or CMD (macOS) and click the value.
      The filter is added as the last filter in the query bar, but no other service types are filtered out of the metadata in the Filter Events panel. With the Events panel closed, no query is executed there.
  3. Repeat step 1 with another meta value, for example, writetoexecutable in the Action Event [action] meta key. Continue drilling into values until you find a set of events (drill point) that you want to see in sequential order.
  4. To view the sequential events for the drill point, click the left double arrows to shrink the Filter Events panel.
    The Events panel opens to the right, and the query is executed in the Events panel so that you can see the raw events in sequential order.

To drill into meta values in the narrow Filter Events panel:

  1. Look for a meta value that is of interest, and click the value. Using the figure above as an example, to investigate the SMTP service type as opposed to other service types, click 25[SMTP].
    The filter is added as the last filter in the query bar, other service types are filtered out of the metadata in the Filter Events panel, and the query is executed in the Events panel.
  2. Look for a meta value that is of interest, and do one of the following:
    1. Click the value. Using the figure above as an example, to investigate the SMTP service type as opposed to other service types, click 25[SMTP].
      The filter is added as the last filter in the query bar, and other service types are filtered out of the metadata in the Filter Events panel and the data set showing in the Events panel.
    2. Right-click the value and select Add Filter - Do Not Run Query in the drop-down menu.
      The filter is added as the last filter in the query bar, but no other service types are filtered out of the metadata in the Filter Events panel, and the query is not executed in the Events panel until you click the query button.
    3. Press CTRL (Windows) or CMD (macOS) and click the value.
      The filter is added as the last filter in the query bar, but no other service types are filtered out of the metadata, and the query is not executed in the Events panel until you click the query button.
  3. Continue clicking values to refine the set of events (drill point). As you refine the set of events, examine and reconstruct the raw events for the same set in the Events panel.

Copy the Meta Values for a Meta Key

To copy all of the visible meta values for a meta key:

  1. In the meta key row of an entry, click the Meta Key options button.
    The Meta Key options are displayed. Currently the only option is Copy Values.
  2. Click Copy Values.
    A comma-separated list of the values is copied to your local clipboard. This is an example of the clipboard contents: "get", "login", "put".

View a Selected Meta Value in RSA Live

  1. Right-click a meta value, for example login.
    The Meta Value drop-down menu is displayed with the Copy option selected initially.
    [Figure: the options for a meta value]
  2. To look up the meta value, for example success, in RSA Live, select Live Lookup.
    The Live Search view is displayed with the meta value entered in the Generated Meta Values field, and ready for a search.

    [Figure: Live Search view]

Refocus the Investigation of a Meta Value

For each value listed under a meta key, the focus is <meta key> = <meta value>. When you right-click a meta value, a context menu with different refocus options is displayed. All of the refocus actions update the drill point in the Events panel and the Filter Events panel.

  1. To append the key-value pair to the query with different operators (=, !=, contains), right-click a meta value (for example UDP in the figure below) and select one of the Apply <operator> Drill options.
    [Figure: the options when right-clicking a value]
  2. To start the query over with the key-value pair and a different operator (=, !=, contains), right-click a value and select one of the Refocus <operator> Drill options.
    [Figure: the Refocus options]
  3. To append the key-value pair to the query or start the key-value pair over in a new browser tab, right-click a value and select one of the Refocus New Tab > Refocus <operator> Drill in New Tab or Refocus <operator> Drill in New Tab options.
    [Figure: the Refocus New Tab options]
    The drill is refocused according to your choice, and the new query is executed in the Events panel.