Begin an Investigation in the Events View

The Events view offers most of the features that are available in both the Navigate view and the Legacy Events view. Similar to the Navigate view, there is a view into meta keys and meta values for logs, endpoints, and packets. Like the Legacy Events view, an events list shows events listed in the order by time, and you can view the raw event, related metadata, and a reconstruction of an event. The Event reconstruction has some helpful cues to identify points of interest. See Reconstructing and Analyzing Events.

The following figure shows the initial Events view with some examples of queries and information about keyboard and mouse interaction. This figure depicts the initial view.


Access the Events View

Several ways to access the Events view are available in Version 11.1 and later.

  • Go to Investigate > Events or select the Investigate option in the main menu if you have made the Events view your default Investigate view. The following procedure provides detailed steps.
  • Hover over and click a count (the green number after a meta value) in the Navigate view. The Events view opens with the list of events for the selected drill point, and you can begin working as described in Analyze Events in the Events View.
  • Hover over a count and control-click Open Events in new tab. The Events view opens in a new tab with the list of events for the selected drill point, and you can begin working as described in Analyze Events in the Events View. The following figure is an example of the list of events.

To begin an investigation in the Events view using direct access:

  1. Go to Investigate > Events.
    The Events view opens with a service selected and no data displayed. A drop-down list offers a list of available services in alphabetical order. The Select a service field is populated with the first service in the list or the most recently selected service. By default the list of available services is retrieved every twelve hours and cached on the NetWitness server. If a service is added or removed from the NetWitness server before the next time to retrieve, the cache is updated with the latest list of services. An icon provides the status of the service.
    • netwitness_ic-newdb.png and selected service name = The service is selected.
    • netwitness_invspinner1_16x16.png = Investigate is attempting to connect to the selected service.
    • netwitness_ic-servnodata.png = There was an error connecting to the selected service or there is no data in the selected service. In this state, the service selector control also turns red, and a tooltip explains why the connection attempt failed and advises you to choose another service.
  2. (Optional) Select a service, usually a Broker or Concentrator, from the drop-down list.
    The time range selector shows either the default time range of 24 hours, or the time range that you last selected for this service. The netwitness_eaqryicblu.png or Query Events button becomes active and you can create filters. If you launch a query without creating filters, the selected time is used.
  3. (Optional) Edit the time range as described in Filter Results in the Events View.
    The selected time range is stored in your browser for this service; you can set different time ranges for different services.

  4. Create a query that consists of one or more filters that contain a meta key, operator, and optional value. See Filter Results in the Events View for details on creating queries.
  5. When ready to submit the query, click netwitness_eaqryicblu.png or Query Events.
    The Events view displays the data for the selected service, time range, and query, in accordance with permissions assigned to your role by the administrator. You are ready to begin analyzing the data. Refer to Examine Event Details in the Events View and Analyze Events in the Events View to learn how to work in the Events view.