Begin an Investigation in the Events View

The Events view offers most of the features that are available in both the Navigate view and the Legacy Events view. Similar to the Navigate view, there is a view into meta keys and meta values for logs, endpoints, and packets. Like the Legacy Events view, an events list shows events listed in the order by time, and you can view the raw event, related metadata, and a reconstruction of an event. The Event reconstruction has some helpful cues to identify points of interest. See Reconstructing and Analyzing Events.

The following figure shows the initial Events view with some examples of queries and information about keyboard and mouse interaction. This figure depicts the initial view.

netwitness_121_mainpageevents_1122_1417x657.png

Access the Events ViewAccess the Events View

Several ways to access the Events view are available in Version 11.1 and later.

  • Go to Investigate > Events or select the Investigate option in the main menu if you have made the Events view your default Investigate view. The following procedure provides detailed steps.
  • Hover over and click a count (the green number after a meta value) in the Navigate view. The Events view opens with the list of events for the selected drill point, and you can begin working as described in Analyze Events in the Events View.
  • Hover over a count and control-click Open Events in new tab. The Events view opens in a new tab with the list of events for the selected drill point, and you can begin working as described in Analyze Events in the Events View. The following figure is an example of the list of events.
    netwitness_121_events_view_inv_1122_1901x878.png

To begin an investigation in the Events view using direct access:

  1. Go to Investigate > Events.
    The Events view opens with a service selected and no data displayed. A drop-down list offers a list of available services in alphabetical order. The Select a service field is populated with the first service in the list or the most recently selected service. By default the list of available services is retrieved every twelve hours and cached on the NetWitness server. If a service is added or removed from the NetWitness server before the next time to retrieve, the cache is updated with the latest list of services. An icon provides the status of the service.
    • netwitness_ic-newdb.png and selected service name = The service is selected.
    • netwitness_invspinner1_16x16.png = Investigate is attempting to connect to the selected service.
    • netwitness_ic-servnodata.png = There was an error connecting to the selected service or there is no data in the selected service. In this state, the service selector control also turns red, and a tooltip explains why the connection attempt failed and advises you to choose another service.
  2. (Optional) Select a service, usually a Broker or Concentrator, from the drop-down list.
    netwitness_121_service_selectionview_1122_832x304.png
    The time range selector shows either the default time range of 24 hours, or the time range that you last selected for this service. The netwitness_eaqryicblu.png or Query Events button becomes active and you can create filters. If you launch a query without creating filters, the selected time is used.

  3. (Optional) Edit the time range as described in Filter Results in the Events View.
    netwitness_date_selection_262x215.png
    The selected time range is stored in your browser for this service; you can set different time ranges for different services.

  4. Create a query that consists of one or more filters that contain a meta key, operator, and optional value. See Filter Results in the Events View for details on creating queries.

  5. Select a Query Results Panel layout from the dropdown menu.

    For example, if you select, Show: Meta and Events option from the dropdown menu, the query results will be displayed in two separate panels, i.e., Meta and Events.

    123_QueryReultsPanel.png

  6. When ready to submit the query, click EAQryIcBlu.png or Query Events.
    The Events view displays the data for the selected service, time range, and query, in accordance with permissions assigned to your role by the administrator. You are ready to begin analyzing the data. Refer to Examine Event Details in the Events View and Analyze Events in the Events View to learn how to work in the Events view.

Investigate on Timeline

The timeline visualizes the events count that occurs at a specific instance. The timeline provides event counts so that you can see if the number of events increases drastically at a given point in time. The timeline displays activity for the specified service and time range as a bar chart. This allows analysts to detect significant spikes that could indicate anomalies. Using the visual representation, analysts can conduct a more detailed investigation of the events that occurred during that specific period.

The timeline on Events View has been improved so that users can interact with it and gain more insights. With the enhanced timeline, you can now expand the timeline, zoom into the interested zone in the timeline, change the axis settings, or reset the query to the original requested form.

Note: The Mini Timeline is still not interactive. You should expand the timeline to interact and perform certain actions on the timeline.

12.3_Timeline.png

Users can perform the following actions on the Expanded Timeline:

Expand the Timeline

The Expand Timeline feature helps you interact with the event’s result based on your search query. The expanded timeline view shows the total number of events for the selected date and time range. On the expanded timeline, X-axis shows the Time and the Y-axis shows either the Total number of events that occurred or the File Size recorded by the services at a specific time on the timeline.

To Expand the Timeline:

  1. Log in to the NetWitness Platform XDR.

  2. Go to Investigate > Events.

  3. Click ExpandTimeline_Icon.png (Expand Timeline) to expand the timeline and see the specific or interested zone on the timeline.

  4. Hover over any bar to know the event count and the time of the events created.

    The bar is highlighted in red to indicate that the tooltip information associated with it.

    ExpandedTimeline_View.png

Use Timeline Settings

Analysts can use the Timeline Settings option to change the Y-axis data dimension (Count or Size) and view the data presented on the timeline.

Click the info_icon.png (info) button to the right of the Mini Timeline to know the representation of the timeline's event data (like what information is shown on the Y-axis).

Note: To change the X-axis settings, you must change the Query Time options set within the Events Preferences panel. For more information on Query time, see Configure the Events View.

To change the Timeline Settings:

  1. Click Timeline Settings (Icon-Settng.png).

    The Timeline Settings dialog is displayed.

    123_TimelineSettings.png

  2. Select the Y-axis data dimension based on your preference:

    1. Count: Displays the total number of events that have occurred at a specific time on the timeline.

    2. Size: Displays the total size of the events recorded by services at a certain time on the timeline.

  3. Click Apply Changes. The changes are reflected on the Timeline bar.

  4. Click X to close the Timeline Settings.

Zoom the Timeline

The Zoom-in or Zoom-out feature within the timeline helps you focus on the events that occurred at a specific time from the query results.

To Zoom in or Zoom out the Timeline:

  1. Place the cursor on the expanded timeline and use the scroll wheel on the mouse to zoom in or zoom out the timeline.

    The extent of the zoom-in area will be in focused mode on the Mini Timeline while the rest of the area is masked with transparent white color.

    123_ExpandedTimeline_Zoom.png

Pan the Timeline

The Pan feature within the timeline helps you move through the timeline while you are in zoomed mode, or a specific time range selection mode on the expanded timeline.

To Pan the Timeline:

  1. Hover over any bar in the zoom-in area and Right Click + drag right or left to move through the timeline.

    IMPORTANT: When you pan through the timeline, you will notice that the focus area will also change on the Mini Timeline and Expanded Timeline.

Time Range Selection

The Time Range Selection feature assists you in creating a new query depending on your selection of an interested area or focus area on the expanded timeline.

To Select Time Range on the Expanded Timeline:

  1. While you are on the Expanded Timeline (with zoom-in or zoom-out mode), Right Click + drag right or left to select the date range of events that you want to focus on and analyze.

    The non-selected area on both Mini Timeline and Expanded Timeline are dimmed in Gray color. The events count of the selected date range will be displayed on the left side of the Expanded Timeline.

    123_ExpandedTimeline_Selection.png

  2. To modify the selection, you can click and drag the selection to the left or right. In addition, you can also click and drag the left or right ends of the selection box to increase or decrease the selected area.

    The Date Range of the query bar will be changed to reflect the selected date range of the events and the Search button will be highlighted to initiate the new query search.

  3. If you further want to analyze the events in the selected time range, click the Search button to initiate a new query based on your selection of an interested area or focus area.

Reset the Query Time Range

The Reset Query Time Range feature helps in resetting the query to the originally requested state.

After an initial query, if you’ve zoomed or made a selection and want to get back to the original query state quickly, click the EventsReset_icon.png (Reset the Query Time Range) button. This action will zoom out the timeline, remove any selections, and resets the Time Range on the query bar.