Configure Investigation Settings

This topic provides instructions for administrators who are configuring the settings that apply to all investigations on the NetWitness instance being configured. The settings for configuring and tuning behavior of NetWitness Investigate are available in the (Admin) > System > Investigation panel. These settings apply to all investigations and reconstructions on the current instance of NetWitness.

Map Context Hub Meta Types

The Context Hub is preconfigured with meta fields mapped to entities. NetWitness Respond and Investigate use these default mappings for context lookup. For information about adding meta keys, see "Configure Context Hub Data Source Settings" in the Context Hub Configuration Guide.

Caution: For the Context Lookup to work correctly in the Respond and Investigate views, when mapping meta keys in the (Admin) > System > Investigation > Context Lookup tab, it is best practice to add only meta keys to the Meta Key Mappings. Do not add fields in the MongoDB to the Meta Key Mappings. Here is a sample meta key and Mongo DB field; ip.address is a meta key and ip_address is a field in the MongoDB.

In the Context Lookup tab, you can manage mapping of Context Hub meta types with meta keys in Investigate. You can add or remove meta keys in the list of meta types supported in Investigate by Context Hub. Procedures associated with this tab are provided in "Manage Context Hub Lists and List Values in the Navigate and Events Views" in the NetWitness Investigate User Guide.

Configure Common Settings

In version 11.5 and later, the Common Settings tab allows you to configure settings that apply to the Navigate view, the Events view, and the Legacy Events view. Initially, the only setting that you can set for all views is the time format used when downloading metadata and logs, and other settings may be added in future versions.

By default, the time format for downloads is Epoch format, which shows the time as a numerical value representing the number of seconds from the Unix epoch, January 1, 1970. The resulting number requires a conversion to be understood. You can change the setting to get a more understandable format that combines the user preference time zone, date format, and time format into an easily understood representation, which follows the industry standard ISO 8601 representation when possible.

This setting applies to all 11.7 Investigate views.

1. Go to (Admin) > System, and in the options panel, select Investigation.
   The Investigation Configuration panel is displayed.

   

2. In the Common Settings tab, do the following:
   1. Select the time format to be used in metadata and log downloads in Investigate.
   2. Edit the time in minutes to set the extraction timeout when the logs are downloaded before the session expires.
      By default, it is set to 30 minutes and can be set to a maximum of 60 minutes.
3. Click Apply.
   The setting goes into effect immediately.

Configure Navigate and Legacy Events View Settings

The name of the Version 11.3 and earlier Events tab was changed to Legacy Events tab in Version 11.4.

1. Go to (Admin) > System.

2. In the options panel, select Investigation.

   The Investigation Configuration panel is displayed.
   

3. In the Investigate tab, in the Render Threads Settings field, select the maximum number of concurrent meta key values that are loaded by a single user in the Navigate view. Click Apply.
4. In the Investigate tab, in the Parallel Coordinates Settings section, set the maximum limits for meta values scanned and meta value results that can be included in a parallel coordinates visualization. For better performance, these are the recommended settings: Meta Values Scan Limit -100000 and Meta Values Result Limit to 1,000-10,000
   Click Apply.
5. In the Legacy Events tab, in the Enable Legacy Events section, select the check box to view the legacy sub menus and legacy events in classic view. Click Apply.
6. In the Legacy Events tab, in the Event Search Settings section, set the maximum numbers of events scanned and event results displayed when an analyst is conducting an event search in the Legacy Events view. The actual number of events scanned and displayed may be slightly greater than the limit set here. Click Apply.

7. In the Legacy Events tab, in the Reconstruction Settings section, set the limits for the amount of data processed in the reconstruction of a single event. The default values are 500 maximum packets and 2097152 bytes. If analysts are seeing slow performance when reconstructing sessions in Investigate, the reconstruction settings may need adjustment. Click Apply.

   Caution: Setting a higher value affects the performance of the NetWitness Server by increasing the time and memory taken to create a reconstruction of an event. Setting the value to zero disables any limit and may lead to a NetWitness Server crash.

8. (Optional) In the Legacy Events tab, in the Web View Reconstruction Settings section, enable the use of supporting files in a web view reconstruction, and configure the additional settings to calibrate web view reconstructions. These include the time range (in seconds) to scan for related events, the maximum number of related events to scan, and overrides to Reconstruction Settings for use with web view reconstructions. Click Apply.

Clear Reconstruction Cache for Services

Under Reconstruction Cache Settings, administrators can clear the cache for one or more services. For example, the administrator can clear the cache for a single Broker, a Broker and Decoder, or all connected services. These are a few examples of causes for stale cache being used in a reconstruction.

• The downstream services may have their sessions invalidated or data reset. As an example, if Investigate is browsing a Broker and a downstream Concentrator or Decoder has a data reset, the metadata and session data for the investigating service (Broker) does not match the content if the downstream service has reset and repopulated. The reconstruction in Investigate shows content from cache, which does not match the real content. Even if the Decoder is offline, content is still displayed in the Broker reconstruction. Clearing cache on the Broker causes the NetWitness to reach out to the Decoder and an error is returned because the Decoder is offline.
• Another case where cache may be stale is when a service ID for a downstream service changes. This can happen when exporting, importing, deleting, and adding services to NetWitness because NetWitness can reuse service IDs. In this case, clearing the cache on the Broker causes NetWitness to request data from the services.

To clear reconstruction cache, do one of the following:

1. To clear cache for one or more services, select the services and click Clear Cache for the Selected Services.
2. To clear the cache for all listed services, click Clear Cache for All Services.
   The reconstruction cache for the selected services is cleared. NetWitness sends a request for data to the services.

Configure Events View Settings

These settings apply to the 11.3 and earlier Event Analysis view and the 11.4 and later Events view.

1. Go to (Admin) > System, and in the options panel, select Investigation.

   The Investigation Configuration panel is displayed.
   

2. In the Events tab, in the Event Limit Default field under Events Panel Settings, select the maximum number of events loaded in the Events panel when a query is submitted.
   The default and suggested value is 10,000 events, and you can select a value between 100 and 40,000 events. Increasing the limit above 10,000 events may cause excessive load on the queried service, causing a timeout or error to occur. Consider these factors before increasing the limit: number of columns in column groups, size or length of meta values associated to columns (meta keys), complexity of the search, length of the time range, and number of underlying services providing matching results to the query.
   When users want more results returned, so that their subsequent sorting and finds through that data do not require additional queries to the services, the event limit can be increased. In this case, the best practice is to configure a per-role limit using the configuration options in Event Limit per User Role so only specific users are returned more results. For example, set the global Event Limit Default to 5,000, and then create different Analyst roles that can be set to higher limits, up to the maximum 40,000 events.
3. If a query returns more events than the configured Event Limit Default, the Events panel title shows the analyst that more results are available but are not listed due to the limit. Increasing the limit may place additional load on the queried service; the ideal limit is determined by your environment.

4. Click Apply.

   The change becomes effective immediately, and applies to any new queries submitted by analysts.

5. Under Render Threads Settings in the Render Threads field, select the maximum number of concurrent meta key values that are loaded by a single user in the Events Meta view. The Render Threads value should be between 1-8. The default value is 2.

   Note: By increasing the number of render threads, the meta values within the Events Meta panel are loaded simultaneously.

6. Click Apply.

   The change becomes effective immediately, and applies to any new queries submitted by analysts.

7. Under Event Limit Per User Role, select the maximum number of events loaded for a single query for individual user roles. This limit must be less than or equal to the system events limit of 40,000 events; it can be larger than the default or configured limit set under Event Limit Default.

8. Click Apply.

   The change becomes effective immediately, and applies to any new queries submitted by users assigned to the user role.

Configure the Sync Core Timeout to Remedy Deadlocks in Events View Reconstructions

The sync-core-timeout is a setting in the /investigate/reconstruction node that determines the maximum time to wait for operations for caching core content to complete to prevent deadlocks. The default value is 600 seconds (10 minutes) and needs no adjustment under most circumstances. If analysts are seeing a spinner for a very long time (>10 minutes) when loading a reconstruction in the Events view, for example from events on a 10G Decoder, increasing the length of this timeout may improve the ability to reconstruct events.

Caution: Changing the timeout setting to more than 600 seconds may lead to stability issues.

To adjust the sync-core-timeout:

1. Go to (Admin) > Services > Investigate-server and View > Explorer.
2. In the node list, click the investigate-reconstruction node.
   
3. In the sync-core-timeout field, type a new value for the number of seconds before timeout and press RETURN.
   The setting is applied and goes into effect immediately.