Configure the Events View

Analysts can set preferences that affect the behavior of NetWitness when using the Investigate > Events view. If the Events view is open, these two buttons give access to preferences dialogs: netwitness_ic-profile.png and netwitness_icon-prefsel.png. The User menu (netwitness_ic-profile.png) is focused on global user preferences such as time zone, while the Events preferences menu (netwitness_icon-prefsel.png) is focused on user preferences for behavior in the Events view. The rest of this section describes both sets of preferences.

Set the Default Investigate View

You can select the default view when you open Investigate: Navigate view, Events view, Hosts view, Files view, Entities view, or Malware Analysis view. The default Investigate view is set in the global User Preferences dialog (in the upper right corner of the NetWitness browser window, select netwitness_ic-profile.png).
The global user preferences are described in detail in the NetWitness Platform Getting Started Guide.

netwitness_113usrpref.png

Set User Preferences for the Events View

You can set your own preferences relevant to the Events view. The preferences selected persist per user and are available whenever the specific user logs in to the application.

To set default values for working in the Events view:

  1. In the Events view, click netwitness_icon-prefsel.png.
    The Event Preferences dialog is displayed. Different versions of the dialog have some differences in labeling and available options as shown in the following figure.
    New_user_preference.png
  2. In the Default Events View field, select the default reconstruction type when you open an event in the Events panel: Text, Packet, File, (Version 11.5 and later) Host or Email.
    If you have not selected a default analysis type, when you open an event, the default reconstruction type is the Packet analysis, except for log and endpoint events, which open to the Text analysis. If you select a default reconstruction type, the reconstruction type is the default reconstruction that you specified. In both cases, the default is the starting point, and if you change the type while you are working, the type you choose is used for the next reconstruction.
  3. In the Default Log Format field, select the download format for exporting logs: Download Log (11.3) or Download Text (11.4), Download XML, Download CSV, or Download JSON. If you do not select a format here, the default download format is Download Text. These options are also available at the time of download in a drop-down menu.
  4. In the Default Packet Format (11.3) or Default Network Format (11.4) field, select the default format for downloading packets. If you do not select a format here, the default download format is Download PCAP. These options are also available at the time of download in a drop-down menu:
    • Download PCAP to download the entire event as a packet capture (*.pcap) file
    • Download All Payloads (11.3) or Download Payloads (11.4) to download the payload as a *.payload file
    • Download Request Payload to download the request payload as a *.payload1 file
    • Download Response Payload to download the response payload as a *.payload2 file
  5. (Version 11.4 and later) In the Default Meta Format field, select the download format for exporting metadata: Download Text, Download CSV, Download TSV, or Download JSON. If you do not select a format here, the default download format is Download Text.
  6. (Version 12.4 and later) In the Maximum Session Export Limit field, set the number of sessions available for export with the Download All menu options. The default limit is 10,000; analysts can raise or lower it as required, with a minimum of 1,000 and a maximum of 100,000. This makes the number of exported sessions independent of the number of sessions displayed in the Events table.
  7. If you want all extracted files to be downloaded automatically, select the Download extracted files automatically checkbox. You can go to the Jobs queue to view the extracted files.
  8. (Version 11.5.1 and later) To change the preference for the time that is matched when you submit queries, select an option in the Query Time field.
    • When Collection Time is selected, the time of an event reflects when it was received and stored into the system. This is the default setting.
    • When Event Time is selected, the time of an event reflects the time at which the event actually occurred. A good case for using the event time is when investigating logs or endpoints and looking for events that occurred around the same time. Using Event Time filters out all network events.

    Note: By default, the time range for a query is based on the time that the Decoder consumed the event, which is not always the same time that the event occurred. To see the actual event time instead of the collection time in the Events view, select Event Time.

    Note: When you query with the Event Time preference enabled, use the collection time and time zone columns to determine whether the events are listed in sequential order. This is necessary because there is no global standard for logging event times, so events from different sources may be recorded in different time zones.

  9. (Version 11.5.1 and later) Under Relative Time Range Settings, choose either Database Time or Current Time. The Events view can display results based on the relative time range, Last 2 hours or Last 30 Days, for example. The time range can be relative to the time when the event was received and stored into the system or the current time zone's clock time. When you set the time format, your individual user preference is saved until changed again. The default setting for this preference is Database Time, which is the same time format used to display query results in the Navigate view and Legacy Events view.
    • When Database Time is selected, the time range is relative to the time of the last stored event.
    • When Current Time (labeled Wall Clock Time in Version 11.3 and earlier) is selected, the time range is relative to the current time in the timezone set in user preferences.

    Note: (Version 11.6) Current Time is the default for Relative Time Range Settings. In previous versions, Database Time was the default value. Note that this may cause a time range mismatch between the Events view (using Current Time as default) and the Navigate view (using Database Time as default). This change does not affect existing users and applies only to new users.

  10. (Version 11.4 and 11.5) Under Time Format for Query, choose either Database Time or Current Time. The Events view can display results based on the database time or the current clock time. When you set the time format, your individual user preference is saved until changed again. The default setting for this preference is Database Time, which is the same time format used to display query results in the Navigate view and Legacy Events view.
    • When Database Time is selected, the end time for a query is based on the time that the event was stored.
    • When Current Time is selected, the query is executed with the current time in accordance with the timezone set in user preferences.
  11. (Version 11.4 and later) To set the sort sequence by collection time for the events listed in the Events panel, select one option under Default Event Sort Order. After you have selected a preference, you can also interact with the table column headers to request the results again sorted differently as described in Use Columns and Column Groups in the Events List.
    • Unsorted (default for Version 11.4.1): To list events as processed by the Core services. Unsorted is faster because it streams back the events as soon as a match is found versus waiting for all Core services to respond and then displaying them in the chosen order.
    • Ascending (default for Version 11.4 and earlier): To put the events with the earliest collection time first in the list. The oldest events are displayed first if in ascending order.
    • Descending: To put the events with the latest collection time first in the list. The newest events are displayed first if in descending order. When investigating logs, you may want to change the sort sequence to see the latest collection time first.
      If results exceed the events limit, not all events can be loaded. The portion of returned events loaded in the Events panel matches the sort order preference: the oldest portion of events is loaded when Ascending order is selected, and the newest portion of events is loaded when Descending order is selected. When Unsorted is selected, the oldest portion of events is matched and then listed unsorted. If you changed the sort order preference after events were loaded, you must refresh the view to apply the new sort order.
  12. (Version 11.3 and later) To automatically update the time range window in the query bar when the service is polled (at one minute intervals) and sends fresh results, select the Update Time Window Automatically checkbox. When the time range is updated, the netwitness_qryiconblue.png (Submit Query) button is activated and you can submit a query to get fresh results. To keep the time range window in the query bar synchronized with the current results, clear the checkbox (this is the default value).
  13. (Version 11.6 and later) If you have multiple rows of data and want to word wrap or unwrap the content of an event, choose either Compact View or Expanded View. Based on the selection you make, the rows appear compact or expanded.
  14. (Version 11.7.1 and later) With this preference, analysts can choose whether a free-form query is split into multiple guided filters or kept as a single free-form query. Analysts switch between the modes using the Free Form Split checkbox.

    122_event_spilt_view_1122.png
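The Query Time notes in step 8 above warn that event times from different sources may be logged in different time zones, so the displayed event time alone does not tell you whether events are in sequence. The following added example (not NetWitness code) models that caveat on a constructed set of events; it assumes the time zone column holds a UTC offset in the form "+HH:MM" / "-HH:MM" and that collection time is recorded in UTC.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: three log events as they might be listed with the
# Query Time preference set to Event Time. Each source logs its event time
# in its own local zone (tz column); collection time is the UTC time at
# which the event was stored.
EVENTS = [
    {"source": "fw-eu", "event_time": "2024-03-01 09:05:00", "tz": "+01:00",
     "collection_time": "2024-03-01 08:05:07"},
    {"source": "dc-us", "event_time": "2024-03-01 03:10:00", "tz": "-05:00",
     "collection_time": "2024-03-01 08:10:12"},
    {"source": "vpn-utc", "event_time": "2024-03-01 08:07:00", "tz": "+00:00",
     "collection_time": "2024-03-01 08:07:04"},
]

FMT = "%Y-%m-%d %H:%M:%S"


def parse_offset(tz: str) -> timezone:
    """Turn a '+HH:MM' / '-HH:MM' tz column value (assumed format) into a tzinfo."""
    sign = -1 if tz.startswith("-") else 1
    hours, minutes = (int(p) for p in tz[1:].split(":"))
    return timezone(sign * timedelta(hours=hours, minutes=minutes))


def event_time_utc(ev: dict) -> datetime:
    """Normalise the source's local event time to UTC using the tz column."""
    local = datetime.strptime(ev["event_time"], FMT)
    return local.replace(tzinfo=parse_offset(ev["tz"])).astimezone(timezone.utc)


def collection_time_utc(ev: dict) -> datetime:
    return datetime.strptime(ev["collection_time"], FMT).replace(tzinfo=timezone.utc)


def order_by_raw_event_time(events):
    """Misleading order: sorts on the displayed time, ignoring the tz column."""
    return [e["source"] for e in sorted(events, key=lambda e: e["event_time"])]


def order_by_normalised_event_time(events):
    return [e["source"] for e in sorted(events, key=event_time_utc)]


def order_by_collection_time(events):
    return [e["source"] for e in sorted(events, key=collection_time_utc)]


def is_sequential_in_utc(events_in_display_order) -> bool:
    """True if the listed order is also chronological once event times are in UTC."""
    utc = [event_time_utc(e) for e in events_in_display_order]
    return all(a <= b for a, b in zip(utc, utc[1:]))
```

Sorting on the raw event time lists the US source first, yet once the offsets are applied it is actually the latest event; the collection time column gives the same order as the normalised event times.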

Configure Events View Meta Value Loading Parameters

From version 12.3 onward, NetWitness provides a Meta Settings panel under the Investigate > Events view. This panel allows analysts to configure the number of sessions loaded for a specific meta key value within the Events view. Several of these settings influence NetWitness performance when values are loaded into the Events view. Default values are set based on common usage, and individual analysts can adjust these settings for their own investigations.

Adjust Settings on the Events Meta Settings Panel

  1. Log in to the NetWitness Platform.

  2. In the Events Meta panel, click filter_meta_settings.png (Meta Settings).

    The Meta Settings dialog is displayed.

    meta_settings_investigate1.png

  3. Modify the following parameters:

    • Max Threshold Value: Set the threshold for the maximum number of sessions loaded for a meta key value in the Events panel. A higher threshold gives more accurate counts for a value but also causes longer load times. The Max Threshold Value must be between 1 and 2147483647. The default value is 100,000.

    • Max Value Results: Set the maximum number of values to load in the Events view when the Max Results option is selected in the Meta Key Menu for an open Meta Key. The Max Value Results must be between 100 and 100,000. The default value is 1000.

    • Max Meta Value Characters: Set the maximum number of characters of a meta value name displayed in the Events Meta panel. The Max Meta Value Characters must be between 60 and 512. The default value is 60.

  4. Click Apply.

    The settings become effective immediately and are visible the next time you load values.