Configure the Navigate View and Legacy Events View
Analysts can set preferences that affect performance and behavior of NetWitness when using the Navigate view and Legacy Events view. Some of the same settings are available in two places in NetWitness, and changes made in either location are applied in the other view:
- Investigate view > Settings dialog for the Navigate view and the Legacy Events view.
- Profiles > Preferences panel > Investigation tab.
- Navigate view and Legacy Events view Search Options drop-down.
By default, the legacy Navigate view is disabled. To enable the Navigate tab in Investigate:
- Go to (Admin) > System.
- In the left-hand panel, click Investigation.
-
In the Investigation window, select the Investigate tab.
- Select the Enable Navigate checkbox.
- Click Apply.
The following figure shows the page where you can enable the legacy Navigate view.
Configure Common Settings
In version 11.5 and later, the Common Settings tab allows you to configure settings that apply to the Navigate view, the Events view, and the Legacy Events view. You can set the time format used when downloading metadata and logs, and extraction timeout settings.
By default, the time format for downloads is Epoch format, which shows the time as a numerical value representing the number of seconds from the Unix epoch, January 1, 1970. The resulting number requires a conversion to be understood. You can change the setting to get a more understandable format that combines the user preference time zone, date format, and time format into an easily understood representation, which follows the industry standard ISO 8601 representation when possible.
This setting applies to all 11.5 Investigate views.
Go to (Admin) > System, and in the options panel, select Investigation.
The Investigation Configuration panel is displayed.
Access the Navigate View and Legacy Events View Settings
To access the settings, do one of the following:
-
In the Navigate view toolbar, select the Settings option.
The Settings dialog for the Navigate view is displayed.
- In the Legacy Events view toolbar, select the Settings option.
The Settings dialog for the Legacy Events view is displayed. -
In the top right corner of NetWitness, go to > , , and in the Preferences panel click the Investigation tab.
The Investigation panel is displayed. The figure below illustrates the Investigation panel.
Calibrate Navigate View Value Loading Parameters
Several settings influence the performance of NetWitness when loading values in the Values panel. Default values are set based on common usage, and individual analysts can adjust these settings for their own investigations. To adjust these settings:
- Go to the Preferences panel > Investigation tab or to the Settings dialog for the Navigate view.
- Adjust the following parameters:
- Threshold: Set the threshold for the maximum number of sessions loaded for a meta key value in the Values panel. A higher threshold allows accurate counts for a value, and also causes longer load times. The default value is 100000.
- Max Values Results: Set the maximum number of values to load in the Navigate view when the Max Results option is selected in the Meta Key Menu for an open Meta Key. The default value is 1000.
- Max Session Export: Specify the number of events that can be exported in a single PCAP or Log file.
- Max Log View Characters: Set the maximum number of characters to be displayed on Investigate > Events > Log Text. The default value is 1000.
- Max Meta Value characters: Set the maximum number of characters in a meta value name displayed in the Navigate view Values panel. The default value is 60.
- Show Debug Information: If you want NetWitness to display the where clause beneath the breadcrumb in the Navigate view and the elapsed load time for each aggregated service on a Broker, check this option. The default value is Off.
- Append Events in Events Panel: This option affects paging in the Events view and is described below under "Calibrate Events View Retrieval and Default Reconstruction."
- Autoload Values: If you want NetWitness to automatically load values for the selected service in the Navigate view, check this option. When not selected, NetWitness displays a Load Values button, allowing the opportunity to modify options. The default value is Off.
- Click Apply.
The settings become effective immediately and are visible the next time you load values.
Configure Navigate View and Legacy Events View Parameters
Several settings influence the performance of NetWitness when loading values in the Navigate view and the Legacy Events view. Default values are set based on common usage, and individual analysts can adjust these settings for their own investigations. You can set these parameters separately in the Navigate view and the Legacy Events view. When configured in one view, the setting does not automatically apply to the other view. To adjust these settings:
- Go to the Preferences panel > Investigation tab or to the Settings dialog for the Navigate view or the Legacy Events view.
- Adjust the following parameters:
- Live Connect: Highlight Risky Values: If you want NetWitness to highlight and display only IP addresses that are considered as risky by NetWitness community, check this option. When not selected, NetWitness displays all IP addresses. By default, this option is not selected (Off).
- Use Per Device Local Cache: You can specify the use of locally cached data from the selected service. By default, this option is not selected (Off). When unchecked, Investigate sends a fresh query to the database rather than displaying cached data in the Investigate views after the initial load. If checked, Investigate uses the data from local cache.
- Download Completed PCAPs: You can automate the downloading of extracted PCAPs in the Navigate view and Legacy Events view so that the browser downloads the extracted PCAP and opens it in the default application for opening PCAP files, such as Wireshark. By default, this option is not selected (Off). If you are going to enable this option, ensure that an application that can open PCAPs is installed on your local file system and that the application is set as the default application to handle PCAP file formats.
- Live Connect: Highlight Risky Values: If this option is unchecked, all the meta values that have context available in Live Connect are highlighted in the Navigate view Values panel. If the option is checked, among the values that have context in Live Connect, only those values deemed Risky/Suspicious/Unsafe by the community are highlighted. By default this option is unchecked (Off).
- Click Apply.
The settings become effective immediately.
Configure the Default Log Export Format
You can export logs from the Navigate view and the Legacy Events view as Text, XML, comma-separated values (CSV), and JSON. There is no built-in default value for the log export format. If you do not select a format here, NetWitness displays a selection dialog when you invoke export of logs. To select the format for exported logs:
- Go to the Preferences panel > Investigation tab or to the Settings dialog for the Navigate view or Legacy Events view.
- Select one of the options from the Export Log Format drop-down menu.
- Click Apply.
The setting goes into effect immediately.
Configure the Default Meta Value Export Format
You can export meta values from the Navigate view and Legacy Events view as Text, CSV, tab-separated values (TSV), and JSON. There is no built-in default value for the meta value export format. If you do not select a format here, NetWitness displays a selection dialog when you invoke export of meta values. To select the format for exported meta values:
- Go to the Preferences panel > Investigation tab or to the Settings dialog for the Navigate view or Legacy Eventsview.
- Select one of the options from the Export Meta Format drop-down menu.
- Click Apply.
The setting goes into effect immediately.
Note: If you upgrade to version 11.5.2, the Export Meta Format preference is not retained and is reset to blank. You must re-configure this value after you upgrade to version 11.5.2.
Calibrate Legacy Events View Retrieval and Default Reconstruction
You can configure several parameters that control the how NetWitness retrieves events and reconstructs events in the Legacy Events view. To adjust these paramaters:
- Go to the Preferences panel > Investigation tab or to the Settings dialog for the Legacy Events view.
- Configure the following parameters.
- Optimize Investigation page loads: Set a paging option. When optimized, results are returned as quickly as possible,and you cannot go to a specific page in the event list. Unchecking this box changes the Events list pagination to allow you to go to a specific page in the list (or to the last page). The default value is enabled.
- Default Session View: Selects the default reconstruction type for the initial reconstruction in the Legacy Events view. The default value is Best Reconstruction in which events are reconstructed using the reconstruction method most appropriate to the event.
- Go to the Preferences panel > Investigation tab, or to the Settings dialog for the Navigate view (11.1) or the Legacy Events view (11.2 and later), and set the Append Events in Events Panel option. When this option is selected, the events displayed in the Events Panel are added incrementally. For example, each time you click the next page icon, the next increment of events is added, at first you see 1 to 25, then 1 to 50, then 1 to 75 and so on. This option is available only if the Optimize Investigation Page Loads option is enabled.
- To activate the changes immediately, click Apply.
Enable or Disable Cascading Style Sheet Rendering in Web Content Reconstructions
Analysts can enable the use of cascading style sheets (CSS) when reconstructing web content. If enabled, the web reconstruction includes CSS styles and images so that its appearance matches the original view in a web browser. This includes scanning and reconstructing related events, and searching for style sheets and images used in the target event. The option is enabled by default. Disable this option if there are problems viewing specific websites.
Note: The appearance of the reconstructed content may not match the original web page perfectly if related images and style sheets could not be found or were loaded from the web browser's cache. Also, any layout or styling that is performed dynamically through the client side javascript is not rendered in the reconstruction because all client side javascript is removed for security purposes.
To enable or disable this option
- Go to the Preferences panel > Investigation tab.
- Select the Enable CSS Reconstruction for Web View checkbox.
- Click Apply.
The setting becomes effective immediately and is visible in the next web content reconstruction.
Configure Search Options
You can configure search options to apply when you type a search string in the Search field. Edit the Search Options in the Profile > Preferences panel > Investigation tab or in the Navigate and Legacy Events view Search Options drop-down menu. To configure search options:
- Go to the Search Options.
The following figure illustrates the Search Options drop-down menu for Version 11.2 and later. - Select one or more search options to apply to the search. Search for Text Patterns in the Navigate and Legacy Events Views provides detailed information about each option.
- To save the search settings, click Apply.
The preferences are saved and effective immediately.