Download Data in the Events View

In the Events view, you can download data from the Events panel and from a reconstruction. The Events panel download available in Version 11.4 and later is a bulk download of log and network events for all event types.

  • Version 11.4.1 has the added capability to download visible metadata for all event types. From within a reconstruction, you can download events, logs, and files.
  • Version 11.5 has the added capability to download metadata for all event types in the Events panel and in the event reconstructions.
  • Version 12.4 has the added capability to enter a file name when downloading events, logs, and files for all event types in the Events panel and in the event reconstructions.

Note: The information that you can view and download is managed by the Role-Based Access Controls (RBAC) that your administrator has implemented. When RBAC is configured to prevent downloads of certain data, events for which you do not have download permission may appear to download successfully, but the resulting files are 0 bytes in size, so check the size of a downloaded file before treating it as evidence. When RBAC is configured to prevent reconstruction of certain events, reconstruction is disabled from the Events panel, but the bulk download button is still enabled.

Download Events or Metadata in the Events Panel

After submitting a query, you can download logs, network events, visible metadata (Version 11.4.1), or all metadata (Version 11.5) for events in your preferred format, directly from the Events panel. The preferences are set in the Event Preferences dialog and any changes made there are reflected inside the Download menu. See Configure the Events View for more information about preferences.

In the Events panel, you can select events individually or select all events returned by your search. The selection checkboxes appear only if you have permission to download the events. All checkboxes are deselected when a new query is submitted. When you select events and click Download, the Download menu is displayed. The number of events selected for each event type is displayed next to each option in the format Events of this type selected / Total number of events selected. If an event type has no events selected, the corresponding download option is disabled and the count is displayed as 0 / Total number of events selected, as shown in the following figure.

Download_selected.png

If the Select All checkbox is selected in the Events list, the Download All options are available in addition to the options that download all logs or network events.

Download_selected1.png

The difference between the All Meta options and the Visible Meta options is as follows:

  • In Version 11.4.1 and later, visible metadata for the selected events is downloaded in the format that you selected in the Events Preference menu (Visible Meta as Text, Visible Meta as CSV, Visible Meta as JSON, or Visible Meta as TSV) or the format that you select under Other Options in the Download menu at the time of download. The downloaded metadata for each event corresponds to the columns visible when the metadata is downloaded. The visible columns are determined by the selected column group and the Column Selector. For additional information about selecting columns, see Use Columns and Column Groups in the Events List. If the Summary column group is selected in the Events panel, all metadata for the events is downloaded. When you use one of the Download Visible Meta options, the downloaded metadata is sorted by collection time rather than by the current sort order in the Events panel.
  • In Version 11.5 and later, all metadata for the selected events is downloaded in the default format that you selected in the Events Preference menu (All Meta as Text, All Meta as CSV, All Meta as JSON, or All Meta as TSV; Version 11.5.1 adds Download Files) or the format that you select under Other Options in the Download All menu at the time of download. The resulting download includes all metadata for the selected events, regardless of which columns are visible in the Events list. For example, if an event has 40 meta keys in the meta database, all 40 are included in the downloaded file even if the column group in the Events list has 20 columns with only 10 of them visible.

Note: When you select all events for download, only the events in the current result set are downloaded. If you canceled the query before all results were returned, only the events that were loaded are downloaded.

To download event data for one event, multiple events, or all events in the Events panel

  1. Do one of the following:
    1. To select events individually, select the checkbox next to each event you want to download, and click the downward arrow on the Download menu button to see the options.
      Download_selected.png
    2. To select all events displayed in the Events panel, select the checkbox at the top of the Events panel and click the Download All menu button.
      Download_selected1.png
  2. Review the Default Options in effect in the top section of the menu. If you do not want to use the default format, you can choose a different format from the Other Options section of the menu.

    • Logs are downloaded in the preferred format that you selected in the Events Preference menu (Logs as Text, Logs as CSV, Logs as JSON, or Logs as XML). If you want to choose a different format for this download, select one of the formats from Other Options.

    • Network events are downloaded as a PCAP. When downloading multiple network events in the Events panel, the format is always PCAP. The preferred format that you specified in the Events Preference menu (Network as PCAP, Network as Payloads, Network as Request Payload, or Network as Response Payload) is ignored in this menu. Your preferred format applies only to downloading a single network event in the network reconstruction panel.
    • Visible metadata is downloaded in the format that you selected in the Events Preference menu (Visible Meta as Text, Visible Meta as CSV, Visible Meta as JSON, or Visible Meta as TSV). If you want to choose a different format for this download, select one of the formats from Other Options. The downloaded metadata for each event corresponds to the columns visible when the metadata is downloaded. If the Summary column group is selected in the Events panel, all metadata for the events is downloaded.
    • All metadata is downloaded in the format that you selected in the Events Preference menu (All Meta as Text, All Meta as CSV, All Meta as JSON, All Meta as TSV, or Download Files). If you want to choose a different format for this download, select one of the formats from Other Options. The downloaded metadata for each event includes all metadata, not just the visible columns.
  3. Click Download Selected (or Download All if you selected all events).
  4. (From version 12.4 or later) A dialog box is displayed to enter the file name. By default, the file name is initially displayed with a time stamp in the following format: investigation-yyyy-mmm-dd-hh-mm-ss (Example, investigation-2024-Jan-08-22-33-54). Enter the required file name and click Download.

   download_file1.png
The download begins immediately within the browser window if the Download extracted files automatically preference is set (Events view > netwitness_icon-prefsel.png). If the preference is not set, the download job for the selected events is added to the Jobs tray, where you can download the events.
If the download fails, a message provides feedback regarding why the download failed. The download button is re-enabled and any selected events remain selected. These are examples of reasons for a failed download: timeout after X minutes, connection failed, event limit reached, and permission denied.

  5. To display the Jobs tray, go to Investigate > Navigate or Investigate > Legacy Events, and click the Jobs icon (netwitness_jobsicon.png), which looks like a stopwatch. The jobs are displayed in the Jobs tray.
      netwitness_dwnldjobsq114.png

Download a Log in the Text Reconstruction

When viewing a text reconstruction of a log event, you can download a log file in the following formats using options in the Download Log menu:

  • Raw log (log) using the Download Log (11.3) or Download Text (11.4 and later) or Download Log as Text (11.5 and later) option.
  • Comma-separated values (CSV) using the Download CSV or Download Log as CSV (11.5 and later) option.
  • Extensible Markup Language (XML) using the Download XML or Download Log as XML (11.5 and later) option.
  • JavaScript Object Notation (JSON) using the Download JSON or Download Log as JSON (11.5 and later) option.

In Version 11.5 and later, you can also download the metadata for the log using one of these options:

Download Meta as Text, Download Meta as CSV, Download Meta as JSON, or Download Meta as TSV.

netwitness_download_log_378x556.png

 

Note: For endpoint events, the Download Log, Download Text, or Download Log as Text option applies only to events that have at least one meta value exceeding 256 characters, because the raw log of an endpoint event is populated only when a meta value exceeds that length. For example, launch arguments can exceed 256 characters; in that case the first 256 characters are available as the meta value, while the full value can be viewed in the raw log. Long-running or historically downloaded files are not downloadable.

The downloaded log file contains the log and is named to help identify the service on which the log was collected, the session ID, and the file type. This is an example of the filename for a raw log: Concentrator_SID2.log. The exported log file is named using the following convention:

<service-ID or host name>_SID<n>.<filetype>

where:

  • <service-ID or host name> is the name of the service (for example a Concentrator or Broker) where the session was saved.
  • SID<n> is the session ID number.
  • <filetype> identifies the format of the downloaded log. These are the possible log types: raw log, CSV, XML, and JSON. By default, the format is a raw log.

Note: The raw log itself does not carry the collection time stamp or the IP address of the device that generated the event, so a log downloaded in CSV, XML, or JSON format includes additional timestamp (an epoch value in seconds) and source values along with the raw log content, in this form: Log timestamp="1490824512" source="10.12.35.65".

To download the log or the metadata for a log

In the text reconstruction of a log event, do one of the following:

  1. To download the log as a raw log (the default format), click Download Log (labeled Download Text in 11.4 or Download Log as Text in 11.5 and later).
  2. To download the log in one of the other formats, click the downward arrow on the Download Log, Download Text, or Download Log as Text button, then select one of the file formats for the downloaded log.
  3. To download the metadata for the log, click the downward arrow on the Download Log, Download Text, or Download Log as Text button, then select Download Meta as Text, Download Meta as CSV, Download Meta as JSON, or Download Meta as TSV.
  4. (From version 12.4 or later) A dialog box is displayed to enter the file name. By default, the file name is initially displayed with a time stamp in the following format: investigation-yyyy-mmm-dd-hh-mm-ss (Example, investigation-2024-Jan-08-22-33-54). Enter the required file name and click Download.

            Download_log_file.png

The log file or the metadata for the log is downloaded to your local file system in the format specified. If you initiate a download and move away from the view while the log is being extracted and before the log starts to download, the log is not downloaded in your browser. A message notifies you that you can find the downloaded log in the job queue.

Download Network Event Data in the Text or Packet Reconstruction

When viewing a packet reconstruction or a text reconstruction of a network event, you can export network data files for further analysis. In Version 11.5 and later, you can also download metadata for the reconstructed event.

netwitness_download_pcap_376x516.png

The download includes events for the current time range and drill point. You can download the data in these formats:

  • The entire event as a packet capture (*.pcap) file using the Download PCAP option.
  • The payload as a *.payload file using the Download All Payloads (11.3) or Download Payloads (11.4 and later) option.
  • The request payload as a *.payload1 file using the Download Request Payload option.
  • The response payload as a *.payload2 file using the Download Response Payload option.
  • (Version 11.5 and later) The metadata for the event using one of these options: Download Meta as Text, Download Meta as CSV, Download Meta as JSON, or Download Meta as TSV.

The label on the download menu button is one of these formats, based on the setting selected in the Event Preferences dialog. If the event does not have that type of data, the menu button is dimmed. You can click the downward arrow on the menu button to see which options are available. For example, if an event has a request payload, but no response payload, the Download Response Payload label is dimmed. You can click the downward arrow on the button and select Download Request Payload for this download. After selecting a valid format, clicking the button executes the download.

This is an example of the filename for a PCAP file: C01 - Concentrator_SID1697309.pcap. The exported network data file is named using the following convention:

<service-ID or host name>_SID<n>.<filetype>

where:

  • <service-ID or host name> is the name of the service (for example a Concentrator or Broker) where the session was saved.
  • SID<n> is the session ID number.
  • <filetype> is pcap, payload, payload1, or payload2.

The network data is downloaded directly into your browser if the download is quick. If the download takes longer due to network factors or file size, the file is downloaded in the background and the task is tracked in the Jobs queue. In this case, you can check your jobs in the queue and get the file when the download is complete.

Note: If you initiate a download and move away from the view while the file is being extracted and before the file starts to download, the file is not downloaded in your browser. A message notifies you that you can find the downloaded document in the job queue.

To export an event as a network data file or to download the metadata for the event

Go to the packet reconstruction of a network event and do one of the following:

  1. To download the event as a PCAP file (the system-defined default format) or in the user-defined default format, click the Download <format> button. The label is the same as the download option set in the Events Preferences dialog.
  2. To download the event in one of the other formats, click the downward arrow on the button, and select one of the file formats for the downloaded event data.
  3. To download the metadata for the event, click the downward arrow on the button, and select one of the file formats for the downloaded metadata.
  4. (From version 12.4 or later) A dialog box is displayed to enter the file name. By default, the file name is initially displayed with a time stamp in the following format: investigation-yyyy-mmm-dd-hh-mm-ss (Example, investigation-2024-Jan-08-22-33-54). Enter the required file name and click Download.

            Pcap.png

The network data file is downloaded to your local file system in the format specified or the metadata for the event is downloaded in the format specified.

Download Files from a Network Event in the File Reconstruction

When viewing reconstructed network events that contain files in the file reconstruction, you can select one or more files, or all files, to download to your local file system.

Note: If you initiate a download and move away from the view while the file is being extracted and before the file starts to download, the file is not downloaded in your browser. A message notifies you that you can find the downloaded file in the job queue.

When files are selected, the Download Files button becomes active and reflects the number of files selected.

122_file_reconstruct_warning_11221.png

Clicking Download Files exports the selected files as a password-protected zip archive. The password to open the exported archive is netwitness. Exporting the files in this form ensures that:

  • The archive is not quarantined by antivirus software.
  • Potentially malicious files are not automatically opened by the default application and executed.

When downloading files from the file reconstruction, the exported archive is named using the following convention, for example, Broker_SID8_1_FILES_FILES.zip. Because the password is fixed and documented, the archive provides no confidentiality; it only prevents the files from being scanned or opened on arrival, so treat the extracted contents as untrusted.

<service-ID or host name>_SID<n>_<file-count>_FILES_FILES.zip

where:

  • <service-ID or host name> is the name of the service (for example a Concentrator or Broker) where the session was saved.
  • SID<n> is the session ID number.
  • <file-count>_FILES is the number of files in the archive.
  • FILES identifies the reconstruction type from which the files were downloaded.

Caution: Caution is advised when unzipping and opening files that are associated with a default application; for example, an Excel spreadsheet may automatically open in Excel before you have a chance to verify it is safe.

To export files in a reconstructed event

  1. In the Events view, go to the file reconstruction of an event that contains files.
  2. Click one or more files that you want to extract, and click Download File or Download Files.
  3. (From version 12.4 or later) A dialog box is displayed to enter the file name. By default, the file name is initially displayed with a time stamp in the following format: investigation-yyyy-mmm-dd-hh-mm-ss (Example, investigation-2024-Jan-08-22-33-54). Enter the required file name and click Download.

Download_file_view.png
The job is scheduled and, when complete, the selected files are downloaded to the local file system in the form of a password-protected zip archive.

4. To open the archive on your local file system, enter the following password when prompted: netwitness.

Download Attachments from an Email Reconstruction

When viewing an email reconstruction that contains attachments, you can select one or more attachments, or all attachments (Version 11.4.1.x), to download to your local file system. This feature exports the selected files as a password-protected zip archive. The password to open the exported archive is netwitness. Exporting the files in this form ensures that:

  • The archive is not quarantined by antivirus software.
  • Potentially malicious files are not automatically opened by the default application and executed.

When downloading files from an email reconstruction, the exported archive is named using the following convention, for example, Broker_SID34_EMAIL.zip:

<service-ID or host name>_SID<n>_EMAIL.zip

where:

  • <service-ID or host name> is the name of the service (for example a Concentrator or Broker) where the session was saved.
  • SID<n> is the session ID number.
  • EMAIL is the type of reconstruction from which the files were downloaded.
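The naming conventions above (reconstruction downloads, file archives, and email archives) and the 12.4 default Events panel name are easy to sort by hand for one session but tedious for a case folder. The following Python script is an added example, not part of this page or of NetWitness: it classifies downloaded filenames by those conventions and flags 0-byte files, which is the symptom the RBAC note at the top of this page describes for downloads you lack permission for. Assumptions are marked in the comments: an optional underscore between the file count and FILES (the page's template and its example differ), an optional extension on the investigation-... name, and the constructed sample folder used by demo_audit().

```python
import re
import tempfile
from datetime import datetime
from pathlib import Path
from typing import Optional

# Reconstruction downloads, per this page:
#   <service-ID or host name>_SID<n>.<filetype>
#   <service-ID or host name>_SID<n>_<file-count>_FILES_FILES.zip
#   <service-ID or host name>_SID<n>_EMAIL.zip
# Assumption: the underscore between <file-count> and FILES is optional, because the
# page's template and its example (Broker_SID8_1_FILES_FILES.zip) disagree on it.
RECON_RE = re.compile(
    r"^(?P<service>.+?)_SID(?P<sid>\d+)"
    r"(?:_(?P<count>\d+)_?FILES_FILES|_(?P<email>EMAIL))?"
    r"\.(?P<ext>[A-Za-z0-9]+)$"
)
# Default Events panel name in 12.4+: investigation-yyyy-mmm-dd-hh-mm-ss.
# Assumption: the extension is optional (the page does not state one).
PANEL_RE = re.compile(
    r"^investigation-(?P<stamp>\d{4}-[A-Za-z]{3}-\d{2}-\d{2}-\d{2}-\d{2})(?:\.(?P<ext>\w+))?$"
)

LOG_OR_META_EXTS = {"log", "txt", "csv", "xml", "json", "tsv"}
NETWORK_EXTS = {"pcap", "payload", "payload1", "payload2"}


def parse_download_name(name: str) -> Optional[dict]:
    """Classify a downloaded file by the naming conventions on this page; None if it matches neither."""
    m = PANEL_RE.match(name)
    if m:
        return {
            "name": name,
            "kind": "events-panel",
            "timestamp": datetime.strptime(m["stamp"], "%Y-%b-%d-%H-%M-%S"),
            "ext": m["ext"],
        }
    m = RECON_RE.match(name)
    if not m:
        return None
    ext = m["ext"].lower()
    if m["count"] is not None and ext == "zip":
        kind = "files-archive"      # file reconstruction export
    elif m["email"] is not None and ext == "zip":
        kind = "email-archive"      # email attachment export
    elif ext in NETWORK_EXTS:
        kind = "network"            # PCAP or payload from a packet/text reconstruction
    elif ext in LOG_OR_META_EXTS:
        kind = "log-or-meta"        # raw log, structured log, or metadata export
    else:
        kind = "unknown"
    return {
        "name": name,
        "kind": kind,
        "service": m["service"],
        "sid": int(m["sid"]),
        "file_count": int(m["count"]) if m["count"] is not None else None,
        "ext": ext,
    }


def audit_downloads(folder) -> list:
    """Parse every file in a download folder and flag 0-byte results, the symptom this
    page describes when RBAC denies the download but the job still appears to succeed."""
    results = []
    for path in sorted(Path(folder).iterdir()):
        if not path.is_file():
            continue
        rec = parse_download_name(path.name) or {"name": path.name, "kind": "unrecognized"}
        rec["size"] = path.stat().st_size
        rec["suspect_rbac_denied"] = rec["size"] == 0
        results.append(rec)
    return results


def demo_audit() -> list:
    """Constructed sample folder (not real NetWitness output): one 0-byte log that looks
    like an RBAC-denied download, and one small PCAP-like file."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "Concentrator_SID2.log").write_bytes(b"")
        (Path(tmp) / "C01 - Concentrator_SID1697309.pcap").write_bytes(
            b"\xd4\xc3\xb2\xa1" + b"\x00" * 20)  # pcap magic plus a zeroed header
        return audit_downloads(tmp)


if __name__ == "__main__":
    for rec in demo_audit():
        print(rec)
```

Point audit_downloads() at the browser download directory after a bulk download and treat any suspect_rbac_denied entry as missing evidence rather than as an empty event; the zero length is a permission outcome, not a property of the event.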

Caution: Caution is advised when unzipping and opening files that are associated with a default application; for example, an Excel spreadsheet may automatically open in Excel before you have a chance to verify it is safe.
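Both archive types (file reconstruction and email attachments) share a fixed, documented password, so the zip protects against antivirus quarantine and accidental auto-open on download, not against a reader, and the caution above still applies the moment you unzip. The Python script below is an added example, not code from this page or from NetWitness: it opens such an archive with the documented password and inventories it without writing anything to disk, hashing each entry and flagging zip-slip paths, oversized entries, and suffixes that a desktop would hand to a default application. The suffix list, the size limit, and build_sample_archive() are assumptions for illustration; the sample archive is unencrypted because the standard library cannot write ZipCrypto, and entries encrypted with AES would be reported as unsupported by this code rather than read.

```python
import hashlib
import io
import posixpath
import zipfile
from dataclasses import dataclass, field
from typing import List, Optional

ARCHIVE_PASSWORD = b"netwitness"  # the fixed password documented on this page

# Illustrative list (an assumption, not from the page) of suffixes that a desktop
# hands straight to a default application or executes on double-click.
AUTO_OPEN_SUFFIXES = {".xlsx", ".xls", ".docx", ".doc", ".pdf", ".html", ".htm",
                      ".exe", ".scr", ".lnk", ".js", ".vbs", ".hta"}


@dataclass
class EntryReport:
    name: str
    size: int
    sha256: Optional[str] = None
    flags: List[str] = field(default_factory=list)


def is_unsafe_name(name: str) -> bool:
    """Zip-slip check: absolute paths, Windows drive letters, or any '..' component."""
    norm = name.replace("\\", "/")
    if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":"):
        return True
    return ".." in norm.split("/")


def triage_archive(src, password: bytes = ARCHIVE_PASSWORD,
                   max_entry_size: int = 256 * 1024 * 1024) -> List[EntryReport]:
    """Enumerate and hash the entries of a downloaded archive without extracting, so
    nothing reaches disk (or a default application) before it has been vetted.
    `src` is a path or a file object; the size limit is an assumed bomb guard."""
    reports: List[EntryReport] = []
    with zipfile.ZipFile(src) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            rep = EntryReport(info.filename, info.file_size)
            if posixpath.splitext(info.filename)[1].lower() in AUTO_OPEN_SUFFIXES:
                rep.flags.append("auto-open-risk")
            if is_unsafe_name(info.filename):
                rep.flags.append("unsafe-path")  # never extract this entry as named
                reports.append(rep)
                continue
            if info.file_size > max_entry_size:
                rep.flags.append("oversized")    # skip rather than inflate it
                reports.append(rep)
                continue
            digest = hashlib.sha256()
            try:
                # pwd is ignored by zipfile for unencrypted entries and used for ZipCrypto ones
                with zf.open(info, pwd=password) as fh:
                    for block in iter(lambda: fh.read(1 << 16), b""):
                        digest.update(block)
                rep.sha256 = digest.hexdigest()
            except RuntimeError as exc:          # wrong password on a ZipCrypto entry
                rep.flags.append("unreadable: %s" % exc)
            except NotImplementedError as exc:   # AES encryption or unsupported compression
                rep.flags.append("unsupported: %s" % exc)
            reports.append(rep)
    return reports


def build_sample_archive() -> io.BytesIO:
    """Constructed stand-in for a NetWitness export (not a real one). It is unencrypted
    because the standard library cannot write ZipCrypto; the password is then unused."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.xlsx", b"abc")          # would auto-open in a spreadsheet app
        zf.writestr("../../Startup/evil.lnk", b"L")  # zip-slip attempt, never extract
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for rep in triage_archive(build_sample_archive()):
        print(rep)
```

Run the triage first, check the hashes against your intelligence sources, and extract only unflagged entries into a dedicated scratch directory; the auto-open-risk flag is the programmatic form of the caution above.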

To download email attachments:

  1. Go to the Events view and open an email reconstruction by clicking an event that contains an email with attachments.
  2. Expand the Attachments drop-down list and do one of the following:
    1. (Version 11.5 and later) Click a link to an attachment.
      122_email_attach_1122.png
      A dialog warns you that downloaded email attachments may contain malicious data and asks you to cancel or confirm the download. If you want to complete the download, click Download. Otherwise, click Cancel to cancel the download.
      netwitness_downloademailatdg.png
    2. (Version 11.4.1.x) Select one or more attachments or All Attachments.
      netwitness_downloademailatt1141.png
      A warning message is displayed in the reconstruction. Click the Download File or Download Files button. The attachments are downloaded with no additional opportunity to cancel.