Examine Event Details in the Events View

When you find an interesting session in the Navigate view or the Events view > Filter Events panel, you can see the list of sequential events for the session in the Events view > Events panel. Clicking an event in the list opens the Network Event Details panel for that type of event: Network Event Details, Log Event Details, or Endpoint Event Details. Within the Event Details panel, you can select a tab that shows an event reconstruction (text, packet, file, email, and web) or (Version 11.5 or later) the tab that shows host information for network events that are enriched with endpoint data.

Note: (Version 11.5 or Later) For expanded network visibility of existing network events in your network (packet) deployment. Network events are enriched with endpoint data namely the host and process that triggered the network event and other details such as user name, risk score, reputation, and so on.
You can view endpoint data in the following ways:
- (Quick View) Investigate > Events - Event Summary Header
- (Detailed View) Investigate > Events > Host
For more information to enable expanded network visibility, see "Creating Groups and Policies" in the Endpoint Configuration Guide.

Note: For expanded network visibility to work, ensure the service user account used for aggregating Endpoint Log Decoder data to Endpoint Concentrator is assigned with the decoder.manage permission. For more information on how to assign roles and permissions, see "Add a Role and Assign Permissions" in the System Security and User Management Guide.

Event Details for Each Event Type

Within the Event Details panel, different tabs are available per event type as shown in the following table. Procedures for working in the Event Details panel are provided in Analyze Events in the Events View.

Action Network Event Log
Event
Endpoint Event
View the text reconstruction (default unless last selected overrides) netwitness_checkmark.png netwitness_checkmark.png netwitness_checkmark.png
View the file reconstruction netwitness_checkmark.png    
(Version 11.5 or Later) View the host Information for an Endpoint Agent configured with expanded network visibility (see Host Information.

netwitness_checkmark.png

 

 

View the packet reconstruction netwitness_checkmark.png    
View the email reconstruction netwitness_checkmark.png    
View the web reconstruction in the Legacy Events view (see Reconstruct an Event in the Legacy Events View) netwitness_checkmark.png    

Each tab has settings to enhance your analysis. If you change a setting, the setting is preserved between browser refreshes and logins within the same browser. These are the preserved settings:

  • The currently selected reconstruction: Text, Packet, File, (Version 11.5 and later) Host, or Email.
  • Whether the Event Meta panel is open or closed.
  • Whether the Event header is open or closed.
  • Whether the Request or Response, or both are displayed.
  • Whether packet payloads are displayed without the headers in the packet reconstruction.
  • Whether shaded bytes are displayed in the packet reconstruction.
  • Whether other common file types are highlighted in the packet reconstruction.
  • The number of packets per page in the packet reconstruction.
  • Whether compressed or uncompressed text is displayed in the text reconstruction.

Text Reconstruction

In 12.0 and later, analysts can directly view an encrypted data in a decrypted format by switching on a toggle option Display Decrypted Payload. However, the data can be displayed in the decrypted format only if a Decoder service in the Events > Text tab, has a TLS key available. This feature enables the analyst to focus on the important data in less time and perform investigations on the selected events with optimum accuracy and quality.

122_view_decrypted_data_1122.png

For Endpoint Events Details, the Pivot options available under Text analysis page has been replaced with a Pivot dropdown menu that contains the three options to perform further investigation.

netwitness_txtanl1.png

You can view all types of events (network events, log events, and endpoint events) in their original text format in the Text tab. The text reconstruction for some network events can be quite large. To ensure the best rendering, an excessively large payload is truncated to fit. If a single reconstructed request or response in the reconstructed event exceeds the maximum number of bytes, the header indicates what percentage of bytes is shown. Pagination controls add flexibility when paging through the reconstructed text of an event. This figure illustrates a single response that has been truncated because it exceeds the maximum number of bytes.

122_textrec1_1122.png

122_textrec12_1122.png

Note: Version 11.1 handles large payloads differently; the payload for a single event is limited to 2500 packets. When the packet limit is reached, a warning in the footer advises the limit has been reached and provides the total number of packets in the event. For Version 11.1, the Show More option is still available for messages that are truncated; however, the entire text of the message is not visible without downloading the raw payload.

In the text reconstruction, network events, log events, and endpoint events are presented differently.

  • For network events, the reconstruction provides the direction of the packet (Request or Response) and contents of each packet in text format. If you are reconstructing a network event, the text reconstruction is scrollable. When you scroll, the text identification information and the Request and Response labels remain visible rather than scrolling out of view.
  • Log events and endpoint events have no request or response; only the raw event is displayed in the Text tab. Endpoint events include additional information relevant to an endpoint event.
  • (Version 11.5.1) Log events that contain JSON snippets are rendered in an easily readable JSON tree view with nested indentations if the RenderJSON option is enabled.

For each type of event (network, log, or endpoint), there are differences in the Overview panel and the options for downloading the event. Below is an example of the text reconstruction for each type of event: a network event, a log event, and an endpoint event.

122_texttblog2_1122.png

122_texttblog1_1122.png

netwitness_entpintevtdetails_1072x467.png

Note: The calculated packet count, calculated packet size, and calculated payload size in the Event header may be different than the same statistics in the Event Meta panel because the metadata is sometimes written before event parsing completes and may include packet duplicates.

Packet Reconstruction

The packet reconstruction is for network events. The panel is scrollable, and the packet identification information and the Request and Response labels remain visible rather than scrolling out of view. In the Packet tab, the headings provide the direction of the packet (Request or Response), the packet number, the packet start time, the packet ID and the sequence, and the payload size. All packets begin with a header, and some packets have a footer. Pagination controls add flexibility when paging through packets.

The metadata in the hexadecimal and ASCII data is highlighted in blue; when you place the cursor over the highlighted metadata, the meta key/meta value information is displayed in a hover box.

122_PktTb115_1122.png

Common file signatures are highlighted with an orange background. When you place the cursor over the highlighted text, the description of the file type is displayed in a hover box.

netwitness_evanpktintbyte111.png

File Reconstruction

The file reconstruction shows a list of files associated with the selected network event. This is an example of the file reconstruction.

122_file_reconstruct_1122.png

You can select one or more files, or all files, to export to your local file system. When files are selected, The Download File options becomes active and reflects the number of files selected.

122_file_reconstruct_warning_1122_2.png

Caution: Caution is advised when unzipping and opening files that are associated with a default application; for example, an Excel spreadsheet may automatically open in Excel before you have a chance to verify it is safe.

Host Information

Host information is displayed for network and endpoint events with the endpoint data.

You can filter the events in the Events view using the Events Filter panel (version 11.5 and later). For more information, see Filter Results in the Events View.

Note: Endpoint data is displayed only if you have an Endpoint deployment, and the Endpoint agents are configured for expanded network visibility. For more information to enable expanded network visibility, see "Creating Groups and Policies" in the Endpoint Configuration Guide.

Note: For expanded network visibility to work, ensure the service user account used for aggregating Endpoint Log Decoder data to Endpoint Concentrator is assigned with the decoder.manage permission. For more information on how to assign roles and permissions, see "Add a Role and Assign Permissions" in the System Security and User Management Guide.

Below is the example of the host information.

122_hosts_alerts_1122.png

  • The hosts with the closest matching process are listed in the order of event time.

  • By default, the first host is expanded, and you can view additional information such as:

    • Host details – This provides details on the host's operating system and the owner (logged in user) associated with the host.
      • To investigate on the host name, click the Host name link highlighted in blue. For more information, see "Investigating Hosts" in the NetWitness Endpoint User Guide.
      • To investigate alerts associated with the user, click the owner link highlighted in blue. For more information, see "Investigate High-Risk Entities" in the NetWitness UEBA User Guide
    • Process details – This provides details like risk score, process name, reputation, event time, on hosts, signed status, process ID, signer, user, launch arguments, SHA256, and path.
      • Click netwitness_1151processtreeicon.png to open the process tree. By default, the process tree will open the process details of last 14 days. The icon to open the process tree does not appear when the process tree is not available.

      • To investigate on the process, click the process link highlighted in blue. For more information, see "Investigating Files" in the NetWitness Endpoint User Guide.
      • To investigate alerts associated with the user, click the user link highlighted in blue. For more information, see "Investigate High-Risk Entities" in the NetWitness UEBA User Guide.
    • Alert details – It displays the recent ten alerts associated with the host. These alerts can be from endpoint, network, and log events. You can click View All to open the host details page. The host details page lists all the alerts that contribute to the risk score. You can click on the alert name to open the alert details. For information on how to review an alert, see “Reviewing Alerts” in the Net Witness Respond User Guide. This section provides the following details.
      • Severity – Displays the severity of the alert.

      • Time – Date and time when the alert was triggered.
      • Event Count – It displays the number of events that triggered the alert. To view the events associated with the alert, click the EVENT COUNT link highlighted in blue. The EVENT COUNT link is available only when the events are from the same source.
      • Incident – Lists the incidents associated with the respective alerts. To view the details and respond to an incident, click the INCIDENT link highlighted in blue. For more information, see "Responding to Incidents" in the NetWitness Respond User Guide.

You can hover over the meta values of the host name, process, user, owner, and SHA256 to view additional information about the specific metadata. For more information on context look up, see Look Up Additional Context for Results.

Below is an example of the Host Information tab with a single host, process, and user associated with the selected network event. The WmiPreSV.exe is the process associated with the host DESKTOP-44VINI and logged in user unknown.122_hosts12_1122.png

Note: You may see multiple hosts and processes triggered for the selected network event; in such cases, the host from where the event is triggered first is listed first and then the other hosts where a similar event is triggered.
For example, if 10.63.0.240 IP address is assigned to Host1, and User1 is logged in to the machine and accessed www.nyu.edu/ using Chrome. Meanwhile Host1 is powered off (within a span of 30 minutes), and the same IP address is assigned to Host2. The user logged in is User2 and accesses www.nyu.edu/ using Internet Explorer. In this case, network events for the endpoint data are as follows:
- Hostname - Host1, Host2
- Process - chrome.exe, iexplore.exe
- User - User1, User2

Email Reconstruction

In 11.7 and later, if the analysts need to review all email contents in a single session, then they can click on the Expand All Emails toggle button by navigating to Investigate > Events > Email view.

122_email_reconstruct1_1122.png

When the Expand All Emails toggle button switched on, the email content is displayed in an expanded form.

122_email_reconstruct_expand_all_content_1122.png

When the Expand All Emails toggle button is switched off, the email content is displayed in a collapsed form. If there are no emails to display the toggle button is disabled.

The email reconstruction shows a list of emails associated with the selected network event. This is an example of the email reconstruction.

122_email121_1122.png

  • By default, a single email is expanded and multiple emails are collapsed.
  • If an email contains attachments, you can download attachments as described in Download Data in the Events View.

    Caution: When you download and open attachments from an email, they may contain malicious data.

    An external link in an email cannot be accessed. Clicking an external link displays a Link Address pop-up window that provides the actual link.

  • When an email body is too long, Showing % is displayed in the beginning of the email. To view the remaining content, click Show Remaining % at the bottom of the email.
  • If an event contains a web email supported by the alias.host metadata of mail.google.com, mail.live.com, or mail.yahoo.com, a message is displayed with a link to view the reconstruction for the associated session in the Event Reconstruction page. If not, a “No Email reconstruction is available for this event” message is displayed.