Global Audit Logging Operation Reference
This topic lists message types being logged by the various NetWitness components. Most messages plainly state the operation being logged; when necessary the meaning of the message is explained.
After you create a global audit logging configuration, audit logs automatically go to the external syslog system in the format specified in the selected audit logging template. The message types being logged by the various NetWitness components are shown in the following tables.
CARLOS
The following table lists the operations logged by CARLOS.
Serial # | Operation Name | Meaning |
---|---|---|
1 | SetProviderConfiguration | A new notification server (for example, SMTP server) was added or updated |
2 | SetInstanceConfiguration | A new notification type (for example, email destination) was added or updated |
3 | SetTemplateDefinition | A new template was added or updated |
4 | RemoveProviderConfiguration | A notification server was removed |
5 | RemoveInstanceConfiguration | A notification type was removed |
6 | RemoveTemplateDefinition | A template definition was removed |
7 | Commit | A configuration bean change was committed |
8 | Set | A JMX property value was set via NetWitness Explore view |
ESA
The following table lists the operations logged by the Event Stream Analysis (ESA).
Serial # | Operation Name | Meaning |
---|---|---|
9 | SetSourceRequest | A concentrator was added to or updated in ESA as a source |
10 | RemoveSourceRequest | A concentrator was removed from ESA as a source |
11 | SetEplModule | An EPL module was deployed to or updated in ESA |
12 | RemoveEplModule | An EPL module was removed from ESA |
13 | SetEnrichmentSourceRequest | An ESA enrichment source was added/updated |
14 | RemoveEnrichmentSourceRequest | An ESA enrichment source was removed |
15 | SetDatabaseReference | An enrichment database reference was made to ESA |
16 | UpdateEnrichmentData | Data rows added to an ESA enrichment source |
17 | SetEnrichmentConnection | A connection was made between an EPL module and an enrichment source |
18 | RemoveEnrichmentConnection | A connection between an EPL module and an enrichment source was removed |
19 | DisableTrialModule | ESA Trial rules were disabled |
Investigation
The following table lists the operations logged by Investigations.
Serial # | Operation Name | Meaning |
---|---|---|
1 | VisualizePreferences | Operations related to Informer Visualization Request. |
2 | ParallelCoordinates | Operations related to Loading of Co-Ordinate View Navigation. |
3 | TimeLine | Operations related to Loading of Timeline View Navigation. |
4 | ExteralQuery | Operation when a Direct Query is fired via URL. |
5 | PrintView | Operations to open Investigation in Print View. |
6 | submitExtractFiles | Operation to submit a Request to Extract files from Sessions. |
7 | submitExtractLogs | Operation to submit a Request to Extract Logs from Sessions. |
8 | submitExtractPcap | Operation to submit a Request to Extract Sessions from Sessions. |
9 | DataScienceDrill | Operation to investigate from Data Science Report. |
10 | breadCrumbs | Operation to access the Query Breadcrumbs. |
11 | Create | Operation when a new Investigation Query is being saved as a predicate to be used for URL Integration. |
12 | userPredicates | Operation to access Recent Queries of a user. |
13 | chartDefaultMetas | Operation to access last used Meta for generating Coordinate Chart. |
14 | defaultDevice | Operation to access the Default Investigation Device. |
15 | deleteDefaultDevice | Operation to delete the Default Investigation Device. |
16 | chartPreferences | Operation to edit an Investigation Navigation Chart Parameters such as Height. |
17 | devicePreferences | Operation to save the preferences for the Investigation Device, such as Time Range, Profile, and Meta Groups. |
18 | topValues | Operation to get the Top Values for Metas. Normally called from Top Values Dashlet. |
19 | MetaLanguages | Operation to read the Meta Languages from a Device. |
20 | MetaGroups | Operations related to Investigation Meta Groups. |
21 | DefaultMetaKeys | Operations related to Investigation Default Meta Keys. |
22 | UpdateDefaultMetaKeys | Operations to update Investigation Default Meta Keys. |
23 | UpdateMetaGroup | Operations to update Investigation Meta Groups. |
24 | ApplyMetaGroup | Operations to use Investigation Meta Groups. |
25 | DeactivateMetaGroup | Operations to reset Investigation Meta Groups in UI. |
26 | DeleteMetaGroup | Operations to remove Investigation Meta Group. |
27 | DeleteMetaGroups | Operations to remove multiple Investigation Meta Groups. |
28 | ImportMetaGroups | Operations to import Investigation Meta Groups. |
29 | ExportMetaGroup | Operations to export multiple Investigation Meta Groups. |
30 | GeoMap | Operation to access the Geo Map View of Investigation. |
31 | deleteEndpointCache | Operation to clear Reconstruction Cache of a Device. |
32 | delete | Operation to delete Alert Templates. |
33 | CustomColumnGroup | Operation to apply or read Custom Column Group. |
34 | Import | Operations related to Import of Column Group or Profiles. |
35 | Export | Operations related to Export of Column Group or Profiles. |
36 | SaveProfile | Operation to save an Investigation Profile. |
37 | ApplyProfile | Operation to apply an Investigation Profile. |
38 | DeactivateProfile | Operation to deactivate an Investigation Profile. |
39 | DeleteProfile | Operation to delete an Investigation Profile. |
40 | DeleteProfiles | Operation to delete multiple Investigation Profiles. |
Reporting Engine
The following table lists the operations logged by the Reporting Engine.
Serial # | Operation Name | Meaning |
---|---|---|
1 | TEMPLATE | For all operations related to template |
2 | CHART | For all operations related to chart |
3 | REPORT | For all operations related to report |
4 | RULE | For all operations related to rule |
5 | IMAGE | For all operations related to Logo Images used in Reports. |
6 | LIST | For all operations related to list |
7 | ALERT | For all operations related to alert |
8 | CONFIG | For all operations related to configuration change |
9 | SCHEDULE | For all operations related to schedule |
10 | ROLE | For all operations related to role/authorization |
11 | BATCH_JOB | For all operations related to batch jobs |
12 | SCHEDULER | For all operations related to scheduler |
13 | QUERYPROCESSOR | For all operations related to queryprocessor |
14 | FORMATTER | For all operations related to formatter |
15 | OUTPUTACTION | For all operations related to outputaction |
16 | STATUSMANAGER | For all operations related to statusmanager |
17 | BATCH_RUNDEF | For all operations related to batch rundef |
18 | CHARTGROUP | For all operations related to chart group |
19 | REPORTGROUP | For all operations related to report group |
20 | RULEGROUP | For all operations related to rule group |
21 | LISTGROUP | For all operations related to list group |
22 | DISKSPACE | For all operations related to disk space |
Warehouse Connector
The following table lists the operations logged by the Warehouse Connector.
Serial # | Operation Name | Meaning |
---|---|---|
1 | LockBox Password Create | Operation to create LockBox Password. |
2 | LockBox Password Update | Operation to update LockBox Password. |
3 | LockBox Password Refresh | Operation to refresh LockBox Password. |
4 | Adding Stream | Operation to add a Stream. |
5 | Adding Source | Operation to add a Source. |
6 | Adding Destination | Operation to add a Destination. |
7 | Removing | Operation to remove a Source, Stream, or Destination. |
8 | Changing Password | Operation to change the Password. |
9 | Updating Source | Operation to update a Source. |
10 | Adding Source to Stream | Operation to add a Source to a Stream. |
11 | Deleting Source from Stream | Operation to delete a Source from a Stream. |
12 | Setting Destination to Stream | Operation to set a Destination to a Stream. |
13 | Finalizing Stream | Operation to finalize a Stream and initiate the aggregation. |
14 | Stopping Stream | Operation to stop a Stream. |
15 | Starting Stream | Operation to start a Stream. |
16 | Reloading Stream | Operation to reload a Stream. |
Health & Wellness
The following table lists the operations logged by Health & Wellness.
Serial # | Operation Name | Meaning |
---|---|---|
1 | SavePolicyRequest | Operation while adding or modifying a Policy. |
2 | RemovePolicyRequest | Operation while removing a Policy. |
NetWitness Core Services
The following table lists the operations logged by NetWitness Core Services.
Serial # | Operation Name | Meaning |
---|---|---|
1 | FILE-Command | Operation to list, retrieve and delete files from approved directories on this device. |
2 | SERVICE-Start | Service started |
3 | SERVICE-Stop | Service stopped |
4 | REDIRECT-Syslog | Operation for syslog forwarding. |
5 | ADD-Monitor | Issuing a filesystem monitor operation |
6 | DELETE-Monitor | Issuing a filesystem monitor deletion operation |
7 | SHUTDOWN-Service/shutdown.service | Shutting down appliance service |
8 | REBOOT-Service | Restarting appliance service |
9 | CONFIGURE-Network | Issuing Network Configuration change |
10 | SET-NTP | Issuing NTP set operation |
11 | STOP-NTP | Issuing NTP stop operation |
12 | NTP-Timesync | Issuing NTP time sync operation |
13 | SET-SNMP | Issuing SNMP set |
14 | UPGRADE/upgrade | Issuing upgrade operation |
15 | create.collection | Operation to create an empty collection. |
16 | restore | Issuing restore |
17 | session.aggregation | Issuing aggregation start/stop |
18 | add.device | Adding a device for aggregation |
19 | edit.device | Editing a device used for aggregation |
20 | delete.device | Deleting a device used for aggregation |
21 | capture.start | Starting capture operation |
22 | capture.stop | Stopping capture operation |
23 | select.interface | Selecting capture interface |
24 | export | Operation to export packets or sessions. |
25 | reload | Issuing a parser reload |
26 | schema | Issuing a schema request for loaded parsers |
27 | upload/file.upload | Issuing file upload |
28 | notify | Issuing feed notify |
29 | delete | Issuing file deletion |
30 | edit.config | Configuration change operation |
31 | parsers.transforms | Perform a language key transformation |
32 | data.reset | Data reset operation |
33 | timeout | REST request timeout |
34 | cancel | Cancel a running query |
35 | timeroll | Operation to delete the database files that exceed a given limit. |
36 | dump | Operation to dump information out of the database in nwd formatted files. |
37 | session.wipe | Issuing a session wipe operation |
38 | REPLACE-Rule | Issuing a rule replace operation |
39 | MERGE-Rule | Issuing a rule merge operation |
40 | ERASE-Rule | Issuing deletion of a set of all rules |
41 | ADD-Rule | Issuing a rule addition operation |
42 | DELETE-Rule | Issuing deletion of a set of rules |
43 | sdk.info | Issuing SDK summary info. |
44 | sdk.session | Issuing SDK session info. |
45 | sdk.language | Issuing SDK language |
46 | sdk.aliases | Issuing SDK alias request |
47 | sdk.transform | Issuing SDK transformation request |
48 | sdk.search | Issuing session content search request |
49 | sdk.cache | Operation related to session content cache |
50 | sdk.content | Issuing session content request |
51 | check.authorization | Operation to check user roles for permissions to execute an operation. |
52 | close.connection | Issuing a connection close operation |
53 | handshake | Issuing an SSL handshake |
54 | logon/login | Operation to log in from NetWitness to other services, mostly for privileged users. |
55 | STOREDPROCOP | Issuing file upload cancel/start |
56 | ADD-Task | Added scheduled task |
57 | DELETE-Task | Deleted scheduled task |
58 | logoff | Issuing logout operation |
59 | list.cacerts | Issuing list trusted CA certificate operation |
60 | delete.cacerts | Issuing delete trusted CA certificate operation |
61 | add.cacerts | Issuing addition of trusted CA certificate operation |
62 | restart.command | Issuing restart command line option |
63 | delete.file/file.delete | Operation to delete system configuration files. |
64 | update.file/file.update | Operation to update system configuration file. |
65 | create.file | Issuing file creation operation |
66 | query | Issue a database query |
67 | unlock | Issuing unlock user account operation |
68 | user.add | Operation to create user accounts on individual devices. |
69 | user.delete | Operation to delete a user on individual devices. |
70 | group.create | Operation to add a new group to the system. |
71 | user.remove | Remove a user account from a group |
72 | group.delete | Delete a group from the /users/groups tree |
73 | add.user | Issuing add user command to collection |
74 | delete.user | Issuing delete user command to collection |
75 | remove.user | Removing a user from a collection |
76 | collection.open | Issuing an open command for a collection |
77 | collection.close | Issuing a close command for a collection |
78 | collection.delete | Issuing collection deletion command |
79 | reingest.start | Operation to start reingesting packet data in a collection. |
80 | feed.notify | Issuing a feed notify command |
81 | collect | Issuing a collect command |
82 | collect.start | Issuing a data collection start |
83 | collection.global | Issuing import parser command |
84 | parser.reload | Issuing parser reload command |
85 | reingest | Operation to reingest packet data in collection. |
86 | collection.create | Issuing a create collection command |
87 | collection.restore | Issuing a restore collection command |
88 | collection.clone | Issuing a clone collection command |
89 | parser.reload | Issuing parser reload command |
90 | sdk.query | Performs a query against the meta database |
91 | sdk.msearch | Search for pattern matches in many sessions or packets |
92 | sdk.values | Performs a value count query and returns the matching values for a report |
93 | sdk.timeline | Returns the count of sessions/size/packets in discrete time intervals |
Malware Analysis
The following table lists the operations logged by the Malware Analysis (MA) component.
Serial # | Operation Name | Meaning |
---|---|---|
1 | GetDashBoardSummaryRequest | Get dashboard analysis statistics |
2 | GetFileScoreSummaryRequest | Get aggregated file scores by score type and risk level |
3 | CountEventsAndFilesRequest | Get count of events and files over a time frame |
4 | GetAvVendorDetectionRequest | Get AV vendor analysis results |
5 | GetAVVendorsRequest | Get list of AV Vendors supported |
6 | SetInstalledAVVendorsRequest | Update list of installed AV Vendors in config |
7 | CountEventByCriteriaRequest | Count events by criteria |
8 | FindEventByIdRequest | Get event by id |
9 | FindEventByCriteriaRequest | Get event by criteria |
10 | DeleteEventRequest | Delete event |
11 | CommentOnEventRequest | Add comment to event |
12 | ReSubmitEventRequest | Resubmit event for analysis |
13 | FindEventScoreByIdRequest | Get event score by event id |
14 | FindEventScoreByCriteriaRequest | Get event score by criteria |
15 | FindMetaByIdRequest | Get meta by id |
16 | FindMetaByCriteriaRequest | Get meta by criteria |
17 | FindMetaValueByCriteriaRequest | Get meta value by criteria |
18 | CountByDistinctMetaValueRequest | Count distinct meta values |
19 | CountByMetaNameAndValueWithDateRangeIntervalRequest | Count meta and values with interval for charting |
20 | CountByValueAndAverageOverallScoreRequest | Count meta and map to overall scores for events |
21 | CountByValueAndAverageGroupScoreRequest | Count meta and map to group scores for events |
22 | CountFileEntryByCriteriaRequest | Count files by criteria |
23 | FindFileEntryByIdRequest | Get file by id |
24 | FindFileEntryByCriteriaRequest | Get file by criteria |
25 | ReSubmitFileEntryRequest | Resubmit file for analysis |
26 | FileDownloadRequest | Download file from repository |
27 | FileUploadRequest | Upload file for analysis |
28 | FindFileScoreByIdRequest | Get file score by id |
29 | FindFileScoreByCriteriaRequest | Get file score by criteria |
30 | FindHashValueByIdRequest | Get whitelist/blacklist Hash value by id |
31 | FindHashValueByCriteriaRequest | Get whitelist/blacklist Hash value by criteria |
32 | AddHashValueRequest | Add whitelist/blacklist Hash value |
33 | UpdateHashValueRequest | Update whitelist/blacklist Hash value |
34 | DeleteHashValueRequest | Delete whitelist/blacklist Hash value |
35 | FindHashValueByMd5Request | Find whitelist/blacklist Hash value by md5 |
36 | AddHashValueInFileRequest | Add File to repository as well as hash value |
37 | GetDefaultRulesRequest | Get default IOC Rules configuration |
38 | ResetToDefaultRulesRequest | Reset IOC Rules configuration to default |
39 | GetAllOverrideRulesRequest | Get IOC Rules user created override configuration |
40 | FindOverrideRuleByIdRequest | Find IOC override rule by id |
41 | AddOverrideRuleRequest | Add IOC override rule |
42 | UpdateOverrideRuleRequest | Update IOC override rule |
43 | DeleteOverrideRuleRequest | Delete IOC override rule |
44 | SubmitOnDemandNextGenRequest | Submit new ondemand nextgen scan |
45 | FindOnDemandJobEntryByIdRequest | Get ondemand job entity by id |
46 | FindOnDemandJobEntryByCriteriaRequest | Get ondemand job entity by criteria |
47 | GetOnDemandJobInfoRequest | Get ondemand job reference entity by id |
48 | GetOnDemandDefaultConfigurationRequest | Get ondemand default configuration |
49 | CancelOnDemandJobRequest | Cancel ondemand job in progress |
50 | DeleteOnDemandJobRequest | Delete ondemand job |
51 | ReSubmitOnDemandJobRequest | Resubmit ondemand job |
52 | SubscriptionRequest | Subscribe to MA Cloud communication |
53 | UnSubscribeRequest | Unsubscribe from MA Cloud communication |
54 | GetTopEventInfluencesRequest | Get Top N event influences |
55 | GetServerInfoRequest | Get server info, such as server time |
56 | DataResetRequest | Reset database |
57 | OnDemandJobStatusNotification | Report ondemand job progress to subscribers |
58 | LicenseStatusNotification | Report license status (number of samples analyzed) |
59 | DataResetNotification | Report that data was reset |
60 | GetIocSummaryRequest | Get IOC rules aggregated by event/file scores |
61 | FindAlertTemplatesByCriteriaRequest | Get rabbitmq alert templates by criteria |
62 | SaveAlertTemplateRequest | Update alert template |
63 | DeleteAlertTemplateRequest | Delete alert template |
64 | GetJobStatusRequest | Get in progress job analysis thread status |
65 | GetEventTypeCountSummaryRequest | Get event analysis counts by date chart |
66 | Logon | Logon to the MA Service |
67 | Modified | Modifying config changes |
68 | GetNextGenSummaryRequest | Get nextgen dashboard summary statistics |
NetWitness User Interface
The following table lists the operations logged by the NetWitness User Interface component.
Serial # | Operation Name | Meaning |
---|---|---|
1 | uploadTrialLicense | Upload Trial License |
2 | LicenseEntitle | Entitle License |
3 | LicenseDeactivation | Deactivate License |
4 | ExpiredLicense | License Expired |
5 | LicenseOutOfComplianceAcknowledgement | EULA Acknowledgement |
6 | resetLicense | Reset License |
7 | usageDateExport | License data usage - csv/pdf |
8 | refreshLicense | Refresh LLS license |
9 | LicenseOutOfCompliance | Out of Compliance |
10 | OOTBEntitlementOutOfCompliance | OOTB Trial license Out of Compliance |
11 | OOTBEntitlementFirstLoginTimeModified | OOTB time modified |
12 | OOTBEntitlementFileDeleted | OOTB File deleted |
13 | OOTBEntitlementDataTampering | OOTB data tampering |
14 | uploadOfflineResponse | Upload offline response |
15 | offlineDownloadCapRequest | Download offline request |
16 | movePerpetualToThroughput | Move Appliance license to Throughput |
17 | moveThroughputToPerpetual | Move Throughput to Appliance license |
18 | mapApplianceLicense | Map Service to Real license |
19 | delete | Operation to delete Alert Templates. |
20 | HttpRequest | Operation for Audit Logging of the accessed URL. |
21 | Page Accessed | Operation for Audit Logging of the accessed page. |
22 | Navigate | Operation to navigate to the accessed page. |
23 | Events | Operation to view the accessed event page. |
24 | Recon | Operation for Event Reconstruction requested. |
25 | Services | Operation while reading the list of available devices for investigation. |
26 | Service | Operation for a List of devices requested to be investigated. |
27 | Collections | Operation to view the list of collections requested. |
28 | Profiles | Operation to apply a Profile. |
29 | ColumnGroups | Operation to apply or read Column Group. |
30 | ParallelCoordinates | Operations related to Loading of co-ordinate view navigation. |
31 | Timeline | Operations related to loading of timeline view navigation. |
32 | PrintView | Operations to open investigation in print view. |
33 | Preferences | Operations related to Informer Request. |
34 | import | Operations related to Import of Column Group or Profiles. |
35 | export | Operations related to Export of Column Group or Profiles. |
36 | Predicate | Operations related to Queries (Predicates) used for Investigation. |
37 | Languages | Operation for Language requested from a Device. |
38 | CancelLanguageLoad | Operation for Language Load Canceled from Navigate Page. |
39 | summary | Operation for a summary requested from a Device. |
40 | languages | Operation for a language requested from a device. |
41 | aliases | Operation for meta aliases requested from a device. |
42 | query | Operation for SDK Query requested from a device. |
43 | msearch | Operation for a meta search requested from a device. |
44 | nodeListing | Node Listing for a node requested from a Device. |
45 | content | SDK Content call requested from a Device for downloading a PCAP or Log. |
46 | Export Files | File Listing Requested for a Session in File View or Extraction jobs. |
47 | packets | Packets requested for sessions in Packet View or Extraction Jobs. |
48 | deleteEndpointCache | Operation to clear reconstruction cache of a device. |
49 | Logon | Operation for user to sign in to NetWitness User Interface. |
50 | Logoff | Operation for user to sign out of NetWitness User Interface. |
51 | defaultDevice | Operation to access the Default SA UI Device. |
52 | deleteDefaultDevice | Operation to delete the Default investigation device. |
53 | submitExtractFiles | Operation to submit a request to Extract files from Sessions. |
54 | submitExtractLogs | Operation to submit a Request to Extract Logs from Sessions. |
55 | submitExtractPcap | Operation to submit a Request to Extract Sessions from Sessions. |
56 | MetaGroup | Operations related to SA UI Meta Groups. |
57 | ExternalQuery | Operation when a Direct Query is fired via URL. |
58 | GeoMap | Operation to access the Geo Map View of Investigation. |
59 | SaveProfile | Operation to save an Investigation Profile. |
60 | ApplyProfile | Operation to apply an Investigation Profile. |
61 | DeleteProfile | Operation to delete an Investigation Profile. |
62 | DeactivateProfile | Operation to deactivate an Investigation Profile. |
63 | VisualizePreferences | Operations related to Informer Visualization Request. |
64 | ExportMetaGroup | Operations to export multiple SA UI Meta Groups. |
65 | userPredicates | Operation to access Recent Queries of a user. |
66 | FileView | Operation for reconstruction request for File View. |
67 | resource.update | Operation when Live Subscription State changes. |
Respond
The following table lists the operations logged by the Respond component.
Serial # | Operation Name | Meaning |
---|---|---|
1 | update | Update notification setting |
2 | update | Update integration settings configuration |
3 | delete | Delete Alerts |
4 | create | Create new incident |
5 | update | Update incident details |
6 | read | Read incident details |
7 | delete | Delete incidents |
8 | read | Read remediation tasks |
9 | delete | Delete Remediation tasks |
10 | update | Update remediation tasks |
11 | create | Create new rule |
12 | update | Update existing alert rule |
13 | reorder | Reorder priority of alert rules |
Investigate Server
The following table lists the operations logged by the Investigate Server.
Serial # | Operation Name | Meaning |
---|---|---|
1 | Aliases | Fetch aliases |
2 | BackgroundJob | Category for all background job operations |
3 | ColumnGroup | Category for all column group operations |
4 | Count-query | Default Investigate |
5 | Countdistict-query | Default Investigate |
6 | Content | Default Session Content |
7 | Create | User entity |
8 | Create | User preferences |
9 | Create | Predicate |
10 | Delete | User preferences |
11 | Delete | Predicate |
12 | Extract-content | Extract Content from Session |
13 | Folders | Category for all folder operations |
14 | Files | SDK content request |
15 | InvestigateExport | Category for extraction invocation |
16 | Key-refs | Fetch meta keys |
17 | Languages | SDK language call |
18 | MetaGroup | Category for all meta group operations |
19 | Metakey | Category for all metakey operations |
20 | MailReconstruction | Category for all mail reconstruction operations |
21 | ParsingRequest | Category for all request parsing operations |
22 | PacketReconstruction | Category for all packet reconstruction operations |
23 | Predicate InvestigateIncidents | Category for all predicate operations |
24 | Query | SDK query |
25 | Reconstruction | Category for common shared reconstruction operations |
26 | ReconstructionCache | Category for reconstruction caching operations |
27 | ReconstructionStreaming | Category for reconstruction streaming operations |
28 | ReconstructDataSecurity | Category for reconstruction security operations (data-scrubbing) |
29 | Session-Meta | SDK query to get session meta |
30 | Summary | SDK summary |
31 | Search-meta-value | Search meta-value based on field name |
32 | TextReconstruction | Category for all text reconstruction operations |
33 | Timeline | Timeline request |
34 | UserPreferences | Category for all user preferences operations |
35 | Update | User entity |
36 | Update | User preferences |
37 | Update | Profile group |
38 | Update | Predicate |
39 | Values | SDK values |
40 | Validate-query | Validate SDK query |
Security Server
The following table lists the events logged by the Security Server.
Log Category | Description |
---|---|
Create | Add record for a role with new ID. |
Create | Add user record with new ID. |
Update | Update the user account with a new ID. |
Authentication | Logs events pertaining to user logins and logouts. |
Authorization | Logs events pertaining to user access checks and RBAC management. |
UserAccount | Logs events pertaining to NetWitness domain account management. |
ExternalProvider | Tracks events pertaining to external account providers (for example, Active Directory). |
The following example shows an event logged by the Security Server:
2018-03-13 16:25:02,938 UserAccount{action=ExpirePassword, success=true, identity=admin, parameters={id=Justin}}
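A parser for this `Category{key=value, ..., parameters={...}}` layout, with triage rules keyed to the Security Server categories in the table above (failed logins, account and RBAC changes, lines that do not parse). This is an added example and not part of the NetWitness documentation; only the first sample line is taken from the page, and the action names Login and AssignRole, the other sample lines and the triage rules are constructed for illustration.

```python
"""Parse and triage NetWitness Security Server audit events (added example, not
part of the NetWitness documentation). Layout, per the documented sample:
<date> <time,ms> <Category>{key=value, ..., parameters={k=v, ...}}"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample log: line 1 is the documented example, the rest (including
# the action names Login and AssignRole) are made up for this example.
SAMPLE_LOG = """\
2018-03-13 16:25:02,938 UserAccount{action=ExpirePassword, success=true, identity=admin, parameters={id=Justin}}
2018-03-13 16:26:10,001 Authentication{action=Login, success=false, identity=jdoe, parameters={source=10.0.0.5}}
2018-03-13 16:26:12,417 Authentication{action=Login, success=true, identity=jdoe, parameters={source=10.0.0.5}}
2018-03-13 16:30:45,120 Authorization{action=AssignRole, success=true, identity=admin, parameters={id=jdoe, role=Administrators}}
2018-03-13 16:31:00,000 Malformed line without the documented braces
"""

# Timestamp, then the log category immediately followed by a brace-delimited body.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<category>\w+)\{(?P<body>.*)\}$"
)
# Security Server categories (from the table above) that change identities or access.
ACCOUNT_CATEGORIES = {"UserAccount", "Authorization", "ExternalProvider"}


@dataclass
class AuditEvent:
    timestamp: str
    category: str
    action: str
    success: bool
    identity: str                # who performed the action
    parameters: Dict[str, str]   # nested parameters={...}, e.g. the target account id


def _split_top_level(body: str) -> List[str]:
    """Split on commas that are not inside a nested {...} block."""
    parts, depth, cur = [], 0, []
    for ch in body:
        depth += {"{": 1, "}": -1}.get(ch, 0)
        if ch == "," and depth == 0:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if cur:
        parts.append("".join(cur).strip())
    return parts


def _parse_kv(items: List[str]) -> Dict:
    """Turn ['k=v', 'parameters={a=b}'] into a dict, recursing into braces."""
    out: Dict = {}
    for item in items:
        key, _, value = item.partition("=")
        key, value = key.strip(), value.strip()
        if value.startswith("{") and value.endswith("}"):
            value = _parse_kv(_split_top_level(value[1:-1]))
        out[key] = value
    return out


def parse_event(line: str) -> Optional[AuditEvent]:
    """Parse one audit line; return None when it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = _parse_kv(_split_top_level(m["body"]))
    params = fields.get("parameters", {})
    return AuditEvent(m["ts"], m["category"], str(fields.get("action", "")),
                      str(fields.get("success", "")).lower() == "true",
                      str(fields.get("identity", "")), params if isinstance(params, dict) else {})


def review(log_text: str) -> List[Tuple[str, str, str, str]]:
    """Return (reason, actor, action, target) for failed logins, account/RBAC
    changes, and lines the parser rejects (which deserve a look of their own)."""
    findings = []
    for raw in filter(str.strip, log_text.splitlines()):
        ev = parse_event(raw)
        if ev is None:
            findings.append(("unparsed", "", "", raw))
        elif ev.category == "Authentication" and not ev.success:
            findings.append(("failed-login", ev.identity, ev.action, ev.parameters.get("source", "")))
        elif ev.category in ACCOUNT_CATEGORIES:
            findings.append(("account-or-rbac-change", ev.identity, ev.action, ev.parameters.get("id", "")))
    return findings
```

Running `review(SAMPLE_LOG)` yields one finding per line except the successful login; the unparsed line is reported rather than dropped so that template or transport changes in the syslog feed are noticed.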
Admin Server
The following table lists the events logged by the Admin Server.
Log Category | Description |
---|---|
Restore | System operation to restore a data springboard. |
Config Server
The following table lists the events logged by the Config Server.
Log Category | Description |
---|---|
newregistration | Record the registration to the config server that manages the collection storage. |
Context Hub Server
The following table lists the events logged by the Context Hub Server.
Log Category | Description |
---|---|
verifyconnection | System operation to check if the connection is live. |
addconnection | Create new connection to access data. |