Legacy Event Reconstruction View

The Event Reconstruction view is deprecated in favor of the Events view. The Legacy Events view provides a reconstruction of a selected event from the Legacy Events view. By default, NetWitness displays the best reconstruction for the event determined by the event content, or the default reconstruction that you have selected in the Default Session View setting for Investigate. You can use the options in the Event Reconstruction toolbar to change the reconstruction method, view top-to-bottom or side-by-side results, select request and response views, export an event, export meta values, extract files, open an email attachment, and open the event in a new tab.

To access this view, do one of the following:

  • In any Legacy Events view, double-click an event.
  • In the Legacy Events view with Detail View selected, right-click Events at the end of the event, and select Event Reconstruction.
  • In the Event Reconstruction toolbar of previewed reconstruction, click Open Event in New Tab.
  • In the Navigate view, select Actions > Go to event in Event Reconstruction, and enter an event ID.

What do you want to do?

User Role I want to ... Show me how

Incident Responder or Threat Hunter

review detections and signals seen in my environment

NetWitness Platform Getting Started Guide

Incident Responder

review critical incidents or alerts

NetWitness Respond User Guide

Threat Hunter query a service, metadata, and time range

Begin an Investigation in the Events View

Begin an Investigation in the Navigate or Legacy Events View

Threat Hunter

view metadata

Filter Results in the Navigate View

Drill into Metadata in the Events View

Threat Hunter

view sequential events*

Filter Results in the Events View

Filter Results in the Legacy Events View

Threat Hunter

reconstruct and analyze an event*

Examine Event Details in the Events View

Reconstruct an Event in the Legacy Events View

Threat Hunter examine files and associated hosts*

Download Data in the Events View

Export or Print a Drill Point in the Navigate View

Export Events in the Legacy Events View

Threat Hunter perform lookups

Look Up Additional Context for Results

Launch a Lookup of a Meta Key

Threat Hunter create an incident or add to an incident*

Add Events to an Incident in the Legacy Events View

Add Events to an Incident in the Events View

Threat Hunter

add a meta value to a Context Hub list

Look Up Additional Context for Results

*You can perform this task in the current view.

Related Topics

Quick Look

This figure is an example of the Event Reconstruction view. The following table describes the toolbar options.

netwitness_evrecon_700x442.png

Feature Description
Request & Response

Displays a drop-down menu for selecting whether the view displays:

  • Request & Response
  • Request
  • Response
Organization

Displays a drop-down menu for selecting whether the information is displayed top to bottom or side by side.

Reconstruction View

Displays a drop-down menu for selecting what information is displayed. By default, Best Reconstruction is selected. Other options are:

  • View Meta
  • View Text
  • View Hex
  • View Packets
  • View Web
  • View Mail
  • View Files
Actions

Displays a drop-down menu with the actions available in the Event Reconstruction view (Export PCAP, Extract Files, and Export Meta).

Open Event in New Tab

Opens the event in a new browser tab.

Event Analysis

Open the event in the Event Analysis view.

Beneath the toolbar is a list of meta keys and values. Some of the keys offer a drop-down menu with available actions.

The bar at the bottom of the view offers several options.

Feature Description
netwitness_arrowleft.png

Displays the previous event.

netwitness_arrowright.png

Displays the next event.

Show Reconstruction Log

Displays the reconstruction log at the bottom of the view. Once you click this button, it changes to Hide Reconstruction Log.