Reconstructing and Analyzing Events
Having refined events in the Navigate view or in the Events list as described in Refining the Results Set, your next step is to learn more about the events by reconstructing them, looking at attachments, and viewing additional context in third-party lookups or internal lookups.
Reconstructions are done in the Events view or the Legacy Events view. If you are starting from the Navigate view, you need to go to the Events view or the Legacy Events view to see a reconstruction.
Note: The Legacy Events view is disabled by default. The administrator can enable the view as described in "Configure Investigation Settings" in the System Configuration Guide.
To display events in the Events view, do one of the following:
- Go to Investigate > Events.
- Go to Investigate > Navigate (Version 11.5 and earlier) and right-click the meta count for a meta value (the meta count is in green text). When the context menu is displayed, select Open Events in new tab.
The Events view opens with a list of events for the selected meta value.
For detailed information about the types of reconstruction and analysis that you can use in this view, see Examine Event Details in the Events View.
To display an event in the Legacy Events view, do one of the following:
- To open the Legacy Events view using the default query for the default service, go to Investigate > Legacy Events. (This option is available only if the administrator has enabled the view.)
- To view events for a specific meta value in the Legacy Events view, go to Investigate > Navigate and when events are loaded in the Values panel, click a meta count (the meta count is in green text). You can also right-click the meta count for a meta value. When the context menu is displayed, click Open Legacy Events in new tab.
The Legacy Events view displays the events for the selected meta value. The Legacy Events view provides three built-in presentations of event data: the Detail view, the List view, and the Log view. This figure is an example of the Detail view. You can use queries, the time range setting, and profiles to filter the events listed in the Legacy Events view. You can extract files, export events, export logs, and open the Event Reconstruction panel by double-clicking an event. See Downloading and Acting Upon Results for detailed information about these capabilities.
NetWitness runs a default query on the last three hours for the default service (if one is set) or displays a dialog in which you can select a service and then runs the default query. The default query selects all events and the Events view displays events on the selected service, with the oldest events first.
- To view a reconstruction of the first event in the list, double-click the event.
The reconstruction opens in a pop-up window in front of the Events list.