Settings Dialogs for Investigate Views

NetWitness Version 11.0 has two settings dialogs, one for the Navigate view and one for the Legacy Events view. With the addition of the settings dialog for the Events view in Version 11.1, Investigate has three settings dialogs.

The settings in these dialogs are a subset of the Investigation settings made in the Profiles > Preferences panel > Investigation. Analysts can save time by editing these settings within the Investigate view. If you change a setting here, the same setting is changed in the Profiles view, and if you change a setting in the Profiles view, the same setting is changed here.

To access the Navigate view or Legacy Events view dialog, go to that view and select the Settings option in the toolbar.

The settings in the Events view have no corresponding settings in the Profiles > Preferences panel.

Quick Look

This is a quick look at the settings dialog for the Navigate view, Legacy Events view, and Events view.

Navigate View Settings Dialog

The following figure illustrates the Navigate view Settings dialog. The settings that influence performance when loading values in the Values panel have default values based on common usage, and individual analysts can adjust these settings for their own investigations. The following table describes the features.
[Figure: Navigate view Settings dialog (netwitness_navvwsettings.png)]

Threshold

Sets the threshold for the maximum number of sessions loaded for a meta key value in the Values panel. A higher threshold gives more accurate counts for a value but causes longer load times. The default value is 100000.

Max Values Results

Sets the maximum number of values to load in the Navigate view when the Max Results option is selected in the Meta Key menu for an open meta key. The default value is 1000.

Max Session Export

Sets the maximum number of sessions that can be exported. The default value is 100000.

Export Log Format

Sets the file format of exported logs. There are four formats available:

  • Text: Raw log format.
  • SML: Structured Markup Language format.
  • CSV: Comma-separated values (CSV) format.
  • JSON: The JavaScript Object Notation (JSON) format.

Export Meta Format

Sets the file format of exported meta values. There are four formats available:

  • Text: Raw log format.
  • SML: Structured Markup Language format.
  • CSV: Comma-separated values (CSV) format.
  • JSON: The JavaScript Object Notation (JSON) format.

Note: If you upgrade to version 11.5.2, the Export Meta Format preference is not retained and is reset to blank. You must re-configure this value after you upgrade to version 11.5.2.

Use Per Device Local Cache

When the checkbox is cleared, Investigate sends a fresh query to the database rather than displaying cached data in the Investigate views after the initial load. When the checkbox is selected, Investigate uses the data from the local cache. Clear the checkbox when you need the current state of the database, for example while new data is still being collected for an active incident.

Show Debug Information

Controls the display of the where clause beneath the breadcrumb in the Navigate view and of the elapsed load time for each aggregated service on a Broker. When the checkbox is selected, the debug information is displayed. The default value is Off (checkbox cleared).

Autoload Values

Controls automatic loading of values for the selected service in the Navigate view. When the checkbox is selected, values load automatically when you select a service to investigate. When the checkbox is cleared, Investigate displays a Load Values button, giving you the opportunity to modify options before loading. The default value is Off (checkbox cleared).

Download Completed PCAPs

Automates the downloading of extracted PCAPs in Investigate so that you do not have to manually download extracted PCAP files before opening them in an application that can view PCAP data, such as Wireshark. When the checkbox is selected, the option is enabled. The default setting is disabled (checkbox cleared).

Live Connect: Highlight Risky IPs

When the checkbox is cleared, all meta values that have context available in Live Connect are highlighted in the Navigate view Values panel. When the checkbox is selected, among the values that have context in Live Connect, only those deemed Risky, Suspicious, or Unsafe by the community are highlighted. By default this option is disabled (checkbox cleared).

Apply

Applies the settings immediately; they take effect the next time you load values. The same changes are also applied in the Profiles view.

Cancel

Cancels the editing operation and closes the dialog, leaving the settings unchanged.

Legacy Events View Settings Dialog

The following figure is an example of the Settings dialog for the Legacy Events view, and the table describes the features.

[Figure: Legacy Events view Settings dialog (netwitness_evvwsettings.png)]

Export Log Format

Sets the file format of exported logs. There are four formats available:

  • Text: Raw log format.
  • SML: Structured Markup Language format.
  • CSV: Comma-separated values (CSV) format.
  • JSON: The JavaScript Object Notation (JSON) format.

Export Meta Format

Sets the file format of exported meta values. There are four formats available:

  • Text: Raw log format.
  • SML: Structured Markup Language format.
  • CSV: Comma-separated values (CSV) format.
  • JSON: The JavaScript Object Notation (JSON) format.

Download Completed PCAPs

Automates the downloading of extracted PCAPs in Investigate so that you do not have to manually download extracted PCAP files before opening them in an application that can view PCAP data, such as Wireshark.

Live Connect: Highlight Risky IPs

When the checkbox is selected, Investigate applies a filter that fetches only the IP addresses considered risky by the RSA community. When the checkbox is cleared, NetWitness displays all IP addresses. By default, this option is disabled (checkbox cleared).

Optimize Investigation page loads

Sets a paging option. When optimized, results are returned as quickly as possible, at the cost of the ability to go to a specific page in the event list. Clearing this checkbox changes the Events list pagination so that you can go to a specific page in the list (or to the last page). The default value is enabled (checkbox selected).

Append Events in Event Panel

Affects paging in the Legacy Events panel; in prior releases this option was located in the Navigate view settings dialog. When the checkbox is selected, the next group of events is appended to the events already displayed. When cleared, the previous page of events is replaced by the next page. The default value is Off (checkbox cleared).

Default Session View

Selects the default reconstruction type for the initial reconstruction in the Legacy Events view. The default value is Best Reconstruction, in which each event is reconstructed using the method most appropriate to that event.

Enable CSS Reconstruction for Web View

Controls how web content reconstruction is performed. When enabled, the web reconstruction includes cascading style sheet (CSS) styles and images so that its appearance matches the original view in a web browser. This includes scanning and reconstructing related events and searching for the style sheets and images used in the target event. The option is enabled by default. Clear the checkbox to disable this option if there are problems viewing specific websites.

Apply

Applies the settings immediately; they take effect the next time you view events. The same changes are also applied in the Profiles view.

Cancel

Cancels the editing operation and closes the dialog, leaving the settings unchanged.

Events View Preferences Dialog

Beginning with Version 11.1, the Events view has user preferences that you can configure in the Events view > Event Preferences dialog. These settings persist so that they are applied each time you log in and go to the Events view. The following figures are examples of the dialog for Version 11.3 and Version 11.6. The table below describes the options.

[Figure: Events view Event Preferences dialog (netwitness_event_preferences_referencetopic_405x596.png)]

Default Events View

Selects the default event analysis panel that is displayed every time you open the Events view. For example, if you select File, the File Analysis panel is highlighted and displayed every time you investigate an event in the Events view. The options are:

  • Text: View and analyze the raw text payload of an event.
  • Packet: View and interactively analyze the packets and payload of an event.
  • File: View a list of files and download one or more files in an event.

Default Log Format

Selects the default format for downloading logs:

  • Download Log or Download Text: Raw log (log) format.
  • Download CSV: Comma-separated values (CSV) format.
  • Download XML: The Extensible Markup Language (XML) format.
  • Download JSON: The JavaScript Object Notation (JSON) format.

Default Packet Format or Default Network Format

Selects the default format for downloading packets:

  • Download PCAP: Download the entire event as a packet capture (*.pcap) file.
  • Download All Payloads or Download Payloads: Download the payload as a *.payload file.
  • Download Request Payload: Download the request payload as a *.payload1 file.
  • Download Response Payload: Download the response payload as a *.payload2 file.

Default Meta Format

Selects the default format for downloading metadata:

  • Download CSV: Comma-separated values (CSV) format.
  • Download JSON: The JavaScript Object Notation (JSON) format.
  • Download Text: Plain text format.
  • Download TSV: Tab-separated values (TSV) format.
Time Format for Query

The Events view can display results based on the database time or the current clock time.

Note: (Version 11.6) Current Time is the default for relative time range settings. In previous versions, Database Time was the default. This can cause a time range mismatch between the Events view (which defaults to Current Time) and the Navigate view (which defaults to Database Time). This change does not affect existing users; it applies only to new users.

When Database Time is selected, the start and end time for a query are based on the time that the events were captured (collection time).

When Current Time (labeled Wall Clock Time in Version 11.3 and earlier) is selected, the query's end time is the current browser time, and the start time is calculated from that end time and the selected time range.
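The difference between the two settings, as an added illustration that is not NetWitness code: a small Python model of how the query window is derived under Current Time versus Database Time, run over constructed collection times. It assumes that Database Time anchors the end of the window to the newest collection time the service holds, which the page does not state explicitly; the sample times, the browser clock, and the mismatch helper are this example's own.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (not from NetWitness): collection times of events
# held by a Core service, and the analyst's browser clock. The newest event
# is 20 minutes older than the browser clock, as happens when collection lags.
UTC = timezone.utc
COLLECTION_TIMES = [
    datetime(2024, 3, 1, 9, 5, tzinfo=UTC),
    datetime(2024, 3, 1, 9, 50, tzinfo=UTC),
    datetime(2024, 3, 1, 10, 10, tzinfo=UTC),
    datetime(2024, 3, 1, 10, 40, tzinfo=UTC),
]
BROWSER_NOW = datetime(2024, 3, 1, 11, 0, tzinfo=UTC)

# Relative ranges as an analyst would pick them in the query bar.
LAST_15_MIN = timedelta(minutes=15)
LAST_1_HOUR = timedelta(hours=1)


def query_window(time_range, mode, now=BROWSER_NOW, collection_times=COLLECTION_TIMES):
    """Return the (start, end) window for a relative time range.

    "current":  end is the browser clock; start = end - time_range
                (Current Time, called Wall Clock Time in 11.3 and earlier).
    "database": end is anchored to collection time. Assumption made for this
                example: the anchor is the newest collection time the service
                holds; the page only says the window is based on collection time.
    """
    if mode == "current":
        end = now
    elif mode == "database":
        end = max(collection_times)
    else:
        raise ValueError(f"unknown time format mode: {mode!r}")
    return end - time_range, end


def events_in_window(time_range, mode, now=BROWSER_NOW, collection_times=COLLECTION_TIMES):
    """Collection times that fall inside the window for the given mode."""
    start, end = query_window(time_range, mode, now, collection_times)
    return [t for t in collection_times if start <= t <= end]


def mismatch(time_range, now=BROWSER_NOW, collection_times=COLLECTION_TIMES):
    """Events returned under one setting but not the other for the same
    relative range. A non-empty result is the mismatch an analyst sees when
    the Events view and the Navigate view use different time format defaults."""
    current = set(events_in_window(time_range, "current", now, collection_times))
    database = set(events_in_window(time_range, "database", now, collection_times))
    return {
        "only_database_time": sorted(database - current),
        "only_current_time": sorted(current - database),
    }


if __name__ == "__main__":
    for label, rng in (("last 15 minutes", LAST_15_MIN), ("last 1 hour", LAST_1_HOUR)):
        for mode in ("current", "database"):
            start, end = query_window(rng, mode)
            hits = events_in_window(rng, mode)
            print(f"{label:16} {mode:8} {start:%H:%M}-{end:%H:%M} -> {len(hits)} event(s)")
        print(f"{label:16} mismatch: {mismatch(rng)}")
```

With the sample above, "last 15 minutes" under Current Time returns nothing, because the browser clock has moved past the newest collected event, while the same range under Database Time returns the 10:40 event; "last 1 hour" returns three events under Database Time but only two under Current Time. This is the practical reason to check which time format a view is using before concluding that a query found no matching events.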

Event Sort Order (Version 11.4 and Later)

Sets the sort sequence, by collection time, for the events listed in the Events panel. If the results exceed the events limit, not all events can be loaded; the portion that is loaded matches the sort order preference: the oldest events are loaded when Ascending is selected, and the newest events are loaded when Descending is selected. A change to this setting takes effect the next time you submit a query.

Unsorted: The default sorting method in Version 11.4.1. Lists events in the order in which the Core services process them. Unsorted is faster because events stream back as soon as a match is found, rather than waiting for all Core services to respond before displaying them in the chosen order.

Ascending: The default sorting method in Version 11.4. Puts the events with the earliest collection time first in the list.

Descending: Puts the events with the latest collection time first in the list. When investigating logs, you may want to use this order so that the most recent events appear first and are the ones retained if the events limit is reached.

Download Extracted Files Automatically

Enables the automatic download of extracted files when they are in the format selected in the Default Log Format and Default Packet Format fields of the Event Preferences dialog.

Select the checkbox to download the selected format automatically to the local file system. Otherwise, the download job goes to the job queue, and you can download it manually.

Update Time Window Automatically

(Version 11.3 and later) Enables automatic update of the time range window in the query bar each time the service is polled (at one-minute intervals), so that the query can return fresh results. The default setting is disabled.

When the checkbox is selected, the Submit Query button is activated each time the time range is updated, so you can click it to get the fresh results.

When the checkbox is cleared, the automatic update is disabled, keeping the time range window in the breadcrumb synchronized with the current results.