Use Columns and Column Groups in the Events List
When the events list in Investigate is populated with events, each column lists the values returned for a meta key. Changing the meta keys displayed in the events list is a useful method of narrowing the focus of your investigation. For example, compare these two figures showing the same set of events with different columns. The first figure has five columns, Collection Time, Type, Theme, Size, and Summary. These are just the basic information, not specialized in any way. The second figure has many more columns that contain information useful when investigating email; you can scroll to the right to see the additional columns.
You can adjust the events list as you work, selecting different columns to be displayed, rearranging the order of the columns, changing the width of the columns, and choosing a column by which the list is sorted. Manual adjustments are easy to make if you know which meta keys are relevant. Manual adjustments apply only to the current session in Version 11.5; in Version 11.5.1, the column width is an exception. When you adjust the column width, it is preserved as a personal preference and is applied every time the column is used in the Events list, overriding any default column width.
In version 11.6, you can select additional columns with data for the meta keys that you are viewing. This will enable you to obtain all the relevant meta key information from the Filter Events panel however the recommendations can change based on the selected meta groups. The following figure displays the additional meta key information under the Recommended Meta Keys section.
To improve your ability to see relevant meta keys quickly when looking at events in the Legacy Events view and the Events view, you can change the set of meta keys displayed by applying a column group. A column group defines the meta keys or meta entities that are displayed as columns, the position of the column in the Events list, and the default width of the column. A column group must have at least one column. Column groups are useful in themselves, and they become even more useful when you combine them with meta groups and preQueries to define query profiles (see Use Query Profiles to Encapsulate Common Areas for Investigation).
The same column groups are shared between the Legacy Events view and the Events view. When importing a column group, the imported group is limited to the available meta keys for the service being investigated. Private column groups created in the Events view are not available in the Legacy Events view or for use in Query Profiles in the Navigate view.
Note: In the Navigate view and Legacy Events view, you can manually add non-indexed meta keys (or keys that are not in the index at all) to a meta group or column group. The non-indexed meta keys are fully available (manageable and displayable) in the Navigate view and Legacy Events view, but only partially (displayable in the Filter Events panel) in the Events view. The Events view Filter Events panel can display data for non-indexed meta keys that are already included in a meta group, but you cannot add non-indexed meta keys while you are editing a meta group. The non-indexed meta keys in a column group do not display data in a column and new non-indexed meta keys cannot be added to a column group in Events view.
Large column groups can have a performance impact when loading data because the values for each meta key are loaded in the events list. To minimize impact on performance, the Events view has a fixed limit on the number of meta keys in a column group. The maximum number of meta keys in a column group is 40. (Because several default meta keys are included you may see a few more than 40 displayed on the screen.) Meta keys that are not in the selected column group are not loaded in the events list. By default we load all columns in the group, but only 15 are displayed by default.
The Legacy Events view does not have a limit on the number of meta keys in a column group, and may have more than 40 meta keys in a column group. If you apply a column group with more than 40 meta keys that was created in the Legacy Events view, all columns are loaded in the Events view. If you copy a group with more than 40 columns, you must remove the excess columns when you edit the column group.
Note: All existing column groups, both built-in and custom, are available in the 11.4 Events view. The complete column group management functionality is available in the Legacy Events view, and all functionality except cloning, importing, and exporting column groups is available in the 11.4 Events view. In Version 11.5, cloning is also available in the Events view, but importing and exporting are not.
In 11.6.1, the Investigate > Events Preferences view has been added to make optimum use of the space to enable analysts to view maximum details related to the events they are analyzing.
Additionally, an analyst can now view the time line details of an event by clicking the icon. When clicked the time line that displays the date and time range s displayed as shown in the image.
The Investigate > Events reconstruction panel has been modified to display an overlay that will contain an Overview tab and a Meta panel tab that can be expanded or collapsed. This will enable the analyst to view the headers and meta panel of the events optimally. The analysts can also toggle Hide Duplicate Events option and view only the relevant details of a selected event.
When an analyst navigates to this page the following view will be displayed.
The analyst can use the toggle button ( ) to view the details related to the selected event.
The binocular icon is enabled only if an event payload is open for a search related to a selected event.
The Overview Tab displays all the headers related to a specific event and the Event Metadata Panel displays all the metadata related to the selected event.
In 11.7, when you open the meta panel to view the selected event details, all the available headers will be displayed. The meta panel contains Expand buttons ( ). When you click on an event, the meta panel is displayed. In case, there are no additional headers to display, an error related to the header error is displayed.
The analyst can use the expand option to broaden the meta panels in three different views. When the outward facing arrow is clicked, it expands all the details displayed under the Overview and Event Metadata panel are displayed.
When clicked one more time, you can get an expanded view.
The analyst can revert the screen display by clicking the icon with the inward facing arrow , so that the window reverts to the earlier position. This helps the analyst to view the details of each event in an optimum manner.
The analysts can search for related sessions for a specific event as part of an investigation. The search for related sessions can be performed by navigating to the Investigate > Events page. You can click the icon and select either Find Related Sessions or Find Related Sessions in New Tab option from the drop-down.
When you select the Find Related Sessions option, all the events that are matched by selected event's query will be displayed in the current window. And if you select the Find Related Sessions in New Tab option the results are displayed in a new tab. The analyst can further investigate on each of the related session.
The query is based on the information displayed in the hover over text of an event. For example, in the below image the event has two split sessions where one event is split into one another session.
So, in this case when a search is done on these parameters, the related session for the following query is displayed.
The results are displayed in the following format:
An analyst can view the last five time-ranges that were used recently, as the selection will be saved and displayed under the Recent Time Ranges section. The selection is saved separately for a user per service. For example, for Concentrator service, if you select Last 30 Days as the time-range, this will create an entry under the Recent Time Ranges section for Concentrator and when you select the same service in the next session, then the time range will be shown as below:
Now, if you select Concentrator service and if you have not viewed the details of the Concentrator recently, then the time range drop-down will not display any details as shown below:
Built-In Column Groups
The NetWitness Platform has built-in column groups that include useful meta keys for specific types of investigation. The built-in groups cannot be edited or deleted, but you can create a copy of the group and edit the copy. The column groups are listed in alphabetical order in the Column Group menu in a way that makes built-in groups distinguishable from custom groups that you imported or created.
In the Legacy Events view, "RSA" precedes the name of built-in column groups. In the Events view (Version 11.4 and later), RSA precedes the name and the group is marked by the lock symbol (). This is an example of a selected built-in column group in the Column Groups menu. The information icon is displayed at the end of the row.
Live Column Groups
In 11.6 and later, NetWitness Platform supports deploying the investigate content from live and are marked by the live symbol () . The column groups are categorized as RSA Groups (RSA Live content and RSA OOTB Groups), and Shared Groups. The groups are displayed as non-editable folders and sub-folders except for Shared Groups that can be edited. All private content is displayed outside these groups. For example, the below image shows private content below the Shared Groups folder. The number inside () depicts the number of contents inside a folder and > symbol helps you to drill down inside the folder.
The column group can be copied by clicking the copy icon (). After copying, the copied column group is displayed under the selected location (Private folders or Shared groups). You can hover over on the cloned item to view a tool tip that displays the path from which the column group is cloned. In case you need to search for a specific column group, you can type the name of the column group in the filter field () at the folder level.
These are the built-in column groups.
- RSA Email Analysis: Includes meta keys that are useful when investigating email-related metadata.
- RSA Endpoint Analysis: Includes meta keys that are useful when investigating endpoint-related metadata.
- RSA Malware Analysis: Includes meta keys that are useful when investigation potential malware.
- RSA HTTP: Includes meta keys that are useful when investigating HTTP related metadata.
- RSA SSL/TLS: Includes meta keys that are useful when investigating SSL/TTS analysis related metadata.
- RSA Threat Analysis: Includes meta keys that mark potential threats in the data set.
- RSA User and Entity Behavior Analysis: Includes meta keys that are useful when investigating UEBA data.
- RSA Web Analysis: Includes meta keys that mark anomalies in web traffic.
- Summary List: Includes meta keys that are useful in a general investigation. This is the default column group.
Custom Column Groups
You can create custom column groups to support scenarios that you use frequently while working in Investigate. When an administrator adds custom meta groups manually by editing the custom index file for a service, the new meta groups become available to use in column groups after the service is restarted.
Custom column groups are shared globally within your organization in Version 11.4. If you edit a shared custom column group, your changes are applied globally. If you delete a shared custom column group, the group is deleted and no longer available for all analysts. In Version 11.5 and later, you can create shared column groups as before, and can also create private column groups. When you create a group in Version 11.5, you can choose to share it or you can keep it private (default); you cannot change a shared group to private or a private group to shared.
Note: Private column groups created in the Events view are not visible or usable in the Legacy Events view.
Icons identify the group type in the Column Group menu. These are examples of each type of custom column group with the edit icon displayed at the end of the row.
Filtering Folders
In case there are many folders, you can type the folder name and filter for a specific folder. The filtering is applicable to the current level folders and will not display folders available within a sub-folder. To search content within a sub-folder you need to navigate to the specific folder and filter.
Also, when you select a specific folder, the content of the selected folder is displayed and the filter field becomes empty and when you navigate back the last selected folder is displayed. In the following example, the folder selected is RSA Groups with the its content and the column group drop-down displays the filtered Summary List folder.
Dialogs for Managing Column Groups
While the functionality of column groups is similar in the Legacy Events view and the Events view, the user interface and some of the procedures are different. The following figures illustrate the (Events view) Create Column Group dialog and the (Legacy Events view) Manage Column Groups dialog. The Version 11.5 and later dialog includes a Sharing option.
Using options in the Create Column Group dialog and the Column Group Details dialog, you can:
- See the details of a column group.
- Create, edit, and delete custom column groups.
Using options In the Manage Column Groups dialog, you can do all of above and these additional functions:
- Clone and edit the clone of a built-in or custom column group.
- Import and export a column group.
The rest of this topic provides instructions for working with column groups in the Version 11.4 and later Events view, the 11.3 and earlier Event Analysis view, and the Legacy Events view.
Work with Columns and Column Groups in the Events View
After the upgrade to Version 11.4, all of the existing column groups -- both built-in and custom -- are available for management in the Events view. Unless noted, the procedures in this section are for the Events view.
Manually Select Columns to Display and Adjust Column Order and Width
Note: The Column Selector was also available in the 11.3 Event Analysis view. If a column group includes a column for a meta key that your administrator has blacklisted (hidden), the data for that column cannot be displayed. The column is not available in the Column Selector and is not displayed in the Events panel.
- With the Events list open and a column group applied, click to display the column selector.
- Select the meta keys or enter the name of a meta key that you want to display in additional columns.
- Deselect the meta keys that you do not want to display in a column.
The data is redisplayed using the selected columns. - To change the width of the columns in the events list, hover the cursor over the column title and drag the column divider to the right or the left.
- To rearrange the order of the columns across the top of the events list, hover the cursor over the column title and drag the column to the right or the left.
The changes that you make in the events list are in effect during the current session and are not retained as part of the column group. The next time the column group is applied, the original composition and order of columns is applied.
Select a Column for Sorting Events in the Events Panel (Version 11.4)Select a Column for Sorting Events in the Events Panel (Version 11.4)
Note: You can sort events in the Events panel after results have finished loading if all connected services are updated to 11.4. or later. Sorting by column is disabled when any connected service is running an earlier version of NetWitness Platform. Version 11.4.1 has more visible sorting toggles in the column heads and the ability to view results without sorting, but otherwise it functions the same as in Version 11.4.
You can change the order of the events list in the Events panel based on the value for a meta key in the event. Each column title represents a meta key, and the column is populated by the values found for the meta key in the displayed events. In Version 11.4, the events in the Events panel are sorted using the method selected in the Event Preferences dialog: Ascending or Descending. If no sort method is selected, the default order is ascending (see Configure the Events View). In Version 11.4.1, the events in the Events panel are sorted only when the sort preference in the Event Preferences dialog is selected and is either Ascending or Descending. The events are not sorted if you do not have a sort preference selected under Events Preferences or if you selected Unsorted.
Sortability of a column is based on the definition of the meta key in the Broker and Concentrator index files. Columns for meta keys that are indexed by value are sortable. If the meta key is not indexed, is indexed by meta key, or has multiple values in the same event, it is not sortable.
- These are some examples of keys that are indexed by value and sortable: time, eth.type, city.src, ip.src, ipv6.dst, and ipv6.src.
- Meta entities are not sortable. For example, the meta entity ipv6.all is not sortable because it includes ipv6.dst and ipv6.src, and a single event has both ipv6.dst and ipv6.src.
- These are some examples of multiple value keys, which cannot be sorted: filename, filetype, and attachment. A single event can have more than one file and therefore more than one value for filename, filetype, and attachment.
- These are some examples of meta keys that cannot be sorted because they are not indexed or not indexed at the values level: password, query, and size.
Sorting by Column (Version 11.4.1 and Later)
The initial view of the Events list with the sorting preference set to Unsorted and no column sorting has an event count in the title, with no indication of a sorting method applied to a column. If the event sorting preference is set to Ascending, the count label is "Oldest 1,000 Events." If the event sorting preference is set to Descending, the count label is "Newest 1,000 Events." In the figure below, the Ascending method is in effect, more than 2001 events matched the query, and only the oldest 2001 are displayed. Clicking the amber warning triangle displays an explanation. Refer to Configure the Events View for more information about the sorting preference.
When you move the mouse over a column title, sortable columns have a pair of arrows after the column title, one pointing up for ascending and one pointing down for descending (). You can choose one sort column and the direction of the sort. A blue up arrow () indicates that ascending sort order is in effect; which means the earliest events or the lowest numbers, or the text strings beginning with an 'A' appear first. A blue down arrow ( ) indicates that descending sort order is in effect; which means the latest events or the highest numbers, or the text strings beginning with a 'Z' appear first.
- When a column has a blue arrow, you can click the white arrow to change the sort order. When you change the sort order, a blue progress bar is displayed in the Events list title bar to show progress. As sorting begins, there is a short segment on the left side of the window; as sorting progresses the blue color extends to the right across the entire title bar. The directional arrow does not change until the events are re-sorted in the chosen sort order.
- To change the column to unsorted, you can click the blue arrow. Both arrows are white now to show that the column is unsorted. This figure shows the Type column sorted in ascending order.
- If a column is not sortable, no arrow is displayed when you hover the mouse over the column title. Instead a tooltip explains why it is not sortable.
Sorting on a column is done on the client side without re-executing the query if the number of displayed results is less than the events limit set by the administrator. If there are more results that are not displayed because the number of results exceeded the events limit, a new query is submitted with the new sort order, and the same service, time range, and filters. The current results are removed, a spinner indicates progress, the Cancel button becomes available, the reconstruction closes, and progress is visible in the Query console.
Note: The re-sorting of events takes place in the browser when the number of results of the original query is less than the event display threshold.
To change the sort order or the sort column
- Move the mouse over the column titles to find a sortable column.
If a column is not sortable, a tooltip that explains the reason is displayed. - To sort the list based on a column, move the mouse over a sortable column and click one of the arrows ().
The arrow turns blue and the events are reloaded in the selected order. If both arrows are white, the column is not being used to sort the events list. If one arrow is blue, the column is being used to sort the events list, and the sort order (Asc or Desc) is appended to the events count in the title bar. This figure shows a column sorted in ascending order. When a column is descending order, (Desc) is appended to the event count.
- Click a white arrow to sort the events list in that order.
- Click a blue arrow to return to unsorted order.
Sorting by Column (Version 11.4)
When you move the mouse over a column title, sortable columns have an up or down arrow ( or ) after the column title. You can choose one sort column and the direction of the sort. An up arrow indicates that Ascending sort order is in effect; which means the earliest events or the lowest numbers, or the text strings beginning with an 'A' appear first. A down arrow indicates that Descending sort order is in effect; which means the latest events or the highest numbers, or the text strings beginning with a 'Z' appear first. When you select a sort column, it is sorted in descending order by default, with events having a null value for the meta key first.
- A column that is being used to sort the events list has a bright white arrow indicating the direction that you can choose for sorting: click to change to Ascending or to change to Descending order. When you click to change to Ascending sort order, the directional arrow does not change until the events are re-sorted in ascending order. The same behavior applies when you click the to change to Descending order.
- If a sortable column is not being used to sort the events list, the arrow is dimmed. If a column is not sortable, no arrow is displayed when you hover the mouse over the column title. Instead a tooltip explains why it is not sortable.
- If you click the arrow on a different column, the column is sorted in the same order as the previously active sort column. You can select a different sort order if desired.
Sorting on a column is done on the client side without re-executing the query if the number of displayed results is less than the events limit set by the administrator. If there are more results that are not displayed because the number of results exceeded the events limit, a new query is submitted with the new sort order, and the same service, time range, and filters. The current results are removed, a spinner indicates progress, the Cancel button becomes available, the reconstruction closes, and progress is visible in the Query console.
Note: The re-sorting of events takes place in the browser when the number of results of the original query is less than the event display threshold. If some of those events have the exact same time, they will not change order as you might expect when you reverse the sort order.
To change the sort order or the sort column:
- Move the mouse over the column titles to find a sortable column.
If a column is not sortable, a tooltip that explains the reason is displayed. - To sort the list based on a column:
- Move the mouse over a sortable column and click the arrow ( or ).
The events are sorted in the correct sort order. If you hover over the column title, you can see that the arrow is no longer dimmed. A column that is being used to sort the events list has a bright white arrow that you can click to change the sorting direction. - To change the sort order, click to change to Ascending or to change to Descending order.
The direction of the arrow changes and the events are reloaded in the selected order.
- Move the mouse over a sortable column and click the arrow ( or ).
View the Meta Keys Included in a Column Group
To view details of a column group:
- Go to Investigate > Events and click to load events.
The events for the default service and the default time range are loaded in the Events panel. The Summary List column group or the column group from your last session is applied to the list. - To display the Column Groups menu, click the Column Groups menu title. The Column Group menu title includes the title of the currently selected column group. If this is your first visit after logging in, the Summary List group is selected; any subsequent visits use the column group selected in the previous session. When opened, the menu displays a list a list of built-in column groups (RSA), shared custom column groups, and your private custom column groups. The figure shows the Version 11.6 menu initially when Summary List is selected by default and all types of column groups are visible: Private, Shared, and RSA.
- (Optional) To control the types of column groups that are visible in the list, use any combination of the visibility options (blue = selected, black = not selected):
Private = display private groups that only you can manage
Shared = display shared groups that anyone in your organization can manage
RSA = display built-in groups that only RSA can manage
The visibility options work together with the Filter Column Groups field. If the visibility option is hiding built-in groups (which include "RSA" in the group name) and you search for a name that contains "RSA," the list is empty. The figure below shows private and shared visibility options selected. - Hover over the Summary List group and click the information icon () to see which columns are included in the group.
This figure shows the columns for the Summary List. The Collection Time and Type column are always the first two columns in the Events list, but are not listed in the Column Group Details dialog. - Do one of the following.
- To close the dialog, click Close.
- If you want to apply the column group, click Select Column Group.
The dialog closes and the Events list is updated to reflect the selected column group.
Select a Column Group
- With the Events panel open in the 11.4 or later Events view, click the Column Group menu title.
The menu drops down to display a list of column groups with a filtering option and a New Column Group option. The list is sorted alphabetically and the selected column group is displayed in the menu label. The first option in the list is highlighted. The selected column group has a slightly different background color than the highlighted column group.
The following figure shows the menu after RSA Endpoint Analysis was highlighted, but RSA Email Analysis is still selected. - Do one of the following:
- If the highlighted group is the one you want to apply, press ENTER.
- (Version 11.5 and later) If you want to see only certain types of groups, use the visibility options (Private, Shared, and RSA) to hide one or two group types.
- Begin typing text in the Filter column groups field to search for a column group name. As you type, the list is filtered to show only the column group names that contain that string.
When you see the group that you want to apply, click it or use the down or up arrow to highlight it, then press ENTER.
The Events list is refreshed to include only columns in the selected column group, and the menu title includes the selected group name. Your selection persists when you navigate away from the Events view. The order of the columns in the Events list reflects the order of the meta keys in the column group. A column group may contain more columns that are only visible when you scroll to the right. For optimal viewing, the first 15 columns are displayed by default when you select a column group.
Note: If a meta key in a column group is not part of the selected service, it does not appear in the Filter Events panel or in the Events panel.
Create a Custom Column Group
- Go to Investigate > Events and submit a query to load data in the Events panel.
- In the Events panel toolbar, click the Column Group menu title.
The menu drops down to display a list of column groups with the Visibility Options and Filter Column Groups field at the top and the + New Column Group option at the bottom. - Select + New Column Group.
The Create Column Group dialog is displayed. Version 11.5 includes the Sharing option. - In the Group Name field, type a unique name (maximum length of 256 characters) for the new column group, for example, Custom Column Group A.
- (Version 11.5 and later) If you want to share the new column group with your organization, set the Share with my organization option.
- To add a meta key to the column group, select and add each meta key as follows:
- Type a text string in the Filter meta keys field and look for meta keys that contain that text in the Available Meta Keys list.
- When you see the meta key that you want to add, click the add icon that precedes the meta key name.
The meta key is added to the end of the Displayed Meta Keys list. (This list is also filtered using the text you typed.) The maximum number of meta keys in a column group is 40. If you attempt to add another meta key when 40 are already included in the Displayed Meta Keys list, a message advises you that the group has the maximum number of meta keys.
- Type a text string in the Filter meta keys field and look for meta keys that contain that text in the Available Meta Keys list.
- (Optional) To find and remove a meta key from the column group, type a text string in the Filter meta keys field and look for meta keys that contain that text in the Displayed Meta Keys list. When you see the column that you want to remove, click the remove icon ( ) that precedes the meta key name in the Displayed Meta Keys list.
The meta key is moved back to the Available Meta Keys list. - (Optional) To change the order of the displayed meta keys in the Displayed Meta Keys list, place the cursor over the list order icon (). When the cursor changes to the drag and drop icon (), drag the meta key up or down in the list.
- Do one of the following:
- To close the dialog without creating the custom column group, click Cancel.
- To create the group, click Save Column Group.
The new column group is saved and becomes available for all analysts. The buttons change to Done and Select Column Group.
- Do one of the following:
- To close the dialog, click Done.
- To close the dialog and select the new column group, click Select Column Group.
The new group is added to the Column Groups menu (in alphabetical order), and if you clicked Select Column Group, the Events list is updated to show the columns in the new column group.
Delete a Custom Column Group
You can delete any custom column group that is not currently applied in the Events list and not part of a query profile. The built-in column groups are read only, and cannot be deleted. In Version 11.5 and later, a confirmation message allows you to confirm or cancel the deletion. When you delete a custom column group, it is removed from the Column Group menu.
Caution: When you delete a custom column group (Version 11.4) or a shared column group (Version 11.5), the effect is global and the group is no longer available to any analyst.
To delete a custom column group
- Go to Investigate > Events and click to load events.
The events for the default service and the default time range are loaded in the Events panel. The Summary List column group or the column group from your last session is applied to the list. This figure shows the initial view with the Summary List column group selected. The label on the Column Group menu includes the name of the selected column group. - To delete a column group, highlight a custom column group as shown in the following figure and click the edit icon () to the right of the name.
- The Column Group Details dialog opens with the details for the selected group displayed.
- Click the delete group icon ().
If the column group is currently in effect, the following message is displayed: This column group cannot be deleted because it is currently active.
In Version 11.5, a confirmation message gives you the opportunity to confirm or cancel the deletion. Click Cancel or Delete Column Group.
In Version 11.4, if the column group is not in effect and is not a built-in column group, there is no request for confirmation before the column is deleted.
The group is deleted and removed from the Column Groups menu. The column group no longer appears anywhere for any analyst working in Investigate.
Edit a Custom Column Group
You can create a shared or private copy of any column group that is not open for editing. After you create the copy, you can edit the new group in the usual way.
- Go to Investigate> Events and submit a query to load data in the Events panel.
- In the Events panel toolbar, click the Column Group menu title.
The menu drops down to display a list of column groups. - Highlight the column group that you want edit. This figure shows a custom column group highlighted, with the edit icon displayed to the right.
- Click the edit icon ().
The Column Group Details dialog is displayed so that you can edit the Group Name and Displayed Meta Keys. You can add or delete meta keys and rearrange the order of the meta keys in the list. - (Optional) In the Group Name field, edit the name of the column group.
-
(Optional) To add a meta key to the column group, select and add each meta key as follows:
- Type a text string in the Filter meta keys field and look for meta keys that contain that text in the Available Meta Keys list. Or just scroll through the list to find the meta key.
- When you see the meta key that you want to add, click the add icon that precedes the meta key name.
The meta key is added to the end of the Displayed Meta Keys list. (This list is also filtered using the text you typed.) This figure shows the group name changed to Column Group C and ad.computer.dst added to the Displayed Meta Keys list.
- (Optional) To find and remove a meta key from the column group, type a text string in the Filter meta keys field to look for meta keys that contain that text in the Displayed Meta Keys list, or simply scroll through the list. When you see the column that you want to remove, click the remove icon ( ) that precedes the meta key name in the Displayed Meta Keys list.
The meta key is moved back to the Available Meta Keys list. - (Optional) To change the order of the displayed meta keys in the Displayed Meta Keys list, place the cursor over the list order icon (). When the cursor changes to the drag and drop icon (), drag the meta key up or down in the list.
- Do one of the following:
- To close the dialog without saving the changes to the custom column group, click Reset.
- To save the edits to the column group, click Update Column Group.
The updated column group is saved globally for all analysts, and the buttons change to Done and Select Column Group.
- Do one of the following:
- To close the dialog, click Close.
- To close the dialog and select the updated column group, click Select Column Group.
The column group is updated, and if you clicked Select Column Group, the Events list is updated to show the columns in the new column group.
Create a Copy of a Column Group
(Version 11.5 and Later) You can copy any column group, built-in or custom, shared or private, as long as it does not have unsaved edits in progress. This is useful when you want a customized version of a built-in group. Also since you cannot change a custom group from private to shared or from shared to private, creating a copy allows you to select a different Sharing setting. When you create a copy of a column group, the same name is used with a number appended. For example, if you copy RSA HTTP, the first copy is named RSA HTTP-1, and a second copy of the same group is named RSA HTTP-2. After you create the copy, you can edit the new group to give it a new name and manage meta keys in the group.
Note: Some column groups created in the Legacy Events view may have more the 40 columns, which is above the limit for column groups in the Events view. If you copy a group with more than 40 columns, you must remove the excess columns when you edit the column group.
To copy a column group:
- Go to Investigate > Events and submit a query to load data in the Events panel.
- In the Events panel toolbar, click the Column Group menu title.
The menu drops down to display a list of column groups with the Filter Column Groups field at the top and the + New Column Group option at the bottom. The first group on the list is highlighted, and the selected group has a light blue background. - Highlight the column group that you want copy. This figure shows RSA HTTP highlighted. The information icon () is displayed to the right.
- Do one of the following:
- Click the information icon ().
- Click the edit icon ().
The Column Group Details dialog is displayed. This figure shows the dialog for a built-in group.
- Click the Copy icon ().
The Copy Column Group dialog is displayed with a -n appended to the column group name. The following figure has -2 because it is the second copy of this column group. - (Optional) In the Group Name field, edit the name of the column group.
- If you want to share the new column group with your organization, set the Share with my organization option. By default the new group is private.
- Do one of the following:
- To close the dialog without copying the group, click Cancel.
- To save the copy of the column group, click Save Column Group.
The copy of the column group is saved, and the buttons change to Done and Select Column Group.
- Do one of the following:
- To close the dialog, click Close.
- To close the dialog and select the copy of the column group, click Select Column Group.
The column group is copied, and if you clicked Select Column Group, the Events list is updated to show the columns in the copy of the column group. The figure below has two copies of the RSA HTTP column group, one shared and one private.
- Do one of the following:
-
To close the dialog without editing, click Close.
-
To close the dialog and select the copy of the meta group, click Select Meta Group.
The group is added to the Meta Group menu. The figure below has a private copy of the RSA HTTP meta group.
Create a Column Group FolderCreate a Column Group Folder
You can create custom column group folders which reside at the current level and are be added as a private or shared folder. And, if the folder name already exists then you are prompted to provide a unique name.
-
With the Filter Events panel open in the Events view, click the Column Groups menu title. The menu drops down to display a list of column groups and folders.
- Click .
The Create Folder dialog is displayed. -
In the Folder Name field, type a unique name (maximum length of 255 characters) for the new meta group folder.
- Click Create Folder.
-
Edit and Move Column Group Folder
After you create a column group folder you can edit or move it, however the folders inside RSA Groups (RSA Live content and RSA OOTB Groups) cannot be edited and moved. The folders inside private and shared folders can be edited and moved only within their respective groups. For example, you cannot move a shared folder into a private folder and vice-versa.
-
With the Filter Events panel open in the Events view, click the Column Group menu title and highlight the column group that you want edit.
- Click .
The Edit Folder dialog is displayed. -
In the Folder Name field, type a unique name for the column group folder.
- Select the location of the folder to be edited.
- Click Update Folder.
Copy Column Group Folder
You can copy column group folders from private to shared, private to private, shared to shared and shared to private groups. When you copy a folder the content inside it gets copied. When you copy a private folder into a shared folder, the folder and its content no longer remain private.
-
With the Filter Events panel open in the Events view, click the Column Group menu title. The menu drops down to display a list of column groups and folders.
- Select a folder you want to copy.
- Click edit and the click copy .
The Copy Folder dialog is displayed. -
In the Folder Name field, type a unique name for the new meta group folder.
- Select the location of the folder to be edited.
- Click Copy Folder.
Copy Group Folder Deployed from Live
You can copy column group folder deployed from Live located under RSA Groups category to any other location like Shared groups or to a private folder.
-
With the Filter Events panel open in the Events view, click Column Group menu title. The menu drops down to display a list of column groups and folders.
- Click on a Live Column Group folder you want to copy.
- Click
The Copy Folder dialog is displayed. - Select the location of the folder to be copied.
- Click Copy Folder.
The folder is created with the original name of the folder and appended with the 'copy' in the end.
Delete Column Group FolderDelete Column Group Folder
If you don't want to retain a folder you can delete it. However, once the folder is deleted it cannot be retrieved.
-
With the Filter Events panel open in the Events view, click the Column Group menu title. The menu drops down to display a list of column groups and folders.
- Select a folder to be deleted.
- Click edit .
The Edit Folder dialog is displayed. - Click delete .
A warning message is displayed to confirm the action. - (Optional) Select the checkbox, if you want to delete the folder along with all the contents inside the selected folder.
If you do not select the checkbox, then the content will be moved to the parent folder after the required folder is deleted. - Click OK to delete.
Work with Column Groups in the Legacy Events View
This section includes procedures for working in the 11.4 Legacy Events view (and the 11.3 Events view). Three different forms of the events list with hard-coded columns are built in and labeled as follows: Detail View, List View, Log View. You can remove columns, rearrange the order, and change the width of a column. In addition the built-in or custom column groups are available; these give you more flexibility in choosing columns.
Column groups are shared globally, per service, across Investigate. Any changes you make to custom column groups are applied globally, affecting all analysts using the service. If you delete a column group, the column group is no longer available to anyone who is investigating the service.
Select a Column Group
Note: Investigate profiles can include custom column groups. If a custom column group is used in a profile and you are viewing events in the Legacy Events view using a custom column group, you cannot change the view type (Detail, List, or Log).
To select a column group:
- With the Legacy Events view open, select Custom Column Groups in the View drop-down menu. The menu label reflects the selected option: Detail View, List View, Log View, or the currently selected column group.
- Select one of the column groups from the submenu.
The Legacy Events view is refreshed to reflect the custom column group.
Create a Custom Column Group in the Legacy Events ViewCreate a Custom Column Group in the Legacy Events View
- Go to Investigate > Legacy Events.
- Select Manage Column Groups in the View drop-down menu. The View option is named for the current value, for example, Detail View, List View, Log View, or the currently selected column group.
The Manage Column Groups dialog is displayed. - To add a new column group in the column group panel, click and type the name of the new group in the resulting field.
The column definition panel opens on the right with the group name filled in. You can edit the group name. - To add a column to the group, click , and click in the empty Meta Key field to display the Meta Key drop-down list. Select a meta key field from the list, and repeat this step until the column set is complete.
- (Optional) To delete a meta key from the column group, click .
- (Optional) To rearrange the sequence in which the columns appear in the Events list, drag meta keys to the desired position.
- (Optional) To set the default width for a column, click in the corresponding value in the Width column, and type a new column width.
- (Optional) To revert to the previous settings for the column group, and undo all of your changes, click Cancel.
- When ready to save, do one of the following:
- To save the edited column group and refresh the Legacy Events view with the column group settings, click Save and Apply.
- To save the edited column group without refreshing the Legacy Events view, click Save.
Delete a Column Group (Legacy Events View)
- Go to Investigate > Legacy Events.
- Select Manage Column Groups in the View drop-down menu. The View option is named for the current value, for example, Detail View, List View, Log View, or the currently selected column group.
The Manage Column Groups dialog is displayed. - To delete a custom column group in the column group panel, select one or more custom column groups and click in the toolbar.
A confirmation request is displayed. - Do one of the following:
- To delete the column group and refresh the Legacy Events view, click Yes.
- If you decided not to delete the column group , click No.
The selected column groups are deleted and no longer appear anywhere for this service in Investigate.
Edit a Column Group (Events View)
- Go to Investigate > Legacy Events.
- Select Manage Column Groups in the View drop-down menu. The View option is named for the current value, for example, Detail View, List View, Log View, or the currently selected column group.
The Manage Column Groups dialog is displayed. - Do one of following:
- To edit a custom column group in the column group panel, select the checkbox before the name.
The column definition panel opens on the right. - To clone and edit a built-in column group or a custom column group, select the checkbox before the name and click the clone icon ().
The column definition panel opens on the right.
- To edit a custom column group in the column group panel, select the checkbox before the name.
- (Conditional) If you are editing a clone of a group, type the new name of the group.
- To add a column to the group, click , and click in the empty Meta Key field to display the Meta Key drop-down list. Select a meta key field from the list, and repeat this step until the column set is complete.
- (Optional) To delete a meta key from the column group, click .
- (Optional) To rearrange the sequence in which the columns appear in the Events list, drag meta keys to the desired position.
- (Optional) To set the default width for a column, click in the corresponding value in the Width column, and type a new column width.
- (Optional) To revert to the previous settings for the column group, and undo all of your changes, click Cancel.
- When ready to save, do one of the following:
- To save the edited column group and refresh the Legacy Events view with the column group settings, click Save and Apply.
- To save the edited column group without refreshing the Legacy Events view, click Save.
Import and Export a Column Group (Legacy Events View)
You can export custom column groups for use by other members of your team, and other analysts can import column groups if you give them a copy of the exported file.
To export a column group
- Go to Investigate > Legacy Events.
- Select Manage Column Groups in the View drop-down menu. The View option is named for the current value, for example, Detail View, List View, Log View, or the currently selected column group. Each of these views is a differently formatted events list, and each column represents one meta key.
The Manage Column Groups dialog is displayed. - To export a column group, select the checkbox before the name and click the Export option ().
The column group is exported to your local file system as a .jsn file, for example, CustomColumnGroupsExport.jsn. If you export another group, the next file is named CustomColumnGroupsExport-2.jsn to differentiate. - To import a column group that you have available on your local file system, click the Import option ().
The Import Column Groups dialog is displayed. - Browse your local drive to find the column group (jsn file), and click Upload.
The column group is added to the list. If it has the same name as an existing column group, a message is displayed and the column group is not imported.