Use Saved Queries to Encapsulate Common Areas for Investigation

Saved Queries  offer a quick and easy way to define a meta group, column group, and a limiting filter (pre-query condition) that you can apply in the Navigate view, the Events view, and the Legacy Events view. The same query profiles are shared between all views, and they are available in the Springboard (Version 11.5) for use in panels. Private query profiles created in the Events view are only available in the Events view for the analyst who created them.

Each query profile specifies a meta group, column group, and sometimes includes a pre-query condition appropriate for the type of investigation.

In a query profile:

Built-In Saved Queries

You cannot edit or delete built-in profiles, but you can copy an existing profile and edit the copy in the Navigate view, the Legacy Events view, or the Events view. In the Navigate view, the built-in profile names begin with the RSA prefix and are grouped under Default Profiles. The Events view does not support grouping of query profiles. This figure is an example of a built-in query profile as listed in the Query Profiles menu.

netwitness_qpbuiltinrow.png

The NetWitness Platform has these built-in profiles:

  • RSA Email Analysis
  • RSA Endpoint Analysis
  • RSA File Analysis
  • RSA Threat Analysis
  • RSA User & Entity Behavior Analysis
  • RSA Web Analysis
  • Behaviors of Compromise
  • Enablers of Compromise
  • Indicators of Compromise
  • MITRE ATT&CK tactics
  • MITRE ATT&CK techniques

Built-in query profiles make it easy for you to query a specific area of interest; for example, selecting the built-in RSA Email Analysis query profile automatically specifies the meta group, and column group, and pre-query conditions that are most useful for investigating email activity. As you become familiar with the meta keys, you can create your own custom query profiles.

Live Saved Queries

In 11.6 and later, NetWitness supports deploying the investigate content from live and are marked by the live symbol (netwitness_liveicon_25x23.png) under the query profiles group drop down. The query profiles are categorized as RSA Groups (RSA Live content and RSA OOTB Groups), and Shared Groups. The groups are displayed as non-editable folders and sub-folders except for Shared Groups that can be edited. All private content is displayed outside these groups. For example, the below image shows private content below the Shared Groups folder. The number inside () depicts the number of contents inside a folder and > symbol helps you to drill down inside the folder.
query_profile12.png

Custom Saved Queries

Custom query profiles are shared globally within your organization in Version 11.4. In Version 11.5 and later, you can create shared query profiles as before, and can also create private query profiles. If you edit a shared custom query profile, your changes are applied globally. If you delete a shared custom query profile, the profile is deleted and no longer available for all analysts.

Note: If a Springboard panel is using a query profile as a filter, the profile can be edited, but cannot be deleted in the Events view. However, nothing prevents deletion of the profile in the Navigate view or the Legacy Events view. In this case, Springboard panels that use the deleted query profile as a filter continue to work, but the filter is removed and unexpected results may be displayed in the panel. Refer to "Managing the Springboard" in the NetWitness Platform Getting Started Guide for details.

When you create a query profile in Version 11.5, you can choose to share it or you can keep it private (default); you cannot change a shared profile to private or a private profile to shared. Private query profiles are not visible or usable in the Navigate view, the Legacy Events view, or the Springboard. Icons identify the profile type in the Query Profile menu. These are examples of a shared and a private custom query profile as listed in the Query Profile menu, with the edit icon displayed at the end of the row.

netwitness_qpprivateprofrow.png netwitness_qpsharedprofrow.png

Dialogs for Managing Saved Queries

The queries are listed in alphabetical order in the Saved Queries menu in a way that makes built-in queries distinguishable from custom queries that you imported or created. While the functionality for managing saved queries is similar in the Navigate view, the Legacy Events view, and the Events view, the dialogs are different. The following figure illustrates the Saved Queries menu in the Version 12.3.1  Events view. This menu lists the same queries that are available in the Navigate view and the Legacy Events view. You can create, copy, edit, delete, and apply queries.

query_profile12.png

This is an example of the Manage Profiles dialog in the Navigate and Legacy Events views.

netwitness_profgrpnam_711x531.png

Note: Query profiles are available in the Navigate view, the Legacy Events view, and the Events view; in Version 11.4.1 and earlier, they are shared globally across users. If one user modifies or deletes a custom query profile it has an effect on what is available to the other users. In the Events view, use the Query Profiles menu to work with profiles. In the Navigate or Legacy Events view toolbar, select Profile > Manage Profiles to open the Manage Profiles dialog. In Version 11.5, custom profiles can be shared globally, but private custom profiles created in the Events view are not available in the Navigate view or the Legacy Events view.

From the Query Profiles menu (11.4 and later Events view):

  • You can apply a query profile and use options in the menu to create (Create Query Profile dialog), copy, edit, and delete (Query Profile Details dialog) custom query profiles.
  • Selecting a profile applies the meta group, column group, and pre-query condition, and these are visible in the Meta Group menu title, Column Group menu title, and the query bar.
  • In Version 11.4, the Events view does not use meta groups or profile groups defined in other views. Version 11.5 allows you to use meta groups and to create private custom query profiles, in addition to the previously available shared custom query profiles.
  • If a query profile created in the Legacy Events view uses the Log View, Detail View, or List View instead of a column group, the same profile in the Events view uses the Summary List column group.

From the Manage Profiles dialog (Navigate view and Legacy Events view):

  • You can configure, add, delete, import, and export profiles and profile groups.
  • You can organize your custom query profiles in profile groups (Version 11.2 and later). When upgrading to Version 11.4 from an earlier version, only profile groups that contain profiles are imported. The built-in query profiles are in the Default Profiles group, which cannot be edited. Analysts can create new query profile groups, which anyone can use.
  • After creating profiles, you can edit a profile group to add profiles, remove profiles, or move profiles from one group to another. When you create a profile, it is not added to any profile group by default.
  • Selecting a profile applies the meta group, column group, and pre-query condition, and the label of the Profile menu is replaced with the query profile name. The following figure illustrates the RSA Email Analysis query profile selected in the Navigate view or Legacy Events view.

    netwitness_navprofdisplay.png

View Saved Queries Details (Events View)

If you want to know which meta groups, column groups, and limiting filters (called pre-query conditions) define a saved query, you can view the details of the query.

To view the details:

  1. Go to Investigate > Events and click Saved Queries.
    The Saved Queries menu opens with a list of available profiles. This menu displays a list a list of built-in query profiles (RSA), shared custom profiles, and your private custom profiles with visibility options and a filter field make it easier to find a particular query profile.
    query_profile_update.png
  2. Hover over a query profile in the list and click the information icon (netwitness_cgblueinfoicon.png) to see the meta group, column group, and pre-query conditions configured for the profile.
    This figure shows the details for the RSA Email Analysis profile, one of the built-in profiles. In Version 11.5.1, an icon identifies the type of meta group and column group (shared, private, or RSA).
    query_profile_modify1.png
  3. Do one of the following:
    1. To close the dialog, click Close.
    2. If you want to apply the profile, click Select Saved Query.
      The dialog closes. The Events list is updated to reflect the selected query profile. If the profile uses a different column group, the query is re-executed with the pre-query conditions and column group for the selected profile. If only the pre-query conditions are different, existing filters in the query bar are removed and the pre-query conditions (for example, this filter: service=24,25,109,110,995,143,220,993) is added in the query bar, but the query is not submitted. The first 15 columns in the associated column group are used in the Events list.
      1. (Optional) Create additional filters in the query bar before executing the query (see Filter Results in the Events View).
        netwitness_qpquerybarpreq.png
      2. (Optional) If you want to select different columns from the associated column group before executing the query, click netwitness_ic-settings.png above the Events list on the right.
        The Column Selection list is displayed and you can choose up to 40 columns to display (see Use Columns and Column Groups in the Events List.
        netwitness_qpcolseldd.png

Apply a Saved Queries (Events View)

When a saved query is applied, there is no indication of it in the Saved Queries menu, but you can see if a column group or meta group is in effect. If pre-query conditions are applied, the filters are visible at the beginning of the query bar as shown in this figure:

netwitness_qpquerybarpreq.png

Note: If you do not see enough results or the right results in the Events view, an applied profile may be limiting results with pre-query conditions.

To apply a query profile:

  1. Go to Investigate > Events and click Saved Queries in the query bar.
    The Saved Queries  menu opens with a list of available queries.
    query_profile_12_version.png
  2. Use the Down and Up arrow keys or the mouse to highlight a profile.
  3. Click the highlighted profile.
    The query profile settings are applied immediately. The Events list is updated to reflect the selected profile. If the profile uses a different column group the query is re-executed with the pre-query conditions and column group for the selected profile. If only the pre-query conditions are different, existing filters in the query bar are removed and the pre-query conditions are added in the query bar. The netwitness_qryiconblue.png button becomes active so that you can resubmit the query with the new pre-query conditions. You can add more filters as usual before or after resubmitting the query.

Create or Edit a Custom Saved Queries (Events View)

To create or edit a custom saved queries

  1. Go to Investigate > Events and click Saved Queries in the query bar.
    The Saved Queries menu opens with a list of available queries.
    create_nw_query_prfile_12.png
  2. Do one of the following:
    1. To create a new saved query, click + New Saved Query.
      The Saved Queries dialog is displayed. The Create Saved Query  dialog shows a new empty profile that includes the currently selected meta group, column group, and filter that you have currently typed in the Query bar as a pre-query condition.
      CGQP.png
    2. To edit an existing query profile, highlight a custom query profile in the menu, and click the edit (netwitness_cgediticon.png) icon.
      The Query Profile Details dialog is displayed. The Version 11.5.1 dialog (on the right) identifies the type of meta group and column group as shared, private, or RSA.
      QPDetailsDgEmail1.png
  3. In the Profile Name field, type a unique profile name that has no more than 80 characters.
    In the Create Query dialog, the Save Query Profile button is activated. In the Query Profile Details dialog, the Select Query Profile button is relabeled as Update Query Profile.
  4. (Version 11.5 and later), do one of the following
    1. If you want to share the new query profile with your organization, set the Location to Shared Groups from the drop-down menu. You cannot change a query profile from shared to private after it is created.
    2. If you want to create a private query profile that only you can see and manage, leave the Location to Top Level (Private). You cannot change a query profile from private to shared after it is created.
  5. (Version 11.5 and later) Select a meta group from the Meta Group drop-down list. If a shared group and a private group have the same name, the private group is listed before the shared group. In Version 11.5.1, an icon before the group name distinguishes private from shared.
  6. Select a column group from the Column Group drop-down list. In Version 11.5, there can be shared or private groups and they can have the same name. In this case, the private group is listed before the shared group. In Version 11.5.1, an icon in front of the group name distinguishes private from shared.
  7. In the Pre-Query Conditions field, check the default filters from the query bar and add or remove filters if you wish.
  8. Click Save Query Profile or Update Query Profile.
    The new profile is saved or the edited profile is updated with your changes.
  9. To close the dialog, click Close.

Delete a Custom Query Profile (Events View)

Built-in query profiles are read only, and cannot be deleted, but you can delete any custom query profile. A confirmation message allows you to confirm or cancel the deletion. When you delete a shared query profile, the effect is global and the profile is no longer available to any analyst.

Note: If a Springboard panel is using a query profile as a filter, the profile can be edited, but cannot be deleted in the Events view. However, nothing prevents deletion of the profile in the Navigate view or the Legacy Events view. In this case, Springboard panels that use the deleted query profile as a filter continue to work, but the filter is removed and unexpected results may be displayed in the panel. Refer to "Managing the Springboard" in the NetWitness Platform Getting Started Guide for details.

To delete a custom query profile

  1. Go to Investigate > Events and click Query Profiles in the query bar.
    The Query Profiles menu opens with a list of available profiles.
    delete_query_12version.png
  2. Highlight a custom query profile that you want to delete, and click the edit (netwitness_cgediticon.png)icon.
    The Query Profile Details dialog is displayed.
    delete_query_12version1.png
  3. Click the delete icon (netwitness_cgdeleteicon.png).
     A confirmation message gives you the opportunity to confirm or cancel the deletion. Click Cancel or Delete Saved Query.
    The query is deleted and removed from the Saved Queries menu. The profile no longer appears anywhere for any analyst working in Investigate.

Copy a Saved Query

You can copy any query profile, built-in or custom, shared or private, as long as it does not have unsaved edits in progress. This is useful when you want a customized version of a built-in profile. Also since you cannot change a custom profile from private to shared or from shared to private, creating a copy allows you to select a different Sharing setting. When you copy a profile, the same name is used with a number appended. For example, if you copy RSA Email Analysis, the first copy is named RSA Email Analysis-1, and a second copy of the same profile is named RSA Email Analysis-2. After you create the copy, you can edit the new profile to give it a new name and edit the pre-query conditions, meta group, and column group in the profile.

Note: If you are making a shared copy of a private query profile that uses a private meta group or column group, a message notifies you that a shared copy of the meta group or column group is being created and used in the query profile. It may take a little longer to copy the query profile when a private meta group or column group has to be copied.

To copy a query profile

  1. Go to Investigate > Events and click Query Profiles in the query bar.
    The Query Profiles menu opens with a list of available profiles.
  2. Highlight the query profile that you want copy. This figure shows RSA Email Analysis highlighted. The information icon (netwitness_cgblueinfoicon.png) is displayed to the right.
    delete_query_12_2.png
  3. Do one of the following:
    1. Click the information icon (netwitness_cgblueinfoicon.png).
    2. For a custom profile, click the edit icon (netwitness_cgediticon.png).
      The Query Profile Details dialog is displayed. This figure shows the dialog for a built-in profile.
      QPDetailsDgEmail1231.png
  4. Click the Copy icon (netwitness_cloneicon.png).
    The Copy Saved Query dialog is displayed with a number appended to the profile name to create a unique name among all saved queries.
    QPCopy1.png
  5. (Optional) In the Saved Query Name field, edit the name of the saved query.
  6. If you want to share the new profile with your organization, set the Location to Shared Groups from the drop-down menu. By default the new profile is private. If the profile being copied has a private column group or meta group, a shared copy is created and used in the copy of the profile.
  7. Do one of the following:
    1. To close the dialog without copying the profile, click Cancel.
    2. To save the clone of the query profile, click Save Saved Query.
      The clone is saved, and the Query Profile Details dialog for the cloned profile is displayed.
  8. Do one of the following:
    1. To close the dialog, click Close.
    2. To close the dialog and select the new profile, click Select Saved Query.
      The clone is added to the Query Profiles menu.

Create a Saved Query Folder

You can create query profiles folders which reside at the top level and are be added as a private or shared folders. And, if the folder name already exists then you are prompted to provide a unique name.

  1. In the Events view, select the Query Profiles menu title. The menu drops down to display a list of meta groups and folders with the Filter Query Profiles field at the top and the netwitness_newfolder_22x17.png option at the bottom.
    create_nw_query_prfile_12.png

  2. Click netwitness_newfolder.png.
    The Create Folder dialog is displayed.
    folder_name.png
  3. In the Folder Name field, type a unique name for the new query profile group folder.

  4. Click Create Folder.

Edit and Move Saved Queries Folder

After you create a saved queries group folder you can edit or move it, however the folders inside RSA Groups (RSA Live content and RSA OOTB Groups) cannot be edited and moved. The folders inside private and shared folders can be edited and moved only within their respective groups. For example, you cannot move a shared folder into a private folder and vice-versa.

  1. In the Events view, select the Query Profiles menu title that you want edit.
  2. Click netwitness_cgediticon.png.
    The Edit Folder dialog is displayed.
    QPEditFolder.PNG
  3. In the Folder Name field, type a unique name for the query profile folder.
  4. Select the location of the folder to be edited.
  5. Click Update Folder.

Copy Query Profile Folder

You can copy saved queries  folder from private to shared, private to private, shared to shared and shared to private groups. When you copy a folder the content inside it gets copied except for the sub-folders. When you copy a private folder into a shared folder, the folder and its content no longer remain private.

  1. In the Events view, click the Query Profiles menu title. The menu drops down to display a list of query profiles and folders.

  2. Select a folder you want to copy.
  3. Click edit netwitness_cgediticon.png and then click netwitness_copyicon_24x25.png.
    QPEditFolder.PNG
    The Copy Folder dialog is displayed.
    QPCopyFolder.png
  4. In the Folder Name field, type a unique name (maximum length of 80 characters) for the new saved queries group and folder.

  5. Select the location of the folder to be edited.
  6. Click Copy Folder.

Copy Saved Queries Group Folder Deployed from Live

You can copy saved queries group folder deployed from Live located under RSA Groups category to any other location like Shared groups or to a private folder.

  1. In the Events view, click Saved  Queries Group menu title. The menu drops down to display a list of query profiles groups and folders.

  2. Click on a Live Query Profiles Group folder you want to copy.
  3. Click netwitness_livecopyicon.png
    The Copy Folder dialog is displayed.
    QPLiveFolder.png
  4. Select the location of the folder to be copied.
  5. Click Copy Folder.
    The folder is created with the original name of the folder and its contents are displayed as the original meta group name appended with a -n.

Delete Saved Queries Folder

If you don't want to retain a folder you can delete it. However, once the folder is deleted it cannot be retrieved.

  1. In the Events view, click the Saved Queries menu title. The menu drops down to display a list of query profile groups and folders.

  2. Select a folder to be deleted.
  3. Click edit netwitness_cgediticon.png.
    The Edit Folder dialog is displayed.
    QPEditFolder.PNG
  4. Click delete netwitness_deleteicon.png.
    A warning message is displayed to confirm the action.
    Qpdelete.png
  5. (Optional) Select the checkbox, if you want to delete the folder along with all the contents inside the selected folder.
    If you do not select the checkbox, then the content will be moved to the parent folder after the required folder is deleted.
  6. Click OK to delete.

Add Springboard Panels from Events View

(From 12.0 and later) Administrators and Analysts can now create a Springboard panel from Investigate > Events view. Analysts can add any number of filters on the query bar and convert them into Springboard panels with important system indicators for threat hunting and investigation.

Springboard123.png

IMPORTANT: Ensure that you create a custom private board first in order to add the Springboard panel.

Note: From 12.3 version and later, analysts can create panels with different colors using the Visualization Color Theme option. It allows analysts to visualize their data more effectively and helps them perform analysis and investigations more efficiently.

To add a Springboard panel from Events view

  1. Go to Investigate > Events.

  2. Create a query that consists of one or more filters that contain a meta key, operator, and optional value.
  3. Click netwitness_three_dots_16x26.png > Generate Springboard Panel.
    The Generate Springboard Panel dialog is displayed.

    springboard_panel_color.png

  4. Enter the following details:
      • Name: Enter a unique name for the panel. The name can include letters, numbers, spaces, and special characters, such as _ - ( ) [ ].

     

    Note: The query profile will be created with the same name as the Springboard panel.

     

    • Meta Group: It is selected by default.

    • Column Group: It is selected by default.

    • Location: It is the location where the query profile will be saved.

    • Pre-Query Conditions: Displayed based on the input criteria entered in the search query panel.

    • Meta Key: Select the appropriate meta key value from the drop-down list.

    • Default Sorting: Select the appropriate sorting from the drop-down list.

    • Visualization Type: Select the appropriate visualization type from the drop-down list.

    • Visualization Color Theme: Select the appropriate visualization color theme from the drop-down list.

      Note: The Multiple color option is available only for the Donut chart.

    • Visualization Metric: Select the appropriate visualization metric from the drop-down list.

  5. Click Save.

    The panel will be added successfully to the custom private board in the Springboard.

Navigate to the Manage Profiles Dialog (Navigate and Legacy Events Views)

  1. Go to Investigate > Navigate or Legacy Events. (If the Investigate dialog is displayed, select a service and click Navigate.)
  2. In the toolbar, select Profile > Manage Profiles.
    netwitness_mngprofopt.png
    The Manage Profiles dialog is displayed.
    netwitness_mngpro112.png

Create, Edit, or Delete a Profile Group (Navigate or Legacy Events View)

You can create a custom profile group to organize different profiles. Once created, the only edit you can make directly to a profile group is to edit the name of the profile group. To add or remove a profile in a group, edit the profile and assign it to a different profile group as described in Create and Edit Profiles (Navigate or Legacy Events View).

Note: If you migrated profile groups from Version 11.3, empty groups were not migrated.

  1. In the Manage Profiles dialog, do one of the following:

    • To select an existing profile group to edit, double-click the profile group.
    • To add a new profile group, click netwitness_add.png and select Add New Profile Group.

    Note: If you want to edit one of the built-in profile groups, click netwitness_duplicate_button.png to make an editable copy.

    A folder with a blank field is displayed at the bottom of the Profiles list in the left column.
    netwitness_profgrpnam.png

  2. To edit or enter the name of the profile group, double-click the Profile Group and type in the entry field. The name must be between 2 and 80 characters.
    The profile group name is applied to a new profile group or to the profile group you edited. The profile group is now available when configuring a profile.
  3. To delete a profile group do one of the following:
    • If you want to delete a profile group but keep the profiles, click the checkbox to select the group, uncheck the profiles in the group, and click delete.
    • If you want to delete a profile group and the profiles that the group contains, click the checkbox to select the group, and leave the profiles that you want to delete checked.
      A dialog asks for confirmation that you want to delete the group. If you left the mark in the checkbox next to the profiles, the group and the profiles in the group are deleted. If you unchecked the profiles, only the profile group is deleted and the profiles are moved out of the group and available to add to another profile group.

Create and Edit Profiles (Navigate or Legacy Events View)

  1. In the Manage Profiles dialog, do one of the following:

    • To select an existing profile to edit, click the checkbox beside the name.
    • To add a new profile in Version 11.2 and later, click netwitness_add.png or click the down arrow next to netwitness_add.png and select Add New Profile.
    • To create a new profile in versions prior to 11.2, click netwitness_add.png.

    Note: If you want to edit one of the built-in profiles, click netwitness_duplicate_button.png to create a copy, and edit the copy.

    The definition of the profile is available to edit in the right panel. This figure illustrates the definition of one of the built-in profiles.
    netwitness_ootbprofprop112.png

  2. Edit or enter the profile name by typing in the Name field. The name must be between 2 and 80 characters.
  3. (Optional for Version 11.2 and later) If you want to add the profile to a profile group, select a profile group from the Profile Group drop-down list.
    If you select a profile group, the profile is added to the group when you save the changes. If you do not select a profile group, the profile is not part of a group.
  4. Select a meta group from the Meta Group drop-down list. You can add custom meta groups as described in Use Meta Groups to Focus on Relevant Meta Keys. Private meta groups created in the Events view are not available in the Navigate view.
  5. Select a column group for the Column Group drop-down list. You can add custom column groups as described in Use Columns and Column Groups in the Events List. Private column groups created in the Events view are not available in the Navigate view.
  6. Type queries to filter results in the PreQuery field. PreQuery follows the same syntax as the Query builder. The PreQuery in the figure uses a meta group called service = 24,25,109,110,995,143,220,993.
  7. Click Save to save the profile without using it, or click Save and Apply to save the profile and use it immediately.
    If you click Save and Apply, a confirmation dialog is displayed before applying the selected profile. For Version 11.2 and later, the PreQuery that you entered in the Manage Profiles dialog is displayed in the breadcrumb.
    netwitness_profapp.png

Delete a Profile (Navigate or Legacy Events View)In the Manage Profiles dialog, select a profile by clicking the checkbox beside the name.

  1. Note: You cannot delete any of the built-in profiles.

  2. Click netwitness_delete.png.
    A prompt requests confirmation that you want to delete the profile, and the profile is deleted. The option name in the toolbar reverts to Profile to show that no profile is in effect.

Change the Active Profile (Navigate or Legacy Events View)

If you do not see enough results or the right results in the Navigate or Events views, you may have an active profile that is applying a PreQuery. If you do not want to use any profiles, you can click Deactivate Profile in the Profile drop-down menu.

To use a different profile:

  1. In the Navigate or Legacy Events view toolbar, open the Profiles drop-down menu.
  2. Hover over the Profile option to display a drop-down list of available profiles.
  3. Select the profile you want to use.
    The profile settings are applied immediately.

If you want to change the active profile from the Manage Profile dialog:

  1. In the Navigate or Legacy Events view toolbar, select Profiles > Manage Profiles.
    The Manage Profiles dialog is displayed.
  2. Select a profile from the left panel and click Save and Apply.
    A confirmation dialog is displayed.
  3. Click Yes.
    The profile settings are applied immediately.

Import Profiles (Navigate or Legacy Events View)

In the Navigate view and the Legacy Events view, you can upload or import .jsn files that have been downloaded from another service. When profile groups are exported and then imported, the grouping of profiles is maintained.

  1. In the Manage Profiles dialog, click netwitness_ic-import.png in the left panel toolbar.
    The Profile Import dialog is displayed.
  2. Click Browse or the Upload File field to select a file from your computer.
  3. When the file is selected, click Upload.
    The profile is displayed in the left panel.

Download Profiles (Navigate or Legacy Events View)

In the Navigate view and the Legacy Events view, profiles are downloaded as .jsn files.

  1. In the Manage Profiles dialog, select one or more profiles from the left panel.
  2. In the left panel toolbar, click netwitness_ic-export.png.
    The download begins immediately.