Browsing Feed Service events

This section describes how to browse, in RSA NetWitness, the events sent from Feed Service.

To display the events sent from Feed Service in RSA NetWitness:

  1. On the RSA NetWitness menu, select Investigation > Navigate.

    The Investigate window opens.

  2. On the Services tab, select the Concentrator that stores events from Feed Service (or the Log Decoder to which Feed Service sends events) and click the Navigate button.

    Figure: Investigate window

  3. On the Navigate toolbar, select Query.

    Figure: Query toolbar button

    A window for creating a query opens (the Create window).

  4. Select Advanced and specify the following query:

    device.type='cybertrace'

    Figure: Specifying device type

  5. Click OK.

The Navigate view will display the events from Feed Service.

Figure: Displaying events from Feed Service
