You can save a search query, then repeat it as desired. To save a search query, you must first perform a search. When you are satisfied with the search results, you save the search query.

NOTE: You must have the necessary permission to access the specific options. For example, only users in the Report Administrator role can save the search query as a report template.
1. Perform and refine a search until you are satisfied with the search results. For more information, see Section 2.1, Running an Event Search and Section 2.3, Refining Search Results.
2. Click the icon, and then click the option to save the search.
3. Specify a unique name for the search and provide an optional description.
4. Specify the following information:
   - Targets: Displays the number of servers that Sentinel will search for events. This option is useful if distributed search is enabled. To select the targets that you want to search, click the link, and then select the targets.
   - Email to: To e-mail the report template to others, specify the e-mail address. To send the report template to more than one person, specify multiple e-mail addresses separated by commas.
   - Result limit: Specify the number of results to be stored in the search template. By default, 1000 results are stored in a report template.
5. Click the button to save the search.

To save the search query as a filter:

1. Perform a search, and refine the search results as desired. For more information, see Section 2.1, Running an Event Search and Section 2.3, Refining Search Results.
2. When you are satisfied with the search results, click the icon, and then click the option to save the search as a filter.
3. Specify a unique name for the filter and an optional description.
4. In the drop-down list, select one of the following options to specify who can access this filter:
   - Private: Makes this filter private. Other users cannot view or access this filter.
   - Public: Shares this filter with all users.
   - Users in same role: Shares this filter with users who have the same role as yours.
   - Users in selected roles: Shares this filter with users in specific roles. If you select this option, a blank field is displayed where you can specify the roles. As you type a role name, a list of matching roles is displayed. Select one or more roles.

   NOTE: This option is available only for users in the administrator role.
5. Click the button to save the filter. The saved filter is listed in the Filters panel. For more information on filters, see Section 3.0, Configuring Filters.
You can save the search query as a search report.

NOTE: You must have the Manage Reports permission to save the search query as a report template.

1. Perform a search, and refine the search results as desired. For more information, see Section 2.1, Running an Event Search and Section 2.3, Refining Search Results.
2. When you are satisfied with the search results, click the icon, and then click the option to save the search as a report.
3. Specify the following parameters:

| Parameter | Description |
|---|---|
| Report name | Specify a unique name for the report. The name should not exceed 200 characters. |
| Based on | Select the base report from which you want to create the report. You can view a sample report by clicking the button. |
| Description | The description is automatically displayed based on the selected report, and you can edit it. |
| Criteria | The criteria are automatically populated based on the selected report and are not editable. |
| Additional Criteria | Specify additional search criteria to add to the existing criteria. To build new criteria on your own, or to build criteria from available system objects that contain criteria, click the corresponding icon. The criteria that you add here are appended to the existing criteria. |
| Targets | Select the source machines on which the reports can be run by clicking the link. You can select the targets only if your Sentinel is configured for distributed search. For more information, see |
| Additional Criteria | Specify additional criteria to refine the results. The criteria that you specify here can be edited while scheduling the report. If you specify a value, the name is displayed at the end of the report results. NOTE: This parameter is not available for all reports. |
| Time Zone | Specify the time zone with which you want to populate the report. When you schedule the report, the time zone that you specify here is displayed in the report data. For example, if the Time Zone is set to US/Pacific-New, the report data displays the selected time zone. By default, the time zone that is set in the client system is used. NOTE: This parameter is not available for all reports. |
| Date Range | If the report includes time period parameters, choose the date range. All time periods are based on the local time of the browser. The date fields automatically change to reflect the option that you selected. |
| Group By | Group the events according to a specific event field by selecting the event field from the drop-down list. NOTE: This parameter is not available for all reports. |
| Language | Choose the language in which the report labels and descriptions should be displayed. The possible values are English, French, German, Italian, Japanese, Traditional Chinese, Simplified Chinese, Spanish, or Portuguese. The default value is the language with which the current user logged in, if that language is supported by the report. If the report does not support the language, the report's default language (typically English) is used. The data in the report is displayed in the language that was originally used by the event source. |
| Email to | Specify an e-mail address in the field. If you want to mail the report to more than one user, separate the e-mail addresses with commas. |
| Result limit | Specify the number of results to be displayed or stored when you run or schedule the report. By default, 1000 results are stored. If you specify a value in the Group By field, the result limit is based on grouping. |

4. Click the button to save the search as a report definition. You can see the saved report definition in the corresponding panel in the Sentinel Web interface. To view the reports, see Viewing Events.

You must be in the administrator role to save the search query as a routing rule.
1. Perform a search, and refine the search results as desired. For more information, see Section 2.1, Running an Event Search and Section 2.3, Refining Search Results.
2. When you are satisfied with the search results, click the icon, and then click the option to save the search as a routing rule.
3. Specify a name for the rule.
4. (Conditional) To associate one or more tags with the events, click the icon, select the desired tags, and then click the button to apply them.
5. Select where you want to route the events:
   - All: Events are routed to all Sentinel services, including Correlation and Security Intelligence.
   - Event store only: Events are sent directly to the event store and are not displayed in Active Views or on the search results page.
   - None (drop): Events are dropped or ignored and are not sent to any Sentinel service.
6. Select one or more actions to be performed on each event that meets the search criteria. Click the plus and minus icons to add and remove actions.
7. Click the button to save the rule.

You must be in the administrator role to save the search query as a retention policy.
1. Perform a search, and refine the search results as desired. For more information, see Section 2.1, Running an Event Search and Section 2.3, Refining Search Results.
2. When you are satisfied with the search results, click the icon, and then click the option to save the search as a retention policy.
3. Specify a name for the retention policy.
4. Specify the minimum number of days to retain the events in the system. The value must be a valid positive integer.
5. (Optional) Specify the maximum number of days for which the events should be retained in the system. The value must be a valid positive integer and must be greater than or equal to the minimum value. If no value is specified, the system retains the events for as long as space is available in local storage.
6. Click the button to save the policy. The newly created policy is displayed in the data retention table. For more information on retention policies, see Configuring Data Retention Policies in the NetIQ Sentinel 7.1 Administration Guide.
You must have the Manage and View Security Intelligence Dashboards permission to create a dashboard.

1. Perform a search, and refine the search results as desired. For more information, see Section 2.1, Running an Event Search and Section 2.3, Refining Search Results.
2. When you are satisfied with the search results, click the icon, and then click the option to create a dashboard.
3. Specify the following information to create the dashboard:
   - Name: Specify a unique name for the dashboard.
   - Classifier: Select the classifier that determines the categories displayed in the dashboard. Click the link for information on each category.
   - Data Retention Period: Select how long the data for the dashboard is retained.
4. Click the button to create the dashboard. The dashboard is displayed in a new browser tab. A new dashboard is empty because it has not yet had time to collect any data. For more information on dashboards, see Section 5.0, Analyzing Trends in Data.