12.1 Searching Events Indexed in Traditional Storage

You can run a search to view events indexed in traditional storage. You can also search for events in other Change Guardian servers that are distributed across different geographic locations. For more information, see Section 19.0, Configuring Data Federation.

This section provides information about the following topics:

  • Performing a Search

  • Viewing Search Results

  • Refining Search Results

  • Saving a Search Query

  • Performing Event Operations

12.1.1 Performing a Search

To perform a search:

  1. Log in to the Change Guardian Main interface:

    https://<IP_Address/DNS_Change_Guardian_server>:8443/sentinel/views/main.html

    Where IP_Address/DNS_Change_Guardian_server is the IP address or the DNS name of the Change Guardian server and 8443 is the default port for the Change Guardian server.

  2. In the Reports and Searches panel, click New search.

  3. You can perform a search by using any of the following:

    • Search criteria: Specify the search criteria in the Search field.

      For information on creating search criteria, see Section A.0, Search Query Syntax.

    • Build criteria: Build a new criteria using the build criteria user interface.

    • Select and Append criteria: Click Select and Append criteria and select from the criteria listed, click Add, and then click Search. You can select criteria from the list of criteria or filter the criteria based on recent criteria, tags, or filters.

      • Show only recent criteria: Select a search criterion from the recent search history. The search history displays a maximum of 15 search expressions. Click Show recent criteria, select the criteria, and then click Add.

      • Show only Filters: You can reuse existing filters to perform a new search. Click Show Filters to list the existing filters. Select the filter on which you want to perform the search, and then click Add.

      • Show only Tags: You can search for events that carry a particular tag. Click Show Tags to list the tags in the system. Select the tags, and then click Add.

      You can combine multiple criteria, tags, or filters by using the AND or OR condition.

  4. (Optional) Select a time period for the search.

    • The default is Last 1 hour.

    • Custom allows you to select a start date and time and an end date and time for the query. The start date should be earlier than the end date, and the time is based on the machine’s local time.

    • Whenever searches all available data, without any time constraints.

  5. (Optional) If you have administrator privileges, you can select other Change Guardian servers for the search.

    If you have data federation configured, you can perform a search on other Change Guardian servers. For more information, see Section 19.0, Configuring Data Federation.

  6. Click Search.

    The search results are displayed. For information on the search results, see Viewing Search Results.

  7. (Optional) Modify the search criteria by clicking Edit Criteria.

  8. (Optional) Modify the search results by selecting the desired event fields in the search results.

    To add an AND or OR condition to the existing criteria, left-click the event field, select the required fields, and then specify the desired condition.

  9. Click Search.

  10. (Conditional) To save the search query, see Saving a Search Query.

12.1.2 Viewing Search Results

Searches return a set of events. When results are sorted by relevance, only the top 50,000 events can be viewed. When results are sorted by time, all the events in the system are displayed.

Occasionally, the search engine might index events faster than they are inserted into the data directory. If you run a search that returns events that were not added in the data directory, you get a message indicating that some events match the search query, but they are not found in the data directory. If you run the search again later, the events are added to the data directory and the search is shown as successful.

The information in each event is grouped into the following categories. The Initiator, Target, Observer, and Reporter categories are marked with their own icons in the search results; the remaining categories have no icon.

General: Generic information about the event, such as severity, date, time, product name, and taxonomy.

Initiator: The source that caused the event to occur. The source can be a device, network port, etc.

Target: The object that is affected by the event. The object can be a file, database table, directory object, etc.

Observer: The service that observed the event activity.

Reporter: The service that reported the event activity.

Tags: The tags that have been applied to the event.

Customer value: Fields set by the customer.

Retention period: The retention period of the event.

The initiator, target, and observer can be hosts, services, or accounts. In some cases, the initiator, target, and observer are all the same, such as a user modifying his or her own account. In other cases, they are all different, such as an intrusion detection system detecting a network attack. If an event field has no data, it is not displayed in the results.

Event fields are grouped according to the following categories, each marked with its own icon in the search results:

Host: The initiator or target host information. For example, initiator host IP, target hostname, or target host ID.

User: The initiator or target user information. For example, the initiator username, initiator user department, target user ID, or target username.

Service: The initiator or target service information. For example, the target service name, target service component, or initiator service name.

Domain: Domain information of both the host and the user. For example, the target host domain and initiator user domain.

IPCountry: The country information of the initiator and target hosts. For example, the target host country.

Target trust: The target trust and target domain information of the event that was affected. The name can be a group, role, profile, etc.

Target data: The target data name and data container information. The data name is the name of the data object, such as a database table, directory object, or file that was affected by the event. The data container is the full path of the data object.

Tenant name: The name of the tenant that owns the event data, applied to all the events in the inbound stream from a given Collector. The tenant name can be the name of the customer, division, department, etc.

Vulnerability: A flag that indicates whether Exploit Detection has matched this attack against known vulnerabilities in the target.

Each event type is represented by a specific icon in the search results. The event types are:

  • Audit event

  • Performance event

  • Anomaly event

  • Correlation event

  • Unparsed event

You can view the search results in the summary view and in the detailed view. When you mouse over an event field, the information about the field is displayed.

Summary View

The Summary view of the search results displays the basic information about the event. The basic information includes severity, date, time, product name, taxonomy, and observer category for the event.

Detailed View

  1. To view more details of an event, click the More link at the top right corner of the search results.

    This displays details such as host/user domain information, IPCountry information, extended target fields like TargetTrust and TargetData, Observer and Reporter fields, customer set variables, default data retention duration information for any individual event, and the tags set for the event.

  2. To view all the details of an event, click the All link.

  3. To view details about all events, click the Show more details link at the top of the search results page.

    You can expand or collapse the details for all events on a page by using the Show more details or Show less details link.

12.1.3 Refining Search Results

The search refinement panel can be used to narrow the search results by selecting one or more values for an event field. You can refine the results for one or more event fields.

The set of event fields that is displayed in the search refinement panel is configurable on a per-user basis.

For performance reasons, the maximum sample size used to calculate the event field value statistics is 50,000 events. The actual sample size is displayed in the field count label as Field counts based on the first <sample-size> events, where <sample-size> is replaced by the actual sample size.

To refine search results:

  1. Log in to the Change Guardian Main interface.

    https://<IP_Address/DNS_Change Guardian_server:8443>/sentinel/views/main.html

    IP_Address/DNS_Change Guardian_server is the IP address or the DNS name of the Change Guardian server and 8443 is the default port for the Change Guardian server.

  2. In the Reports and Searches panel, click New Search.

  3. Specify the search criteria, then click Search.

    For more information on how to run an event search, see Searching Events Indexed in Traditional Storage.

  4. Click fields in the REFINE section. The Select Event Fields window is displayed.

  5. To refine the search, select the event fields from the available fields, then click Save.

    The selected event fields are displayed in the REFINE panel.

    A count at the right side of each event field displays the number of unique values that exist for that event field in the data directory. The calculation is based on the first 50,000 events found.

    The event field selection is on a per-user basis. Each user can have a different set of selected event fields.

  6. Click each event field to view the unique values for that event field.

    For example, if the search results contain events that had severities 1, 2, 5, and 4, the event field is displayed as Severity (4).

    The top 10 unique values are initially displayed in the order of most frequent to least frequent.

    The value next to the check box represents the unique value for that event field and the value at the far right represents the number of times the value appears in the search result.

    If there are multiple unique values occurring the same number of times in a search, the values are sorted by the most recent occurrence of the value.

    For example, if events of severity 1 and severity 4 each occurred 34 times in the search results, and an event of severity 4 was logged most recently, the unique value 4 appears above the unique value 1 in the list.

    To display the unique values in the order of least frequent to most frequent, click reverse.

    When there are more than 10 unique values, you can view and filter either the top 10 or the bottom 10 unique values. You cannot refine your search on both the conditions at the same time.

    In the following scenarios, the number of events returned from a refined search can be greater than the count listed for the selected event field value:

    • If the refinement performs a new search with additional terms intersected with the initial search string, such as by using an AND operator, the new search is run against all events in the system, including the result set from the initial search. If new events that came into the system match the refined search, they are shown in the resulting set and the event count is greater than the field value count.

    • If there are more than 50,000 events, the event field statistics are calculated only on the first 50,000 events.

      There could be an event field value that occurs 50 times in the first 50,000 events, but it could occur 1,000 times in all other stored events. In this scenario, the displayed value count is 50, but when the search is refined with this value it returns 1,000 events.

  7. Click OK.

    Selected event field values are listed under the event field in the REFINE panel.

    The right panel displays the refined search results, which contain only the selected values.

  8. Repeat Step 4 through Step 7 to further refine the search.

  9. (Optional) Click clear to clear the selected unique event field values from the REFINE panel and to return to the original search results.

  10. (Optional) Click add to search to add the refined search values to the current search tab and to recalculate the search statistics.

    If you have already added the event field value to the current search tab, clicking clear does not return to the previous search results.
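The statistics behaviour described in this procedure, as an added, stand-alone Python example (it is not Change Guardian code and does not call its API): field value counts are computed over at most the first 50,000 events, values are listed most frequent first with ties broken by the most recent occurrence, the reverse link yields the bottom values, and a refinement is a new search over all stored events rather than the sample, which is why a value shown with a count of 50 can return 1,000 events. The event records and the field name sev are constructed for the example.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Constants taken from the page: the REFINE panel samples at most the first
# 50,000 events and initially lists the top 10 values per field.
SAMPLE_LIMIT = 50_000
TOP_N = 10

Event = Dict[str, object]


def build_sample_events(total: int = 60_000) -> List[Event]:
    """Constructed sample data (not real Change Guardian events).

    Events are newest first, as in a time-sorted result set. Within the first
    50,000 events severity 4 occurs only 50 times, but 950 more occurrences sit
    beyond the sample; severities 3 and 1 tie at 34 occurrences, and the most
    recent of the tied events has severity 3.
    """
    base_time = 1_700_000_000  # epoch seconds; later index = older event
    events: List[Event] = []
    for i in range(total):
        if i < 50:
            sev = 4
        elif i < 84:
            sev = 3
        elif i < 118:
            sev = 1
        elif i < SAMPLE_LIMIT:
            sev = 2
        elif i < SAMPLE_LIMIT + 950:
            sev = 4
        else:
            sev = 2
        events.append({"time": base_time - i, "sev": sev})
    return events


def field_value_stats(events: List[Event], field: str,
                      sample_limit: int = SAMPLE_LIMIT) -> List[Tuple[object, int]]:
    """(value, count) pairs for `field` over the first `sample_limit` events.

    Ordered most frequent first; equal counts are ordered by the most recent
    occurrence of the value. Events with no value for the field are skipped,
    matching the rule that empty fields are not displayed.
    """
    counts: Counter = Counter()
    latest: Dict[object, int] = {}
    for ev in events[:sample_limit]:
        value = ev.get(field)
        if value is None:
            continue
        counts[value] += 1
        latest[value] = max(latest.get(value, 0), int(ev["time"]))
    return sorted(counts.items(), key=lambda kv: (-kv[1], -latest[kv[0]]))


def field_label(field: str, stats: List[Tuple[object, int]]) -> str:
    """The panel label, e.g. 'Severity (4)' when four distinct values exist."""
    return f"{field} ({len(stats)})"


def top_values(stats: List[Tuple[object, int]], n: int = TOP_N,
               reverse: bool = False) -> List[Tuple[object, int]]:
    """The top n values; with reverse=True the bottom n, least frequent first."""
    return (stats[::-1] if reverse else stats)[:n]


def refine(events: List[Event], field: str, value: object) -> List[Event]:
    """A refinement is a new search over ALL stored events, not just the sample,
    so its result count can exceed the count shown in the panel."""
    return [ev for ev in events if ev.get(field) == value]


if __name__ == "__main__":
    evs = build_sample_events()
    stats = field_value_stats(evs, "sev")
    print(field_label("Severity", stats))   # Severity (4)
    print(top_values(stats))                # [(2, 49882), (4, 50), (3, 34), (1, 34)]
    print(len(refine(evs, "sev", 4)))       # 1000, although the panel shows 50
```

The tie-break uses the newest timestamp seen for each value, so severity 3 (last seen at the 51st newest event) sorts ahead of severity 1 even though both occur 34 times in the sample.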

12.1.4 Saving a Search Query

You can save a search query, then repeat it as desired. To save a search query, you must first perform a search. When you are satisfied with the search results, you save the search query.

NOTE: You must have the necessary permission to access the specific options. For example, only users in the Report Administrator role can save the search query as a report template.

Saving a Search Query as a Search Template

  1. Perform and refine a search until you are satisfied with the search results.

    For more information, see Searching Events Indexed in Traditional Storage and Refining Search Results.

  2. Click Save as, and then click Save search.

  3. Specify a unique name for the search and provide an optional description.

  4. Specify the following information in the Default Parameters section:

    Data sources: Displays the number of servers that Change Guardian will search for events. This option is useful if data federation is enabled. To select the data sources you want to search, click selected data sources, then select the data sources.

    Email to: To e-mail the search template to others, specify the e-mail address. To send the search template to more than one person, specify multiple e-mail addresses separated by commas.

    Result limit: Specify the number of results to be stored in the search template. By default, 1000 results are stored.

  5. Click Save.

Saving a Search Query as a Filter

You can save your search queries as filters for future use so you can perform a search using the saved filters rather than specifying the query manually every time.

To save a search query as a filter:

  1. Perform a search, and refine the search results as desired.

    For more information, see Searching Events Indexed in Traditional Storage and Refining Search Results.

  2. (Conditional) If you are using Change Guardian with traditional storage, click Save as, then click Save search as filter.

  3. Specify a unique name for the filter and an optional description.

  4. In the drop-down list, select one of the following options to specify the access for this filter:

    • Private: Allows you to make this filter private. Other users cannot view or access this filter.

    • Public: Allows you to share this filter with all users.

    • Users in same role: Allows you to share this filter with users who have the same role as yours.

    • Users in selected roles: Allows you to share this filter with users in specific roles. If you select this option, a blank field is displayed where you can specify the roles. As you type the role name, a list of roles is displayed.

      Select one or more roles.

      NOTE: This option is available only for users in the administrator role.

  5. Click Save.

    The saved filter is listed in the Filters panel.

Saving a Search Query as a Report Template

You can save the search query as a search report.

NOTE: You must have the Manage Reports permission to save the search query as a report template.

  1. Perform a search, and refine the search results as desired.

    For more information, see Searching Events Indexed in Traditional Storage and Refining Search Results.

  2. When you are satisfied with the search results, click Save as, then click Save search as report.

  3. Specify the following parameters:

    Report name: Specify a unique name for the report. The name should not exceed 200 characters.

    Based on: Select the base report from which you want to create the report. You can view a sample report by clicking the View Sample button.

    Description: The description is automatically displayed based on the report that is selected, and you can edit it.

    Criteria: The criteria is automatically populated based on the report selected and is not editable.

    Additional criteria: Specify additional search criteria to add to the existing criteria. To build new criteria on your own, click Edit Criteria. To build new criteria from available system objects containing criteria, click Add Criteria. The criteria that you add here is appended to the existing criteria.

    Data sources: Select the source machines on which the reports can be run by clicking the selected data sources link. You can select data sources only if Change Guardian is configured for data federation. For more information, see Section 19.0, Configuring Data Federation.

    Additional Criteria: Specify additional criteria to refine the results. The criteria that you specify here can be edited while scheduling the report. If you specify a Criteria name, the name is displayed at the end of the report results.

    NOTE: This parameter is not available for all reports.

    Time Zone: Specify the time zone with which you want to populate the report. When you schedule the report, the time zone that you specify here is displayed in the report data. For example, if the Time Zone is set to US/Pacific-New, the report data displays that time zone. By default, it displays the time zone that is set in the client system.

    NOTE: This parameter is not available for all reports.

    Date Range: If the report includes time period parameters, choose the date range. All time periods are based on the local time of the browser. The From Date and the To Date automatically change to reflect the option you selected.

    • Current Day: Shows events from midnight of the current day until 11:59:00 PM of the current day. If the current time is 8:00:00 AM, the report shows 8 hours of data.

    • Previous Day: Shows events from midnight yesterday until 11:59:00 PM yesterday.

    • Week To Date: Shows events from midnight Sunday of the current week until the end of the selected day.

    • Previous Week: Shows events for the last seven days.

    • Month to Date: Shows events from midnight of the first day of the current month until the end of the selected day.

    • Previous Month: Shows events for a month, from midnight of the first day of the previous month until 11:59:00 PM of the last day of the previous month.

    • Custom Date Range: Shows events for a period whose start and end dates you choose. If you select Custom Date Range, set the start date (From Date) and the end date (To Date) for the report.

    From Date: Lets you set the from date.

    To Date: Lets you set the to date.

    Event Name: The name of the event. The default value is *.

    Severity: The selectable values are 0, 1, and All.

    Email to: Specify an e-mail address in the Email to field. If you want to mail the report to more than one user, separate the e-mail addresses with commas.

    Result limit: Specify the number of results to be displayed or stored when you run or schedule the report. By default, 1000 results are stored. If you specify a value in the Group By field, the result limit applies per group.

  4. Click Save to save the search as a report definition.

    You can see the saved report definition in the Reports and Searches panel in the Change Guardian Main interface. To view the reports, see Working with Reports.
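The Date Range options above, resolved to concrete From Date and To Date values, as an added Python example that is not Change Guardian code. Day boundaries follow the page (midnight to 11:59:00 PM, browser local time, modelled with naive datetimes). Where the page leaves a boundary unstated, the example assumes one and says so in a comment: Week To Date and Month to Date end at 11:59:00 PM of the current day, and Previous Week covers the seven full days before today. The run time EXAMPLE_RUN_AT is constructed for the example.

```python
from datetime import datetime, timedelta
from typing import Optional, Tuple

# Day boundaries as the page states them: midnight to 11:59:00 PM local time.
LAST_MINUTE = {"hour": 23, "minute": 59, "second": 0, "microsecond": 0}

# Constructed run time for the example: a Wednesday at 8:00:00 AM local time.
EXAMPLE_RUN_AT = datetime(2024, 3, 13, 8, 0, 0)


def midnight(d: datetime) -> datetime:
    return d.replace(hour=0, minute=0, second=0, microsecond=0)


def end_of_day(d: datetime) -> datetime:
    return d.replace(**LAST_MINUTE)


def is_valid_custom_range(start: datetime, end: datetime) -> bool:
    """The page requires the start date to be earlier than the end date."""
    return start < end


def report_date_range(option: str, now: datetime,
                      custom: Optional[Tuple[datetime, datetime]] = None
                      ) -> Tuple[datetime, datetime]:
    """Resolve a Date Range option to (From Date, To Date) in browser local time."""
    today = midnight(now)
    yesterday = today - timedelta(days=1)
    if option == "Current Day":
        return today, end_of_day(today)
    if option == "Previous Day":
        return yesterday, end_of_day(yesterday)
    if option == "Week To Date":
        # weekday(): Monday=0 ... Sunday=6, so this is the number of days since Sunday.
        sunday = today - timedelta(days=(today.weekday() + 1) % 7)
        return sunday, end_of_day(today)          # assumption: ends at end of today
    if option == "Previous Week":
        return today - timedelta(days=7), end_of_day(yesterday)  # assumption: 7 full days
    if option == "Month to Date":
        return today.replace(day=1), end_of_day(today)           # assumption: ends at end of today
    if option == "Previous Month":
        last_of_prev = today.replace(day=1) - timedelta(days=1)
        return last_of_prev.replace(day=1), end_of_day(last_of_prev)
    if option == "Custom Date Range":
        if custom is None:
            raise ValueError("Custom Date Range needs (From Date, To Date)")
        start, end = custom
        if not is_valid_custom_range(start, end):
            raise ValueError("From Date must be earlier than To Date")
        return start, end
    raise ValueError(f"unknown Date Range option: {option!r}")


def hours_of_data(option: str, now: datetime) -> float:
    """Hours of data a report run at `now` can contain: nothing exists after `now`,
    so a Current Day report run at 8:00 AM covers 8 hours even though its
    To Date is 11:59:00 PM."""
    start, end = report_date_range(option, now)
    return (min(end, now) - start).total_seconds() / 3600


if __name__ == "__main__":
    for opt in ("Current Day", "Previous Day", "Week To Date", "Previous Week",
                "Month to Date", "Previous Month"):
        start, end = report_date_range(opt, EXAMPLE_RUN_AT)
        print(f"{opt:15} {start}  ->  {end}")
    print(hours_of_data("Current Day", EXAMPLE_RUN_AT))   # 8.0
```

Previous Month is computed from the last day of the previous month rather than by subtracting days, so it is correct across month lengths and leap years (February 2024 resolves to 2024-02-01 through 2024-02-29 23:59:00).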

Saving a Search Query as a Routing Rule

You must be in the administrator role to save the search query as a routing rule.

  1. Perform a search, and refine the search results as desired.

    For more information, see Searching Events Indexed in Traditional Storage and Refining Search Results.

  2. When you are satisfied with the search results, click Save as, then click Save search as routing rule.

  3. Specify a name for the rule.

  4. (Conditional) To associate one or more tags to the events, click Select tag, select the desired tags, then click Set.

  5. Select where you want to route the events to:

    • All: Events are routed to all Change Guardian services, including Correlation and Security Intelligence.

    • Event store only: Events are sent directly to the event store, and are not displayed in Event Views and the search results page.

    • None (drop): Events are dropped or ignored, and are not sent to any Change Guardian service. Because dropped events are never stored, they cannot be recovered by a later search, so check the matched result set carefully before saving a drop rule.

  6. Select one or more actions to be performed on each event that meets the search criteria. Click the plus and minus icons to add and remove actions.

  7. Click Save.

Saving a Search Query as a Retention Policy

You must be in the administrator role to save the search query as a retention policy.

  1. Perform a search, and refine the search results as desired.

    For more information, see Searching Events Indexed in Traditional Storage and Refining Search Results.

  2. When you are satisfied with the search results, click Save as, then click Save search as retention policy.

  3. Specify a name for the retention policy.

  4. In the Keep at least field, specify the minimum number of days to retain the events in the system. The value must be a valid positive integer.

  5. (Optional) In the Keep at most field, specify the maximum number of days for which the events should be retained in the system.

    The value must be a valid positive integer and must be greater than or equal to the Keep at least value. If no value is specified, the events are retained for as long as space is available in primary storage.

  6. Click Save.

    The newly created policy is displayed in the data retention table. For more information on retention policies, see Section 19.0, Configuring Data Federation.

12.1.5 Performing Event Operations

You can use the events in the search results to perform various tasks as you view the search results.

Executing Actions

Only users in the following roles can execute actions on events:

  • Administrator

  • Security Policy Administrator

  • User

You need to configure the actions before executing actions on events.

To execute actions on events:

  1. Perform a search, and refine the search results as desired.

    For more information, see Searching Events Indexed in Traditional Storage and Refining Search Results.

  2. In the search results, select the events on which you want to execute actions.

  3. Click Event operations > Show action panel.

  4. In the Event Actions panel > Actions drop-down, select the desired actions, then click Execute.

    The results of the actions are displayed in the Results field.

Exporting the Search Results to a File

  1. Perform a search, and refine the search results as desired.

    For more information, see Searching Events Indexed in Traditional Storage and Refining Search Results.

  2. In the search results, select the events you want to export to a file.

  3. Click Event operations > Export to file.

  4. Specify the following information:

    File Name: Specify a name for the file to which you want to export the search results.

    Event Limit: Specify the maximum number of events to be saved. The event limit must be less than the number of events you selected, and the maximum event limit is 200,000.

    All the search results are written into a .csv file. These files are then compressed into a .zip file for downloading.

  5. (Optional) You can remove the event fields that you do not want to export to the file. Click Choose Fields, then clear the selections for the fields that you do not want to export to the file.

    By default, the null fields are excluded and not exported to file.

  6. Click Export to export the search result to a file.

    A download file dialog box is displayed with an option to open or save the .zip file.

  7. Select the desired option, then click OK.
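The export rules in this procedure, as an added Python example that is not Change Guardian code: the event limit is validated against the 200,000 maximum and the number of selected events, the exported columns can be narrowed as with Choose Fields, fields that are null in every exported event are left out, and the CSV is delivered inside a zip archive. The sample events and their field names (sev, evt, iun, host) are constructed for the example; the helper read_export is included so the result can be inspected offline.

```python
import csv
import io
import zipfile
from typing import Dict, List, Optional

# Upper bound on the Event Limit field, from the page.
MAX_EVENT_LIMIT = 200_000

Event = Dict[str, object]

# Constructed sample events (not real Change Guardian output); `host` is never
# populated so that the null-field rule has something to act on.
SAMPLE_EVENTS: List[Event] = [
    {"sev": 5, "evt": "User Account Changed", "iun": "alice", "host": None},
    {"sev": 3, "evt": "File Permission Changed", "iun": "bob", "host": None},
    {"sev": 1, "evt": "Group Member Added", "iun": "carol", "host": None},
]


def is_valid_event_limit(event_limit: int, selected_count: int) -> bool:
    """The limit must be positive, at most 200,000, and must not exceed the
    number of selected events."""
    return 1 <= event_limit <= MAX_EVENT_LIMIT and event_limit <= selected_count


def export_events_zip(events: List[Event], file_name: str, event_limit: int,
                      fields: Optional[List[str]] = None) -> bytes:
    """Write up to `event_limit` selected events to <file_name>.csv inside a zip
    and return the archive bytes the browser would download."""
    if not is_valid_event_limit(event_limit, len(events)):
        raise ValueError(f"event limit must be 1..{MAX_EVENT_LIMIT} and not exceed "
                         f"the {len(events)} selected events")
    selected = events[:event_limit]
    # Choose Fields: start from the requested fields, or every field seen (first-seen order).
    candidates = fields if fields is not None else list(
        dict.fromkeys(key for ev in selected for key in ev))
    # Default null handling: a field with no value in any exported event is not exported.
    columns = [c for c in candidates if any(ev.get(c) is not None for ev in selected)]
    text = io.StringIO()
    writer = csv.DictWriter(text, fieldnames=columns, extrasaction="ignore",
                            restval="", lineterminator="\n")
    writer.writeheader()
    for ev in selected:
        writer.writerow({c: ("" if ev.get(c) is None else ev[c]) for c in columns})
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(f"{file_name}.csv", text.getvalue())
    return archive.getvalue()


def read_export(zip_bytes: bytes) -> List[Dict[str, str]]:
    """Read the exported rows back, as a downstream tool or reviewer would."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        name = zf.namelist()[0]
        return list(csv.DictReader(io.StringIO(zf.read(name).decode("utf-8"))))


if __name__ == "__main__":
    blob = export_events_zip(SAMPLE_EVENTS, "search_results", 2,
                             fields=["sev", "evt", "host"])
    for row in read_export(blob):
        print(row)   # host is absent: it was null in every exported event
```

Exported CSV rows contain whatever the selected events contain, including usernames and target paths, so the downloaded archive should be handled with the same care as the search results themselves.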

Viewing Identity Details of Events

If Change Guardian is integrated with Identity Management systems, you can view the user identity details of events. You must have the View People Browser permission to view the Identity details.

  1. Perform a search, and refine the search results as desired.

    For more information, see Searching Events Indexed in Traditional Storage and Refining Search Results.

  2. In the search results, select the events for which you want to view the identity details.

  3. Click Event operations > Show identity details.

  4. Select whether you want to view the identity of the Initiator user, the Target user, or both.

Viewing Advisor Report

The following are the prerequisites to view the Advisor data:

  • The Advisor feed must be up-to-date, processed, and loaded into the Change Guardian database.

  • The selected event must be from a product supported by Advisor and it must have the Vulnerability field value set to 1.

To view the Advisor data:

  1. Click Filters > Exploit Detected Events, or specify vul:1 in the Search field and then click Search. All events that are likely to have exploited a known vulnerability are displayed.

  2. In the search results, select the events for which you want to view the Advisor data.

  3. Click Event operations > View Advisor report.

    The Advisor report is displayed in a new tab.

Viewing Asset Data

You must have the View Asset Data permission to view the asset data of the selected events. You can view the asset information related to a machine or device from which you are receiving events. To view the asset data, you must run the asset management Collector and ensure that the asset data is being added to the Change Guardian database.

  1. Perform a search, and refine the search results as desired.

    For more information, see Searching Events Indexed in Traditional Storage and Refining Search Results.

  2. In the search results, select the events for which you want to view the asset data.

  3. Click Event operations > View assets.

Viewing Vulnerabilities

You must have the View asset vulnerability data permission to view the Vulnerability data. You can view the vulnerabilities of the selected destination systems. To view the Vulnerability data, you must run the Vulnerability Collector and ensure that the Vulnerability scan information is being added to the Change Guardian database.

Vulnerabilities can be seen for the current time or for the event time.

  • View Vulnerabilities at current time: This report queries the database for vulnerabilities that are active (effective) at the current date and time, and displays the relevant information.

  • View Vulnerabilities at time of event: This report queries the database for vulnerabilities that were active (effective) at the date and time of the selected event, and displays the relevant information.

To view the Vulnerability report:

  1. Perform a search, and refine the search results as desired.

    For more information, see Searching Events Indexed in Traditional Storage and Refining Search Results.

  2. In the search results, select the events for which you want to view the Vulnerability data.

  3. (Conditional) To view vulnerabilities at the current time, click Event operations > View Vulnerabilities at current time.

  4. (Conditional) To view vulnerabilities at the time of the event, click Event operations > View Vulnerabilities at time of event.