7.6 Viewing Anomaly Events
When an anomaly is detected, Sentinel generates an anomaly event. Anomaly event fields contain detailed information about the anomaly.
To view the anomaly events:
-
In the Sentinel Main interface, in the left pane, expand > , click , click
.
-
To view the event field values for an anomaly event, in the search results, click next to the anomaly event.
The following table describes the various event fields in an anomaly event:
|
Anomaly Event Field |
ID |
Sample Value |
Description |
|---|---|---|---|
|
BeginTime |
bgnt |
2014-01-06T07:13:00.000Z |
The start of the time range when the anomaly was detected. |
|
EndTime |
endt |
2014-01-06T07:17:00.000Z |
The end of the time range when the anomaly was detected. |
|
EventName |
evt |
FailedLogins:AbnormalFailedLogins |
The name of the anomaly definition. |
|
EventTime |
dt |
2014-01-06T07:18:54.285Z |
The time when the anomaly event was generated. |
|
Message |
msg |
abnormal failed login activity |
The description in the anomaly definition. |
|
ObserverCategory |
rv32 |
SIEM |
For an anomaly event, this event field is always set to SIEM. |
|
ObserverServiceComponent |
rv150 |
/Create a user session/Failure |
The classifier path which contains the categories displayed in the dashboard. |
|
ObserverTZ |
estz |
Asia/Kolkata |
The time zone in which the anomaly engine is located. |
|
ObserverType |
st |
Y |
For an anomaly event, the event field is always set to Y. |
|
SentinelProcessingComponent |
rt2 |
AbnormalFailedLogins |
The anomaly definition name. |
|
SentinelProcessingComponentID |
rv123 |
2F38BBCA-1A39-42A9-9873-D2C4CE732B0D |
This is the UUID of the dashboard which is associated with the anomaly definition. The UUID remains the same even though the dashboard name changes. |
|
SentinelServiceComponentID |
rv124 |
B7E6B2A7-CDB1-40A8-AA33-8AE99284DE6B |
This is the ID of the anomaly definition. The ID remains the same even though the anomaly definition name changes. |
|
SentinelServiceComponentName |
sres |
FailedLogins |
This is the dashboard name associated with the anomaly definition. |
|
SentinelServiceName |
res |
SecurityIntelligence |
For an anomaly event, this event field is always set to SecurityIntelligence. |
|
Severity |
sev |
5 |
The severity in the anomaly definition. |
|
XDASClass |
xdasclass |
11 |
For an anomaly event, this event field is always set to 11. |
|
XDASDetail |
xdasdetail |
12 |
For an anomaly event, this event field is always set to 12. |
|
XDASIdentifier |
xdasid |
13 |
For an anomaly event, this event field is always set to 13. |
|
XDASOutcome |
xdasoutcome |
1 |
For an anomaly event, this event field is always set to 1. |
|
XDASOutcomeName |
xdasoutcomename |
XDAS_OUT_THRESHOLD_EXCEEDED |
For an anomaly event, this event field is always set to XDAS_OUT_THRESHOLD_EXCEEDED. |
|
XDASProvider |
xdasprov |
0 |
For an anomaly event, this event field is always set to 0. |
|
XDASRegistry |
xdasreg |
0 |
For an anomaly event, this event field is always set to 0. |
|
XDASTaxonomyName |
xdastaxname |
XDAS_AE_ANOMALY |
For an anomaly event, this event field is always set to XDAS_AE_ANOMALY. |
For more information on anomaly event fields, click in the Sentinel Main interface. For more information on the event taxonomy and event fields, see Sentinel Taxonomy.
You can use the event field IDs to create search queries to find specific anomaly events. For example, if you want to search for the anomaly events that were generated because of the anomaly definition AbnormalFailedLogins, specify the following query in the field:
st:y AND rt2:AbnormalFailedLogins
For more information about searching for events, see Searching Events Indexed in Traditional Storage.