You can search for events indexed in scalable storage. By default the search is performed for the last 1 hour. You can change the time range in the Event Visualization interface where the search results are displayed. You can search for events in either of the following ways:
From My Sentinel
Log in the Sentinel and click the Search icon.
From SSDM Main
Log in to the SSDM web console.
You can specify the search criteria by performing any of the following:
Specify the search criteria in the Criteria field.
For information about the syntax for search criteria, see Section A.0, Search Query Syntax.
Click Build criteria to build the criteria using an interactive user interface.
Click Select and Append criteria to reuse an existing criteria from Tags and Filters.
Click Search.
SSDM displays the search results in a new tab. You can further refine the search results based on the desired event fields, time range, and so on. For information about refining the search results, see Discover section in Kibana documentation.
NOTE:If the network latency between SSDM and Elasticsearch nodes is high, the event visualization interface may not launch due to a time-out error. To avoid this issue, increase the time-out period in Kibana. For more information, see Event Visualization Interface May Not Launch Due to Time-Out Error in the Troubleshooting section of the Sentinel Administration Guide.
You can save your search queries for future use so that you can perform a search using the saved query rather than specifying the query manually every time. You can save the search query either as a search in the Event Visualization interface or as a filter in the SSDM home page.
When you save your search query as a search in the Event Visualization interface, it automatically creates a corresponding filter in SSDM and the filter is private to the user that creates the search. Similarly, when you save your search query as a filter in SSDM, it automatically creates a corresponding search object in the Event Visualization interface. These searches are always public. Therefore, the searches are visible to all users regardless of the Sharing type you apply when creating a filter.
Search objects that already exist in the Elasticsearch cluster before it’s configured with SSDM are not listed under Filters by default. You must manually save the pre-existing search objects as filters, if required.
To save the search query:
In the SSDM home page, specify the search criteria in the Criteria field and click Search.
Sentinel displays the search results in the new Event Visualization interface.
(Conditional) To save the search query as a search object, click the Save search icon, specify a unique name for the search, and then click Save.
If you specify a duplicate name, you can still save the search but it will not create a corresponding filter in SSDM for this search.
(Conditional) To save the search query as a filter in SSDM, go to the SSDM home page, and click Save as filter.
Specify a unique name for the filter and an optional description.
In the Sharing drop-down list, select one of the following options to specify the access for this filter:
Private: Allows you to make this filter private. Other users cannot view or access this filter.
Public: Allows you to share this filter with all users.
Users in same role: Allows you to share this filter with users who have the same role as yours.
Users in selected roles: Allows you to share this filter with users in specific roles. If you select this option, a blank field is displayed where you can specify the roles. As you type the role name, a list of roles is displayed.
Select one or more roles.
NOTE:This option is available only for users in the administrator role.
Click Save.
Search objects that already exist in the Elasticsearch cluster before it’s configured with SSDM are not listed under Filters by default. You must manually save the pre-existing search objects as filters, if required. For information about managing searches and filters, see Managing Searches and Filters.