3.1 Searching Events Indexed in Traditional Storage

You can run a search to view events indexed in traditional storage. You can also search for events in other Sentinel servers that are distributed across different geographic locations. For more information, see Configuring Data Federation in the Sentinel Administration Guide.

3.1.1 Searching Events in My Sentinel

You can search events from My Sentinel page only if event visualization is enabled. For more information, see Enabling Event Visualization in the Sentinel Installation and Configuration Guide.

To perform a search, launch Sentinel and click the Search Events and Alerts icon. The search results are displayed in a new tab. By default, Sentinel searches for events generated in the last 1 hour. You can further refine the search results based on the desired event fields, time range, and so on. For information about refining the search results, see Kibana documentation.

NOTE: If you do not see events even after enabling event visualization, ensure that you have selected the index pattern security.events.normalized_* to search events.

Saving Searches

You can save your search queries for future use so that you can perform a search using the saved query rather than specifying the query manually every time. You can save the search query either as a search in the Event Visualization interface or as a filter in the Sentinel Main page.

When you save your search query, it automatically creates a corresponding filter in Sentinel and the filter is private to the user who created the search.

To save the search query, click Save, specify a unique name for the search, and then click Save.

Managing Searches and Filters

When you edit or delete a search in the Visualization interface, the changes are applied to the corresponding filter in Sentinel as well. Similarly, when you edit or delete a filter in Sentinel, the changes are applied to the corresponding search in the Visualization interface as well.

You can edit and delete only the filters that you created. The default filters and the filters that other users have shared with you cannot be edited or deleted. For information about managing searches, see Kibana documentation.

3.1.2 Searching Events in Sentinel Main

This section provides information about the following topics:

  • Performing a Search

  • Viewing Search Results

  • Refining Search Results

  • Saving a Search Query

  • Performing Event Operations

Performing a Search

To perform a search:

  1. From Sentinel Main, in the Reports and Searches panel, click New search.

  2. You can perform a search by using any of the following:

    • Search criteria: Specify the search criteria in the Search field.

      For information on creating search criteria, see Section A.0, Search Query Syntax.

    • Build criteria: Build a new criteria using the build criteria user interface. For more information, see Creating a Filter by Using the Build Criteria Dialog.

    • Select and Append criteria: Click Select and Append criteria, select from the criteria listed, click Add, and then click Search. You can choose from the full list of criteria, or narrow the list to recent criteria, filters, or tags:

      • Show only recent criteria: Reuse a search expression from your recent search history. The history holds a maximum of 15 search expressions. Click Show only recent criteria, select the criterion, and then click Add.

      • Show only Filters: Reuse an existing filter as the criteria for a new search. Click Show only Filters to list the existing filters, select the filter on which you want to perform the search, and then click Add.

      • Show only Tags: Search for events that carry a particular tag. Click Show only Tags to list the tags in the system, select the tags, and then click Add.

      You can combine multiple criteria, tags, or filters by using the AND or OR condition.

  3. (Optional) Select a time period for the search.

    • The default is Last 1 hour.

    • Custom allows you to select a start date and time and an end date and time for the query. The start date should be earlier than the end date, and the time is based on the machine’s local time.

    • Whenever searches all available data, without any time constraints.

  4. (Optional) If you have administrator privileges, you can select other Sentinel servers for the search.

    If you have data federation configured, you can perform a search on other Sentinel servers. For more information, see Configuring Data Federation in the Sentinel Administration Guide.

  5. Click Search.

    The search results are displayed. For information on the search results, see Viewing Search Results.

  6. (Optional) Modify the search criteria by clicking Edit Criteria.

  7. (Optional) Modify the search results by selecting the desired event fields in the search results.

    To add an AND or OR condition to the existing criteria, left-click the event field, select the required fields, and then specify the desired condition.

  8. Click Search.

  9. (Conditional) To save the search query, see Saving a Search Query.

Viewing Search Results

Searches return a set of events. When results are sorted by relevance, only the top 50,000 events can be viewed. When results are sorted by time, all the events that match the query are displayed.

Occasionally, the search engine might index events faster than they are inserted into the data directory. If you run a search that returns events that were not added in the data directory, you get a message indicating that some events match the search query, but they are not found in the data directory. If you run the search again later, the events are added to the data directory and the search is shown as successful.

The information in each event is grouped into the following categories. In the interface, Initiator, Target, Observer, and Reporter are each marked with an icon; the other categories have none.

  • General: Generic information about the event, such as severity, date, time, product name, and taxonomy.

  • Initiator: The source that caused the event to occur. The source can be a device, network port, etc.

  • Target: The object that is affected by the event. The object can be a file, database table, directory object, etc.

  • Observer: The service that observed the event activity.

  • Reporter: The service that reported the event activity.

  • Tags: The tags that have been applied to the event.

  • Customer value: Fields set by the customer.

  • Retention period: The retention period of the event.

The initiator, target, and observer can be hosts, services, and accounts. In some cases, the initiator, target, and observer can all be the same, such as a user modifying his or her own account. In other cases, the initiator, target, and observer can be different, such as an intrusion detection system detecting a network attack. If an event field has no data, it is not displayed in the results.

Event fields are grouped according to the following categories. Each group is marked with an icon in the interface.

  • Host: The initiator or target host information. For example, initiator host IP, target hostname, or target host ID.

  • User: The initiator or target user information. For example, the initiator username, initiator user department, target user ID, or target username.

  • Service: The initiator or target service information. For example, the target service name, target service component, or initiator service name.

  • Domain: Domain information of both the host and the user. For example, the target host domain or the initiator user domain.

  • IPCountry: The country information of the initiator and target hosts. For example, the target host country.

  • Target trust: The target trust and target domain information of the object that was affected. The name can be a group, role, profile, etc.

  • Target data: The target data name and data container information. The data name is the name of the data object, such as a database table, directory object, or file that was affected by the event. The data container is the full path of the data object.

  • Tenant name: The name of the tenant that owns the event data, applied to all the events in the inbound stream from a given Collector. The tenant name can be the name of the customer, division, department, etc.

  • Vulnerability: A flag that indicates whether Exploit Detection has matched this attack against known vulnerabilities in the target. A value of 1 means a match was found; see Viewing Advisor Report.

Each event type is represented by a specific icon in the search results. The event types are:

  • Audit event

  • Performance event

  • Anomaly event

  • Correlation event

  • Unparsed event

You can view the search results in the summary view and in the detailed view. When you mouse over an event field, the information about the field is displayed.

Summary View

The Summary view of the search results displays the basic information about the event. The basic information includes severity, date, time, product name, taxonomy, and observer category for the event.

Detailed View

  1. To view the event details, click the More link at the top right corner of the search results.

    This displays details such as host/user domain information, IPCountry information, extended target fields like TargetTrust and TargetData, Observer and Reporter fields, customer set variables, default data retention duration information for any individual event, and the tags set for the event.

  2. To view all the details of an event, click the All link.

  3. To view details about all events, click the Show more details link at the top of the search results page.

    You can expand or collapse the details for all events on a page by using the Show more details or Show less details link.

  4. (Optional) Click the get raw data link to open a new Raw Data tab with event source hierarchy and event source fields populated, based on the information received from the event.

    The get raw data link is available only for users in the administrator role.

    If the search result is a system or an internal event, the get raw data link does not appear.

    To verify and download the raw data files, see Verifying and Downloading Raw Data Files in the Sentinel Administration Guide.

Refining Search Results

The search refinement panel can be used to narrow the search results by selecting one or more values for an event field. You can refine the results for one or more event fields.

The set of event fields that is displayed in the search refinement panel is configurable on a per-user basis.

For performance considerations, the maximum sample size used to calculate the event field value statistics is 50,000 events. The actual sample size is displayed in the field count label as Field counts based on the first <sample-size> events where <sample-size> is replaced by the actual sampling size.

To refine search results:

  1. From Sentinel Main, in the Reports and Searches panel, click New Search.

  2. Specify the search criteria, then click Search.

    For more information on how to run an event search, see Searching Events Indexed in Traditional Storage.

  3. Click fields in the REFINE section. The Select Event Fields window is displayed.

  4. To refine the search, select the event fields from the available fields, then click Save.

    The selected event fields are displayed in the REFINE panel.

    A count at the right side of each event field displays the number of unique values that exist for that event field in the data directory. The calculation is based on the first 50,000 events found.

    The event field selection is on a per-user basis. Each user can have a different set of selected event fields.

  5. Click each event field to view the unique values for that event field.

    For example, if the search results contain events that had severities 1, 2, 5, and 4, the event field is displayed as Severity (4).

    The top 10 unique values are initially displayed in the order of most frequent to least frequent.

    The value next to the check box represents the unique value for that event field and the value at the far right represents the number of times the value appears in the search result.

    If there are multiple unique values occurring the same number of times in a search, the values are sorted by the most recent occurrence of the value.

    For example, if events of severity 1 and events of severity 4 each occurred 34 times in the search results, and an event of severity 4 was logged most recently, the unique value 4 appears at the top of the list.

    To display the unique values in the order of least frequent to most frequent, click reverse.

    When there are more than 10 unique values, you can view and filter either the top 10 or the bottom 10 unique values. You cannot refine your search on both the conditions at the same time.

    In the following scenarios, the number of events returned from a refined search is greater than the number of values listed for an event field:

    • If the refinement performs a new search with additional terms intersected with the initial search string, such as by using an AND operator, the new search is run against all events in the system, not only against the result set of the initial search. Any events that arrived after the initial search and match the refined criteria are included in the result set, so the event count is greater than the field value count.

    • If there are more than 50,000 events, the event field statistics are calculated only on the first 50,000 events.

      There could be an event field value that occurs 50 times in the first 50,000 events, but it could occur 1,000 times in all other stored events. In this scenario, the displayed value count is 50, but when the search is refined with this value it returns 1,000 events.

  6. Click OK.

    Selected event field values are listed under the event field in the REFINE panel.

    The right panel displays the refined search results, which contain only the selected values.

  7. Repeat Step 3 through Step 6 to further refine the search.

  8. (Optional) Click clear to clear the selected unique event field values from the REFINE panel and to return to the original search results.

  9. (Optional) Click add to search to add the refined search values to the current search tab and to recalculate the search statistics.

    If you have already added the event field value to the current search tab, clicking clear does not return to the previous search results.
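The sample-size caveat above is easiest to see with numbers. The following Python is added here as an illustration and is not part of Sentinel: it builds a constructed result set in which one severity value is rare in the first 50,000 events and common in the rest, ranks values the way the REFINE panel does (most frequent first, ties broken by the most recent occurrence), and then runs the refinement against the whole set. The event layout and the field name sev are invented for the example.

```python
from collections import Counter
from typing import Dict, List, Sequence, Tuple

SAMPLE_SIZE = 50_000  # statistics are calculated on at most this many events


def build_events(total: int = 150_000) -> List[Dict[str, int]]:
    """Constructed result set, newest event first (index 0 is the most recent).

    Severity 5 appears once per 1,000 events in the first 50,000 but once per
    100 events after that: 50 occurrences in the sample, 1,050 overall.
    """
    events = []
    for i in range(total):
        rare_early = i < SAMPLE_SIZE and i % 1_000 == 0
        common_late = i >= SAMPLE_SIZE and i % 100 == 0
        sev = 5 if (rare_early or common_late) else (i % 4) + 1
        events.append({"id": i, "sev": sev})
    return events


def field_stats(events: Sequence[dict], field: str,
                sample_size: int = SAMPLE_SIZE) -> Tuple[Counter, Dict, int]:
    """Count field values over at most sample_size events.

    Returns (counts, position of first occurrence per value, sample size used).
    Events without the field are skipped, matching the panel's behaviour of
    not showing empty fields.
    """
    sample = events[:sample_size]
    counts: Counter = Counter()
    first_seen: Dict = {}
    for pos, event in enumerate(sample):
        value = event.get(field)
        if value is None:
            continue
        counts[value] += 1
        first_seen.setdefault(value, pos)
    return counts, first_seen, len(sample)


def ranked_values(counts: Counter, first_seen: Dict, top_n: int = 10,
                  reverse: bool = False) -> List[Tuple[object, int]]:
    """Most frequent first; ties broken by the most recent occurrence.

    reverse=True corresponds to clicking "reverse": least frequent first.
    """
    if reverse:
        order = sorted(counts, key=lambda v: (counts[v], first_seen[v]))
    else:
        order = sorted(counts, key=lambda v: (-counts[v], first_seen[v]))
    return [(v, counts[v]) for v in order[:top_n]]


def refine(events: Sequence[dict], field: str, wanted: set) -> List[dict]:
    """A refined search runs against every stored event, not just the sample."""
    return [e for e in events if e.get(field) in wanted]


def demo() -> Tuple[int, int, int]:
    """Return (sample size used, displayed count for severity 5, refined hits)."""
    events = build_events()
    counts, first_seen, used = field_stats(events, "sev")
    displayed = dict(ranked_values(counts, first_seen))
    hits = refine(events, "sev", {5})
    return used, displayed[5], len(hits)


if __name__ == "__main__":
    used, shown, actual = demo()
    print(f"Field counts based on the first {used} events")
    print(f"Severity 5 shown as {shown}, refined search returns {actual}")
```

The displayed count (50) is a property of the sample; the refined result (1,050) is a property of the store. Treat REFINE counts as a ranking aid rather than as totals, and use add to search to recalculate the statistics on the refined set when you need numbers you can report.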

Saving a Search Query

You can save a search query, then repeat it as desired. To save a search query, you must first perform a search. When you are satisfied with the search results, you save the search query.

NOTE: You must have the necessary permission to access the specific options. For example, only users in the Report Administrator role can save the search query as a report template.

Saving a Search Query as a Search Template

  1. Perform and refine a search until you are satisfied with the search results.

    For more information, see Searching Events Indexed in Traditional Storage and Refining Search Results.

  2. Click Save as, and then click Save search.

  3. Specify a unique name for the search and provide an optional description.

  4. Specify the following information in the Default Parameters section:

    Data sources: Displays the number of servers that Sentinel will search for events. This option is useful if data federation is enabled. To select the data sources you want to search, click selected data sources, then select the data sources.

    Email to: To e-mail the report template to others, specify the e-mail address. To send the report template to more than one person, specify multiple e-mail addresses separated by a comma.

    Result limit: Specify the number of results to be stored in the search template. By default, 1000 results are stored in a report template.

  5. Click Save.

Saving a Search Query as a Filter

You can save your search queries as filters for future use so you can perform a search using the saved filters rather than specifying the query manually every time.

In Sentinel, when you create a filter, it automatically creates a corresponding Search object in the Event Visualization dashboard. These search objects are always public: every user of the Event Visualization interface can see the search object, and therefore the criteria it contains, regardless of the Sharing type you apply to the filter. Do not rely on a Private filter to keep its criteria confidential. Conversely, when you save a search query in the Event Visualization dashboard, Sentinel creates a corresponding filter that is private to the user who created the search object.

To save a search query as a filter:

  1. Perform a search, and refine the search results as desired.

    For more information, see Searching Events Indexed in Traditional Storage and Refining Search Results.

  2. Click Save as, then click Save search as filter.

  3. Specify a unique name for the filter and an optional description.

  4. In the drop-down list, select one of the following options to specify the access for this filter:

    • Private: Allows you to make this filter private. Other users cannot view or access this filter.

    • Public: Allows you to share this filter with all users.

    • Users in same role: Allows you to share this filter with users who have the same role as yours.

    • Users in selected roles: Allows you to share this filter with users in specific roles. If you select this option, a blank field is displayed where you can specify the roles. As you type the role name, a list of roles is displayed.

      Select one or more roles.

      NOTE: This option is available only for users in the administrator role.

  5. Click Save.

    The saved filter is listed in the Filters panel. For more information on filters, see Section 4.0, Configuring Filters.

Saving a Search Query as a Report Template

You can save the search query as a search report.

NOTE: You must have the Manage Reports permission to save the search query as a report template.

  1. Perform a search, and refine the search results as desired.

    For more information, see Searching Events Indexed in Traditional Storage and Refining Search Results.

  2. When you are satisfied with the search results, click Save as, then click Save search as report.

  3. Specify the following parameters:

    Parameter

    Description

    Report name

    Specify a unique name for the report. The name should not exceed 200 characters.

    Based on

    Select the base report from which you want to create the report.

    You can view a sample report by clicking the View Sample button.

    Description

    The description is automatically displayed based on the report that is selected and you can edit the description.

    Criteria

    Criteria is automatically populated based on the report selected and is not editable.

    Additional criteria

    Specify additional search criteria to the existing criteria. To build a new criteria on your own, click Edit Criteria. To build a new criteria from available system objects containing criteria, click Add Criteria.

    The criteria that you add here is appended to the existing criteria.

    Data sources

    Select the source machines on which the reports can be run by clicking the selected data sources link. You can select data sources only if your Sentinel is configured for data federation.

    For more information, see Configuring Data Federation in the Sentinel Administration Guide.

    Additional Criteria

    Specify additional criteria to refine the results. The criteria that you specify here can be edited while scheduling the report. If you specify Criteria name, the name is displayed at the end of the report results.

    NOTE: This parameter is not available for all reports.

    Time Zone

    Specify the time zone with which you want to populate the report. When you schedule the report, the time zone that you specify here is displayed in the report data.

    For example, if the Time Zone is set to US/Pacific-New, the report data is displayed in that time zone.

    By default, the time zone set on the client system is used.

    NOTE: This parameter is not available for all reports.

    Date Range

    If the report includes time period parameters, choose the date range. All time periods are based on the local time for the browser. The From Date and the To Date automatically change to reflect the option you selected.

    • Current Day: Shows events from midnight of the current day until 11:59:00 PM of the current day. If the current time is 8:00:00 AM, the report shows 8 hours of data.

    • Previous Day: Shows events from midnight yesterday until 11:59:00 PM yesterday.

    • Week To Date: Shows events from midnight Sunday of the current week until the end of the selected day.

    • Previous Week: Shows events for the last seven days.

    • Month to Date: Shows events from midnight the first day of the current month until the end of the selected day.

    • Previous Month: Shows events for a month, from midnight of the first day of the previous month until 11:59:00 PM of the last day of the previous month.

    • Custom Date Range: Shows events for a period whose start and end date are chosen. If you select Custom Date Range, set the start date (From Date) and the end date (To Date) for the report.

    Group By

    Group the events according to specific event field by selecting the event field from the Group by drop-down list.

    NOTE: This parameter is not available for all reports.

    Language

    Choose the language in which the report labels and descriptions should be displayed. The possible values are English, French, German, Italian, Japanese, Traditional Chinese, Simplified Chinese, Spanish, or Portuguese.

    The default value is the language with which the current user logged in, if that language is supported by the report. If the report does not support the language, the report’s default language (typically English) is used.

    The data in the report is displayed in the language that was originally used by the event source.

    Email to

    Specify an e-mail address in the Email to field. If you want to mail the report to more than one user, separate the e-mail addresses with a comma.

    Result limit

    Specify the number of results to be displayed or stored when you run or schedule the report. By default, 1000 results are stored.

    If you specify a value in Group By field, the result limit is based on grouping.

  4. Click Save to save the search as a report definition.

    You can see the saved report definition in the Reports and Searches panel in the Sentinel Main interface. To view the reports, see Working with Reports.
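The Date Range presets above are described in words; the Python below, added here as an illustration and not Sentinel's own code, resolves each preset to a concrete From Date and To Date for a given clock and shows why Current Day at 08:00 yields only 8 hours of data. Two assumptions are made where the page is not explicit: the end of a day, printed above as 11:59:00 PM, is treated as the last second of the day (23:59:59), and Previous Week ("the last seven days") is taken as the seven full days before today. All arithmetic is in naive local time, matching the page's statement that periods are based on the browser's local time.

```python
from datetime import date, datetime, time, timedelta
from typing import Dict, Optional, Tuple

# Assumption: the page prints the end of a day as "11:59:00 PM"; this example
# uses the last second of the day.
END_OF_DAY = time(23, 59, 59)

# Constructed clock for the demo: Wednesday 13 March 2024, 08:00 local time
DEMO_NOW = datetime(2024, 3, 13, 8, 0, 0)

DateRange = Tuple[datetime, datetime]


def start_of_day(d: date) -> datetime:
    return datetime.combine(d, time.min)


def end_of_day(d: date) -> datetime:
    return datetime.combine(d, END_OF_DAY)


def date_range(option: str, now: datetime,
               custom: Optional[Tuple[date, date]] = None) -> DateRange:
    """Resolve a Date Range option to (From Date, To Date).

    'now' is passed in explicitly so the logic is deterministic and testable.
    """
    today = now.date()
    if option == "Current Day":
        return start_of_day(today), end_of_day(today)
    if option == "Previous Day":
        yesterday = today - timedelta(days=1)
        return start_of_day(yesterday), end_of_day(yesterday)
    if option == "Week To Date":
        # weekday(): Monday == 0 ... Sunday == 6; step back to Sunday
        sunday = today - timedelta(days=(today.weekday() + 1) % 7)
        return start_of_day(sunday), end_of_day(today)
    if option == "Previous Week":
        # Assumption: "the last seven days" are the seven full days before today
        return (start_of_day(today - timedelta(days=7)),
                end_of_day(today - timedelta(days=1)))
    if option == "Month to Date":
        return start_of_day(today.replace(day=1)), end_of_day(today)
    if option == "Previous Month":
        last_of_previous = today.replace(day=1) - timedelta(days=1)
        return start_of_day(last_of_previous.replace(day=1)), end_of_day(last_of_previous)
    if option == "Custom Date Range":
        if custom is None:
            raise ValueError("Custom Date Range needs a (From Date, To Date) pair")
        from_date, to_date = custom
        if from_date > to_date:
            raise ValueError("From Date must not be later than To Date")
        return start_of_day(from_date), end_of_day(to_date)
    raise ValueError(f"unknown Date Range option: {option!r}")


def hours_of_data(option: str, now: datetime) -> float:
    """Hours of data a report run at 'now' can contain: the window is clipped
    at 'now', which is why Current Day at 08:00 holds 8 hours, not 24."""
    start, end = date_range(option, now)
    return (min(now, end) - start).total_seconds() / 3600


def describe(option: str, now: datetime) -> Tuple[str, str]:
    start, end = date_range(option, now)
    return start.isoformat(sep=" "), end.isoformat(sep=" ")


def demo(now: datetime = DEMO_NOW) -> Dict[str, Tuple[str, str]]:
    """Resolve every preset for the constructed clock."""
    presets = ("Current Day", "Previous Day", "Week To Date",
               "Previous Week", "Month to Date", "Previous Month")
    return {option: describe(option, now) for option in presets}


if __name__ == "__main__":
    for option, (start, end) in demo().items():
        print(f"{option:15} {start}  ->  {end}")
    print(f"Current Day hours of data: {hours_of_data('Current Day', DEMO_NOW)}")
```

Previous Month is the preset most worth checking when you schedule a report: it is the only one whose length varies, and the example deliberately lands on February 2024 to show the leap day is included.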

Saving a Search Query as a Routing Rule

You must be in the administrator role to save the search query as a routing rule.

  1. Perform a search, and refine the search results as desired.

    For more information, see Searching Events Indexed in Traditional Storage and Refining Search Results.

  2. When you are satisfied with the search results, click Save as, then click Save search as routing rule.

  3. Specify a name for the rule.

  4. (Conditional) To associate one or more tags to the events, click Select tag, select the desired tags, then click Set.

  5. Select where you want to route the events to:

    • All: Events are routed to all Sentinel services, including Correlation and Security Intelligence.

    • Event store only: Events are sent directly to the event store, and are not displayed in Event Views or on the search results page.

    • None (drop): Events are dropped or ignored, and are not sent to any Sentinel service.

  6. Select one or more actions to be performed on each event that meets the search criteria. Click the plus and minus icons to add and remove actions.

  7. Click Save.
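The routing destinations above have very different consequences: an event routed to None (drop) never reaches the event store, so it is not searchable, not correlated, and not subject to any retention policy. The Python below, added here as an illustration and not Sentinel's own code, models a routing rule as saved-search criteria plus tags, actions, and a destination, routes a constructed batch of events, and reports how many were dropped so the blind spot a drop rule creates is visible. The rule order (first match decides), the sink names, and the sample events with their evt, sev, and src fields are all assumptions of the example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Sequence, Tuple

# The three destinations the page lists for a routing rule
ROUTE_ALL = "All"
ROUTE_STORE_ONLY = "Event store only"
ROUTE_DROP = "None (drop)"

# Which services receive the event for each destination (sink names are
# illustrative labels for this example)
SINKS_FOR_ROUTE: Dict[str, Tuple[str, ...]] = {
    ROUTE_ALL: ("event store", "event views", "correlation", "security intelligence"),
    ROUTE_STORE_ONLY: ("event store",),
    ROUTE_DROP: (),
}


@dataclass
class RoutingRule:
    name: str
    matches: Callable[[dict], bool]           # stands in for the saved search criteria
    route: str
    tags: Tuple[str, ...] = ()
    actions: Tuple[Callable[[dict], None], ...] = ()


def apply_rules(event: dict, rules: Sequence[RoutingRule]) -> Tuple[str, Tuple[str, ...]]:
    """Tag the event, run the rule's actions, and decide where it goes.

    Rules are evaluated in list order and the first match decides; that
    ordering is an assumption of this example, not something the page states.
    An event matching no rule is routed to All.
    """
    for rule in rules:
        if rule.matches(event):
            event.setdefault("tags", set()).update(rule.tags)
            for action in rule.actions:
                action(event)
            return rule.name, SINKS_FOR_ROUTE[rule.route]
    return "(no rule)", SINKS_FOR_ROUTE[ROUTE_ALL]


def route_stream(events: Sequence[dict], rules: Sequence[RoutingRule]) -> Dict[str, object]:
    """Route a batch and report where it went, including how much was dropped."""
    delivered: Counter = Counter()
    per_rule: Counter = Counter()
    dropped = 0
    for event in events:
        name, sinks = apply_rules(event, rules)
        per_rule[name] += 1
        if not sinks:
            dropped += 1
        delivered.update(sinks)
    return {"delivered": dict(delivered), "per_rule": dict(per_rule), "dropped": dropped}


# Constructed events; field names and values are invented for the example
SAMPLE_EVENTS: List[dict] = [
    {"evt": "Heartbeat", "sev": 0, "src": "10.0.0.5"},
    {"evt": "Process Started", "sev": 0, "src": "10.0.0.7"},
    {"evt": "Authentication Failed", "sev": 3, "src": "10.0.0.9"},
    {"evt": "Heartbeat", "sev": 0, "src": "10.0.0.6"},
    {"evt": "Authentication Failed", "sev": 3, "src": "10.0.0.9"},
    {"evt": "User Created", "sev": 2, "src": "10.0.0.7"},
]


def demo() -> Dict[str, object]:
    notified: List[dict] = []   # records each execution of the rule's action
    rules = [
        RoutingRule("drop heartbeats", lambda e: e["evt"] == "Heartbeat", ROUTE_DROP),
        RoutingRule("archive sev 0", lambda e: e["sev"] == 0, ROUTE_STORE_ONLY,
                    tags=("noise",)),
        RoutingRule("flag failed logins", lambda e: e["evt"] == "Authentication Failed",
                    ROUTE_ALL, tags=("auth",), actions=(notified.append,)),
    ]
    summary = route_stream([dict(e) for e in SAMPLE_EVENTS], rules)
    summary["action_runs"] = len(notified)
    return summary


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the heartbeat events also satisfy the sev 0 rule but never reach it, because the drop rule is listed first. Before saving a search as a drop rule, run it with the Whenever time range and look at the full result set; anything it matches will be invisible to every downstream consumer from that point on.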

Saving a Search Query as a Retention Policy

You must be in the administrator role to save the search query as a retention policy.

  1. Perform a search, and refine the search results as desired.

    For more information, see Searching Events Indexed in Traditional Storage and Refining Search Results.

  2. When you are satisfied with the search results, click Save as, then click Save search as retention policy.

  3. Specify a name for the retention policy.

  4. In the Keep at least field, specify the minimum number of days to retain the events in the system. The value must be a valid positive integer.

  5. (Optional) In the Keep at most field, specify the maximum number of days for which the events should be retained in the system.

    The value must be a valid positive integer and must be greater than or equal to the Keep at least value. If no value is specified, the system retains the events for as long as space is available in primary storage.

  6. Click Save.

    The newly created policy is displayed in the data retention table. For more information on retention policies, see Configuring Data Retention Policies in the Sentinel Administration Guide.
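The two fields in steps 4 and 5 define three states for an event, not two: always kept, removable when primary storage needs the space, and past its maximum. The Python below, added here as an illustration and not Sentinel's own code, encodes the validation rules the page states (positive integers, Keep at most not smaller than Keep at least) and classifies an event by age. The policy names, day counts, and the storage_full flag are assumptions of the example; how Sentinel actually decides that storage is under pressure is not described on this page.

```python
from dataclasses import dataclass
from typing import Optional


def validate_policy(keep_at_least: object, keep_at_most: object = None) -> Optional[str]:
    """Return None if the pair is acceptable, else the reason it is rejected.

    Mirrors the constraints in steps 4 and 5: Keep at least is a positive
    integer; Keep at most is optional, a positive integer, and not smaller
    than Keep at least. Booleans are rejected even though they subclass int.
    """
    def positive_int(value: object) -> bool:
        return isinstance(value, int) and not isinstance(value, bool) and value > 0

    if not positive_int(keep_at_least):
        return "Keep at least must be a positive integer"
    if keep_at_most is None:
        return None
    if not positive_int(keep_at_most):
        return "Keep at most must be a positive integer when specified"
    if keep_at_most < keep_at_least:
        return "Keep at most must be greater than or equal to Keep at least"
    return None


@dataclass(frozen=True)
class RetentionPolicy:
    name: str
    keep_at_least: int
    keep_at_most: Optional[int] = None

    def __post_init__(self) -> None:
        problem = validate_policy(self.keep_at_least, self.keep_at_most)
        if problem:
            raise ValueError(f"{self.name}: {problem}")

    def disposition(self, age_days: int, storage_full: bool) -> str:
        """Classify an event of the given age under this policy.

        'keep'     - younger than Keep at least; never removed
        'eligible' - past Keep at least but within Keep at most; removed only
                     when primary storage needs the space
        'purge'    - past Keep at most, or past Keep at least with no space left
        """
        if age_days < self.keep_at_least:
            return "keep"
        if self.keep_at_most is not None and age_days > self.keep_at_most:
            return "purge"
        return "purge" if storage_full else "eligible"


def demo() -> dict:
    """Constructed policies; names and day counts are invented for the example."""
    auth = RetentionPolicy("auth events", keep_at_least=90, keep_at_most=365)
    open_ended = RetentionPolicy("everything else", keep_at_least=30)
    return {
        "auth day 10": auth.disposition(10, storage_full=True),
        "auth day 100 space ok": auth.disposition(100, storage_full=False),
        "auth day 100 space full": auth.disposition(100, storage_full=True),
        "auth day 400": auth.disposition(400, storage_full=False),
        "open-ended day 1000": open_ended.disposition(1000, storage_full=False),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The practical consequence is that only Keep at least is a guarantee. If an investigation or legal hold needs events to survive for a fixed period, that period belongs in Keep at least; events in the eligible state can disappear as soon as primary storage fills.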

Saving a Search Query as a Security Intelligence Dashboard

You must have the Manage and View Security Intelligence Dashboards permission to create a dashboard.

  1. Perform a search, and refine the search results as desired.

    For more information, see Searching Events Indexed in Traditional Storage and Refining Search Results.

  2. When you are satisfied with the search results, click Save as, then click Save search as dashboard.

  3. Specify the following information to create the dashboard:

    • Name: Specify a unique name for the dashboard.

    • Classifier: Select the classifier that determines the categories displayed in the dashboard. Click the Info link for information on each category.

    • Data Retention Period: Select how long the data for the dashboard is retained.

  4. Click Create dashboard to create the dashboard.

The dashboard is displayed in a new browser tab. A new dashboard is empty because it has not had time to collect any data. For more information on dashboards, see Section 7.0, Analyzing Trends in Data.

Performing Event Operations

You can use the events in the search results to perform various tasks as you view the search results.

Executing Actions

Only users in the following roles can execute actions on events:

  • Administrator

  • Incident Administrator

  • Security Policy Administrator

  • User

You need to configure the actions before executing actions on events. For more information, see Prerequisites for Executing Actions on Events.

To execute actions on events:

  1. Perform a search, and refine the search results as desired.

    For more information, see Searching Events Indexed in Traditional Storage and Refining Search Results.

  2. In the search results, select the events on which you want to execute actions.

  3. Click Event operations > Show action panel.

  4. In the Event Actions panel > Actions drop-down, select the desired actions, then click Execute.

    For more information on executing actions, see Section 11.0, Manually Performing Actions on Events.

    The results of the actions are displayed in the Results field.

Exporting the Search Results to a File

  1. Perform a search, and refine the search results as desired.

    For more information, see Searching Events Indexed in Traditional Storage and Refining Search Results.

  2. In the search results, select the events you want to export to a file.

  3. Click Event operations > Export to file.

  4. Specify the following information:

    File Name: Specify a name for the file to which you want to export the search results.

    Event Limit: Specify the maximum number of events to be saved. The event limit must be less than the number of events you selected, and the maximum event limit is 200,000.

    All the search results are written into a .csv file. These files are then compressed into a .zip file for downloading.

  5. (Optional) You can remove the event fields that you do not want to export to the file. Click Choose Fields, then clear the selections for the fields that you do not want to export to the file.

    By default, the null fields are excluded and not exported to file.

  6. Click Export to export the search result to a file.

    A download file dialog box is displayed with an option to open or save the .zip file.

  7. Select the desired option, then click OK.

Adding Events to an Incident

You must have the View or Create Incidents and Add Events to Incidents permission to add events to incidents.

For more information on Incidents, see Section 16.0, Configuring Incidents.

  1. Perform a search, and refine the search results as desired.

    For more information, see Searching Events Indexed in Traditional Storage and Refining Search Results.

  2. In the search results, select the events you want to add to an incident.

  3. Click Event Operations > Add to incident.

    NOTE: Ensure that incidents are available. If there are no incidents available, you need to create one. For more information on creating incidents, see Creating an Incident.

  4. Click Search to view all the available incidents.

  5. (Optional) To view incidents based on categories, select a category from the GroupBy drop-down list.

  6. Select the incident to which you want to add events.

  7. Click OK.

Creating an Incident

You can create an incident from a group of events representing something of interest. For example, group together similar events or group together a set of different events that indicate a pattern of interest such as an attack.

You must have the View or Create Incidents and Add Events to Incidents permission to create incidents.

For more information on Incidents, see Section 16.0, Configuring Incidents.

To create an incident from events:

  1. Perform a search, and refine the search results as desired.

    For more information, see Searching Events Indexed in Traditional Storage and Refining Search Results.

  2. In the search results, select the events you want to add to an incident.

  3. Click Event operations > Create incident.

  4. Use the following information to create the incident:

    Title: Specify a title for the incident.

    Description: Specify a description of the incident.

    Severity: Select the severity of the incident from the drop-down list.

    Priority: Select the priority of the incident from the drop-down list.

    Category: Select the category of the incident from the drop-down list.

    Responsible: Select the user who is responsible for investigating and closing the incident.

    iTRAC: Select an iTRAC workflow to use to manage the incident.

  5. Click OK to create the incident.

Adding Events to a Correlation Rule

You must have the Manage Correlation Engine and Rules permission to create a Correlation rule. For more information on creating a Correlation rule by using events, see Creating Correlation Rules From Search Results.

Creating a Correlation Rule by Using Events

You must have the Manage Correlation Engine and Rules permission to create a Correlation rule. For more information on creating a Correlation rule by using events, see Creating Correlation Rules From Search Results.

Viewing Identity Details of Events

If Sentinel is integrated with Identity Management systems, you can view the user identity details of events. You must have the View People Browser permission to view the Identity details.

  1. Perform a search, and refine the search results as desired.

    For more information, see Searching Events Indexed in Traditional Storage and Refining Search Results.

  2. In the search results, select the events for which you want to view the identity details.

  3. Click Event operations > Show identity details.

  4. Select whether you want to view the identity of the Initiator user, the Target user, or both.

For more information on identity details, see Section 10.0, Leveraging Identity Information.

Viewing Advisor Report

The following are the prerequisites to view the Advisor data:

  • The Advisor feed must be up-to-date, processed, and loaded into the Sentinel database.

  • The selected event must be from a product supported by Advisor and it must have the Vulnerability field value set to 1.

To view the Advisor data:

  1. Click Filters > Exploit Detected Events or specify vul:1 in the Search field, then click Search. All events that are likely to have exploited a known vulnerability are displayed.

  2. In the search results, select the events for which you want to view the Advisor data.

  3. Click Event operations > View Advisor report.

    The Advisor report is displayed in a new tab.

    For more information on Advisor, see Detecting Vulnerabilities and Exploits in the Sentinel Administration Guide.

Viewing Asset Data

You must have the View Asset Data permission to view the asset data of the selected events. You can view the asset information related to a machine or device from which you are receiving events. To view the asset data, you must run the asset management Collector and ensure that the asset data is being added to the Sentinel database.

  1. Perform a search, and refine the search results as desired.

    For more information, see Searching Events Indexed in Traditional Storage and Refining Search Results.

  2. In the search results, select the events for which you want to view the asset data.

  3. Click Event operations > View assets.

Viewing Vulnerabilities

You must have the View asset vulnerability data permission to view the Vulnerability data. You can view the vulnerabilities of the selected destination systems. To view the Vulnerability data, you must run the Vulnerability Collector and ensure that the Vulnerability scan information is being added to the Sentinel database.

Vulnerabilities can be seen for the current time or for the event time.

  • View Vulnerabilities at current time: This report queries the database for vulnerabilities that are active (effective) at the current date and time, and displays the relevant information.

  • View Vulnerabilities at time of event: This report queries the database for vulnerabilities that were active (effective) at the date and time of the selected event, and displays the relevant information.

To view the Vulnerability report:

  1. Perform a search, and refine the search results as desired.

    For more information, see Searching Events Indexed in Traditional Storage and Refining Search Results.

  2. In the search results, select the events for which you want to view the Vulnerability data.

  3. (Conditional) To view vulnerabilities at the current time, click Event operations > View Vulnerabilities at current time.

  4. (Conditional) To view vulnerabilities at the time of the event, click Event operations > View Vulnerabilities at time of event.