Novell Doc: Sentinel 6.1 Rapid Deployment User Guide - Investigating an Event or Events

3.9 Investigating an Event or Events

The right-click option Investigate allows you to:

Perform an event query for the last hour on a single event for:
- Other events with the same target IP address
- Other events with the same source (initiator) IP address
- Other targets with the same event name
  
  NOTE:You cannot perform a query on a null (empty) field.
Graphically display the mappings between any two fields in the selected events. This is particularly useful to view the relationship between the initiators (IP, port, event, sensor type, Collector) and the targets (IP, port, event, sensor type, Collector name) of the selected events, but any fields can be used

Figure 3-5 is an illustration of initiator IP addresses mapped to target IP addresses.

Figure 3-5 Graph Mapper

3.9.1 Investigate: Event Query

This function allows you to perform an event query within the last hour for events similar to the selected event.

In a Navigator or Snapshot window, right-click an event, click Investigate, and select one of three options given below:

Option	Function
Show More Events to this target	Events with the same destination IP address
Show More Events from this source	Events with the same initiator IP address
What are the target objects of this event?	Events with the same event name as the selected event

An event table opens, showing the chosen event information.

3.9.2 Investigate: Graph Mapper

To create a graph map:

In a Real Time Event Table, right-click an event or events and select Investigate >Show Graph.

The following is a graphic depiction of Sensor Name to Event Name of severity 5 in an organic format. You can view a graphic mapping in the following formats:
- Circular
- Hierarchical
- Organic
- Orthogonal
You must specify the From and To fields and click Finish. The Graph Mapper window displays.

3.9.3 Historical Event Query

You can query the database for the past events through a historical event query. The events can be queried according to the filter and severity criteria in required batch size. You can export the results in HTML or CSV file format.

To query events in the Historical Event Query window:

In the Active Views tab, select Active Views > Event Query. You can also open the Historical Event Query window by clicking the Historical Query icon on the toolbar. The Historical Event Query window displays.
Click Filter. In Filter Selection window, select a filter from the list of available filters.
Click Severity icon. The Select Severity Values window displays.
Select one or more values for Severity and click OK.
Select a From and To date and time.The time you select corresponds your system time.
Select a batch size. The events queried display in the batch size you specify.

If you select a batch size of 100, the first 100 events are displayed in the window. After the query is processed, the Begin Searching icon changes to the More results icon. You can see next 100 events along with the previous events by clicking the More results icon.
Click the Begin Searching icon. The query is processed. You can cancel the search by clicking the Cancel search icon.

HINT:Select HTML or CSV from the drop-down list to export query results.

3.9.4 Active Browser

The Active Browser provides the ability to browse through a selected set of data to look for patterns and perform investigation. You can view the selected events in the Active Views in the Active Browser. When you open the Active Browser using Analysis > Offline Query and click Browse against a specific offline query, the events table is displayed only when the number of events is less than or equal to1000.

The events are grouped according to the meta tags. In these meta tags, various sub categories are defined. The numbers in the parentheses against these sub categories displays the total number of event counts corresponding to the value of the meta tag.

To view events in Active Browser:

In the Active Views tab, select the event or events you want to view in Active Browser.
Right-click the event or events and select View in the Active Browser. The selected event/s displays in the Active Browser window.

or

In the Active Views tab, select Active Views > Event Query. Historical Event Query window displays.
In the Historical EventQuery window, run a query and click the Active Browser tab. The selected query displays in the Active Browser window.

NOTE:The Active Browser tab is enabled only if the query results in at least one event display.

To view events in Active Browser in the Analysis tab:

In the Analysis tab, select the query you want to view in the Active Browser.
Click Browse. The selected query result displays in the Active Browser window.

To search in the Active Browser:

Specify the value or text you want to search for in the Search field.
Press Enter or click the Search icon next to the Search field to search.

NOTE:You can move between the various searches by using the Forward and Backward buttons above the Search field.

To add attributes in Active Browser:

Click the Add an attribute for categorization icon as shown below:
Select an attribute in the Add an Attribute for categorization window that displays.
Click OK.