You can use the events in the search results to perform various tasks as you view the search results.
Only users in the following roles can execute actions on events:
Administrator
Incident Administrator
Security Policy Administrator
User
To execute actions on events:
Perform a search, and refine the search results as desired.
For more information, see Section 2.1, Running an Event Search and Section 2.3, Refining Search Results.
In the search results, select the events on which you want to execute actions.
Click > . In the panel > field, select the desired actions, then click . The results of the actions are displayed in the field. For more information on executing actions, see Section 8.0, Manually Performing Actions on Events.
Perform a search, and refine the search results as desired.
For more information, see Section 2.1, Running an Event Search and Section 2.3, Refining Search Results.
In the search results, select the events you want to export to a file.
Click >
Specify the following information:
File Name: Specify a name for the file to which you want to export the search results.
Event Limit: Specify the maximum number of events to be saved. The event limit must be less than the number of events you selected and the maximum event limit is 200000.
All the search results are written into a .csv file. These files are then compressed into a .zip file for downloading.
(Optional) You can remove the event fields that you do not want to export to the file. Click , then clear the selections for the fields that you do not want to export to the file.
By default, the null fields are excluded and not exported to the file.
Click to export the search result to a file.
A download file dialog box is displayed with an option to open or save the .zip file.
Select the desired option, then click .
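The export described in the steps above, written out as an added example that is not part of the Sentinel documentation or product: a Python function that takes already-selected events, applies the file name and event limit, drops the fields the user cleared and (by default) the fields that are null in every selected event, writes the rows to a .csv file and compresses that into a .zip. The event dictionaries, the field names, the 200000 upper bound being the only hard cap and the reading of "null field" as "empty in every selected event" are constructed assumptions, not the product's schema or behaviour.

```python
import csv
import io
import zipfile

# Constructed sample search results (assumption: not Sentinel's event schema).
# The Vulnerability field is empty in every event, so it counts as "null" below.
SAMPLE_EVENTS = [
    {"EventTime": "2024-01-01T10:00:00Z", "EventName": "Login failed",
     "InitUserName": "alice", "TargetHostName": "web01", "Vulnerability": ""},
    {"EventTime": "2024-01-01T10:00:05Z", "EventName": "Login failed",
     "InitUserName": "alice", "TargetHostName": "web01", "Vulnerability": ""},
    {"EventTime": "2024-01-01T10:01:00Z", "EventName": "Port scan",
     "InitUserName": "", "TargetHostName": "db01", "Vulnerability": ""},
]

MAX_EVENT_LIMIT = 200000  # the maximum event limit stated on the page


def select_fields(events, exclude=(), include_null=False):
    """Return the ordered list of field names that will be exported.

    Fields in ``exclude`` are dropped (the user cleared them). Unless
    include_null is set, a field with no value in any selected event is also
    dropped; this is the assumed meaning of "null fields are excluded".
    """
    fields = []
    for event in events:
        for name in event:
            if name not in fields:
                fields.append(name)
    kept = []
    for name in fields:
        if name in exclude:
            continue
        if not include_null and all(not ev.get(name) for ev in events):
            continue
        kept.append(name)
    return kept


def export_events(events, file_name, event_limit, exclude=(), include_null=False):
    """Write up to event_limit events as <file_name>.csv and return the zip bytes."""
    if not 1 <= event_limit <= MAX_EVENT_LIMIT:
        raise ValueError("event limit must be between 1 and %d" % MAX_EVENT_LIMIT)
    # The page says the limit must be less than the number of selected events;
    # here it is validated as "not more than" (assumption).
    if event_limit > len(events):
        raise ValueError("event limit exceeds the number of selected events")
    fields = select_fields(events, exclude, include_null)
    text = io.StringIO()
    writer = csv.DictWriter(text, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    for event in events[:event_limit]:
        writer.writerow({name: event.get(name, "") for name in fields})
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(file_name + ".csv", text.getvalue())
    return buf.getvalue()


def read_export(zip_bytes):
    """Open an export again: returns (csv member name, list of row dicts)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        name = zf.namelist()[0]
        with zf.open(name) as member:
            rows = list(csv.DictReader(io.TextIOWrapper(member, encoding="utf-8")))
    return name, rows


if __name__ == "__main__":
    archive = export_events(SAMPLE_EVENTS, "failed_logins", 2, exclude=("TargetHostName",))
    print(read_export(archive))
```

Because the null-field rule is evaluated over the whole selection, a field that is empty for one event but set for another (InitUserName in the sample) stays in the export; only a column that is empty everywhere is dropped, so the CSV keeps the per-event blanks an analyst may want to see.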
You must have the View or Create Incidents and Add Events to Incidents permission to add events to incidents.
For more information on Incidents, see Section 12.0, Configuring Incidents.
Perform a search, and refine the search results as desired.
For more information, see Section 2.1, Running an Event Search and Section 2.3, Refining Search Results.
In the search results, select the events you want to add to an incident.
Click > .
NOTE: Ensure that incidents are available. If there are no incidents available, then you need to create one. For more information on creating incidents, see Section 2.5.4, Creating an Incident.
Click to view all the available incidents.
(Optional) To view incidents based on categories, select a category from the drop-down list.
Select the incident to which you want to add events.
Click .
You can create an incident from a group of events representing something of interest. For example, group together similar events, or group together a set of different events that indicate a pattern of interest such as an attack.
You must have the View or Create Incidents and Add Events to Incidents permission to create incidents.
For more information on Incidents, see Section 12.0, Configuring Incidents.
To create an incident from events:
Perform a search, and refine the search results as desired.
For more information, see Section 2.1, Running an Event Search and Section 2.3, Refining Search Results.
In the search results, select the events you want to add to an incident.
Click > .
Use the following information to create the incident:
Title: Specify a title for the incident.
Description: Specify a description of the incident.
Severity: Select the severity of the incident from the drop-down list.
Priority: Select the priority of the incident from the drop-down list.
Category: Select the category of the incident from the drop-down list.
Responsible: Select the user that is responsible to investigate and close the incident.
iTRAC: Select an iTRAC workflow to use to manage the incident.
Click to create the incident.
You must have the Manage Correlation Engine and Rules permission to create a Correlation rule. For more information on creating a Correlation rule by using events, see Section 4.4.5, Creating Correlation Rules From Search Results.
If Sentinel is integrated with Identity Management systems, you can view the user identity details of events. You must have the View People Browser permission to view the Identity details.
Perform a search, and refine the search results as desired.
For more information, see Section 2.1, Running an Event Search and Section 2.3, Refining Search Results.
In the search results, select the events for which you want to view the identity details.
Click > .
Select whether you want to view the identity of the Initiator user, the Target user, or both.
For more information on identity details, see Section 7.0, Integrating Identity Information with Sentinel Events.
The following are the prerequisites to view the Advisor data:
The Advisor feed must be up-to-date, processed, and loaded into the Sentinel database.
The selected event must be from a product supported by Advisor and it must have the Vulnerability field value set to 1.
To view the Advisor data:
Perform a search, and refine the search results as desired.
For more information, see Section 2.1, Running an Event Search and Section 2.3, Refining Search Results.
In the search results, select the events for which you want to view the Advisor data.
Click > .
The Advisor report is displayed in a new tab.
For more information on Advisor, see Configuring Advisor in the NetIQ Sentinel 7.0.1 Administration Guide.
You must have the View Asset Data permission to view the asset data of the selected events. You can view the asset information related to a machine or device from which you are receiving events. To view the asset data, you must run the asset management Collector and ensure that the asset data is being added to the Sentinel database.
Perform a search, and refine the search results as desired.
For more information, see Section 2.1, Running an Event Search and Section 2.3, Refining Search Results.
In the search results, select the events for which you want to view the asset data.
Click > .
The asset data is displayed in a new tab.
For more information on asset data, see Section 10.5.10, Viewing Asset Data.
You must have the View asset vulnerability data permission to view the Vulnerability data. You can view the vulnerabilities of the selected destination systems. To view the Vulnerability data, you must run the Vulnerability Collector and ensure that the Vulnerability scan information is being added to the Sentinel database.
Vulnerabilities can be seen for the current time or for the event time.
View Vulnerabilities at current time: This report queries the database for vulnerabilities that are active (effective) at the current date and time, and displays the relevant information.
View Vulnerabilities at time of event: This report queries the database for vulnerabilities that were active (effective) at the date and time of the selected event, and displays the relevant events.
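To make the difference between the two reports concrete, here is an added example that is not Sentinel's own code: given constructed scan records that carry the window in which each vulnerability was effective on a host, the same event on the same destination host yields one list when queried as of the event time and a different list when queried as of the current time. The record layout (host, vuln_id, effective_from, effective_to), the event fields and all timestamps are assumptions made for the example.

```python
from datetime import datetime, timezone

# Constructed scan records (assumption: not the Sentinel vulnerability schema).
# effective_from is when a scan first reported the vulnerability on the host;
# effective_to is when a later scan stopped reporting it (None = still open).
SAMPLE_VULNERABILITIES = [
    {"host": "db01", "vuln_id": "VULN-A",
     "effective_from": datetime(2023, 11, 1, tzinfo=timezone.utc), "effective_to": None},
    # reported before the event, remediated nine days after it
    {"host": "db01", "vuln_id": "VULN-B",
     "effective_from": datetime(2023, 12, 1, tzinfo=timezone.utc),
     "effective_to": datetime(2024, 1, 10, tzinfo=timezone.utc)},
    # first reported two weeks after the event
    {"host": "db01", "vuln_id": "VULN-C",
     "effective_from": datetime(2024, 1, 15, tzinfo=timezone.utc), "effective_to": None},
    # a different destination host, never part of the sample event's report
    {"host": "web01", "vuln_id": "VULN-D",
     "effective_from": datetime(2023, 11, 1, tzinfo=timezone.utc), "effective_to": None},
]

# Constructed event: the destination host and event time are what the reports key on.
SAMPLE_EVENT = {
    "EventTime": datetime(2024, 1, 1, 10, 0, tzinfo=timezone.utc),
    "TargetHostName": "db01",
    "EventName": "Port scan",
}

# A fixed "now" so the current-time report is reproducible (assumption for the example).
SAMPLE_NOW = datetime(2024, 2, 1, tzinfo=timezone.utc)


def active_vulnerabilities(records, host, when):
    """IDs of vulnerabilities on host whose effective window contains when."""
    return sorted(
        r["vuln_id"]
        for r in records
        if r["host"] == host
        and r["effective_from"] <= when
        and (r["effective_to"] is None or when < r["effective_to"])
    )


def vulnerabilities_at_time_of_event(records, event):
    """'View Vulnerabilities at time of event': query as of the event timestamp."""
    return active_vulnerabilities(records, event["TargetHostName"], event["EventTime"])


def vulnerabilities_at_current_time(records, event, now=None):
    """'View Vulnerabilities at current time': query as of now (injectable for tests)."""
    now = now or datetime.now(timezone.utc)
    return active_vulnerabilities(records, event["TargetHostName"], now)


if __name__ == "__main__":
    print("at time of event:", vulnerabilities_at_time_of_event(SAMPLE_VULNERABILITIES, SAMPLE_EVENT))
    print("at current time: ", vulnerabilities_at_current_time(SAMPLE_VULNERABILITIES, SAMPLE_EVENT, SAMPLE_NOW))
```

The two lists differ in exactly the way the reports are meant to: VULN-B was open when the event occurred but has since been remediated, so only the time-of-event report ties it to what the attacker could have used; VULN-C was found later and matters only for the host's present exposure, so only the current-time report shows it.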
To view the Vulnerability report:
Perform a search, and refine the search results as desired.
For more information, see Section 2.1, Running an Event Search and Section 2.3, Refining Search Results.
In the search results, select the events for which you want to view the Vulnerability data.
(Conditional) To view vulnerabilities at the current time, click > .
(Conditional) To view vulnerabilities at the time of the event, click > .
For more information on the vulnerability data, see Section 10.5.11, Viewing Vulnerabilities.