This topic describes the features available in the Investigation > Events view.
A list of events associated with a session is available in the Investigation > Events view. There are two ways to display the Events view:
- Select Investigation > Events in the Security Analytics menu. Security Analytics runs a default query on the last three hours for the default service (if one is set) or displays a dialog in which you can select a service and then runs the default query. The default query selects all events and the Events view displays events on the selected service, with the oldest events first.
- From within the Navigate view, click an event. The Events view displays the events on the selected service based on the drill point in the Navigate view.
The Events view provides three built-in presentations of event data: the Detail view, the List view, and the Log view. The List view and Detail view are intended for viewing packet data events, and they provide more information for each event including the timestamp, event type, event theme, and size.
- The List View shows corresponding source and destination address and port information for events in summary form in a grid.
- The Detail View shows all metadata collected for the event in a paged view.
The Log View is optimized for viewing log information, and provides more information for each log including the timestamp, event type, service type, service class, and the logs.
You can use queries, the time range setting, and profiles to filter the events listed in the Events view. From any view type in Events view, you can extract files, export events, export logs, and open the Event Reconstruction panel by double-clicking an event.
The following figure is an example of events in the Detail View. The Context Lookup panel is visible only if the Context Hub service is configured.
The following figure is an example of events in the List View.
The following figure is an example of the Log View.
The Events view has a toolbar at the top with the following options.
|Select Service||Displays the selected service name next to the icon. Opens the Select a Service dialog, in which you can select a service for which the event list is displayed.|
|Time Range||Displays a drop-down menu for selecting the time range to apply to the event list. You can choose one of the standard options or specify a custom time range.|
|Query||Displays the Create Filter dialog, in which you can enter a custom query directly instead of drilling down the data (see Create a Custom Query)|
|Use Profile||Displays the Use Profile menu; the currently selected profile is displayed in the toolbar. A profile allows you to manage and use profiles that can include custom meta groups, a default column group, and a beginning query. The Profiles apply to the Navigate view (meta groups and queries) and the Events view (column groups and queries).|
|View Type Drop-down||Displays a drop-down menu for selecting the event view type.|
|Actions||Displays a drop-down menu with actions in the Events view:|
|Incidents||Displays a drop-down menu in which you can create a new incident or add to an existing incident.|
|Search Events||Enables you to search for text patterns within the current set of events displayed. If you click in the Search field, it shows a drop-down menu with search options. If you click Apply, it saves the selected options and also updates the search options in the Navigate view and the Investigations profile (see Investigation - Search Options).|
|Settings||Displays the Investigation settings for the Events view (which are also available in the Profile view) so that you can change Investigation settings without navigating away from the Events view. When you change a setting In the Events view the setting is also changed in the Profile view (see Configure Navigate View and Events View).|
The Events view pagination bar at the bottom of the page has options for paging through the Events list.
Context Lookup Panel
After you configure the Context Hub service, you can view the contextual information for the meta values in the Navigate view and the Events view of the Investigation module. For more information on configuring the Context Hub service, see Context Hub Configuration Guide.
For information about performing context lookup for meta values, see View Additional Context for a Data Point.
The Context Hub service is pre-configured with default meta type and meta key mapping. For information about the mapping of the context hub meta value with investigation meta key, see "Manage Meta Type and Meta Key Mapping" in the Context Hub Configuration Guide.
For more information about the lookup results and contextual information for different data sources, see "Context Lookup Panel" in the Context Hub Configuration Guide.