Investigation: Filter and Search Results in the Events View

Document created by RSA Information Design and Development on Jul 28, 2016
Version 1Show Document
  • View in full screen mode

If you opened the Events view from a Navigate view drill point, the view opens to the Detail view of events by default. Analysts who do not have permissions to use the Navigate view can query services directly from the Events view. There are several configuration options to filter the information displayed in the Events view.

Note: When an Archiver is the currently selected service in the Events view and you are searching against a Broker or Concentrator, the search is slower than if searching against a Broker or Concentrator because the data on the Archiver is compressed and there is typically more data.

Filter Events Displayed in the Events View

  1. In the Security Analytics menu, select Investigate > Events.
    The Events view is displayed.
  2. To select a time range other than the default (Last 3 Hours), in the toolbar, click the time range field and select a value. For example, Last Hour.
    The Events view is refreshed with the selected time range.
  3. To enter a query for the selected service and time range, in the toolbar, click Query.
    The Simple Query dialog is displayed.
  4. If you want to enter a simple query using the auto-complete feature to select meta and operators, do one of the following:
    1. Click in the Select Meta field and select a meta key from the drop-down list.
    2. Select an operator from the drop-down list in the Operator field.
    3. Type a value to match in the Value field.
    4. Select Network or Log data, and click Apply.
      The matching data is displayed in the Events view.
  5. If you want to enter a more complex query based on your knowledge of the meta and operators:
    1. Click Advanced.
      The Advanced Query dialog is displayed.
    2. Type a query. As you type the query, beginning with the meta key, drop-down lists of available meta keys and operators are displayed. When finished, click Apply
  6. If you want to select a query from a list of recent queries:
    1. Select Recent.
      The Recent Query dialog is displayed.
    2. Select a query and click Apply.
      The matching results for the query are displayed in the Detail View in the Events view. Notice that the breadcrumb reflects the query (tcp.dstport exists, in the example).
    3. In the breadcrumb, you can click any of the crumbs to display the Query menu. You can insert a new query before a crumb, and append a new query to the end of breadcrumb. After each edit in the breadcrumb, Security Analytics refreshes the results.

Search for Events in the Events View

You can search the currently displayed data in the Events view by entering a search string in the Search field. The search string can be a regex (Regular Expression) or it can be a simple text search. 

Text Search

The text search provides these capabilities:

  • Each whitespace delimited word is ANDed, so that every word must be found, but the order or location position in relation to the other words is irrelevant. For example, if you search on Mark Albert, both Mark and Albert must be found in the session, but they need not be together or in any specific order.
  • The word OR is special. If you search Mark OR Albert, either Mark or Albert must be found in the session to match; both are not required.
  • You can mix or match implicit ANDs and ORs together in the search string. The explicit OR has higher precedence than the implicit (whitespace) AND. The following examples make the same logical statement, which requires that both the terms cheese and dumplings be present in a match and one of toast or bread.
    cheese toast OR bread dumplings
    cheese AND (toast OR bread) AND dumplings
  • You can exclude words from search results using the - operator. For example, searching for cheese -toast would return any result that has the word cheese, unless the word toast is also present.
  • Words in a search match any exactly matching substring within the session content; for example, each is found in beach.

Regular Expression Search

A regular expression search uses Perl regular expression syntax, which is documented in detail in

To search within the currently displayed data in the Events view:

  1. (Optional) To configure search preferences:
    1. Click in the Search field to display the Search Events drop-down menu.
    2. Select the search options to apply to the search. You must select Meta or RAW; you can also select both of these options.              
      MetaSearch the meta data.
      RAW (Network/Log)Search the log text. Every event is decoded and content is searched. If you select all data with no filters on an Archiver, execution time may be excessive and a warning may be displayed.
      Case InsensitiveIgnore case when searching.
      Regular ExpressionThe search string is a Perl regular expression, rather than text. By default, Security Analytics executes a text search. To execute a regular expression search, you must select the Regular Expression option.
    3. To save the search settings, click Apply.
      The preferences are saved and effective immediately. These preferences remain in effect during the session.
  2. To execute the search, place the cursor in the Search box, type a search string, and press Return or click Search.
    The search results are displayed in the Events view. Events that match the search criteria are displayed in the Event view grid. In the Details view and List view, matches are highlighted in the Details column. In addition, when searching RAW, matches are highlighted in the Log view Logs column. Below is an example of the search results for the search term flags_syn in the Events Detail view. Note that search matches are not highlighted in any Event Reconstruction.
  3. If you want to narrow the search, change the query and time as described above in Filter Events Displayed in the Events View.
  4. If you want to stop the search and return to the Events view, click Cancel
    Any results that are displayed remain.
  5. To clear the search box and return to the normal Events view, click the X in the search box.
You are here: Conduct an Investigation > Examine Events > Filter and Search Results in the Events View