Investigation - Search Options

Document created by RSA Information Design and Development on Jun 26, 2017Last modified by RSA Information Design and Development on Jul 28, 2017
Version 2Show Document
  • View in full screen mode
  

You can search for events in both the Investigation Navigate view and the Events view. In the Navigate view, you can click a meta value, such as HTTP, to drill into the data and then enter a search string in the Search field to search for events within that subset of data. The search opens a tab in the Events view, brings your drill and time range forward, and shows your search results. You can also drill into the data using queries before starting a search.

Procedures related to searching in Investigation views are described in Configure Navigate View and Events View, Filter and Search Results in the Events View, and Drill into Data in the Values Panel.

The Investigation Navigate and Event views enable you to search for text patterns within the current set of events. You can perform a keyword text search or do regex (Regular Expression) matching. 

Keyword Text Search

The text search provides these capabilities:

  • Each whitespace delimited word is ANDed, so that every word must be found, but the order or location position in relation to the other words is irrelevant. For example, if you search on Mark Albert, both Mark and Albert must be found in the session, but they need not be together or in any specific order.
  • The word OR is special. If you search Mark OR Albert, either Mark or Albert must be found in the session to match; both are not required.
  • You can mix or match implicit ANDs and ORs together in the search string. The explicit OR has higher precedence than the implicit (whitespace) AND. The following examples make the same logical statement, which requires that both the terms cheese and dumplings be present in a match and one of toast or bread:
    cheese toast OR bread dumplings
    cheese AND (toast OR bread) AND dumplings
  • You can exclude words from search results using the - operator. For example, searching for cheese -toast would return any result that has the word cheese, unless the word toast is also present.
  • The keyword search can match metadata stored in the following patterns:
    • IPv4 and IPv6 addresses. Any term that can be recognized as an IP address will be converted to the native metadata format so that it can be found in indexed metadata.
    • IPv4 CIDR ranges. You can use CIDR notation to locate IPv4 addresses within a range.
    • Timestamps. Timestamps are matched against the native time meta, and any additional time meta fields stored with the Time type. 
    • Numbers. The search function will attempt to automatically identify decimal search terms and match them against numeric meta data fields.

Options Controlling Search Behavior

To access the Search box and search options in the Navigate or Events views:

  1. In the Security Analytics menu, select Investigation > Navigate or Events.
  2. In the Investigate dialog, select a service and click Navigate.
    You can see the Search Events field in the toolbar. 
    SearchEventsField.png
    Troubleshooting: If you cannot see the Search Events field in the toolbar, click ic-more.png on the right side of the toolbar.
  3. Click in the Search field to view the Search Events drop-down menu.
    SearchEvents.png

The options selected in this box change how the search is executed. The default search mode is to use the search indexes for text keywords within meta and raw.

Note:
Because the Search Indexes checkbox is selected by default, the search returns results based on data that is indexed.
If you want to search for a complete set of meta or raw data, select those checkboxes and clear the Search Indexes checkbox. There is no specific search order. The search will take longer, but it will contain a more complete set of data.
For more information, see the Msearch call topic in the Core Database Tuning Guide.

The following table describes the Investigation search options.

                                 
Feature Description
Search IndexesSearches the indexes first, before scanning the meta data or any raw data. Searching the index is the fastest way to locate keywords within a large data set. The index search utilizes any relevant indexes present within your data collection.

Caution:
- The index search only returns results on indexed data.
- Substring matches will not be located by index searches. If you require substring matches, clear this checkbox and use a non-index search mode.

MetaSearches the metadata. Your keyword or regex pattern will be matched against any parsed meta data.
RAW (Network/Log)Searches the log text. Every event is decoded and content is searched for matches on the keyword or regex pattern.
If you select all data with no filters on an Archiver, execution time may be excessive and a warning may be displayed.

Caution: Searching raw network sessions causes sessions to be decoded, which is very time intensive. You may want to disable raw searches when looking at network-only collections.

Case InsensitiveIgnores case when searching.
Regular ExpressionSearches using a Perl regular expression, rather than text. By default Security Analytics executes a text search. To execute a regular expression search, select the Regular Expression option.

Caution:
- Regular expression searches can be very slow.
- When combining regular expressions and index search options, the regular expression pattern is matched against unique index values instead of meta values. This produces results faster, but it is not an exhaustive search of all the meta data or raw data.

ApplySets the default search options to apply to a search in the Navigate and Events views. This also updates your Investigation preferences in your Profile (Profile > Preferences > Investigation tab). The preferences are saved and effective immediately.
You can select search options to use for a particular search without changing your default search preferences.

Regular Expression Search Syntax

A regular expression search uses Perl regular expression syntax, which is documented in detail in http://perldoc.perl.org/perlre.html.

Raw Text Keyword Search (new for 10.6)

The Log Decoder has the capability to create a raw text index for unparsed log events. This functionality creates metadata items that form a full-text index on downstream services such as Concentrators and Archivers. When you enable the Search Indexes option in your search preferences, your search automatically utilizes the text index. Note that the text index produces meta items that have a coarse granularity.  For example, the default text indexer configuration truncates text terms. By comparing the index matches against raw data, the search engine will find accurate results for your search. However, you can improve search times by disabling the raw search checkbox. If you do so, results will be returned faster, but you may see false positive hits in your search results.

Search Examples

The following examples show searches from the Navigate and Events views.

Search in the Navigate View

To search within the currently displayed data in the Navigate view:

  1. To drill into the data, click a meta value, such as HTTP, in the Navigate panel.
    ClickMetaValueHTTP.png 
  2. Type a search string in the Search field and press Enter or click Search
    NavViewSearchExG.png
    The following example shows search results for the google search string in a new tab in the Events view. The drill (query) and time range from the Navigate view are brought forward into the Events view (service=80 and Last 24 Hours in this example). 
    NavViewSearchExG2.png
  3. To clear the search box and return to the normal Events view, click the X in the search box.

Search in the Events View

To search within the currently displayed data in the Events view:

  1. Type a search string in the Search box, and press Enter or click Search.
    The search results are displayed in the Events view. Events that match the search criteria are displayed in the Event view grid. In the Details view and List view, matches are highlighted in the Details column. In addition, when searching RAW, matches are highlighted in the Log view Logs column. Below is an example of the search results for the search term Washington in the Events Detail view. Note that search matches are not highlighted in any Event Reconstruction.
    EventsViewSearchEX.png
  2. If you want to narrow the search, change the query and time.
  3. If you want to stop the search and return to the Events view, click Cancel
    Any results that are displayed remain.
  4. To clear the search box and return to the normal Events view, click the X in the search box.
You are here
Table of Contents > Investigation Reference Materials > Search Options in the Investigation Views

Attachments

    Outcomes