There are several concepts that you will use repeatedly when investigating incidents. By learning to take advantage of these up front, you will streamline your interactions with the console. Below is a video that highlights the basics of working with views and dashboards.
Filter by data source
Most views and dashboards, by default, display a wide range of data. There are times when you might like to have a view display data for a specific data source. By selecting the data source in the system tree in the left panel of the SIEM console, you will automatically filter to show only events from that source.
You can shift-click and control-click to select multiple data sources. You can also use the Display popup at the top of this panel to change how your data sources are shown. For example, changing from Physical Display to Device Type Display groups all your data sources by type, allowing you to easily group similar data sources together.
Filter by time
Other times you will want to see events for a particular time range. Perhaps you need to run a report for a particular week, or are investigating an incident that happened on a known day in the past. The time filter in the top-right corner of the SIEM console gives you a great deal of flexibility in selecting specific time frames.
It’s helpful to understand conventions used for naming time filters.
- “Current”: the time period we are in the middle of right now. For example, if today is June 10th and you set a filter to show “Current Month”, you will see data from June 1 – June 31. Since events for June 11-31 have not happened yet, this filter will only show 10 days' worth of events in this example.
- “Previous”: the previous time period. For example, if today is June 10th and you set a filter to show “Previous Month”, you will see data from May 1 – May 31.
- “Last”: the last 24, 48, or 72 hours. For example, if the time is 11:00am EST and you set the filter to show “Last 24 hours”, you will see data starting from 11:00am EST the previous day to 11:00am EST the current day.
Note that you can always select “Custom Time” to set very granular time filters, if necessary.
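The Current/Previous/Last conventions above are easy to misread when building a report, so here is an added example (not part of the original page or of the ESM product) that computes the window each filter name covers from a reference time; the filter names are the ones used above, and the Day variants are an assumed generalization of the same rule.

```python
from calendar import monthrange
from datetime import datetime, timedelta


def _month_bounds(year, month):
    """First second and last second of a calendar month."""
    last_day = monthrange(year, month)[1]
    return datetime(year, month, 1), datetime(year, month, last_day, 23, 59, 59)


def time_window(name, now):
    """Return (start, end) for a filter name such as "Current Month",
    "Previous Month" or "Last 24 hours", relative to `now`."""
    kind, _, unit = name.partition(" ")
    if kind == "Last":
        # Sliding window: N hours ending at the current instant.
        hours = int(unit.split()[0])
        return now - timedelta(hours=hours), now
    if unit == "Month":
        if kind == "Current":
            # Whole calendar month; days still in the future simply hold no events.
            return _month_bounds(now.year, now.month)
        # Previous month: step back one day from the 1st (handles January -> December).
        prev_end = datetime(now.year, now.month, 1) - timedelta(days=1)
        return _month_bounds(prev_end.year, prev_end.month)
    if unit == "Day":  # assumed generalization of the Month rule
        today = now.replace(hour=0, minute=0, second=0, microsecond=0)
        if kind == "Current":
            return today, today + timedelta(days=1, seconds=-1)
        return today - timedelta(days=1), today - timedelta(seconds=1)
    raise ValueError(f"unsupported filter name: {name}")


def in_window(ts, window):
    """True if an event timestamp falls inside a (start, end) window, inclusive."""
    start, end = window
    return start <= ts <= end
```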
Filter by other fields
The right-side panel in the SIEM console is called the filter panel. This panel allows you to create ad-hoc queries very simply, by filling in the proper fields. To apply a filter, simply enter the desired criteria into the filter panel, and hit Enter, or refresh your view. When the filter is applied, a gold funnel icon will appear at the top of the view panel as an indicator.
By default, ESM displays a limited set of filter options. You can control the filter options displayed via the row of icons at the top of the filter panel:
When multiple filters are defined in the filter panel, they are all combined by default with “AND” logic. Other logic options are available via the icons above each field. Each field provides options for entering multiple filter criteria; enable Hints via the checkbox at the top of the screen for a full description of the options for each filter field.
Filter by view binding
Binding is a powerful concept that allows panes in a view to act as filters on each other, allowing you to quickly drill into data elements that are most interesting to you. When a view pane is bound to a pane above it, making a selection in the parent pane acts as a filter on the child pane. Below is an example.
In the example above, we see thousands of malware-related events. The panel on the left shows the malware event category, and the right-hand panel provides details. The right panel (Event Summary) is bound to the left panel (Malware Category). By making a selection in the Malware Category pane, the Event Summary pane is automatically filtered to show only the events with the selected Malware Category (in this case, 138 Botnet events):
Panels in a view may be configured with cascading bindings, such that a selection at a high-level panel cascades to all the panels in a view. The example below shows how a single selection in the Normalized Groups pane (top left corner) becomes a filter that flows to the rest of the view.
To de-select a binding filter, simply double-click in the whitespace of the source pane.
Filter by drilldown
Drilldowns allow you to take a source object (for example, a user, application, or IP address) and break it down into sub-groups by another field. To drill down, simply select one or more objects you’re interested in, and open the Drilldown menu to select a field to group them by. In our case, let’s assume we’re interested in knowing the breakdown by country of our malware events. We’ll start with a Destination IP panel, pre-filtered to show our malware events. We’ll select to drill down by Destination Country (Event Drilldown/Geolocation/Destination Country).
When we make this selection, a new view is created on the fly (in this case, called “Drilldown 2”). This view starts with the Event Destination IPs pane where we made our original selection, and also incorporates the new Event Destination Country pane, which was our drilldown selection.
This new drilldown view acts just like any other view. It has integrated binding to link the drilldown groupings to the parent pane, and it supports filtering via any of the other options discussed above. You can add additional panes by performing additional drilldowns; each new pane will be automatically bound to the pane from which it was sourced.
If you would like to see your individual events, you can perform a drilldown to Events. This will provide you an Event Details pane you can use to explore events in fine-grained detail.
Another tool that is worth learning early on is Summarize. Summarize provides the ability to “pivot” on an object of interest. It redirects you to your pre-configured Summarize View (set per user under options/Views), with a filter set in the Filter Panel to reflect the object of interest. Summarize is often used to get a higher-level view of something that has caught your eye. For example, if you see a suspicious event associated with a particular user, you might summarize on that user to see all the related activity for that user over a selected timeframe.
Here we see a user associated with a malicious attack.
We’ll select the user Jason Waters, and select Summarize from the popup menu on that view pane.
This brings us to our configured Summarize View, with a filter automatically applied based on the user we selected. We are now looking at all the events associated with Jason Waters over the timeframe we have selected. This gives us a bigger view of what Jason has been up to, and allows us to begin a detailed investigation.
A similar option to “Summarize” is “Look Around”. The Look Around menu option allows you to perform a time-based query to find events that occurred near the selected event in time. When you choose Look Around, you are given the option to apply additional filters to ensure you get only events that match specific criteria (for example, all events within 30 minutes that have the same source IP address).