SIEM Foundations: Learn basic navigation in ESM 10x


There are several concepts that you will use repeatedly when investigating incidents.  By learning to take advantage of these up front, you will streamline your interactions with the console.


Filter by data source

Most views and dashboards, by default, display a wide range of data.  There are times when you might like to have a view display data for a specific data source.  By selecting the data source in the system tree in the left panel of the SIEM console, you will automatically filter to show only events from that source.


You can shift-click and control-click to select multiple data sources.  You can also use the Display popup at the top of this panel to change how your data sources are shown.  For example, changing from Physical Display to Device Type Display groups all your data sources by type, making it easy to group similar data sources together.


Filter by time

Other times you will want to see events for a particular time range.  Perhaps you need to run a report for a particular week, or are investigating an incident that happened on a known day in the past.  The time filter in the top-right corner of the SIEM console gives you a great deal of flexibility in selecting specific time frames.


It’s helpful to understand conventions used for naming time filters.

  • “Current”: the time period we are in the middle of right now.  For example, if today is June 10th, and you set a filter to show “Current Month”, you will see data from June 1 – June 31.  Since events for June 11-31 have not happened yet, in this example you will only see 10 days' worth of events with this filter.
  • “Previous”: the previous time period.  For example, if today is June 10th and you set a filter to show “Previous Month”, you will see data from May 1 – May 31.
  • “Last”: the last 24, 48, or 72 hours.  For example, if the time is 11:00am EST and you set the filter to show “Last 24 hours”, you will see data starting from 11:00am EST the previous day to 11:00am EST the current day.

Note that you can always select “Custom Time” to set very granular time filters, if necessary.
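To make the three naming conventions concrete, here is an added example (not part of the original article or of ESM itself) that computes the window each filter name maps to for a given reference time, including the month rollover from January back into the previous year, and counts which of a few constructed timestamps fall inside it:

```python
import calendar
from datetime import datetime, timedelta

def current_month(now):
    """'Current Month': from 00:00 on the 1st through the last second of the
    month's final calendar day.  Events later than `now` have not happened yet,
    so the window only contains data up to `now`."""
    last_day = calendar.monthrange(now.year, now.month)[1]
    start = now.replace(day=1, hour=0, minute=0, second=0, microsecond=0)
    end = now.replace(day=last_day, hour=23, minute=59, second=59, microsecond=0)
    return start, end

def previous_month(now):
    """'Previous Month': the whole calendar month before the one `now` is in.
    Stepping back one second from the 1st of this month lands in the previous
    month even when that month belongs to the previous year (January case)."""
    first_of_this = now.replace(day=1, hour=0, minute=0, second=0, microsecond=0)
    end_prev = first_of_this - timedelta(seconds=1)
    start_prev = end_prev.replace(day=1, hour=0, minute=0, second=0)
    return start_prev, end_prev

def last_hours(now, hours):
    """'Last 24/48/72 hours': a rolling window that ends at `now`."""
    return now - timedelta(hours=hours), now

def events_in(timestamps, window):
    """Count the timestamps that fall inside an inclusive (start, end) window."""
    start, end = window
    return sum(1 for ts in timestamps if start <= ts <= end)

# Constructed sample timestamps (not real ESM events) around the article's
# example moment of June 10th, 11:00.
NOW = datetime(2018, 6, 10, 11, 0)
SAMPLE = [
    datetime(2018, 5, 31, 23, 30),   # previous month only
    datetime(2018, 6, 9, 12, 0),     # current month and last 24 hours
    datetime(2018, 6, 9, 10, 0),     # current month, just outside last 24 hours
    datetime(2018, 6, 10, 9, 0),     # current month and last 24 hours
]

if __name__ == "__main__":
    for name, window in (("Current Month", current_month(NOW)),
                         ("Previous Month", previous_month(NOW)),
                         ("Last 24 hours", last_hours(NOW, 24))):
        print(f"{name:15} {window[0]} .. {window[1]} -> {events_in(SAMPLE, window)} events")
```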


Filter by other fields

New in 10.x, the search tool in the ESM console is directly available in the search bar located at the top of each tabbed dashboard view.  The search bar provides a type-ahead feature that anticipates the search variables and syntax the user is trying to enter.  A drop-down menu appears, making it convenient for the user to select one of the offered suggestions.



The default operator is '=', and this can be changed to '!=' to make an exclusionary (inverse) search.  Just click on the '=' operator and a drop-down menu appears.



After assigning the appropriate value to the variable, make sure to click "Apply".


After reviewing the search condition, you must click on the blue magnifying glass in order to initiate the search.  Please note that when multiple search conditions are entered via the search bar, the implied operator between the conditions is AND.  If your search requires the 'OR' operator, you will need to create the search using "Advanced Search".  "Advanced Search" supports multiple conditions combined with a mix of 'OR' and 'AND' statements.



Below is an example of using "Advanced Search" when the 'OR' operator is needed, or when creating complex statements that use both 'AND' and 'OR'.
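The difference between the search bar (implied AND between conditions, '=' or '!=' per condition) and Advanced Search (free mixing of AND and OR) is easier to reason about when the two semantics are written out. The following is an added example, not part of the original article or of ESM; the field names and the constructed events are assumptions:

```python
# Constructed sample events (not real ESM data); field names are assumptions.
EVENTS = [
    {"src_ip": "10.0.0.5", "dst_port": 445, "category": "Malware"},
    {"src_ip": "10.0.0.5", "dst_port": 80,  "category": "Web"},
    {"src_ip": "10.0.0.9", "dst_port": 445, "category": "Malware"},
    {"src_ip": "10.0.0.7", "dst_port": 22,  "category": "Authentication"},
]

def condition(field, op, value):
    """One search-bar condition.  '=' is the default operator; '!=' turns the
    condition into an exclusionary (inverse) match."""
    if op == "=":
        return lambda e: e.get(field) == value
    if op == "!=":
        return lambda e: e.get(field) != value
    raise ValueError(f"unsupported operator {op!r}")

def search_bar(events, *conditions):
    """Search-bar semantics: every condition must hold (the implied AND).
    Note that there is no way to express OR here."""
    return [e for e in events if all(c(e) for c in conditions)]

def AND(*parts):
    return lambda e: all(p(e) for p in parts)

def OR(*parts):
    return lambda e: any(p(e) for p in parts)

def advanced_search(events, expr):
    """Advanced Search semantics: an arbitrary tree of AND/OR nodes over conditions."""
    return [e for e in events if expr(e)]

if __name__ == "__main__":
    # Search bar: src_ip = 10.0.0.5 AND dst_port != 80
    print(search_bar(EVENTS, condition("src_ip", "=", "10.0.0.5"),
                             condition("dst_port", "!=", 80)))
    # Advanced Search: category = Malware AND (src_ip = 10.0.0.5 OR dst_port = 22)
    print(advanced_search(EVENTS, AND(condition("category", "=", "Malware"),
                                      OR(condition("src_ip", "=", "10.0.0.5"),
                                         condition("dst_port", "=", 22)))))
```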



Filter by other fields – In legacy Flash-based views


The 10.x version of ESM is a shift away from the Flash-based GUI towards HTML.  Until all the legacy parts of the console that rely on Flash are eliminated, the previous tools and methods for searching fields remain available during the transition.


The right-side panel in the SIEM console is called the filter panel.  This panel allows you to create ad-hoc queries very simply, by filling in the proper fields.  To apply a filter, simply enter the desired criteria into the filter panel, and hit Enter, or refresh your view.  When the filter is applied, a blue funnel icon will appear at the top of the view panel as an indicator.



By default, ESM displays a limited set of filter options.  You can control the filter options displayed via the row of icons at the top of the filter panel:



When multiple filters are defined in the filters panel, they are all combined by default with “AND” logic.  Other logic options are available via the icons above each field.  Each field provides options for entering multiple filter criteria; enable Hints via the checkbox at the top of the screen for full description of the options for each filter field.


Filter by view binding

Binding is a powerful concept that allows panes in a view to act as filters on each other, allowing you to quickly drill into data elements that are most interesting to you.  When a view pane is bound to a pane above it, making a selection in the parent pane acts as a filter on the child pane.  Below is an example.




In the example above, we see thousands of malware related events.  The panel on the left shows the malware event category, and the right-hand panel provides details.  The right panel (Event Summary) is bound to the left panel (Malware Category).  By making a selection in the Sub-Groups pane, the Event Summary pane is automatically filtered to show only the events with the selected Malware Category (in this case, 481 Malicious Software events):



Panels in a view may be configured with cascading bindings, such that a selection at a high-level panel cascades to all the panels in a view.  The example below shows how a single selection in the Normalized Groups pane (top left corner) becomes a filter that flows to the rest of the view.



To de-select a binding filter, simply double-click in the whitespace of the source pane.


Filter by drilldown

Drilldowns allow you to take a source object (for example, a user, application, or IP address) and break it down into sub-groups by another field.  To drill down, simply select one or more objects you’re interested in, and open the Drilldown menu to select a field to group them by.  In our case, let’s assume we’re interested in the breakdown by country of our malware events.  We’ll start with a Destination IP panel, pre-filtered to show our malware events.  We’ll select to drill down by Destination Country (Event Drilldown/Geolocation/Destination Country).



When we make this selection, a new view is created on the fly (in this case, called “Drilldown 2”).  This view starts with the Event Destination IPs pane where we made our original selection, and also incorporates the new Event Destination Country pane, which was our drilldown selection.




This new drilldown view acts just like any other view.  It has integrated binding to link the drilldown groupings to the parent pane, and it supports filtering via any of the other options discussed above.  You can add additional panes by performing additional drilldowns; each new pane will be automatically bound to the pane from which it was sourced.


If you would like to see your individual events, you can perform a drilldown to Events.  This will provide you an Event Details pane you can use to explore events in fine-grained detail.



Another tool that is worth learning early on is Summarize.  Summarize provides the ability to “pivot” on an object of interest.  It redirects you to your pre-configured Summarize View (set per user under Options/Views), with a filter set in the Filter Panel to reflect the object of interest.  Summarize is often used to get a higher-level view of something that has caught your eye.  For example, if you see a suspicious event associated with a particular user, you might summarize on that user to see all the related activity for that user over a selected timeframe.


Here we see a user associated with a malicious attack.





We’ll select the user Jason Waters, and select Summarize from the popup menu on that view pane.



This brings us to our configured Summarize View, with a filter automatically applied based on the user we selected.  We are now looking at all the events associated with Jason Waters over the timeframe we have selected.  This gives us a bigger view of what Jason has been up to, and allows us to begin a detailed investigation.




A similar option to “Summarize” is “Look Around”.  The Look Around menu option allows you to perform a time-based query to find events that occurred near the selected event in time.  When you choose Look Around, you are given the option to apply additional filters to ensure you get only events that match specific criteria (for example, all events within 30 minutes that have the same source IP address).
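Drilldown, binding, Summarize and Look Around are all different shapes of the same two operations on an event set: group by a field, and filter by a selected value or time window. The following added example (not part of the original article or of ESM) models each of them over a constructed set of malware events; the field names, the user and the IP addresses are assumptions:

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed malware-event sample (not real ESM data); field names are assumptions.
T0 = datetime(2018, 6, 10, 11, 0)
EVENTS = [
    {"ts": T0, "src_ip": "10.1.1.5", "dst_ip": "203.0.113.10",
     "dst_country": "US", "user": "jwaters", "sig": "Trojan.Generic"},
    {"ts": T0 + timedelta(minutes=5), "src_ip": "10.1.1.5", "dst_ip": "203.0.113.10",
     "dst_country": "US", "user": "jwaters", "sig": "Trojan.Generic"},
    {"ts": T0 + timedelta(minutes=20), "src_ip": "10.1.1.8", "dst_ip": "198.51.100.7",
     "dst_country": "DE", "user": "asmith", "sig": "Adware.Bundle"},
    {"ts": T0 + timedelta(hours=2), "src_ip": "10.1.1.5", "dst_ip": "192.0.2.44",
     "dst_country": "US", "user": "jwaters", "sig": "Worm.Generic"},
]

def drilldown(events, field):
    """Drilldown: break the selected events into sub-groups by another field.
    The result is the new pane: {group value: [events in that group]}."""
    groups = {}
    for e in events:
        groups.setdefault(e.get(field), []).append(e)
    return groups

def bind(child_events, field, selected):
    """Binding: a selection in the parent pane becomes a filter on the child pane."""
    return [e for e in child_events if e.get(field) in selected]

def summarize(events, field, value):
    """Summarize: pivot on one object (here a user) and profile its activity
    across the other fields, as the Summarize View would show it."""
    subset = [e for e in events if e.get(field) == value]
    profile = {f: Counter(e[f] for e in subset) for f in ("dst_ip", "dst_country", "sig")}
    return subset, profile

def look_around(events, anchor, minutes, same_fields=()):
    """Look Around: other events within +/- `minutes` of `anchor`, optionally
    restricted to those sharing the given fields (e.g. the same source IP)."""
    delta = timedelta(minutes=minutes)
    return [e for e in events
            if e is not anchor
            and abs(e["ts"] - anchor["ts"]) <= delta
            and all(e.get(f) == anchor.get(f) for f in same_fields)]

if __name__ == "__main__":
    by_country = drilldown(EVENTS, "dst_country")            # the Destination Country pane
    print({c: len(v) for c, v in by_country.items()})
    print(len(bind(EVENTS, "dst_country", {"US"})))          # select US in the parent pane
    print(summarize(EVENTS, "user", "jwaters")[1]["sig"])    # pivot on one user
    print(len(look_around(EVENTS, EVENTS[0], 30, ("src_ip",))))
```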

Version history
Revision #:
4 of 4
Last update:
01-25-2018 09:22 AM