Events

The Search page allows you to view events, log messages, and web violations, all of which can generate incidents. The ability to view the details of an event is a key part of threat management. The Events page allows you to search for and view a list of events and event details, such as target host, response events, event correlation, threat scenario logs, and more.

To access the Events page, click the Search tab, and then click the Events subheading.

View events

Available event list options include:

  • Range—To display events based on when they occurred, select a value in the Range drop-down list above the event list. To search a period longer than one day, select Enable range greater than 1 day; searches over ranges longer than one day can be noticeably slower.
  • Acknowledge events—To acknowledge events, select the box next to each event to update, or click Select all at the bottom of the list, and then click Mark as acknowledged.
  • Status or type—To display events by status or type, at the bottom of the list of events, next to Show Events, select one or more of the following options and click Apply:
    • Acknowledged—Shows events that have been acknowledged
    • Correlative—Shows events that are correlated
    • Informative—Shows events that are informative
    • Non-Processed Only—Shows events that have not yet been processed
  • View event details—Click an event to view its details, including header and payload information, the target host, response events, event correlation, and payload reconstruction. For more information, see View event details.

Search events

You can use any combination of the available search features—the event number search, search filters, and right-click options—on the Events page to either search for a specific event, or narrow a long list of events. Each method provides a different type of search capability.

Event number search

The Search box provides a simple way to search for events by event ID number. In the Event # box, which is located above the list of events, type the event ID number for the event you want to find, and then click Search.

Search filters

The most detailed way to search events is to use search filters. You can use search filters to combine different search parameters, such as event classification, threat rating, and signature. In addition, you can use the Saved Filters drop-down menu to select a set of filters you created.

To search events using search filters:

  1. Access the Events page, and then click Search Filters.
  2. (Optional) In the Saved Filters drop-down list, select a previously saved filter, if applicable, and click Load or Load in New Window.
  3. Under Search Filters, select a category to filter by in the first drop-down list.
  4. In the second drop-down list, select a search operation for the category (for example, does not contain).
  5. In the search term field, enter a search value. The type of entry field depends on the selected category; for example, a text box is used for Signature, a list of defined values is used for Classification, and date and time fields are used for Date.
  6. (Optional) Click Add another filter to add an additional search parameter, and repeat steps 3 through 5. To delete a filter you have added, click Remove next to it.
  7. Click Apply Filters to run your search query.
    Only those events that satisfy the search criteria are displayed.
  8. (Optional) To save your defined filters, specify a name in the Save filters as: box, and click Save.
  9. (Optional) To discard defined filters and applied results, click Clear.
  10. (Optional) To hide the Search Filters configuration area, click Search Filters.

Right-click options

Right-click options allow you to filter and sort listed events by column values and defined values.

Available right-click options vary, depending on the content of the row in which you right-clicked.

To filter and sort events using right-click options:

  1. Access the Events page and click Search Filters or Apply Filters to bring up your events.
  2. In the list of events, right-click a value for an event and select one of the following options:

    • Only show rows with this value
    • Hide rows with this value
    • Clear show/hide/sort settings for this column—This option returns the column to its default view.
    • Sort list by this column
    • Roll up by this column

    You can also click on the column heading to sort the list by the column.

To discard applied filters and results, click Clear.
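The search-filter and right-click behaviour described in the two sections above can be modelled in a few lines, which makes the semantics explicit: every filter row must match (the rows are combined with AND, an assumption consistent with "only those events that satisfy the search criteria are displayed"), text operations such as contains are case-insensitive, Only show rows with this value and Hide rows with this value are single-column filters, and Roll up by this column collapses the list to one row per distinct value with a count. The following Python is an added example written for this page, not Threat Manager code; the sample events are constructed, and the field names (classification, threat_rating, signature, source, acknowledged), the operation names, and the function names are assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed sample events (not real Threat Manager data). The field names are
# assumptions, not the product's schema.
SAMPLE_EVENTS = [
    {"id": 1001, "date": datetime(2024, 5, 1, 9, 12), "classification": "Recon",
     "threat_rating": 3, "signature": "ET SCAN Nmap Scripting Engine",
     "source": "203.0.113.7", "acknowledged": False},
    {"id": 1002, "date": datetime(2024, 5, 1, 9, 30), "classification": "Web Attack",
     "threat_rating": 7, "signature": "SQL Injection Attempt (UNION SELECT)",
     "source": "198.51.100.23", "acknowledged": False},
    {"id": 1003, "date": datetime(2024, 5, 2, 14, 5), "classification": "Web Attack",
     "threat_rating": 8, "signature": "SQL Injection Attempt (sleep)",
     "source": "198.51.100.23", "acknowledged": True},
    {"id": 1004, "date": datetime(2024, 5, 3, 2, 47), "classification": "Malware",
     "threat_rating": 9, "signature": "Trojan C2 Beacon",
     "source": "192.0.2.15", "acknowledged": False},
    {"id": 1005, "date": datetime(2024, 5, 3, 3, 10), "classification": "Recon",
     "threat_rating": 2, "signature": "ET SCAN Nmap TCP",
     "source": "192.0.2.15", "acknowledged": False},
]

# Search operations offered in the second drop-down (assumed set). Text
# comparisons are case-insensitive; "between" takes a (start, end) pair,
# inclusive at both ends, which is how the Date fields are modelled here.
OPERATIONS = {
    "is": lambda value, term: value == term,
    "is not": lambda value, term: value != term,
    "contains": lambda value, term: term.lower() in str(value).lower(),
    "does not contain": lambda value, term: term.lower() not in str(value).lower(),
    "greater than": lambda value, term: value > term,
    "less than": lambda value, term: value < term,
    "between": lambda value, term: term[0] <= value <= term[1],
}


def apply_filters(events, filters):
    """Return the events that satisfy every (category, operation, term) row."""
    def matches(event):
        return all(OPERATIONS[op](event[category], term)
                   for category, op, term in filters)
    return [e for e in events if matches(e)]


def ids(events):
    """Event ID numbers, in list order, for compact inspection."""
    return [e["id"] for e in events]


# Saved Filters: a named filter set that can be loaded later.
SAVED_FILTERS = {}


def save_filters(name, filters):
    SAVED_FILTERS[name] = list(filters)


def load_filters(name):
    return list(SAVED_FILTERS[name])


# Right-click options on a column value.
def only_show_rows_with(events, column, value):
    return [e for e in events if e[column] == value]


def hide_rows_with(events, column, value):
    return [e for e in events if e[column] != value]


def sort_by_column(events, column, descending=False):
    return sorted(events, key=lambda e: e[column], reverse=descending)


def roll_up_by_column(events, column):
    """One row per distinct value in the column, with the number of events."""
    return dict(Counter(e[column] for e in events))


if __name__ == "__main__":
    high_rated_sqli = [("classification", "is", "Web Attack"),
                       ("signature", "contains", "sql injection"),
                       ("threat_rating", "greater than", 7)]
    save_filters("High-rated SQLi", high_rated_sqli)
    hits = apply_filters(SAMPLE_EVENTS, load_filters("High-rated SQLi"))
    print("matching event ids:", ids(hits))
    print("roll-up by source:", roll_up_by_column(SAMPLE_EVENTS, "source"))
```

Roll-up is the quickest way to answer "which source produced the most events in this range" before drilling into any single event; the same helper works on any column, including classification or signature.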

View event details

Within each event are details about the event, such as target host, response events, event correlation, threat scenario logs, and more. When viewing event details, you can scan involved IP addresses and look up WHOIS and NetBIOS information.

To view the details of an event:

  1. Access the Events page, and then click Search Filters or Apply Filters.
  2. In the displayed list of events, click the event to view.
  3. Use the tabs at the bottom of the page to view the following event details:
    • Header and Payload—Provides a dump of header and payload data.
    • Target Host—Provides details of the target host, if available.
    • Response Events—Provides a list of response events.
    • Event Correlation—Lets you correlate events based on field values. To use, select a value from the Search field drop-down list and click the plus sign icon. For the corresponding field that appears, select an appropriate value. Repeat this task to include additional fields, and then click Go.
    • Threat Scenario Logs—Lists any threat scenario logs, if available.
    • Payload Reconstruction—Provides data dumps of payloads for the main event and any response events.

Update an event

When you investigate an event, you can update it by acknowledging the event, creating an incident from it, or adding it to a case for tracking. You can also block the offending host. Block Host acts on the address recorded for the event, so check the Target Host tab and any proxy address before using it: blocking a proxy or NAT address cuts off every host behind it, not only the attacker.

To update an event:

  1. Access the Events page, and then click Search Filters or Apply Filters.
  2. In the displayed list of events, click the name of the event to update.
    Event details appear.
  3. Use the following options to update the event, as needed:
    • Action—To perform an action on an event, select one of the following values, and click Update:
      • Block Host—Block the host
      • Create Incident—Create an incident record for this event
      • Acknowledge Event—Mark the event as acknowledged
    • Add to Case—To add the event to the Case Creation cart, in the left navigation area, click Add to Case. For more information on cases, see Cases.

View real-time NetBIOS, WHOIS, and IP Address Scan information

When evaluating blocks, you may find it useful to view real-time information about NetBIOS, WHOIS, and the IP address for the source and destination of the event.

NetBIOS lookups are available for IPv4 addresses only; WHOIS lookups are available for both IPv4 and IPv6 addresses.

To view real-time NetBIOS, WHOIS, and IP Address Scan information:

  1. Access the Events page, and then click Search Filters or Apply Filters.
  2. In the list of displayed events, click the Name of the event to view.
  3. On the Event Details page, right-click the source, destination, or proxy IP address.
  4. From the displayed list, select Lookup Whois Information, Lookup NetBIOS Information, or Scan This IP Address Now.

Create an incident from an event

This feature is supported in Threat Manager only.

Incidents let you track a potential issue until it is resolved. When Threat Manager identifies a threat, it creates an incident with the related information. In addition to these automatically-created incidents, you can create an incident based on an event that has occurred.

To create an incident from an event:

  1. Access the Events page, and then click Search Filters or Apply Filters.
  2. In the list of displayed events, click the name of the event for which to create an incident.
  3. In the Action: drop-down, select Create Incident, and then click Go.
  4. Specify property values.
  5. Click Save.

When specifying property values, you can specify correlation criteria to identify related events and log messages to include in the incident. At the bottom of the window, in the Event Correlation tab, from the Search field drop-down menu, select the value you want to add to the correlation criteria, and then click the plus sign icon.

You can add multiple correlation criteria. Transpose allows you to specify criteria for ports or IP addresses, and to specify whether the ports or IP addresses are the source or destination for the event.

If you add both the Source Address and Transpose criteria, Threat Manager finds events for which that IP address is either the source or the destination address. For each correlation criterion, choose whether to include or exclude events that match the current event's value by selecting the is… or is not… option.
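The correlation rules in the three paragraphs above (criteria taken from the current event's own field values, is… versus is not…, and Transpose widening an address or port criterion to either direction) are modelled below so that the effect of each choice on a constructed set of events can be seen directly. This is an added example written for this page, not Threat Manager code; the sample events are constructed, the field names (source, destination, sport, dport, signature) are assumptions, and create_incident is a hypothetical helper that only packages the result.

```python
# Constructed sample events (not real Threat Manager data). Field names are
# assumptions, not the product's schema. 2001 is the event being investigated.
CURRENT_EVENT = {"id": 2001, "source": "198.51.100.23", "destination": "10.0.0.5",
                 "sport": 51234, "dport": 80, "signature": "SQL Injection Attempt"}

CANDIDATE_EVENTS = [
    CURRENT_EVENT,
    # same attacker, same signature, new client port
    {"id": 2002, "source": "198.51.100.23", "destination": "10.0.0.5",
     "sport": 51240, "dport": 80, "signature": "SQL Injection Attempt"},
    # the server's reply to the current event: directions swapped
    {"id": 2003, "source": "10.0.0.5", "destination": "198.51.100.23",
     "sport": 80, "dport": 51234, "signature": "HTTP 500 Response"},
    # a different attacker using the same technique against the same server
    {"id": 2004, "source": "203.0.113.7", "destination": "10.0.0.5",
     "sport": 40000, "dport": 80, "signature": "SQL Injection Attempt"},
    # the server later connecting outbound to an unrelated host
    {"id": 2005, "source": "10.0.0.5", "destination": "192.0.2.15",
     "sport": 44321, "dport": 443, "signature": "Outbound Connection to Known C2"},
]

# Transpose pairs each address or port field with its opposite direction.
TRANSPOSE = {"source": "destination", "destination": "source",
             "sport": "dport", "dport": "sport"}


def field_matches(event, field, value, transpose):
    """True if the event carries `value` in `field`; with Transpose, the
    opposite-direction field counts as well (non-address fields are unchanged)."""
    if transpose and field in TRANSPOSE:
        return value in (event[field], event[TRANSPOSE[field]])
    return event[field] == value


def correlate(events, current, criteria, transpose=False):
    """Return events related to `current`.

    criteria is a list of (field, option) pairs, option being "is" or "is not";
    each is compared against the current event's own value for that field, and
    every criterion must hold (AND). The current event itself is never returned.
    """
    related = []
    for event in events:
        if event["id"] == current["id"]:
            continue
        for field, option in criteria:
            if option not in ("is", "is not"):
                raise ValueError(f"unknown option {option!r}; use 'is' or 'is not'")
            matched = field_matches(event, field, current[field], transpose)
            if matched != (option == "is"):
                break          # this criterion excludes the event
        else:
            related.append(event)
    return related


def create_incident(current, related, title):
    """Hypothetical helper: bundle the current event and its correlated events."""
    return {"title": title, "primary_event": current["id"],
            "correlated_events": [e["id"] for e in related]}


def ids(events):
    return [e["id"] for e in events]


if __name__ == "__main__":
    # Source Address alone: only the attacker's other request.
    print(ids(correlate(CANDIDATE_EVENTS, CURRENT_EVENT, [("source", "is")])))
    # Source Address plus Transpose: the server's reply is picked up too.
    print(ids(correlate(CANDIDATE_EVENTS, CURRENT_EVENT, [("source", "is")], transpose=True)))
    # Same signature from a different source: other actors using the technique.
    print(ids(correlate(CANDIDATE_EVENTS, CURRENT_EVENT,
                        [("signature", "is"), ("source", "is not")])))
```

Transpose is what turns "everything this attacker sent" into "the whole conversation", because response traffic has the attacker's address in the destination field; without it, an incident built on Source Address alone silently drops the server side of the exchange.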

Add an event to a case

To add an event to a case, you must first add the event to the Case Creation cart and then process the cart. Use the respective procedure below to select one or multiple events at a time. For more information on cases, see Cases.

To select an event to add to a case:

  1. Access the Events page, and then click Search Filters or Apply Filters.
  2. In the displayed list of events, right-click the name of the event and click Add to Case.
  3. Use one of the following procedures to add the event from the Case Creation cart to a case (process the cart):

To select multiple events to add to a case:

  1. Access the Events page, and then click Search Filters or Apply Filters.
  2. Select the box for each event to add to a case.
  3. Right-click an area in the list of events and select Add to Case.
  4. Use one of the following procedures to add the event from the Case Creation cart to a case (process the cart):