Viewing normalized events

Events are collected in raw format, and then normalized for display on the Log Activity tab.

About this task

Normalization involves parsing the raw event data and preparing it for readable display on the tab. When events are normalized, the system also normalizes their names. Therefore, the name that is displayed on the Log Activity tab might not match the name that appears in the raw event.
Note: If you selected a time frame to display, a time series chart is displayed. For more information about using time series charts, see Time series chart overview.
By default, the Log Activity tab displays the following parameters when you view normalized events:
Table 1. Log Activity tab - Default (Normalized) parameters

Current Filters
  The top of the table displays the details of the filters that are applied to the search results. To clear these filter values, click Clear Filter.
  Note: This parameter is only displayed after you apply a filter.
View
  From this list box, you can select the time range that you want to filter for.
Current Statistics
  When not in Real Time (streaming) or Last Minute (auto refresh) mode, current statistics are displayed, including:
  Note: Click the arrow next to Current Statistics to display or hide the statistics.
  • Total Results - Specifies the total number of results that matched your search criteria.
  • Data Files Searched - Specifies the total number of data files searched during the specified time span.
  • Compressed Data Files Searched - Specifies the total number of compressed data files searched within the specified time span.
  • Index File Count - Specifies the total number of index files searched during the specified time span.
  • Duration - Specifies the duration of the search.
    Note: Current statistics are useful for troubleshooting. When you contact Customer Support to troubleshoot events, you might be asked to supply current statistical information.
Charts
  Displays configurable charts that represent the records that are matched by the time interval and grouping option. Click Hide Charts if you want to remove the charts from your display. The charts are only displayed after you select a time frame of Last Interval (auto refresh) or above, and a grouping option to display. For more information about configuring charts, see Chart management.
  Note: If you use Mozilla Firefox as your browser and an ad blocker browser extension is installed, charts do not display. To display charts, you must remove the ad blocker browser extension. For more information, see your browser documentation.
Offenses icon
  Click this icon to view details of the offense that is associated with this event. For more information, see Chart management.
  Note: Depending on your product, this icon might not be available. You must have IBM QRadar SIEM.
Start Time
  Specifies the time of the first event, as reported to QRadar by the log source.
Event Name
  Specifies the normalized name of the event.
Log Source
  Specifies the log source that originated the event. If there are multiple log sources that are associated with this event, this field specifies the term Multiple and the number of log sources.
Event Count
  Specifies the total number of events that are bundled in this normalized event. Events are bundled when many of the same type of event for the same source and destination IP address are detected within a short time.
Time
  Specifies the date and time when QRadar received the event.
Low Level Category
  Specifies the low-level category that is associated with this event. For more information about event categories, see the IBM QRadar Administration Guide.
Source IP
  Specifies the source IP address of the event.
  Note: If you select the Normalized (With IPv6 Columns) display, refer to the Source IPv6 parameter for IPv6 events.
Source Port
  Specifies the source port of the event.
Destination IP
  Specifies the destination IP address of the event.
  Note: If you select the Normalized (With IPv6 Columns) display, refer to the Destination IPv6 parameter for IPv6 events.
Destination Port
  Specifies the destination port of the event.
Username
  Specifies the user name that is associated with this event. User names are often available in authentication-related events. For all other types of events where the user name is not available, this field specifies N/A.
Magnitude
  Specifies the magnitude of this event. Variables include credibility, relevance, and severity. Point your mouse over the magnitude bar to display the values and the calculated magnitude.
If you select the Normalized (With IPv6 Columns) display, then the Log Activity tab displays the following extra parameters:
Table 2. Log Activity tab - Normalized (With IPv6 Columns) parameters

Source IPv6
  Specifies the source IP address of the event.
  Note: IPv4 events display 0.0.0.0.0.0.0.0 in the Source IPv6 and Destination IPv6 columns.
Destination IPv6
  Specifies the destination IP address of the event.
  Note: IPv4 events display 0.0.0.0.0.0.0.0 in the Source IPv6 and Destination IPv6 columns.
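The following is an added illustration, not QRadar's own code, of what Table 1 and Table 2 describe: raw events are parsed, given a normalized Event Name that need not match the raw text, bundled into one row with an Event Count when the same event type between the same source and destination IP repeats within a short time, shown as Multiple when several log sources contribute, and given the 0.0.0.0.0.0.0.0 IPv6 columns for IPv4 events. The raw lines, NAME_MAP and the 10-second bundling window are constructed assumptions.

```python
# Simplified model of normalization and event bundling; not QRadar's implementation.
from ipaddress import ip_address

# Constructed raw events: (reported_epoch, received_epoch, log_source, raw_text)
RAW_EVENTS = [
    (999, 1000, "fw01", "deny tcp src=10.0.0.5:5555 dst=192.0.2.10:22 user=-"),
    (1001, 1002, "fw01", "deny tcp src=10.0.0.5:5556 dst=192.0.2.10:22 user=-"),
    (1002, 1003, "fw02", "deny tcp src=10.0.0.5:5557 dst=192.0.2.10:22 user=-"),
    (1004, 1004, "sshd", "login_ok src=2001:db8::7:40000 dst=2001:db8::1:22 user=alice"),
    (1019, 1020, "fw01", "deny tcp src=10.0.0.5:5558 dst=192.0.2.10:22 user=-"),
]
NAME_MAP = {"deny": "Firewall Deny", "login_ok": "SSH Login Succeeded"}  # assumed
BUNDLE_WINDOW = 10             # seconds; assumed "short time" for bundling
IPV6_NONE = "0.0.0.0.0.0.0.0"  # what the IPv6 columns show for IPv4 events

def parse(raw):
    # Normalized name comes from NAME_MAP, so it need not match the raw text
    fields = dict(tok.split("=", 1) for tok in raw.split() if "=" in tok)
    return {"name": NAME_MAP.get(raw.split()[0], raw.split()[0]),
            "src": fields["src"].rsplit(":", 1)[0],  # rsplit keeps IPv6 colons
            "dst": fields["dst"].rsplit(":", 1)[0],
            "user": "N/A" if fields["user"] == "-" else fields["user"]}

def ipv6_column(addr):
    return addr if ip_address(addr).version == 6 else IPV6_NONE

def log_source_column(row):
    srcs = row["log_sources"]
    return next(iter(srcs)) if len(srcs) == 1 else "Multiple (%d)" % len(srcs)

def normalize(raw_events, window=BUNDLE_WINDOW):
    # Bundle same-name events for the same source and destination IP within `window`
    rows = []
    for reported, received, source, raw in sorted(raw_events, key=lambda e: e[1]):
        ev = parse(raw)
        key = (ev["name"], ev["src"], ev["dst"])
        for row in rows:
            if row["key"] == key and received - row["time"] <= window:
                row["event_count"] += 1   # Event Count grows; Time is the latest receipt
                row["time"] = received
                row["log_sources"].add(source)
                break
        else:
            rows.append({"key": key, "event_name": ev["name"], "start_time": reported,
                         "time": received, "event_count": 1, "log_sources": {source},
                         "source_ip": ev["src"], "destination_ip": ev["dst"],
                         "source_ipv6": ipv6_column(ev["src"]),
                         "destination_ipv6": ipv6_column(ev["dst"]),
                         "username": ev["user"]})
    return rows
```

Running normalize(RAW_EVENTS) yields three rows: the first three denies bundle into one row with Event Count 3 and Log Source "Multiple (2)", the IPv6 login stays separate, and the deny received 17 seconds after the bundle's last event starts a new row.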

Procedure

  1. Click the Log Activity tab.
  2. Optional: From the Display list box, select Normalized (With IPv6 Columns).
    The Normalized (With IPv6 Columns) display shows source and destination IPv6 addresses for IPv6 events.
  3. From the View list box, select the time frame that you want to display.
  4. Click the Pause icon to pause streaming.
  5. Double-click the event that you want to view in greater detail. For more information, see Event details.