Search
Click Search to perform advanced searches on events. Options include:
- New Search - Select this option to create a new event search.
- Edit Search - Select this option to select and edit an event search.
- Manage Search Results - Select this option to view and manage search results.
Quick Searches
From this list box, you can run previously saved searches. Options are displayed in the Quick Searches list box only when you have saved search criteria that specifies the Include in my Quick Searches option.
Add Filter
Click Add Filter to add a filter to the current search results.
Save Criteria
Click Save Criteria to save the current search criteria.
Save Results
Click Save Results to save the current search results. This option is only displayed after a search is complete. This option is disabled in streaming mode.
Cancel
Click Cancel to cancel a search in progress. This option is disabled in streaming mode.
False Positive
Click False Positive to open the False Positive Tuning window, which allows you to tune out events that are known to be false positives so that they do not create offenses. This option is disabled in streaming mode. For more information about tuning false positives, see Tuning false positives.
Rules
The Rules option is only visible if you have permission to view rules. Click Rules to configure custom event rules. Options include:
- Rules - Select this option to view or create a rule. If you only have the permission to view rules, the summary page of the Rules wizard is displayed. If you have the permission to maintain custom rules, the Rules wizard is displayed and you can edit the rule. To enable the anomaly detection rule options (Add Threshold Rule, Add Behavioral Rule, and Add Anomaly Rule), you must save aggregated search criteria, because the saved search criteria specifies the required parameters.
  Note: The anomaly detection rule options are only visible if you have the Log Activity > Maintain Custom Rules permission.
- Add Threshold Rule - Select this option to create a threshold rule. A threshold rule tests event traffic for activity that exceeds a configured threshold. Thresholds can be based on any data that is collected by QRadar. For example, if you create a threshold rule indicating that no more than 220 clients can log in to the server between 8 am and 5 pm, the rule generates an alert when the 221st client attempts to log in. When you select the Add Threshold Rule option, the Rules wizard is displayed, prepopulated with the appropriate options for creating a threshold rule.
- Add Behavioral Rule - Select this option to create a behavioral rule. A behavioral rule tests event traffic for abnormal activity, such as new or unknown traffic, traffic that suddenly ceases, or a percentage change in the amount of time an object is active. For example, you can create a behavioral rule to compare the average volume of traffic for the last 5 minutes with the average volume of traffic over the last hour. If there is more than a 40% change, the rule generates a response. When you select the Add Behavioral Rule option, the Rules wizard is displayed, prepopulated with the appropriate options for creating a behavioral rule.
- Add Anomaly Rule - Select this option to create an anomaly rule. An anomaly rule tests event traffic for abnormal activity, such as new or unknown traffic, traffic that suddenly ceases, or a percentage change in the amount of time an object is active. For example, if an area of your network that never communicates with Asia starts communicating with hosts in that region, an anomaly rule generates an alert. When you select the Add Anomaly Rule option, the Rules wizard is displayed, prepopulated with the appropriate options for creating an anomaly rule.
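The threshold and behavioral rule examples above (no more than 220 logins between 8 am and 5 pm; a 5-minute average compared with a 1-hour average and a 40% change), worked through as an added illustration of the rule semantics. This is constructed example code, not QRadar's rule engine; the timestamps are fabricated sample data, and comparing the two windows as per-minute rates is an assumption about how the averages are compared.

```python
# Constructed illustration of threshold-rule and behavioral-rule semantics.
# Not QRadar code; all timestamps below are fabricated sample data.

def threshold_rule(login_times, limit=220, start=8 * 3600, end=17 * 3600):
    """Return the time (seconds since midnight) of the first login that pushes the
    count of logins inside [start, end) above `limit`, or None if the limit holds.
    With the defaults this mirrors the text: the 221st in-window login fires."""
    count = 0
    for t in sorted(login_times):
        if start <= t < end:
            count += 1
            if count > limit:
                return t
    return None


def behavioral_rule(event_times, now, short=300, long=3600, threshold_pct=40.0):
    """Compare the per-minute event rate over the last `short` seconds with the
    per-minute rate over the last `long` seconds (assumed comparison basis).
    Returns (percent_change, fires); fires when |change| exceeds threshold_pct."""
    short_n = sum(1 for t in event_times if now - short < t <= now)
    long_n = sum(1 for t in event_times if now - long < t <= now)
    short_rate = short_n / (short / 60)
    long_rate = long_n / (long / 60)
    if long_rate == 0:
        # No baseline at all: any activity in the short window is "new" traffic.
        return (float("inf") if short_rate else 0.0), short_rate > 0
    change = (short_rate - long_rate) / long_rate * 100
    return change, abs(change) > threshold_pct


# Constructed sample: 230 logins spread across 8 am to 5 pm, plus 20 at 2 am.
SAMPLE_LOGINS = [8 * 3600 + i * 140 for i in range(230)] + \
                [2 * 3600 + i * 60 for i in range(20)]
# Constructed sample: one event per minute for the hour ending at t=10000 ...
SAMPLE_BASELINE = [6460 + 60 * k for k in range(60)]
# ... and a burst of 10 extra events inside the final 5 minutes.
SAMPLE_BURST = [9900 + 5 * i for i in range(10)]

if __name__ == "__main__":
    print("threshold fires at", threshold_rule(SAMPLE_LOGINS))
    print("baseline only:", behavioral_rule(SAMPLE_BASELINE, now=10000))
    print("with burst:", behavioral_rule(SAMPLE_BASELINE + SAMPLE_BURST, now=10000))
```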
Actions
Click Actions to perform the following actions:
- Show All - Select this option to remove all filters on search criteria and display all unfiltered events.
- Print - Select this option to print the events that are displayed on the page.
- Export to XML > Visible Columns - Select this option to export only the columns that are visible on the Log Activity tab. This is the recommended option. See Exporting events.
- Export to XML > Full Export (All Columns) - Select this option to export all event parameters. A full export can take an extended period of time to complete. See Exporting events.
- Export to CSV > Visible Columns - Select this option to export only the columns that are visible on the Log Activity tab. This is the recommended option. See Exporting events.
- Export to CSV > Full Export (All Columns) - Select this option to export all event parameters. A full export can take an extended period of time to complete. See Exporting events.
- Delete - Select this option to delete a search result. See Managing event and flow search results.
- Notify - Select this option to specify that you want a notification emailed to you on completion of the selected searches. This option is only enabled for searches in progress.
Note: The Print, Export to XML, and Export to CSV options are disabled in streaming mode and when viewing partial search results.
Search toolbar
- Advanced Search - Select Advanced Search from the list box to enter an Ariel Query Language (AQL) search string that specifies the fields that you want returned.
- Quick Filter - Select Quick Filter from the list box to search payloads by using simple words or phrases.
View
The default view on the Log Activity tab is a stream of real-time events. The View list contains options to also view events from specified time periods. After you choose a specified time period from the View list, you can then modify the displayed time period by changing the date and time values in the Start Time and End Time fields.