|
Policy events |
Displays a list policy events and associated data.
Hide Query Show Query metadata.eventType = UserActivityAuditEvent | e metadata.customerIDString = ?cid| event.OperationName =~ in(values=["create_policy","update_policy","assign_policy","enable_policy","remove_policy","disable_policy","delete_policy","update_precedence"]) | count()
| Gauge |
|
Detections |
Displays a table of event detections and associated data
(timestamp, sensor ID, ComputerName, User,Severity, Local IP,
etc.)
Hide Query Show Query metadata.eventType=DetectionSummaryEvent |event.ComputerName=?ComputerName AND metadata.customerIDString = ?cid |SensorId := event.SensorId| ComputerName:=event.ComputerName|User:=event.UserName|DetectName:=event.DetectName|Severity:=event.SeverityName|LocalIP:=event.LocalIP|Tactic:=event.Tactic|Technique:= event.Technique| Description:= event.DetectDescription|Objective:=event.Objective |table([@timestamp,SensorId,ComputerName,User,DetectName,Severity,LocalIP,Tactic,Technique,Objective,Description])
| Table |
|
Policty events by Users |
Displays aggregated, policy-related events by user using metadata.
Hide Query Show Query metadata.eventType = UserActivityAuditEvent | metadata.customerIDString = ?cid| event.OperationName =~ in(values=["create_policy","update_policy","assign_policy","enable_policy","remove_policy","disable_policy","delete_policy","update_precedence"]) |User:=event.UserId|groupby(User)|events:=rename(_count)
| Pie Chart |
|
Techniques over Time |
Displays a chart of detected event techniques over a 1 hour
timespan.
Hide Query Show Query metadata.eventType = DetectionSummaryEvent |event.ComputerName=?ComputerName AND metadata.customerIDString = ?cid|timechart(span=1h, event.Technique)
| Time Chart |
|
Detection Events |
Displays a summary of detection events by computer name and
customer IDS string.
Hide Query Show Query metadata.eventType = DetectionSummaryEvent|event.ComputerName=?ComputerName AND metadata.customerIDString = ?cid|count("metadata.eventType")
| Gauge |
|
Firewall Events |
Displays a table of firewall events and associated data (host
name, device ID, event type, event policy name, etc.)
Hide Query Show Query * | metadata.eventType=FirewallMatchEvent |select([event.HostName,event.DeviceId,event.EventType,event.PolicyName,event.RuleName,event.HostName,event.CommandLine,event.ImageFileName,event.LocalAddress,event.RemoteAddress])
| Table |
|
Outbound Blocked Requests |
Displays a flowchart of outbound blocked requests using firewall
data from local address to remote address.
Hide Query Show Query * | metadata.eventType=FirewallMatchEvent
| event.RuleId = 1|sankey(source="event.LocalAddress",target="event.RemoteAddress")
| Sankey |
|
Blocked Requests - Outbound |
Displays a list of outbound blocked requests.
Hide Query Show Query * | metadata.eventType=FirewallMatchEvent event.RuleId=1|count()
| Gauge |
|
Detections by Technique |
Displays a chart of detections by technique.
Hide Query Show Query metadata.eventType = DetectionSummaryEvent |event.ComputerName=?ComputerName AND metadata.customerIDString = ?cid|top(event.Technique)
| Bar Chart |
|
Detection by Tactic |
Displays a chart of event detections by tactic.
Hide Query Show Query metadata.eventType=DetectionSummaryEvent |groupby(event.Tactic)
| Bar Chart |
|
Tactic over Time |
Displays a chart of event tactics over a 1 hour timespan by
computer name and customer IDS string.
Hide Query Show Query metadata.eventType = DetectionSummaryEvent |event.ComputerName=?ComputerName AND metadata.customerIDString = ?cid|timechart(span=1h, event.Tactic)
| Time Chart |
|
User Activity by ServiceName |
Displays a chart of user activity by username.
Hide Query Show Query * | metadata.eventType=UserActivityAuditEvent|metadata.customerIDString = ?cid|groupby(event.ServiceName)
| Bar Chart |
|
Policy events types |
Displays a pie chart of policy events by type using audit data.
Hide Query Show Query metadata.eventType = UserActivityAuditEvent | metadata.customerIDString = ?cid|event.OperationName =~ in(values=["create_policy","update_policy","assign_policy","enable_policy","remove_policy","disable_policy","delete_policy","update_precedence"]) | groupby(event.OperationName)
| Pie Chart |
|
Tactics |
Displays a pie chart of top event tactics.
Hide Query Show Query metadata.eventType = DetectionSummaryEvent |event.ComputerName=?ComputerName AND metadata.customerIDString = ?cid|top(event.Tactic)
| Pie Chart |
|
Events by eventtype |
Displays a chart of events by event type using metadata.
Hide Query Show Query metadata.customerIDString = ?cid|metadata.eventType!=ReconNotificationSummary*|groupBy(metadata.eventType)
| Bar Chart |
|
User Activity Events |
Displays user activity events using customer IDS string.
Hide Query Show Query * | metadata.eventType=UserActivityAuditEvent| metadata.customerIDString = ?cid|count()
| Gauge |
|
User Activity Events |
Displays a table of user activity events and associated data
(customer ID, user ID, service, operation).
Hide Query Show Query metadata.eventType = UserActivityAuditEvent | event.OperationName = *| metadata.customerIDString = ?cid|akey0:=event.AuditKeyValues[0].Key
|aval0:=event.AuditKeyValues[0].ValueString
|akey1:=event.AuditKeyValues[1].Key
|aval1:=event.AuditKeyValues[1].ValueString
|akey2:=event.AuditKeyValues[2].Key
|aval2:=event.AuditKeyValues[2].ValueString
|akey3:=event.AuditKeyValues[3].Key
|aval3:=event.AuditKeyValues[3].ValueString
|akey4:=event.AuditKeyValues[4].Key
|aval4:=event.AuditKeyValues[4].ValueString
|akey5:=event.AuditKeyValues[5].Key
|aval5:=event.AuditKeyValues[5].ValueString
|akey6:=event.AuditKeyValues[6].Key
|aval6:=event.AuditKeyValues[6].ValueString
|akey7:=event.AuditKeyValues[7].Key
|aval7:=event.AuditKeyValues[7].ValueString
|akey8:=event.AuditKeyValues[8].Key
|aval8:=event.AuditKeyValues[8].ValueString
|akey9:=event.AuditKeyValues[9].Key
|aval9:=event.AuditKeyValues[9].ValueString
|akey10:=event.AuditKeyValues[10].Key
|aval10:=event.AuditKeyValues[10].ValueString
|akey11:=event.AuditKeyValues[11].Key
|aval11:=event.AuditKeyValues[11].ValueString
|akey12:=event.AuditKeyValues[12].Key
|aval12:=event.AuditKeyValues[12].ValueString
|akey13:=event.AuditKeyValues[13].Key
|aval13:=event.AuditKeyValues[13].ValueString
|akey14:=event.AuditKeyValues[14].Key
|aval14:=event.AuditKeyValues[14].ValueString
|akey15:=event.AuditKeyValues[15].Key
|aval15:=event.AuditKeyValues[15].ValueString
|akey16:=event.AuditKeyValues[16].Key
|aval16:=event.AuditKeyValues[16].ValueString
|akey17:=event.AuditKeyValues[17].Key
|aval17:=event.AuditKeyValues[17].ValueString
|akey18:=event.AuditKeyValues[18].Key
|aval18:=event.AuditKeyValues[18].ValueString
|akey19:=event.AuditKeyValues[19].Key
|aval19:=event.AuditKeyValues[19].ValueString
|akey20:=event.AuditKeyValues[20].Key
|aval20:=event.AuditKeyValues[20].ValueString
|rename(metadata.customerIDString, as="Customer ID")|User := rename(event.UserId)|UserIP := rename(event.UserIp) |Service:=event.ServiceName |Operation:=event.OperationName|table([@timestamp,"Customer ID",User,UserIP,Service,Operation,akey0,aval0,akey1,aval1,akey2,aval2,akey3,aval3,akey4,aval4,akey5,aval5,akey6,aval6,akey7,aval7,akey8,aval8,akey9,aval9,akey10,aval10])
| Table |
|
Blocked Requests - Inbound |
Displays a list of blocked inbound access requests using metadata.
Hide Query Show Query * | metadata.eventType=FirewallMatchEvent event.RuleId=3|count()
| Gauge |
|
Identity Protection Events |
Displays a list of identity protection events.
Hide Query Show Query * | metadata.eventType=IdentityProtectionEvent|count()
| Gauge |
|
Events over time |
Displays a list of events over time
Hide Query Show Query metadata.eventType!=ReconNotificationSummary* |metadata.customerIDString = ?cid|timechart(span=5m,metadata.eventType)
| Time Chart |
|
Inbound Blocked Requests |
Displays a flowchart of inbound blocked requests from remote
address to local address.
Hide Query Show Query * | metadata.eventType=FirewallMatchEvent
| event.RuleId = 3|sankey(source=event.RemoteAddress, target=event.LocalAddress)
| Sankey |
