FortiSIEM Overview of Historical Search Results and Charts

Overview of Historical Search Results and Charts

When your search runs, you will see both a Results List in the bottom pane of the screen, and a chart in the middle pane. The types of charts that are displayed depend both on the data being analyzed, and whether or not you have specified any Group By conditions in your search. You can also add dimensions to your search results and change the chart display type for further analysis.

Non-Aggregated Search Results

Trend

Results List

Aggregated Search Results

Results List

Trend

Pie Chart

Bar Chart

Scatter Plot

Bubble Plot

Tree Map

Heat Map

Non-Aggregated Search Results

Non-aggregated searches are searches that don’t use any Group By conditions to process the results. These types of searches produce two views of the results:

View Description Screen Example Notes
Trend Shows the trend over time for search results
Results List Shows the results of the search based on the Search Display fields you selected

Aggregated Search Results

Aggregated searches are those that use a Group By condition to process the results.

View Description Screen Example Notes
Results

List

Shows the results of the search based on the Group By and Display fields you selected This example shows the search results for Top Event Types by Count

Filter Condition: Empty

Group By Condition: Event Type

Selected Display Fields: Event Type and COUNT(Matched Events)

 

Trend Shows the time trend of aggregated fields

(one at a time)

There are two trend views of results for aggregated searches, the line chart, shown here as the first chart, and the stack chart, shown as the second chart.

In this example, the line chart illustrates when the events occurred. The stacked display avoids line crossings, but the values have to be read off as the

height and not the absolute value. For example, the event count for PIX-302015 at 9:00 hours is 20,000-14000 = 6000.

Pie

Chart

Shows the proportion

for the

COUNT(Matched

Events) attribute

For any set of results where you are charting Count (Matched Events), click the Pie Chart icon to view a proportional representation of the results.

 

Bar

Chart

Shows the distribution of aggregated fields For any set of results where you are charting Count (Matched Events), click the Bar Chart icon to view the distribution of events for your results.
Scatter

Plot

Shows the correlation

between two aggregated fields

Scatter plots can show the correlation between two aggregated dimensions, effectively converting a one dimensional chart into a two dimensional one. In this case, a report is run with these parameters:

Filter Condition: Event Types PH_DEV_MON_SYS_CPU_UTIL and PH_D

EV_MON_SYS_MEM_UTIL

Group By attribut: Host Name

Display Fields: AVG(CPU Utilization) and AVG(Memory Utilization)

The results are first presented as a stacked trend and bar chart. When you click on the Scatter Plot Chart icon, you can now see the display fields as two dimensions, which shows that most devices use more memory than CPU. Hovering your mouse cursor over an item in the chart displays the values for the selected host.

Bubble

Plot

Shows the correlation

between two aggregated fields with a third dimension as size

A bubble pot is a scatter plot with a third dimension field added to indicate size. In this example, the same type of search that was used to generate the scatter plot example is run, though the display field Last (System Uptime) ha s been added as a Size indicator.
Tree

Map

A hierarchical tree-structured visualization that can be used to analyze dominating components of multidimensional data A tree map is a hierarchical tree-structured visualization that you can use to analyze dominant components of multi-dimensional data. A classic example is an attempt to understand Top Talkers in a network.

In this example, a search is run with these parameters:

Filter Conditions: Group:Permit Traffic

Group by attributes: Destination TCP/UDP Port, Destination IP, Source IP

Display Fields: Destination TCP/UDP Port, Destination IP, Source IP, COUNT(Matched Events)

The results, which run to 400 pages with approximately 10,000 entries, do not provide any information about:

The proportion of the Top Destination Port

The proportion of Top Source IPs for a given Destination Port

The proportion of Top Destination IPs for a given Destination Port and Source IP

By switching to a Tree chart, you can now see:

Top ports are 161 (SNMP) and 53 (DNS) – with SNMP taking roughly 1.5 times the connections

The top destinations for DNS are: 192.168.0.10 (Internal DNS)

208.67.222.222 (External DNS)

The top sources going to 192.168.0.10 on the DNS port are

192.168.20.116, 192.168.65.125

The top sources going to 208.67.222.222 on DNS port are 192.168.0.10

You can now drill down on port 53 for a closer view by clicking 53.00 in the tree map, which results in the third screenshot in this example.

 

 

 

Heat

Map

visualizes calculated measures in two dimensions using a color grade that helps users to understand intensity A heat map visualizes two display fields using a color gradient that indicates intensity. A classic example is an attempt to understand which host is talking on which network port.

In this example, a search is run with these parameters:

Filter Conditions: Group:Permit Traffic

Group By attributes: Destination TCP/UDP Port, Source IP

Display Fields: Destination TCP/UDP Port, Source IP, COUNT(Matched Events)

The first screenshot shows the results as a stacked trend chart. The second shows the results as a heat map with the Sample set to 1000. You can now hover your mouse cursor over indicators of higher intensity to view specific information. In this case 192.168.0.10, which appears as a small red bar in the lower left corner, is a heavy contributor to traffic on Port 53. In addition, vertica l lines indicate multiple hosts communicating on the same port, for example ports 22, 53, 80, 443, while horizontal lines indicate same host talking across multiple ports.

 

 

Refining the Results from Historical Search

Overview of Historical Search Results and Charts describes the charts that you can use to visualize historical search results, but there are also a variety of methods you can use to drill down into search results and refine your queries.

Charting a Specific Row from Historical Search Results

Charting Multiple Aggregation Attributes on the Same Historical Search Results Chart

Drilling Down on Search Results by Time Interval

Using Search Results to Refine Historical Searches Using Tabs to View Multiple Search Results

Charting a Specific Row from Historical Search Results

When your chart loads, the top five items are displayed as color-coded stack charts, as show in the example of this screenshot. However, you may want to remove results from the chart to get a clearer view of what is happening with a specific result. Here, for example, there are spikes for 192.168.19.65 that are clearly visible at various intervals, but the chart results for the other IPs obscure much of what is happening with this source IP.

The solution is to remove the other Source IPs from the chart. In the Chart column of the Results List, click on the items you want to remove from or add to the chart. In this example, all four of the other IPs have been removed from the chart to obtain a clearer visualization of the activity for 192.168.19.65.

 

 

 

 

Charting Multiple Aggregation Attributes on the Same Historical Search Results Chart

When you run a query, the resulting chart typically displays the first aggregated attribute in the Results List. However, if there are other aggregated attribute values in the search results, you can add those to the chart as a second dimension.

This screenshot shows the results for the report Top Router Network Intf By Util, Error, Discards, which includes the values for a single aggregated attribute, AVG(In Intf Util), for incoming interface utilization.

In this case, it could also be informative to understand more about the outbound interface utilization. In the second Chart For menu, AVG(Out Intf Util) is selected, and this is added as a second dimension to the chart beneath the 0 line, as shown in this screenshot.

 

Drilling Down on Search Results by Time Interval

When you run a search, the chart displays results for the time interval you set in your original query. However, you can also drill down to 5 minute, 10 second, and 1 second time intervals for a closer inspection of the results.

  1. Hover your mouse cursor over the result and time interval you want to drill down on until the information pop-up appears, as shown in the first example screenshot.
  2. Click to drill down and view the results for a 5 minute interval.
  3. Follow the same process to drill down to the 10 second and one second intervals.

This series of screenshots illustrates starting from the original search results, and then drilling down to the 5 minute interval.

 

 

 

 

 

 

 

Using Search Results to Refine Historical Searches

In this screenshot of search results you can see a small but sudden spike in the SUM(Total Bytes) for Destination TCP/UDP Port 20756, which is represented by the color purple in the chart. In order to understand what is happening in this time interval, you can select this port and the time period of interest, and use these as filter criteria for a deeper investigation.

 

  1. In the Results List, select the row containing the item of interest.
  2. Click the Filter menu, and you will see the attributes of the selected item as filter options.
  3. Select the attribute you want to use for your filter.

In this case, you would select Destination TCP/UDP Port = 20756.

Adding a Specific Attribute Value to a Filter

You can also click in the cell of the Results List that contains the attribute value you want to use in your filter, and then select Add to Filter from the pop-up menu that appears when you hover your mouse cursor over the attribute value.

  1. In the Show menu select Raw Messages.

This will include the raw event logs in the Incident Details.

  1. In the Display Fields menu, add or remove any display fields you want for the refined search results.

In this case two fields are added, Destination TCP/UDP Port and Total Bytes.

  1. In the chart, click on the time period that is of interest to add it to the search criteria.
  2. Click Run.

This screenshot shows the results for the selected port and time period, indicating that two events originating from Seattle WA were responsible for the spike.

 

  1. Click in the Raw Event Log column for an event to view the event details.

See Selecting Attributes for Structured Searches, Display Fields, and Rules for more information on how to view the attributes for reported events and add them to the display fields for your results.

Using Tabs to View Multiple Search Results

There may be occasions when you want to be able to run and compare the results of multiple searches.

  1. Run your first search.
  2. In the upper-left corner of the search screen, click +. A new tab will open up in the Analytics Window.
  3. Run your second search in the new tab.

New Tabs for Drill-Down and Refined Searches

If you refine an existing search, zoom in on a time period, or use the time interval drill-down to examine search results, new tabs are automatically generated for each level of drill down, and for each refined search.  When you select an attribute to use in a refined search, you can also select Add to Filter in New Tab from the Options menu.

 

This entry was posted in Administration Guides, FortiSIEM on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.