Rules

FortiSIEM continuously monitors your IT infrastructure and provides you with information you can use to analyze performance, availability, and security. There may also be situations in which you want to receive alerts when exceptional, suspicious, or potential failure conditions arise. You can accomplish this by using rules that define the conditions to watch out for, and which trigger an incident when those conditions arise. This incident will appear on the Incident Summary dashboard, and you can also configure a notification policy that will send email and SNMP alerts that the incident has occurred. FortiSIEM includes over 500 system-defined rules, which you can see in Analytics > Rules, but you can also create your own rules as described in the topics in this section.

Creating Rules

FortiSIEM constantly monitors your IT infrastructure for events and collects information about them, but you can also set rules that will trigger incidents from events and send notifications when they occur. These topics describe the concepts and processes for creating rules.

Creating a Rule

Defining Rule Conditions

Example of a Rule with a Single Condition Sub-Pattern

Example of a Rule with Multiple Sub-Patterns

Defining the Incident Generated by a Rule

Defining Rule Exceptions

Defining Clear Conditions Testing a Rule

Creating a Rule

Creating a new rule involves defining the attributes of the incident that is triggered by the rule, as well as the triggering conditions and any exceptions or clear conditions.

2. Go to Analytics > Rules.
3. Select the group where you want to add the new rule.
4. Click New.
5. Enter a Rule Name and Description.
6. For Status, keep the rule Inactive.

You can activate the rule after you’re finished creating and testing it.

7. Select an Incident Category for the incident triggered by the rule.

You can click Add and enter a custom incident category.

8. Select a Severity to associate with the incident triggered by the rule.
9. Select Update the Perf Status column on summary dashboard if you want the incident to display in the Performance Status column of the Exec Summary
10. For Attributes, enter the functional area, such as Security, that you want to associate the rule with.
11. Enter a Notification Frequency for how often you want notifications to be sent when an incident is triggered by this rule.
12. Under Conditions, click Add Subpattern to create the rule conditions.

See Defining Rule Conditions for detailed information on selecting event and aggregation attributes to use with rules. You can also see examples of rules with a single subpattern and multiple sub patterns.

13. Enter the time interval during which the rule conditions will apply.

The minimal interval is 120 seconds.

14. Next to Actions, click Edit to define the incident that will be generated by this rule.

See Defining the Incident Generated by a Rule for more information.

15. Next to Watch Lists, click Edit to add a watch list to the rule.

See Adding a Watch List to a Rule for more information.

16. If you want to define any Exceptions for the rule, click Edit. See Defining Rule Exceptions for more information.
17. If you want to define any Clear Conditions for the rule, click Edit.

See Defining Clear Conditions for more information.

18. Click Save.

Your new rule will be saved to the group you selected in an inactive state. Before you activate the rule, you should test it.

 

Defining Rule Conditions

Rule conditions define the event attributes and thresholds that will trigger an incident. Rule conditions are built from sub-patterns of event attribute filters and aggregation functions. You can specify more than one subpattern and the relationships and constraints between them.

Setting the Relationship between Subpatterns

Setting Inter-subpattern Constraints

Examples of inter-subpattern relationships and constraints

Specifying a Subpattern

A subpattern defines the characteristics of events that will cause a rule to trigger an incident. A subpattern involves defining event attributes that will be monitored, and then defining the threshold values for aggregations of event attributes that will trigger an incident.

Example of a rule with a single subpatten

This screenshot shows an example of a subpattern with a single event filter and a single event aggregation condition. Expressed as a sentence, this rule would be “When there are more than three events on a single Host IP where average CPU utlization is equal to 95%, trigger an incident.”

 

Event Filters

Event filter criteria determine which event attributes and values will be monitored by the rule, and are set in a way that is similar to the way you set event attributes for structured historical searches and real time searches. See Selecting Attributes for Structured Searches, Display Fields, and Rules for more information on finding attributes to use in your event filters.

Event Aggregation

While you could have a rule that triggers an incident on a single instance of a particular event, it is more likely that you will want your rule to trigger an incident when some number of events have been found that meet your event filter criteria.

Group By Attributes

This determines which event attributes will be used to group the events before the group constraints are applied, in a way that is similar to the way the Group By attribute is used to aggregate the results of structured searches. Aggregate Conditions

The group aggregation conditions set the threshold at which some aggregation of events will trigger a rule to create an incident. You create an aggregation condition by using the Expression Builder to set a function, and then enter the Operator and Value for the aggregation condition. Examples of Group By and Aggregate Conditions Settings

Scenario	Group By Attributes	Aggregate Conditions
10 or more events	none	COUNT(Matched events) >= 10
Connections to 100 or more distinct destination IPs from the same source IP	Source IP	COUNT (DISTINCT Destination IP) >= 100
Connections to 100 or more distinct destination IPs from the same source IP on the same destination port	Source IP, Destina tion Port	COUNT (DISTINCT destination IP) >= 100
Average CPU Utilization on the same server > 95% over 3 samples	Host IP	COUNT (Matched Events) >= 3 AND AVG(CPU Util) > 95
Logins from the same source workstation to 5 or more accounts on the same target server	Source IP, Destina tion IP	COUNT(DISTINCT user) >= 5

Setting the Relationship between Subpatterns

Example of a rule with multiple subpatterns

If you have more than one sub-pattern, you must specify the relationship between them with these operators.

Operator	Meaning
AND	Sub-pattern P1 AND Sub-pattern P2 means both sub-patterns P1 and P2 have to occur
OR	Sub-pattern P1 OR Sub-pattern P2 means either P1 or P2 have to occur
FOLLOWED-BY	Sub-pattern P1 FOLLOWED-BY Sub-pattern P2 means P1 has to be followed by P2 in time
AND-NOT	Sub-pattern P1 AND-NOT Sub-pattern P2 means P1 must occur while P2 must not; the time order between P1 and P2 is not important
NOT-FOLLOWED-BY	Sub-pattern P1 NOT-FOLLOWED-BY P2 means P1 must occur and P2 must not occur after P1

Setting Inter-subpattern Constraints

You may want to relate attributes of a sub-pattern to the corresponding attributes of another sub-pattern, in a way that is similar to a JOIN operation in an SQL, by using the relationship operators  <, >, <=, >=, =, !=. Examples of inter-subpattern relationships and constraints

Scenario	Sub-pattern P1 – filter	P1 – Group-by attribute set	P1 Group constraint	Sub-pattern P2 filter	P2-group-by attribute	P2 group constraint	Inter-P1-P2 relationships	Inter-P1-P2 constraints
5 login failures from the same source to a server not followed by a successful logon from the same source to the same server	Event type = Login Success	Source IP, Destination IP	COUNT (Matched Event) >= 5	Event type = Login failure	Source IP, Destination IP	COUNT(Matched Event) > 0	P1 NOT_FOLLOWED_BY P2	P1’s Source IP = P2’s Source IP
An security attack to a server followed by the server scanning the network, that is, attempting to communicate to 100 distinct destination IP addresses in 5 minute time windows	Event type = Attack	Destination IP	COUNT (Matched Event) > 0	Event Type = Connection Attempted	Source IP	COUNT (DISTINCT Destination IP) > 100	P1 FOLLOWED_BY P2	P1’s Destination IP = P2’s Source IP
Average CPU > 95% over 3 sample on a server AND Ping loss > 75%	Event Type = CPU_Stat	Host IP	COUNT(Matched Event) >= 3 AND AVG(cpuUtil) > 95	Event Type = PING Stat	Host IP	pingLossPct > 75	P1 AND P2	P1’s Host IP = P2’s Host IP

Example of a Rule with a Single Condition Sub-Pattern

This topic shows an example of how to create a rule with a single sub-pattern based on the condition that Average CPU on a server is more than 95% over 3 sample measurements.

Attribute	Group By Attribute	Aggregate Conditions
Avg CPU Util	Host IP	COUNT (Matched Event) >= 3

1. For Rule Name, enter Hi Avg CPU.
2. For Description enter Average CPU on a server is more than 95% over 3 sample measurements.
3. For Severity, select 9 – High.
4. For Attributes, select All.
5. Set the Notification Frequency for 1 Hour.
6. Next to Conditions, click Add Subpattern.
7. For Subpattern Name, enter Pattern 1.
8. Under Filters, set these options:

Option	Setting
Attribute	Avg CPU Util
Operator	>=
Value	95

 

9. Under Aggregate Conditions, click the Expression Builder icon next to the Attribute field, select COUNT(Matched Events) from the Add Function menu, and then click OK.
10. Under Aggregate Conditions, select = for Operator and enter 3 for Value.
11. Under Group By, select Host IP.
12. Click Save.
13. Enter 5 for the time interval during which the conditions will apply.
14. You would now complete the rule by Defining the Incident Generated by a Rule, and any exceptions or clear conditions. You could also a ssociate it with a notification policy.

This screenshot shows the subpattern settings for this example.

 

 

 

 

 

 

 

The following steps describe how to create a rule that matches the above example 1:

1. Enter a name for the rule in the ‘Rule Name’ text box.
2. Enter a description for the rule in the ‘Description’ text box.
3. Use the drop down menu to choose a ‘Severity’ for the rule.
4. Click on the ‘+ Add Condition’ button.
   1. Chose the ‘Function’ for the rule. In this case ‘AVG’ is chosen.
   2. Choose the ‘Attribute’ for the rule. In this case ‘CPU Util’ is chosen.
   3. Chose the ‘Operator’ for the rule. In this case ‘>=’ is chosen.
   4. Enter the ‘Value’ for the rule. In this case ’95’ is entered.
5. Select the devices to apply the rule to.
6. Enter the number of events that must occur for the rule to fire. In this case ‘3’ is used.
7. Enter the time frame for the rule. In this case ‘600’ seconds is used.

 

Example of a Rule with Multiple Sub-Patterns

This topic provides an example of a rule with two sub-patterns, and also how to use the Event Type attribute as a filter.

Rule Conditions

Creating Sub-Pattern P1

Creating Sub-Pattern P2

Defining the Relationship Between Patterns

Defining the Incident to be Generated by the Rule

Rule Conditions

The purpose of this rule is to trigger an incident when five login failures from the same source to a server are not followed by a successful login from the same source to the same server within one hour. This requires two sub-patterns, the first one to detect “five login failures from the same source to a server,” and a second one to detect “a successful logon from the same source to the same server.” The two sub-patterns need to be interrelated to make the complete rule.

Sub-pattern 1 (P1)

Event Filter Attribute	Group By Attributes	Aggregate Conditions
Event type = Logon Failure	Source IP, Destination IP	COUNT (Matched Event) >= 5

Sub-pattern 2 (P2)

Event Filter Attribute	Group By Attributes	Aggregate Conditions
Event type = Logon Success	Source IP, Destination IP	COUNT(Matched Event) > 0

P1/P2 Interrelationships and Constraints

Interrelationships	Constraints
P1 NOT_FOLLOWED_BY P2	P1’s Source IP = P2’s Source IP, P1’s Destination IP = P2’s Destination IP

Creating Sub-Pattern P1

The following steps describe how to create a rule that matches the above example 2:

1. Log in to your Supervisor node.
2. Go to Analytics > Rules.
3. Click New.
4. For Rule Name, enter Suspicious Login Failure.
5. For Description, enter the rule conditions stated in the introduction to this topic.
6. For Severity, select 10 – High.
7. For Attributes, select All.
8. Next to Conditions, click Add Subpattern.

You will now create the first subpattern for “five login failures from the same source to a server.”.

9. For Subpattern Name, enter LogonFailures.

To create this sub pattern you will want to specify that all types of logon failures should be monitored. For this reason, you will want to specify an entire folder of event types as the rule condition, rather than a single attribute of a event.

10. For Attribute, select Event Type.
11. For Operator, select IN.
12. For Value, click … to open the CMDB Browser.
13. In the CMDB Browser, go to Event Types > Security > Logon Failure, and click Folder >> to select the Logon Failure events group. Your filter condition, as shown in the screenshot, can be read as “For any type of event in the Logon Failure event group . . .”
14. Under Aggregate Conditions, click the Expression Builder icon next to Attribute and select COUNT(Matched Events).
15. For Operator, enter >=.
16. For Value, enter 5.
17. Under Group By, enter Source IP for Attribute, and then click + to add another Group By
18. Enter Destination IP.
19. Click Save.

This screenshot shows the complete entry for sub-pattern P1.

Creating Sub-Pattern P2

1. In your rule, next to Conditions, click Add Subpattern.
2. For Subpattern Name, enter LogonSuccess.
3. For Attribute, select Event Type.
4. For Operator, select IN.
5. For Value, click … to open the CMDB Browser.

This button only becomes active if you select Event Type as an attribute.

6. In the CMDB Browser, go to Event Types > Security > Logon Failure, and click Folder >> to select the Logon Failure events group. Your filter condition, as shown in the screenshot, can be read as “For any type of event in the Logon Failure event group . . .”
7. Under Aggregate Conditions, click the Expression Builder icon next to Attribute and select COUNT(Matched Events).
8. For Operator, enter >.
9. For Value, enter 0.
10. Under Group By, enter Source IP for Attribute, and then click + to add another Group By
11. Enter Destination IP.
12. Click Save.

This screenshot shows the complete entry for sub-pattern P2.

Defining the Relationship Between Patterns

You will now see both of your sub-patterns listed under the Conditions for your rule definition.

1. Makes sure that LogonFailures is selected as the first pattern under If this Pattern occurs, and under Next Op, select NOT_FOLLOW ED_BY.
2. Select LoginSuccess as the second subpattern.
3. Click AddSubpattern Relationship.
4. For the first relationship definition, select LogonFailures for Subpattern, Source IP for Attribute, and = for Operator.
5. For the second subpattern, select LogonSuccess for Subpattern, Source IP for Attribute, and AND for Next Op.
6. Under Row, click +.
7. For the second relationship definition, for the first subpattern, select LogonFailure for Subpattern, Destination IP for Attribute, and = fo r Operator.
8. For the second subpattern, select LogonSuccess for Subpattern, and Destination IP for

This screenshot shows the full pattern and relationship definition for the two subpatterns.

Defining the Incident to be Generated by the Rule

1. In your rule definition, click Edit next to Generate Incident.
2. For Incident Name, enter Suspicious_Login_Failure.
3. Under Incident Attributes, select Source IP for Event Attribute, LoginFailures for Subpattern, and Source IP for Filter Attribute.
4. Under Row, click +.
5. For the second incident attribute, select Destination IP for Event Attribute, LoginFailures for Subpattern, and Destination IP for Filter Attribute.
6. Under Triggered Event Attributes, make sure that Event Receive Time, Event Type, Reporting IP, and Raw Event Log are listed in the Selected Attributes.
7. Click OK.

This screenshot shows the complete Incident Definition.

 

Creating Filter Criteria and Display Column Sets

When you create searches, you have the option to select saved filter criteria and column sets to use. This topic describes how to create those sets.

1. Log in to your Supervisor node.
2. In the Analytics tab, select either Display Column Sets or Filter Criteria Sets, depending the type of set you want to create.
3. Click New.
4. Add the filter criteria or display columns that you want to the set.

See Using Expressions in Structured Searches and Selecting Attributes for Structured Searches and Display Fields for more information about building searches and display columns.

5. Click Save.

You set will be saved to the list of sets, and you will be able to use it in searches by clicking the … button next to the Filter Criteria text field in structured searches or the Display Columns menu for both structured and simple searches.

Related Links

Using Expressions in Structured Searches and Rules

Selecting Attributes for Structured Searches, Display Fields, and Rules

 

 

 

 

 

Using Geolocation Attributes in Searches and Search Results

When you view the results of a search, you will see that IP address fields in the results, such as Source IP or Destination IP, often have a flag added to them to indicate the geolocation of that IP address. This topic describes the geolocation information that is associated with event attributes, and provides examples of how to use this information in searches and search results.

Event and Geolocation Attributes

Using Geolocation Attributes in Searches

Viewing Geographic Locations from Search Results

Event and Geolocation Attributes

The event attributes Source IP, Destination IP, Host IP, and Reporting IP include geolocation attributes that you can use in search queries and as display fields in search results. In Incident Reports you may also see country flags included with IP addresses for Incident Source and Incid ent Target, which have the same geolocation attributes as Source IP and Destination IP.

Event Attribute	Geolocation Attributes
Source IP	Source Country Source City Source State Source Organization Source Longitude Source Latitude
Destination IP	Destination Country Destination City Destination State Destination Organization Destination Longitude Destination Latitude
Host IP	Host Country Host City Host State Host Organization Host Longitude Host Latitude
Reporting IP	Reporting Country Reporting City Reporting State Reporting Organization Reporting Longitude Reporting Latitude

Using Geolocation Attributes in Searches

You can use geolocation attributes in both real time and historical structured searches. For example, setting a search attribute to Source Country != United States will remove all Source IPs with a geolocation of United States from the search results.

This screenshot shows the results of using Source Country != United States and Event Severity = 1 as the search criteria. The Source IP display field contains only IP addresses associated with countries other than the United States, as indicated by the national flags next to each IP address in the Source IP column.

If you use a geolocation attribute such as Source Country as a Display Field or Group By condtion, then the results will include name information for that attribute, rather than a national flag.

This screenshot shows the results of the same query used previously, but with Group By = Source Country.

Viewing Geographic Locations from Search Results

If your search results contain geographic information, click the Locations button to view that information on a map.

This screenshot shows the results for the first example query presented in a map. Clicking on a number in the map will provide you with an overview of incidents for that location.

 

Keywords and Operators for Simple Searches

Both historical and real time searches have a simple search option that searches for keywords in the raw ASCII tex of event logs. You can use operators in your keyword searches to combine terms or create simple search filters.

Keyword Operators

Examples of Using Keyword Search Operators

Quotes and Backslash Characters in Search Terms

Keyword Operators

You can use the operators AND, OR, AND NOT between keywords. If you enter more than one keyword, then AND is assumed as the operator between them. You can also use parentheses () to change the precedence of the operators.

Examples of Using Keyword Search Operators

Search String	Results
TCP	Finds all events with TCP in the event logs
TCP 80	Finds all events with TCP and 80 in the event logs
TCP AND (80 OR 443)	Finds all events with TCP and 80 or 40 in the event logs
TCP AND NOT 80	Finds all events with TCP but not 80

Quotes and Backslash Characters in Search Terms

If the search string contains quotation marks or back-slash characters, you must escape them by prefixing them with a backslash character. For example, if you wanted to search for [location]=”United States” then you would need to enter [location]=\”United States\” as your search string.

Using Expressions in Structured Searches and Rules

An expression can contain a single event attribute, multiple attributes, or functions that contain an event attribute as their argument. You can also use parentheses and arithmetic operators to form complex expressions.

You can enter an expression manually, paste it in, or build it dynamically using the Expression Builder. If you use the Expression Builder, you will have to enter parentheses or arithmetic operators in the expression.

The Expression Builder

Creating Expressions

Adding a Function

Filter Condition Functions

Aggregation Condition Functions

The Expression Builder

You can access the Expression Builder by clicking the e icon next to the Attribute or Value field when creating a structured search or rule.

This screenshot shows the Expression Builder open for creating a rule.

Creating Expressions

Adding a Function

To add a function to the expression, select it from the Add Function menu, and then click the + icon. The available functions depend on whether you are are creating an expression to use as part of a filter condition for a search or rule, or as part of the aggregation conditions for a rule.

Selecting Function-Specific Attributes

When you select any type of function, the function and a set of parentheses will be added to the expression. If you place your cursor within the parentheses and then open the Event Attribute menu, you will see event attributes that are relevant for that function. For example, if you select COUNT as the function, (MATCHED ITEMS) will automatically appear between the parentheses, and will be selected in the Event Attribute menu. If you select a function like AVG for an aggregation condition, you will see options such as CPU UTIL and Apache Uptime. If you select a function like HourOfDay for a filter condition, you will see options like Access Time and Vul nerable Since. You can search through the options in either situation by beginning to type a keyword in the Event Attribute menu. Sele cting Attributes for Structured Searches, Display Fields, and Rules has more information about ways to search for and select event attributes.

Filter Condition Functions

If you select HourOfDay or DayOfWeek for the function, the Event Attributes menu will contain date and time-related event attributes, while if you select DeviceToCMDBAttr, it will contain device-related attributes.

Function	Description
HourOfDay	Specify an hour of the day in the condition
DayOfWeek	Specify a day of the week in the condition
DeviceToCMDBAttr	If you add the DeviceToCMDBAttr() function to the expression, the first argument must be an event attribute, and the second argument must be a CMDB attribute, which you can select using the CMDB Attribute menu. The DeviceToCMDBAttr function is used to create expressions for per-device thresholds.

This screenshot shows the beginning of creating an expression to use as the Attribute in a condition for an historical search. HourOfDay is selected as the Function, and Access Time is selected as the Event Attribute.

Aggregation Condition Functions

You use these functions to perform operations on numerical event attributes such as Sent Bytes, Received Bytes, CPU Utilization, or Memory Utilization.

Function	Description
Count	Count the number of items returned
Count Distinct	Count the number of distinct items returned
Sum	Add the numbers
Average	Average the numbers
Min	The lowest number
Max	The highest number
Last	The last number
First	The first number
Pctile95	The 95th percentile
PctChange	Percentage change
STAT_AVG	Statistical average. This function is used in conjunction with creating baseline reports.
STAT_STDDEV	Statistical standard deviation. This function is used in conjunction with creating baseline reports .

This screenshot shows the beginning of creating an expression to use as an aggregation condition in rule. Max is selected as the Function, and CPU Util is selected as the Event Attribute.

Selecting Attributes for Structured Searches, Display Fields, and Rules

For both Real Time and Historical structured searches you have the option to to select event attributes to use in both your search and Group By fi lters, and as display fields in your result lists. Since AccelOps recognizes over 130,000 event attributes, the documentation and user interface provides several ways to find the attributes you want to use. These instructions show how to access the Common Attributes menu and the CMDB attribute browser through the Attributes in search conditions, but you can access the same functionality in the Display Fields menu for searches, and when you create a new rule. They also contain information on how you can access the attributes associated with reported events through the Raw Event Logs column of results lists.

The Event Dictionary and Master Attribute List

Selecting Attributes in the Common Attributes Menu

Selecting Event Attributes from the CMDB

Selecting Attributes from the Raw Events Log Column of the Results Lists

The Event Dictionary and Master Attribute List

This documentation includes an Event Dictionary that describes events and their attributes, and an attribute master list, which lists the primary event attributes and their data type, along with a brief description of what values AccelOps expects to see when that attribute information is returned.

Selecting Attributes in the Common Attributes Menu

This screenshot shows the Common Attributes menu open in the Conditions Builder for an Historical search. Open the menu by clicking the downward arrow next to an Attribute text field. You can scroll through the list of event attributes to select the one you want, or begin typing an attribute name and the menu will sort based on your entry.

Selecting Event Attributes from the CMDB

You also have the option to browse all the attributes listed in the CMDB to find the one that you want. These two screenshots show the CMDB attribute browser, which you can access by clicking … next to the Attribute text field.

The first screenshot illustrates browsing the CMDB attributes based on Device Type and Feature Type: Availability, Change, Performance, Se curity, and All. In this example, Security has been selected for Feature Type, and Cisco IOS has been selected for Device Type. This loads all the security attributes associated with the Cisco IOS into the Attribute List.

The second screenshot illustrates browsing the CMDB Event Types to find an event attribute. In this example, Cisco ASA is selected for Device Type. Clicking in the Event Type window opens an Event Browser for the CMDB. Select any group in the browser, and you will see the event types within that group that are applicable to the Device Type you selected.

Selecting Attributes from the Raw Events Log Column of the Results Lists

All real time search results lists include a Raw Event Log column, and you can add a a Raw Event Log column to the list of results for historical searches. In addition to providing detailed information from the raw event logs, you can also use this column to view all the attributes associated with a reported event and add them to the display fields in your results list or to your filters for structured searches.

1. Cilck in the Raw Event Log column of your results list to collapse the view.

The raw event log text will collapse into an information icon with a blue +.

2. Click on the blue + icon to open the Event Details.

You will see the raw event log text and list of all the attributes associated with that event type.

3. Select Filter or Display to add an attribute to the search filters or display fields for that search.
4. Click X to close the Event Details window when you’re done making your selections.

 

 

 

Structured Search Operators

Operator	Meaning	Allowed on Event Attribute Types or CMDB Group	Example as seen in GUI
=, !=	Compares whether an attribute is exactly identical or not identical to a specified value	All except DATE types	Event Type = “PH_DEV_MON_SYS_CPU_UTIL” Source IP != 10.1.1.1
>, >=, <, <=	Compares whether an attribute is less or greater than a specified value	Numeric types: UINT16, UINT32, UINT64, DOUBLE	CPU Util > 10
IN, NOT IN	Determines whether an attribute belongs or does not belong to a set of values. For string valued attributes, the match is case insensitive.	All except DATE type Allows CMDB Groups	System Event Category IN (3,6) Event Type IN (“PH_DEV_MON_SYS_CPU_UTIL”,”PH_DEV_MON_SYS_MEM_UTIL”) Event Type IN (“PH_DEV_MON_SYS_CPU_UTIL”,Event Types:Login Failure) Source IP IN Devices:Windows, Devices:Unix Destination IP IN Networks:VPN Pool
BETWEEN, NOT BETWEEN	Determines whether an attribute is between a range of values	All except STRING types	Source IP BETWEEN (10.1.1.1, 10.1.1.255) CPU Util BETWEEN (20.0, 30.0) Event Receive Time BETWEEN (18:35 03/17/2014, 18:35 03/26/2014)
IS (NULL), IS NOT (NULL)	Determines whether an attribute is present or not	All types	Host Name IS NOT NULL
CONTAINS, NOT CONTAINS	Determines whether a string valued attribute contains a specified sub-string. For Raw Event Log – the sub-string has to contain the beginning of every word For all other string type attributes: the sub-string can be in any  position	STRING	Event Type CONTAINS “DEV_MON” matches “PH_DEV_MON_CPU” Event Type NOT CONTAINS “DEV_MON” does not matche “PH_DEV_MON_CPU” Reporting Model CONTAINS “dows” matches “Microsoft Windows” Reporting Model CONTAINS “soft win” matches “Microsoft Windows” Raw Event Log CONTAINS “dows” does not match “Microsoft Windows” Raw Event Log CONTAINS “microsoft win” matches “Microsoft Windows 2003” (For more general patterns use regular expressions)
REGEXP, NOT REGEXP	Determines whether a string valued attribute matches a specified pattern. Raw message needs to be UTF-8 encoded.	STRING	Raw Event Log REGEXP “\d+.\d+\d+.\d+” Event Type NOT REGEXP “PH_DEV_MON_.*” – match events with event types not beginning with PH_DEV_MON

Real Time Search

You can use Real Time search to view events as they are occurring in real time within your IT infrastructure. You can use both simple and structured search criteria, as you would with historical search, but instead of the results displayed in a report like you would see with an historical search, real time search results are displayed as a rolling graph and summary of events that you can drill down into.

Overview of the Real Time Search User Interface

Creating a Simple Real Time Search

Creating a Structured Real Time Search

Viewing and Refining Real Time Search Results

 

Overview of the Real Time Search User Interface

The real time search interface is very similar to the interface for historical search, with the exception that real time search doesn’t have an option to set a search time period. As with historical search, you can also run simple or structured search queries. The main difference between historical and real time search is that real time search displays your results as they are occurring in your IT infrastructure, with a scrolling chart and summary of the results.

Simple Real Time Search

Simple Real Time Search Interface Controls Structured Real Time Search

Simple Real Time Search

When you use simple real time search, you enter a keyword to search for in the logs collected by AccelOps, set any columns you want to display in the Raw Event Log Results Summary, and, for multi-tenant deployments, select any organizations you want to filter the results for. You can then select results in the real time chart to use for historical searches, or you can select results in the Raw Event Log Results Summary to learn more information about them or use them as filters in refining your search.

This screenshot shows the results for searching the raw event logs for occurrences of TCP.

Simple Real Time Search Interface Controls

Ui Control	Description
Filter Criteria	For simple real time search, use the search box to find keywords in raw event logs. You can also create a rule from your search results.
Set Summary Display Columns	Select which columns will be displayed in the Raw Event Log Results Summary
Organizations Filter	For multi-tenant deployments, select which organizations you would like to filter the results for
Real Time Chart	Displays results as they occur in real time. Use the Pause, Fast Forward, Stop, and Clear buttons to control the display.
Raw Event Log Results Summary	Displays a summary of the raw event logs for your search results in real time. Click Pause in the real time chart and then select an item in the summary results to view attributes such as Reporting and Destination IP, add an IP address to a watch list, add an attribute as a search filter, or get topological information about network devices. Selecting a result from the summary list also enables the Filter, Quick Info, and Locations buttons.

Structured Real Time Search

For structured real time search, you only enter the filter conditions that you want to use, instead of having to also specify aggregation and group by conditions as you would in a structured historical search.

This screenshot shows the Conditions dialog for structured real time search. You can select attributes and create expressions to use in structured real time search the same way you would in structured historical search.

This screenshot shows the Conditions dialog after having selected Structured in the search controls, with two search conditions set.

 

 

 

Creating a Simple Real Time Search

1. Log into your Supervisor node.
2. Go to Analytics > Real Time Search.
3. In Filter Criteria, select Simple.
4. Enter the keywords you want to search for in the raw event logs collected by AccelOps.

See Keywords and Operators for Simple Searches for more information about keyword searching.

5. Select the Display Fields for the results summary.

See Selecting Attributes for Structured Searches and Display Fields for more information about selecting attributes that can be displayed for reported events.

6. For multi-tenant deployments, select any Organizations that you want to filter the results for.
7. Click Search.

Related Links

Keywords and Operators for Simple Searches

Selecting Attributes for Structured Searches, Display Fields, and Rules

Creating a Structured Real Time Search

1. Log in to your Supervisor node.
2. Go to Analytics > Real Time Search.
3. For Filter Criteria, select Structured.

The Conditions search window will open.

4. Click the downward arrow in the search window to open the Conditions Alternatively you can click … to use a saved Filter Criteria Set.
5. Under Conditions, set the Attribute, Operator, and Value for your condition.

You can also use expressions as search conditions. See Using Expressions in Structured Searches and Rules for more information, and Selecting Attributes for Structured Searches, Display Fields, and Rules for more information about using attributes in conditions.

6. Click + under Row to add another condition, and set the Next Operator to use for that condition.

You can give precedence to conditions by setting parentheses around them with the + button under Paren.

7. Click OK.

You can also click Save as Filter Criteria Set, and these conditions will be available for future searches by clicking … next to the search window.

8. Under Display Fields, select the attributes you want to use as the columns in your results list.

See Selecting Attributes for Structured Searches, Display Fields, and Rules for more information about selecting attributes for devices and events to use as display fields.

9. For multi-tenant deployments, select the Organization you want to run the search against.
10. Click Search.

The results of your search will appear in the real time chart and results list.

Viewing and Refining Real Time Search Results

When your real time search runs, you will see the results represented as a scrolling chart across the top of the search results window, and as a scrolling list in the bottom of the window that include the raw event log information for events matching your search criteria. You can select items in the scrolling chart to use in historical search, view more information about individual items in the results list, and add attributes from your search results to your search filters or display fields.

Selecting Results for Historical Search

Viewing Information about Real Time Search Results

Adding Search Results to Search Filters. Watch Lists, or Display Fields

Selecting Results for Historical Search

1. When you see a time interval of events that you want to use for historical search appear in the scrolling chart, click Pause or Stop.
2. Hover your mouse cursor over the bar that represents the time interval until you see the time interval information appears, and then double-click on the bar.
3. The time interval and Event Type will be added to the criteria for an historical search.

Complete the other criteria you want to use for the search as described in Historical Search.

Viewing Information about Real Time Search Results

1. When you see an event appear in the search results list that you want more information about, click Pause or Stop.
2. Select the event row and click Quick Info to view the Reporting IP, Event Type, Source IP, and Destination IP for that event.
3. To view information about specific attributes of an event, click in the attribute display field and click Quick Info.

For attributes associated with devices, this will open the Quick Info view of the device as described Summary Dashboard User Interface Overview. For events types, it will show info such as the severity and device associated with the even type.

4. To view information about a device’s location in the network topology, select it in the display field and then select Topology.

Adding Search Results to Search Filters. Watch Lists, or Display Fields

With a search result selected in the results list, click Filter to select event attributes to add to the search filter.

In the expanded Raw Events Log, click on items in the text string to include or exclude them as search filter criteria.

To add a specific result to the search criteria, in the results list, click on an item in a display field to open the options menu, and then select Add to Filter.

To add an IP address to a watch list, click on it to open the options menu, and then select Add to Watch List.

See Watch Lists for more information.

See the section on Selecting Attributes from the Raw Event Log Column in the Results Lists in the topic Selecting Attributes for Structured Searches and Display Fields for information on how you can view and select the attributes associated with events to use as search filters or display fields from the real time search results list.