The right-click option allows you to:
Perform an event query for the last hour on a single event for:
Other events with the same target IP address
Other events with the same source (initiator) IP address
Other targets with the same event name
NOTE: You cannot perform a query on a null (empty) field.
Graphically display the mappings between any two fields in the selected events. This is particularly useful to view the relationship between the initiators (IP, port, event, sensor type, Collector) and the targets (IP, port, event, sensor type, Collector name) of the selected events, but any fields can be used.
Figure 3-5 is an illustration of initiator IP addresses mapped to target IP addresses.
Figure 3-5 Graph Mapper
This function allows you to perform an event query within the last hour for events similar to the selected event.
In a Navigator or Snapshot window, right-click an event, click , and select one of the three options given below:
Option | Function
---|---
 | Events with the same destination IP address
 | Events with the same initiator IP address
 | Events with the same event name as the selected event
An event table opens, showing the chosen event information.
To create a graph map:
In a Real Time Event Table, right-click an event or events and select .
The following is a graphic depiction of Sensor Name to Event Name of severity 5 in an organic format. You can view a graphic mapping in the following formats:
Circular
Hierarchical
Organic
Orthogonal
You must specify the From and To fields and click . The Graph Mapper window displays.
You can query the database for past events through a historical event query. The events can be queried according to the filter and severity criteria in the required batch size. You can export the results in HTML or CSV file format.
To query events in the Historical Event Query window:
In the tab, select . You can also open the Historical Event Query window by clicking the icon on the toolbar. The Historical Event Query window displays.
Click . In the Filter Selection window, select a filter from the list of available filters.
Click the icon. The Select Severity Values window displays.
Select one or more values for Severity and click .
Select a From and To date and time. The time you select corresponds to your system time.
Select a batch size. The events queried display in the batch size you specify. If you select a batch size of 100, the first 100 events are displayed in the window. After the query is processed, the icon changes to the icon. You can see the next 100 events along with the previous events by clicking the icon.
Click the icon. The query is processed. You can cancel the search by clicking the icon.
HINT: Select or from the drop-down list to export query results.
The Active Browser provides the ability to browse through a selected set of data to look for patterns and perform investigation. You can view the selected events in the Active Views in the Active Browser. When you open the Active Browser using and click against a specific offline query, the events table is displayed only when the number of events is less than or equal to 1000.
The events are grouped according to the meta tags. In these meta tags, various sub categories are defined. The number in parentheses against each sub category displays the total number of events corresponding to that value of the meta tag.
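As an added illustration that is not part of this guide or the product, the following Python models the three right-click pivots described above (same target IP, same initiator IP, same event name within the last hour), the rule that a null field cannot be queried, the per-value counts the Active Browser shows in parentheses, and the batch display of a historical query. The event records and field names are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample events (not product data); the fields mirror those the pivots use.
NOW = datetime(2024, 1, 1, 12, 0, 0)
EVENTS = [
    {"time": NOW - timedelta(minutes=5),  "event_name": "Failed Login", "init_ip": "10.0.0.5", "target_ip": "10.0.1.20"},
    {"time": NOW - timedelta(minutes=20), "event_name": "Failed Login", "init_ip": "10.0.0.7", "target_ip": "10.0.1.20"},
    {"time": NOW - timedelta(minutes=40), "event_name": "Port Scan",    "init_ip": "10.0.0.5", "target_ip": "10.0.1.30"},
    {"time": NOW - timedelta(hours=3),    "event_name": "Failed Login", "init_ip": "10.0.0.5", "target_ip": "10.0.1.20"},
    {"time": NOW - timedelta(minutes=10), "event_name": "Failed Login", "init_ip": None,       "target_ip": "10.0.1.20"},
]

# The three right-click pivots: option name -> event field that must match.
PIVOTS = {"target": "target_ip", "initiator": "init_ip", "event_name": "event_name"}


def similar_events(selected, events, pivot, now=NOW, window=timedelta(hours=1)):
    """Return the other events within the last hour that share the pivot field's value.

    Mirrors the documented restriction: a null (None) field cannot be queried.
    """
    field = PIVOTS[pivot]
    value = selected[field]
    if value is None:
        raise ValueError(f"cannot query on null field {field!r}")
    return [
        e for e in events
        if e is not selected and e[field] == value and now - window <= e["time"] <= now
    ]


def group_counts(events, field):
    """Active Browser style grouping: field value -> number of events carrying that value."""
    counts = {}
    for e in events:
        key = e[field] if e[field] is not None else "<null>"
        counts[key] = counts.get(key, 0) + 1
    return counts


def batches(events, size):
    """Split a result set into the batch size a historical query displays at a time."""
    return [events[i:i + size] for i in range(0, len(events), size)]


if __name__ == "__main__":
    hits = similar_events(EVENTS[0], EVENTS, "target")
    print(f"{len(hits)} other events hit the same target in the last hour")
    for name, n in group_counts(EVENTS, "event_name").items():
        print(f"{name} ({n})")
```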
To view events in Active Browser:
In the tab, select the event or events you want to view in Active Browser.
Right-click the event or events and select in the Active Browser. The selected event(s) display in the Active Browser window.
or
In the tab, select . The Historical Event Query window displays.
In the Historical Event Query window, run a query and click the Active Browser tab. The selected query displays in the Active Browser window.
NOTE: The tab is enabled only if the query returns at least one event.
To view events in Active Browser in the Analysis tab:
In the tab, select the query you want to view in the Active Browser.
Click . The selected query result displays in the Active Browser window.
To search in the Active Browser:
Specify the value or text you want to search for in the field.
Press Enter or click the icon next to the field to search.
NOTE: You can move between the various searches by using the and buttons above the field.
To add attributes in Active Browser:
Click the icon as shown below.
Select an attribute in the Add an Attribute for categorization window that displays.
Click .