This section lists a few examples of how you can create filters:

Section 3.4.1, View Events of Severity 3 to 5 from a System in China
Section 3.4.2, Determine if User “Bob Smith” Tried to Log In after His Account was Disabled
Section 3.4.3, View Events from Two Subnets and Share the Filter with Network Administrators
Section 3.4.4, Find all Events that Include the Words “database” and “service,” and exclude “test”
3.4.1 View Events of Severity 3 to 5 from a System in China

1. In the > , select . For more information on the Filter Builder, see Section 3.2.2, Filter Builder.
2. The name should match any string that contains the name “China,” for example, “ChinaBeijing.” Specify china* in the field.
3. The severity of the events must be 3 to 5: In , select . In the field, specify 3 TO 5.

   NOTE: If you are familiar with the search query syntax, you can directly specify the query in the field as follows:

   (rv29:china*) AND (sev:[3 TO 5])

   For more information on the search query syntax, see Section A.0, Search Query Syntax.

4. Click to view the events that match the specified criteria.

3.4.2 Determine if User “Bob Smith” Tried to Log In after His Account was Disabled

1. In the > , select the following. For more information, see Section 3.2.2, Filter Builder.
   - Select the condition.
   - Specify “Bob Smith” in the field.
2. To determine whether the user has logged in, or tried to log in, select in .

   NOTE: You can also select the appropriate event fields directly if you are familiar with the values to be specified for them. Taxonomy is a classification of events in which events of a similar type are grouped together. It lets you search events by their taxonomy classification rather than by specifying the individual event names and their values.

3. In the , select the following:
   - From the drop-down list, select .
   - From the drop-down list, select .
   - For , select , then select .

   NOTE: If you are familiar with the search query syntax, you can directly specify the query in the field as follows:

   (xdasclass:2 AND xdasid:0 AND (xdasoutcome:0 OR xdasoutcome:1)) AND (iufname:"Bob Smith")

   For more information on taxonomy, see Sentinel Taxonomy.

4. Click to view the events that match the specified criteria.

3.4.3 View Events from Two Subnets and Share the Filter with Network Administrators

Select the subnets:

1. In > , select .
2. In > , specify the subnet, for example, 172.17.0.0/16.
3. Repeat the above two steps to specify the other subnet.
4. The events must come from either of the subnets. Therefore, select as the condition.
5. Click to view the events that match the specified criteria.

The filter must be shared with network administrators:

1. In the search results panel, click , then click .
2. Specify an intuitive name and an optional description.
3. From the drop-down list, select , then select .
4. Click .

3.4.4 Find all Events that Include the Words “database” and “service,” and exclude “test”

1. In the > , select .
2. You want to find events that include the words “database” and “service,” and exclude “test.” Therefore, in , specify the following:
   - In the field, specify database service.
   - In the field, specify test.

   NOTE: If you are familiar with the search query syntax, you can directly specify the query in the field as follows:

   _data:(database AND service) NOT _data:test

   The _data field allows you to search for words that might appear in any event field. For more information, see The Default Search Field in Section A.0, Search Query Syntax.

3. Click to view the events that match the specified criteria.
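To show what the three query strings in the notes above actually select, here is a small evaluator added as an illustration; it is not Sentinel's code, and the events it searches are constructed sample records with the field names from the queries (rv29, sev, xdas*, iufname), not data from the page. It handles the Lucene-style subset the queries use (field:value terms, a trailing * wildcard, an inclusive [a TO b] range, a quoted phrase, a field-scoped group such as _data:(...), and AND / OR / NOT with OR binding loosest) and is assumed behaviour, not the product's exact matching rules.

```python
import re

# Constructed sample events using the field names from the page's queries.
FIELDS = ("rv29", "sev", "iufname", "xdasclass", "xdasid", "xdasoutcome", "msg")
ROWS = [("ChinaBeijing", "4", "Bob Smith", "2", "0", "1", "login denied, account disabled"),
        ("Berlin", "5", "Alice", "2", "0", "0", "database service started"),
        ("ChinaShanghai", "2", "Bob Smith", "4", "1", "0", "database service test run")]
EVENTS = [dict(zip(FIELDS, row)) for row in ROWS]
TOKEN_RE = re.compile(r'\(|\)|\[[^\]]*\]|"[^"]*"|[^\s()\[\]"]+')

def field_match(event, field, value):  # '_data' is the default field spanning every value
    hay = " ".join(event.values()) if field == "_data" else event.get(field, "")
    hay, value = hay.lower(), value.lower()
    if value.startswith("["):                         # inclusive range, e.g. [3 TO 5]
        lo, hi = value[1:-1].split(" to ")
        return hay != "" and float(lo) <= float(hay) <= float(hi)
    if value.startswith('"'):                         # quoted phrase, e.g. "Bob Smith"
        return value[1:-1] in hay
    pattern = re.escape(value).replace(r"\*", ".*")   # trailing * wildcard, e.g. china*
    return any(re.fullmatch(pattern, word) for word in hay.split())

def parse_or(toks, field):                            # OR has the lowest precedence
    node = parse_and(toks, field)
    while toks and toks[0] == "OR":
        toks.pop(0)
        node = (lambda l, r: lambda e: l(e) or r(e))(node, parse_and(toks, field))
    return node
def parse_and(toks, field):                           # "a NOT b" reads as "a AND NOT b"
    node = parse_term(toks, field)
    while toks and toks[0] in ("AND", "NOT"):
        if toks[0] == "AND":
            toks.pop(0)
        node = (lambda l, r: lambda e: l(e) and r(e))(node, parse_term(toks, field))
    return node
def parse_term(toks, field):
    tok = toks.pop(0)
    if tok == "NOT":
        return (lambda inner: lambda e: not inner(e))(parse_term(toks, field))
    if tok == "(":
        inner = parse_or(toks, field)
        assert toks.pop(0) == ")", "unbalanced parentheses"
        return inner
    if tok.endswith(":"):                             # field:(group), field:"phrase", field:[range]
        return parse_term(toks, tok[:-1])
    f, _, v = tok.partition(":") if ":" in tok else (field, "", tok)
    return lambda e: field_match(e, f, v)

def run(query, events=EVENTS):  # indexes of the sample events that the query matches
    pred = parse_or(TOKEN_RE.findall(query), "_data")
    return [i for i, e in enumerate(events) if pred(e)]
```

Running the three queries from the notes against the sample events returns only the Beijing event for the severity query, only the "Bob Smith" failed/successful login event for the taxonomy query, and only the event whose text has "database" and "service" but not "test" for the _data query.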