Events


Overview

The Events page is a search engine for investigating network activity. The DefenseStorm GRID displays any activity that generates a log as an event, whether that activity originates on your network or within the GRID itself. For example, when someone attempts to log in to their account you receive an event, and when a DefenseStorm trigger fires you also receive an event. Search queries can be as simple or as complex as you need, using any one of the search methods explained in this article or a combination of them. 

Types

Types of Events

There are three types of events that display in the UI: log, alert, and system events. 

  • Log events are generated through the DVM each time an activity that produces log information is performed on your network. 
  • An alert event (also called an alert derivative) is generated each time an alert is triggered. 
  • System events are created each time an action is performed on the DefenseStorm GRID side.  


Log Events

The DVM takes every log generated by network activity and turns it into a searchable event that is displayed in the console. These events can be used to create incidents, alerts, triggers, and charts. For a list of the most common and relevant event fields, see the FAQ article Event Fields.

Alert Derivatives (alert events)

Alert derivatives let alerts themselves be searched for, alerted on, and monitored through the Events page. This event type is a composite of all the log events that triggered the alert.

For example, suppose a trigger runs the query geo_dest.country:china, and two users, Angela and Andrew, connected to a Chinese server in a given hour. The alert event that matched geo_dest.country:china would carry both hostname:"Angela's PC" and hostname:"Andrew's PC". A search in the console for hostname:"Angela's PC" geo_dest.country:china would then return both the log event that caused the alert to fire and the alert event itself.

Using Alert Derivatives

Alert derivatives give you one simple, central place to view alerts: the alert event appears alongside the log events on the Events page. When searching events, alert events can be included or excluded with the term defensestorm_type:alert. 


Excluding alert events from queries

To exclude alert events from your search query, add the following negated term:  

-defensestorm_type:alert

Alert Event Fields

In addition to all log event fields, alert events also contain the following:

  • timestamp - the beginning of the interval that was alerted upon
  • defensestorm_type - always "alert"
  • email - the email addresses that were notified of this alert
  • trigger_name - the user-friendly name of the trigger
  • trigger_id - the internal GUID of the trigger
  • trigger_query - the query string for the trigger
  • trigger_interval - the number of seconds in each trigger interval
  • severity - high/medium/low, copied from the trigger
  • event_count - number of hits in the search that fired the trigger

The following fields from the original log events are not copied into the alert event (the alert event's own timestamp and event_count, listed above, are set by the trigger rather than taken from any individual log event):

  • message
  • timestamp
  • ingest_timestamp
  • event_count
  • unparsed_expanded_message
  • unparsed_message
  • raw_message
  • praesidio_parse_nanos
  • percolator_tag

System Events

In addition to collecting log data for activity on your network, the GRID also records log data for actions performed within DefenseStorm itself, for example when a new asset is created or a new task schedule is created.  

USE CASE 1: Joe wants an alert whenever the system updates an asset, for example when a new IP address is assigned to a new asset.

Query: app_name:"DefenseStorm Audit" category:asset action:"assignedIp"
Trigger Threshold: 1
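The following is an added example, not DefenseStorm's own code, that models in Python how a trigger evaluates its query over a window of events, builds the composite alert derivative described above (trigger fields added, the listed log fields left out, the remaining fields merged so that both hostnames survive), and how that alert event is then found or excluded by later searches such as -defensestorm_type:alert. It covers both the geo_dest.country:china example and the "DefenseStorm Audit" asset use case just shown. The field names are the article's; the trigger shape, the sample events, the GUID, and the tiny query evaluator (which ANDs all terms, whereas Elasticsearch's real query_string defaults to OR) are assumptions made for illustration.

```python
# Added example, not DefenseStorm's code: trigger evaluation, alert-derivative
# construction, and searching log and alert events together.
# Field names follow the article; the trigger shape, sample events, GUID and
# query evaluator are assumptions for illustration.
import re

# Log-event fields the article says are NOT duplicated into the alert event.
NOT_COPIED = {
    "message", "timestamp", "ingest_timestamp", "event_count",
    "unparsed_expanded_message", "unparsed_message", "raw_message",
    "praesidio_parse_nanos", "percolator_tag",
}

# Constructed sample events (not real data); the last one is a GRID system event.
LOG_EVENTS = [
    {"timestamp": "2024-05-01T10:05:00Z", "defensestorm_type": "log",
     "hostname": "Angela's PC", "geo_dest.country": "china",
     "message": "outbound 10.0.0.5 -> 203.0.113.7:443", "raw_message": "..."},
    {"timestamp": "2024-05-01T10:20:00Z", "defensestorm_type": "log",
     "hostname": "Andrew's PC", "geo_dest.country": "china",
     "message": "outbound 10.0.0.9 -> 203.0.113.8:443", "raw_message": "..."},
    {"timestamp": "2024-05-01T10:30:00Z", "defensestorm_type": "log",
     "hostname": "Angela's PC", "geo_dest.country": "germany",
     "message": "outbound 10.0.0.5 -> 198.51.100.2:443", "raw_message": "..."},
    {"timestamp": "2024-05-01T10:40:00Z", "defensestorm_type": "log",
     "app_name": "DefenseStorm Audit", "category": "asset",
     "action": "assignedIp", "message": "asset 42 assigned 10.0.0.77"},
]

# Constructed triggers; the GUID is made up.
CHINA_TRIGGER = {
    "trigger_name": "Traffic to China", "trigger_query": "geo_dest.country:china",
    "trigger_id": "0d4f6c6e-0000-4000-8000-000000000001",
    "trigger_interval": 3600, "severity": "medium", "threshold": 1,
    "email": ["soc@example.com"],
}
ASSET_TRIGGER = dict(
    CHINA_TRIGGER, trigger_name="Asset assigned IP",
    trigger_query='app_name:"DefenseStorm Audit" category:asset action:"assignedIp"')

# Simplified query-string evaluator: field:value or field:"quoted value" terms,
# a leading '-' negates, and every term must match (real Elasticsearch
# query_string defaults to OR between terms; AND is assumed here for brevity).
_TERM = re.compile(r'(-?)([\w.]+):(?:"([^"]*)"|(\S+))')

def parse_query(query):
    """Return (negated, field, value) tuples for each term in the query."""
    return [(m.group(1) == "-", m.group(2),
             m.group(3) if m.group(3) is not None else m.group(4))
            for m in _TERM.finditer(query)]

def matches(event, query):
    """True if every term matches; multi-valued fields match on any value."""
    for negate, field, value in parse_query(query):
        present = event.get(field)
        values = present if isinstance(present, list) else [present]
        if (value in values) == negate:   # miss on a positive term, or hit on a negated one
            return False
    return True

def search(events, query):
    return [e for e in events if matches(e, query)]

def build_alert_event(trigger, hits, interval_start):
    """Composite alert derivative: trigger fields plus every non-excluded field
    of every hit, merged into multi-valued lists (so both hostnames survive)."""
    alert = {"timestamp": interval_start, "defensestorm_type": "alert",
             "event_count": len(hits)}
    for key in ("email", "trigger_name", "trigger_id", "trigger_query",
                "trigger_interval", "severity"):
        alert[key] = trigger[key]
    for hit in hits:
        for field, value in hit.items():
            if field in NOT_COPIED or field == "defensestorm_type":
                continue
            merged = alert.setdefault(field, [])
            if value not in merged:
                merged.append(value)
    return alert

def evaluate_trigger(trigger, events, interval_start):
    """Return the alert event if the hit count reaches the threshold, else None."""
    hits = search(events, trigger["trigger_query"])
    if len(hits) < trigger["threshold"]:
        return None
    return build_alert_event(trigger, hits, interval_start)

if __name__ == "__main__":
    alert = evaluate_trigger(CHINA_TRIGGER, LOG_EVENTS, "2024-05-01T10:00:00Z")
    everything = LOG_EVENTS + [alert]
    print(alert["hostname"])                                                      # both PCs
    print(len(search(everything, 'hostname:"Angela\'s PC" geo_dest.country:china')))  # 2
    print(len(search(everything, "-defensestorm_type:alert")))                   # 4 log events
```

Running the script shows the two behaviours the article describes: the alert event lists both hostnames, so a search for Angela's PC against China returns her log event plus the alert event (2 hits), while -defensestorm_type:alert drops the alert and leaves only the four log events. Evaluating ASSET_TRIGGER over the same window fires once on the constructed "DefenseStorm Audit" event with event_count 1.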

Searching

Searching Events

When searching events, the default time range is 'Last Hour', which fetches the most recent data each time the page refreshes. Note that this can change both the event data and the overall count when you alter search parameters. To freeze the data timeline, use the bars in the event graph. DefenseStorm provides several methods for searching through events; they can be used on their own or combined for the most specific results. 

Freezing Search Timeframe 

Freezing the timeframe works when utilizing any of the search methods, and allows you to keep the same data while altering search parameters, filters, aggregation, etc. 

  1. Enter desired search
  2. (optional) Use the 'During' field to get a close match to your desired data timeframe
  3. Move the bars in the graph to the exact timeframe

The data timeframe is now frozen and any changes made to the search parameters do not default to the most recent data, but adhere to the event graph selection. 

Ways to Search Events

  • Query Syntax
  • Duration Calendar
  • Event Spike
  • Filter Options
  • Aggregation

Query Syntax 

The DefenseStorm Events page uses the syntax of Elasticsearch "query string" queries. For details on the query syntax, see the article DefenseStorm Query Syntax. For help, select the question-mark icon to the right of the search bar.

Duration Calendar

The DefenseStorm Events page provides a calendar to narrow events down by time frame. If you want all events for a specific day, open the During drop-down to update the calendar. The calendar also lets you select a shorter relative time frame, such as Last Hour or Last 3 Hours. 

Event Spike

The Events page displays a graph of all ingested log events over the selected time frame. If the graph shows a suspicious spike, drag the bars to display only the events within that spike. 

Filter Options

The DefenseStorm Events page also lets you search by filtering: drill down through the filters and select the desired checkboxes to display only the associated events.

Aggregation

The Aggregate feature groups events by the values of one or two fields before they are displayed, so you see one row per distinct value (or value pair) with its event count instead of every individual event. This greatly reduces the number of events on screen, which makes results faster to return and easier to read.

  1. Enter a primary Aggregate field.
  2. The events are then grouped by that field; in the example screenshot, the primary aggregate field is account_domain.

    From here you can either select one of the displayed account domains, or add a secondary field to narrow the displayed domain events further.

    The default view when both a primary and a secondary field are in use is the Spreadsheet view. To simplify the view, select Compound from the View drop-down list. The Compound view shows the relationship between the values of your two aggregate fields by listing them side by side with their associated event count.
  3. Select the desired result to view its events.
    Once you click a compound result, in this example account_domain:postilionoffice and user_domain:postilionoffice, a filter is applied to all events and the 56 matching events display. 

Saving a search

Saving your search lets you reuse every method of searching without filling in the fields again. For example, if you used a combination of Aggregation and Query Syntax, saving the search lets you select it later without reapplying the primary/secondary aggregate fields and the search query. The option to save your search is in the top right of the event graph.

To view all previously saved searches, select Saved Searches from the top navigation of the Events page.

The Saved Searches page lists all previously saved searches. To edit a search, click its name and the Edit window displays. To view all associated events, select the magnifying glass at the far right of the saved search name. If the saved search includes an aggregate, copying its query into the Events search bar does not apply the aggregate; you must click the magnifying glass to view the full event list with the aggregate applied.

Saving an Aggregate Search

The following table lists out the rules for saving searches when aggregation has been utilized. 


Event Field    Event Type    Notes
*message       Text          You can't aggregate on *message fields. They are stored as type text in Elasticsearch rather than keyword, which makes fuzzy matching easy but aggregation impractical.
unparsed       Text          Stored as text; cannot be used as an aggregate field.
subject        Text          Stored as text; cannot be used as an aggregate field.
*_location     Text          Stored as text; cannot be used as an aggregate field.
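The following is an added example, not DefenseStorm's own code, that models in Python the Aggregation steps described earlier (grouping by a primary field, then by a primary and secondary field to produce the value-pair rows with counts that the Compound view shows, and the field:value filter applied when you click a row) together with the rule in the table above: fields stored as Elasticsearch text (the *message, unparsed, subject and *_location patterns) are refused as aggregate fields. The sample events and the quoting rule for the clicked-row filter are assumptions made for illustration.

```python
# Added example, not DefenseStorm's code: primary/secondary aggregation with
# Compound-style rows, plus rejection of text-typed fields.
# Sample events and the filter quoting rule are assumptions for illustration.
from collections import Counter
from fnmatch import fnmatch

# Field-name patterns the table lists as type text (not keyword) in Elasticsearch.
TEXT_FIELD_PATTERNS = ("*message", "unparsed", "subject", "*_location")

def is_aggregatable(field):
    """False for any field whose name matches a text-typed pattern."""
    return not any(fnmatch(field, pattern) for pattern in TEXT_FIELD_PATTERNS)

def aggregate(events, primary, secondary=None):
    """Count events per primary value, or per (primary, secondary) pair.
    Events lacking a field are counted under None rather than dropped, so the
    row counts still add up to the number of events searched."""
    for field in (primary, secondary):
        if field is not None and not is_aggregatable(field):
            raise ValueError(f"cannot aggregate on text field {field!r}")
    fields = (primary,) if secondary is None else (primary, secondary)
    return Counter(tuple(event.get(f) for f in fields) for event in events)

def compound_filter(fields, row):
    """The field:value terms applied when you click a Compound-view row.
    Values containing whitespace are double-quoted (query-string syntax)."""
    terms = []
    for field, value in zip(fields, row):
        text = str(value)
        terms.append(f'{field}:"{text}"' if " " in text else f"{field}:{text}")
    return " ".join(terms)

# Constructed sample events (not real data): a handful of authentication logs.
EVENTS = (
    [{"account_domain": "corp", "user_domain": "corp", "message": "logon ok"}] * 4
    + [{"account_domain": "corp", "user_domain": "lab", "message": "logon ok"}] * 2
    + [{"account_domain": "lab", "user_domain": "lab", "message": "logon failed"}] * 3
    + [{"account_domain": "lab", "message": "service started"}]   # no user_domain
)

if __name__ == "__main__":
    fields = ("account_domain", "user_domain")
    for row, count in aggregate(EVENTS, *fields).most_common():
        print(count, compound_filter(fields, row))
    try:
        aggregate(EVENTS, "message")        # refused: *message is a text field
    except ValueError as exc:
        print(exc)
```

The script prints one line per Compound row (count followed by the filter that selecting that row would apply), with the event lacking user_domain surfacing as a row keyed on None so that the totals match the search; attempting to aggregate on message raises the same objection the table states.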



Additional Functionality

Create a new Incident

If the results of an event search are something you would like to further investigate, or send to TRAC, you can create a new incident directly from the Events page. Select Incident > New Incident. This displays the New Incident window where you fill-in the desired fields, and select Create to complete. 

Create a Trigger

To receive an alert the next time an event matching your search parameters comes through the console, create a Trigger. Select Trigger within the events page. This takes you to the Alert > Trigger page where you fill-in desired fields, and select Save to complete. 

Create a Classifier

If the results of your search parameters are something you would like to modify using metadata, create a classifier. Select Classifier from the Events page. This takes you to the Events > Classifier page where you fill-in desired fields, and select Save to complete. 

Download a CSV

Exporting a CSV from the main Events page downloads the first 10,000 matching event results. The CSV export includes every event matching your current search parameters, so to export fewer events, narrow your search first (you can export at any stage of searching), or select the checkboxes of individual events for an even more specific list.