Events

The Events page is a search engine for investigating network activity. The DefenseStorm GRID displays any activity that generates a log as an event, whether that activity originates on your network or in the GRID itself. For example, when someone attempts to log in to an account, you receive an event; when a DefenseStorm trigger fires, you also receive an event. Search queries can be as simple or as complex as you need, using any one or a combination of the search methods explained in this article.

Types of Events

There are three types of events displayed in the UI: log, alert, and system events.

  • Log events are generated through the DVM each time network activity produces log information.
  • An alert event, also called an alert derivative, is generated each time an alert is triggered.
  • System events are created each time an action is performed on the DefenseStorm GRID side.


Log Events

The DVM takes every log generated by network activity and creates a searchable event for it, which is displayed through the console. These events can be used to create incidents, alerts, triggers, and charts. For a list of the most common and relevant event fields, see the FAQ article Event Fields.

Alert Derivatives (alert events)

Alert derivatives allow alerts to be searched for, alerted on, and monitored through the Events page. An alert event is a composite of all the log events that triggered the alert.

For example, suppose a trigger query is geo_dest.country:china, and two users, Angela and Andrew, each connected to a Chinese server in a given hour. The alert event for geo_dest.country:china would contain both hostname:"Angela's PC" and hostname:"Andrew's PC". A console search for hostname:"Angela's PC" geo_dest.country:china would then return both the log event that caused the alert to fire and the alert event itself.

Using Alert Derivatives

Alert derivatives give you a centralized, simple way to view alerts, because each alert is itself an event. When searching events, alert events can be included or excluded by using the field defensestorm_type:alert.


Excluding alert events from queries

To exclude alert events from a search query, add the following negated term:

-defensestorm_type:alert

Alert Event Fields

In addition to all log event fields, alert events also contain the following:

  • timestamp - the beginning of the interval that we alerted upon
  • defensestorm_type - always "alert"
  • email - the email addresses that were informed of this alert
  • trigger_name - the user-friendly name of the trigger
  • trigger_id - the internal GUID of the trigger
  • trigger_query - the query string for the trigger
  • trigger_interval - the number of seconds in each trigger interval
  • severity - high/medium/low, copied from the trigger
  • event_count - number of hits in the search that fired the trigger

The following information from the original log events is not copied into the alert event (the alert event carries its own timestamp and event_count, as described above, rather than the values of the matched events):

  • message
  • timestamp
  • ingest_timestamp
  • event_count
  • unparsed_expanded_message
  • unparsed_message
  • raw_message
  • praesidio_parse_nanos
  • percolator_tag

System Events

In addition to collecting log data for activity on your network, DefenseStorm also records activity performed by the DefenseStorm GRID itself, for example when a new asset is created or a new task schedule is created.

USE CASE 1: Joe wants an alert whenever the system updates an asset, for example when a new IP address is assigned to a new asset.

Query: app_name:"DefenseStorm Audit" category:asset action:"assignedIp"
Trigger Threshold: 1
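The behaviour described above, worked through as an added example that is not DefenseStorm code: a trigger is evaluated over one interval, the matched log events are composed into an alert derivative following the Alert Event Fields rules (alert-only fields added, the listed fields never copied, the remaining fields merged), and the combined log-plus-alert set is then searched with and without -defensestorm_type:alert. It also runs the Use Case 1 query with a threshold of 1. Only the query-string subset used on this page is implemented (whitespace-separated field:value terms with implicit AND, double-quoted values, a leading "-" to negate a term); the sample events, trigger GUIDs, e-mail address, exact-string value comparison, and the absence of a defensestorm_type field on plain log events are all assumptions made for the example.

```python
"""Alert derivatives and the Events-page query syntax, modelled in Python.

Added example, not DefenseStorm code. Supports only whitespace-separated
field:value terms (implicit AND), double-quoted values and a leading "-"
that negates a term; dotted names such as geo_dest.country are flat keys
and values compare as exact strings. OR, wildcards, ranges and grouping
are not implemented. Every event, trigger, GUID and address is constructed.
"""
import re
from collections import defaultdict

# Fields the page lists as never copied from the matched log events.
NOT_COPIED = {
    "message", "timestamp", "ingest_timestamp", "event_count",
    "unparsed_expanded_message", "unparsed_message", "raw_message",
    "praesidio_parse_nanos", "percolator_tag",
}

# One term: optional "-", a field name, ":", then a quoted or a bare value.
TERM_RE = re.compile(r'(-?)([\w.]+):("(?:[^"\\]|\\.)*"|\S+)')

def parse_query(query):
    """Return (negated, field, value) triples, one per term, quotes stripped."""
    terms = []
    for neg, field, value in TERM_RE.findall(query):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        terms.append((neg == "-", field, value))
    return terms

def matches(event, query):
    """True when every term holds. A list-valued field (an alert event that
    merged several hostnames) matches when any element equals the value."""
    for negated, field, value in parse_query(query):
        stored = event.get(field)
        candidates = stored if isinstance(stored, list) else [stored]
        hit = any(c is not None and str(c) == value for c in candidates)
        if hit == negated:  # a positive term missed, or a negated term hit
            return False
    return True

def search(events, query):
    return [e for e in events if matches(e, query)]

def build_alert_event(trigger, interval_start, hits, emails):
    """Compose the alert derivative: every field of every hit except NOT_COPIED,
    kept as a list where the hits disagree, plus the alert-only fields
    (timestamp = start of the interval, event_count = number of hits)."""
    merged = defaultdict(list)
    for hit in hits:
        for field, value in hit.items():
            if field not in NOT_COPIED and value not in merged[field]:
                merged[field].append(value)
    alert = {f: (v[0] if len(v) == 1 else v) for f, v in merged.items()}
    alert.update({
        "timestamp": interval_start, "defensestorm_type": "alert", "email": emails,
        "trigger_name": trigger["name"], "trigger_id": trigger["id"],
        "trigger_query": trigger["query"], "trigger_interval": trigger["interval"],
        "severity": trigger["severity"], "event_count": len(hits),
    })
    return alert

def evaluate_trigger(trigger, events, interval_start, emails):
    """Run one interval; return an alert event once hits reach the threshold."""
    end = interval_start + trigger["interval"]
    hits = [e for e in events
            if interval_start <= e["timestamp"] < end and matches(e, trigger["query"])]
    return build_alert_event(trigger, interval_start, hits, emails) \
        if len(hits) >= trigger["threshold"] else None

# Constructed log events (epoch seconds) inside one hour starting at T0.
T0 = 1_700_000_000
LOG_EVENTS = [
    {"timestamp": T0 + 100, "hostname": "Angela's PC", "user_name": "angela",
     "geo_dest.country": "china", "message": "outbound 443", "raw_message": "proxy allow"},
    {"timestamp": T0 + 900, "hostname": "Andrew's PC", "user_name": "andrew",
     "geo_dest.country": "china", "message": "outbound 22", "raw_message": "fw allow"},
    {"timestamp": T0 + 1000, "hostname": "Angela's PC", "user_name": "angela",
     "geo_dest.country": "us", "message": "outbound 443", "raw_message": "proxy allow"},
    {"timestamp": T0 + 2000, "app_name": "DefenseStorm Audit", "category": "asset",
     "action": "assignedIp", "asset_name": "web-01", "message": "assignedIp 10.0.0.5"},
]
CHINA_TRIGGER = {"id": "11111111-2222-4333-8444-555555555555", "name": "Traffic to China",
                 "query": "geo_dest.country:china", "interval": 3600, "threshold": 1,
                 "severity": "high"}
ASSET_TRIGGER = {"id": "66666666-7777-4888-8999-aaaaaaaaaaaa", "name": "Asset IP assigned",
                 "query": 'app_name:"DefenseStorm Audit" category:asset action:"assignedIp"',
                 "interval": 3600, "threshold": 1, "severity": "low"}

def demo():
    """Fire both triggers over the hour, then search logs and alerts together."""
    alerts = [a for a in (evaluate_trigger(t, LOG_EVENTS, T0, ["soc@example.com"])
                          for t in (CHINA_TRIGGER, ASSET_TRIGGER)) if a]
    events = LOG_EVENTS + alerts
    angela = 'hostname:"Angela\'s PC" geo_dest.country:china'
    return {
        "alerts": alerts,
        "angela_with_alert": search(events, angela),  # Angela's log event + the alert
        "angela_logs_only": search(events, "-defensestorm_type:alert " + angela),
        "alerts_only": search(events, "defensestorm_type:alert"),
    }
```

Running demo() shows the two sides of the alert-derivative design: the composite alert carries hostname as a list of both machines and an event_count of 2 but no message or raw_message, so a search on Angela's hostname and the country returns her log event and the alert, while prefixing -defensestorm_type:alert narrows that to the log event alone.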

Searching Events

DefenseStorm provides several methods for searching through events. These methods can be used on their own or combined for more specific results. The methods of searching are:

  • Query Syntax
  • Time frame
  • Event spike
  • Filter options
  • Aggregation

Query Syntax 

The DefenseStorm Events page follows the syntax of the Elasticsearch "Query String Query". For details, see the article DefenseStorm Query Syntax. For help while searching, select the question mark icon to the right of the search bar.

Time Frame

The DefenseStorm Events page provides a calendar to narrow events down by time frame. If you want all events for a specific day, select the During drop-down to update the calendar. The calendar also lets you select a shorter time frame, such as Last Hour or Last 3 Hours.


Event Spike

The Events page displays a graph of all ingested log events. If you see a suspicious spike in the graph, drag across its bars to display only the events associated with that spike.


Filter Options

The DefenseStorm Events page also lets you search by filtering. Drill down through the filters and select the desired checkboxes to display only the associated events.


Aggregation

The Aggregate feature groups your events before searching, which greatly reduces the number of events displayed and improves result speed and accuracy.

  1. Enter an Aggregate field.
  2. In the screenshot below, the events have been grouped by the primary aggregate field, account_domain.

    From here you can either select one of the displayed account domains, or add a secondary field to further narrow down the displayed domain events.


    The default view when both the primary and secondary fields are used is the Spreadsheet view (as shown above). To simplify the view, select Compound from the View drop-down list. The Compound view makes the relationship between the values of your two aggregate fields easier to see by displaying them side by side with their associated event count.
  3. Select the desired result to view its events.
    Once you click the desired compound result, in this example account_domain:postilionoffice and user_domain:postilionoffice, a filter is applied to all events and the 56 matching events display.
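The grouping that the Aggregate feature performs, modelled as an added example that is not DefenseStorm code. It groups a handful of constructed events by a primary field, then by a primary and secondary field, produces the rows the Compound view lists side by side with their counts, and applies a chosen row as a filter the way clicking it does in the UI. The field names account_domain and user_domain come from the page; the events, counts and function names are assumptions made for the example.

```python
"""The Events page Aggregate feature, modelled in Python.

Added example, not DefenseStorm code. Events are counted per primary field
value, or per (primary, secondary) pair; the pairs are the rows shown by the
Compound view, and selecting a row becomes a filter on the events.
"""
from collections import Counter

# Constructed sample events using the page's field names; the last one has no
# user_domain, so it lands in a None bucket rather than being dropped.
EVENTS = [
    {"account_domain": "postilionoffice", "user_domain": "postilionoffice", "user_name": "angela"},
    {"account_domain": "postilionoffice", "user_domain": "postilionoffice", "user_name": "andrew"},
    {"account_domain": "postilionoffice", "user_domain": "postilionoffice", "user_name": "angela"},
    {"account_domain": "postilionoffice", "user_domain": "contractor", "user_name": "tmp-vendor"},
    {"account_domain": "branch", "user_domain": "branch", "user_name": "joe"},
    {"account_domain": "branch", "user_name": "svc-backup"},
]

def aggregate(events, primary, secondary=None):
    """Count events per primary value, or per (primary, secondary) pair."""
    if secondary is None:
        return Counter(e.get(primary) for e in events)
    return Counter((e.get(primary), e.get(secondary)) for e in events)

def compound_view(events, primary, secondary):
    """Rows of (primary value, secondary value, count), largest buckets first."""
    counts = aggregate(events, primary, secondary)
    return sorted(((p, s, n) for (p, s), n in counts.items()),
                  key=lambda row: (-row[2], str(row[0]), str(row[1])))

def select_result(events, primary, pvalue, secondary=None, svalue=None):
    """Apply a chosen aggregate row as a filter, as clicking it does in the UI."""
    return [e for e in events
            if e.get(primary) == pvalue
            and (secondary is None or e.get(secondary) == svalue)]

def cross_domain_rows(events):
    """Compound rows whose user_domain differs from account_domain: the kind of
    mismatch (a user from one domain logging into another's accounts, or an
    event with no user domain at all) that the side-by-side view exposes."""
    return [row for row in compound_view(events, "account_domain", "user_domain")
            if row[0] != row[1]]
```

With the constructed data, the primary aggregate gives postilionoffice 4 and branch 2; adding user_domain splits postilionoffice into a (postilionoffice, postilionoffice) row of 3 and a (postilionoffice, contractor) row of 1, and cross_domain_rows surfaces that contractor login and the event with no user_domain.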

Saving a search

Saving a search lets you reuse every method of searching without filling in the fields again. For example, if you used a combination of aggregation and query syntax, saving the search lets you select it later without reapplying the primary and secondary aggregate fields or the query. The option to save your search is at the top right of the event graph.


To view all previously saved searches, select Saved Searches from the top navigation of the Events page. 

The Saved Searches page displays the name of your search, the date it was created, and gives you the option to edit your search. Selecting a search takes you to the Events page and applies the saved search parameters.

Create a new Incident

If the results of an event search warrant further investigation, or you want to send them to TRAC, you can create a new incident directly from the Events page. Select Incident > New Incident. This opens the New Incident window, where you fill in the desired fields and select Create to complete.


Create a Trigger

To receive an alert the next time an event matching your search parameters comes through the console, create a trigger. Select Trigger on the Events page. This takes you to the Alert > Trigger page, where you fill in the desired fields and select Save to complete.


Create a Classifier

If you want to enrich the events matching your search parameters with metadata, create a classifier. Select Classifier on the Events page. This takes you to the Events > Classifier page, where you fill in the desired fields and select Save to complete.


Download a CSV

If you export a CSV from the main Events page, it downloads the first 10,000 event results. To export fewer events, export the CSV at any stage of narrowing your search, or select the checkboxes next to specific events for an even more defined list. The CSV option exports every event matching your search parameters, subject to that 10,000 limit.