...

The search feature uses an integrated search query language. With it, you can search all records in the Security Events report using customized queries. The default limit for a search query is 10 returned records; the exceptions are feeds and sources, where the limit is 100. Using the search query options available in the Security Events report, you can:
 
Run a search on any of the available fields listed in the drop-down list next to the Search button. 

  • ACTION
  • CLASS
  • DEVICE IP
  • DEVICE NAME
  • DHCP FINGERPRINT
  • DNS VIEW
  • FEED (limited to a maximum of 100 returned records) 
  • MAC ADDRESS
  • OS VERSION
  • POLICY
  • PROPERTY
  • QUERY
  • QUERY TYPE
  • RESPONSE
  • SOURCE (limited to a maximum of 100 returned records)
  • THREAT CONFIDENCE
  • THREAT LEVEL
  • USER

  • Use the = and NOT (!=) operators.
  • Use AND and OR operators.
  • Use single or double quotes to enter values that contain spaces.
  • Use parentheses to group parts of the search.
  • Use the wildcard symbol (*) as the last character of the search value for a partial match.
  • Use the ENTER key to apply the search.
  • Use the TAB key to autocomplete the search with the first available suggestion.
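To make the query rules above concrete, here is a small interpreter for that syntax run over constructed sample events. This is an added example, not code from this page or from the product: the field names, the = and != operators, AND/OR, quoting, parentheses, the trailing-* prefix match, the N/A placeholder for missing fields and the 10/100 record limits come from the page, while the tokenizer, the precedence (AND binds tighter than OR), case-insensitive matching and the exact way the 10/100 caps are applied are assumptions made for illustration.

```python
"""Interpreter for the Security Events search syntax described above:
FIELD = value, FIELD != value, AND / OR, quoted values with spaces,
parentheses for grouping, and a trailing * for a prefix match.  Added
example, not the product's parser: the grammar, case-insensitive matching
and the way the 10/100 record limits apply are assumptions."""
import re
from typing import Callable, Dict, List, Set, Tuple

Record = Dict[str, str]
FIELDS = {  # searchable fields as the page lists them; some contain spaces
    "ACTION", "CLASS", "DEVICE IP", "DEVICE NAME", "DHCP FINGERPRINT",
    "DNS VIEW", "FEED", "MAC ADDRESS", "OS VERSION", "POLICY", "PROPERTY",
    "QUERY", "QUERY TYPE", "RESPONSE", "SOURCE", "THREAT CONFIDENCE",
    "THREAT LEVEL", "USER"}
_TOKEN_RE = re.compile(r'''\(|\)|!=|=|"[^"]*"|'[^']*'|[^\s()=!"']+''')


def record_limit(fields_used: Set[str]) -> int:
    """Page: 10 records by default, 100 for FEED and SOURCE.  Assumed rule:
    the 100 cap applies only when every referenced field is one of those."""
    return 100 if fields_used and fields_used <= {"FEED", "SOURCE"} else 10


def classify(t: str) -> Tuple[str, str]:
    """Map one raw token to (kind, text); quotes stripped, AND/OR flagged."""
    if t in ("(", ")", "=", "!="):
        return "SYM", t
    if t[0] in "\"'":
        return "QUOTED", t[1:-1]
    return ("KW", t.upper()) if t.upper() in ("AND", "OR") else ("WORD", t)


class Parser:
    """Recursive descent: OR binds loosest, then AND, then a single term."""
    def __init__(self, query: str) -> None:
        self.tokens = [classify(t) for t in _TOKEN_RE.findall(query)]
        self.pos = 0
        self.fields: Set[str] = set()        # referenced fields, for the cap

    def peek(self) -> Tuple[str, str]:
        return self.tokens[self.pos] if self.pos < len(self.tokens) else ("END", "")

    def take(self) -> Tuple[str, str]:
        tok = self.peek()
        self.pos += 1
        return tok

    def or_expr(self) -> Callable[[Record], bool]:
        parts = [self.and_expr()]
        while self.peek() == ("KW", "OR"):
            self.take()
            parts.append(self.and_expr())
        return lambda r: any(p(r) for p in parts)

    def and_expr(self) -> Callable[[Record], bool]:
        parts = [self.term()]
        while self.peek() == ("KW", "AND"):
            self.take()
            parts.append(self.term())
        return lambda r: all(p(r) for p in parts)

    def term(self) -> Callable[[Record], bool]:
        if self.peek() == ("SYM", "("):
            self.take()
            inner = self.or_expr()
            if self.take() != ("SYM", ")"):
                raise ValueError("missing ')'")
            return inner
        words = []                           # field names may span words
        while self.peek()[0] == "WORD":
            words.append(self.take()[1])
        field = " ".join(words).upper()
        (_, op), (kind, value) = self.take(), self.take()
        if field not in FIELDS or op not in ("=", "!=") or kind not in ("WORD", "QUOTED"):
            raise ValueError(f"expected FIELD = value or FIELD != value near {field!r}")
        self.fields.add(field)
        wanted = value.lower()               # matching is case-insensitive here
        if wanted.endswith("*"):             # trailing * means prefix match
            match = lambda s: s.lower().startswith(wanted[:-1])
        else:
            match = lambda s: s.lower() == wanted
        # A record lacking the field shows N/A in the UI, so compare against that.
        hit = lambda r: match(r.get(field, "N/A"))
        return hit if op == "=" else (lambda r: not hit(r))


def search(records: List[Record], query: str) -> List[Record]:
    parser = Parser(query)
    predicate = parser.or_expr()
    if parser.pos != len(parser.tokens):
        raise ValueError(f"unexpected token {parser.peek()[1]!r}")
    return [r for r in records if predicate(r)][:record_limit(parser.fields)]


# Constructed sample events (not real telemetry) to run queries against.
SAMPLE_EVENTS: List[Record] = [
    {"ACTION": "Block", "CLASS": "MalwareC2DGA", "THREAT LEVEL": "Medium",
     "DEVICE NAME": f"lab-pc-{i:02d}", "FEED": "Base", "SOURCE": "Endpoint"}
    for i in range(12)]
SAMPLE_EVENTS += [
    {"ACTION": "Block", "CLASS": "Phishing", "THREAT LEVEL": "High",
     "DEVICE NAME": "lab pc 99", "FEED": "AntiMalware", "SOURCE": "On-Prem"},
    {"ACTION": "Log", "CLASS": "Phishing",   # THREAT LEVEL not recorded
     "DEVICE NAME": "lab-pc-98", "FEED": "AntiMalware", "SOURCE": "On-Prem"}]
```

With the constructed data, `search(SAMPLE_EVENTS, "ACTION = Block")` matches 13 events but returns 10 because of the default cap, while `search(SAMPLE_EVENTS, "SOURCE = Endpoint")` returns all 12 matches under the 100-record cap; `"(CLASS = Phishing OR THREAT LEVEL = High) AND ACTION = Block"` returns the single "lab pc 99" event, and `"CLASS = Phishing AND THREAT LEVEL != High"` returns only the event whose level is absent, because the missing field is compared as N/A. Values that contain spaces, or that happen to be the words AND or OR, must be quoted, as the page says.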

...

To filter Security Events by specific criteria, select the applicable objects from the following drop-down menus located below the top action menu. The default limit for a search is 10 returned records, except for Feed and Source, which return up to 100:

  • Action: The configured action for the security rule. This can be Allow, Redirect, Block, or Log (limited to a maximum of 10 returned records).
  • Confidence: The threat confidence score assigned to an indicator. The confidence level can be High, Medium, or Low (limited to a maximum of 10 returned records).
  • Feed: The list of threat feeds against which the malicious hit was triggered (limited to a maximum of 100 returned records).
  • Class: The threat intelligence feeds, such as Phishing, MalwareC2DGA, and others (limited to a maximum of 10 returned records).
  • Level: The threat level for the malicious hit. This can be High, Medium, Low, or Info (limited to a maximum of 10 returned records). Note: In some cases, a record may not contain all fields; such fields are shown as N/A in the user interface and as NULL in the API results.
  • Policy: Active security policies (limited to a maximum of 10 returned records).
  • Source: The location of the device within the network infrastructure. For example, the device can be an on-prem appliance or an endpoint device. You can select which records to view by selecting or deselecting from among the options available (limited to a maximum of 100 returned records).
  • Show: Security and activity events can be filtered by choosing an option from the Show drop-down menu (limited to a maximum of 10 returned records).

    Note

    Depending on the availability of data records, not all filter options may be displayed.


...