Search for Events

Most organizations receive thousands of events per day. You can search for events to quickly focus on the most important or relevant information you receive.

There are two ways to search for events in the Threat Stack CSP:

  • Keyword and operator search – Use specific keywords and operators to find events that match your search criteria.
  • Date and Time picker – Select specific dates and times within which to find events. By default, the Threat Stack CSP displays events that occurred during the previous six hours.

Keyword and Operator Search

You can search for specific events using keywords in the event metadata, such as user, timestamp, or session identification (ID). You then use an operator to specify the value the keyword must match, such as a username, a specific date and time, or a session ID number.

You can use keywords in two ways:

  • Add metadata from an event to your search query
  • Type keywords into your search query

Add Event Metadata to Your Search Query

The Threat Stack CSP helps you quickly add event metadata to a search query. This allows you to find other events that occurred on the same server IP address, at the same date and time, or by the same user, among other options.

Note

The Threat Stack CSP translates some metadata field names to other information in the search query. This is a result of the event normalization that occurs when events are ingested by the Threat Stack CSP. The following event metadata field names change in the search query:

  • server changes to agent_id (Audit, FIM, Linux Host, Login, ThreatIntel) or profile_id (CloudTrail)
  • PID changes to pid
  • PPID changes to ppid

  1. Log into the Threat Stack CSP.
  2. Click the Events tab. The Events screen displays.
  3. Find the event you want to use as the basis for your search.
  4. Next to the field you want to add to your search query, click the Expand button. The + Add to search menu displays.
  5. Click + Add to search. The Threat Stack CSP adds the metadata to the search query field.
  6. Repeat steps four and five for any other metadata you want to add to the search query. For more information on creating a usable search query, see Supported Keys and Operators.

Type Keywords into Your Search Query

The Threat Stack CSP matches search criteria to the following keys:

event_type, ip, type, cwd, pid, domain, arguments, port, timestamp, level, ppid, file_size, src_ip, dst_ip, protocol, user, command, exe, src_port, dst_port, agent, group, sigid, filename

The Threat Stack CSP uses the following comparison operators:

=, !=, like, >, <, >=, <=

The Threat Stack CSP also uses the following logical operators:

and, or, &&, ||

For more information, see Supported Keys and Operators.
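As an added example (not Threat Stack's own code, and not an API the CSP exposes), the following Python models the search language exactly as this page describes it: it translates event-metadata field names the way the Note above says the CSP does, appends a field to a query, and checks that a query uses only the listed keys and operators. How the + Add to search button joins clauses is an assumption here (an equality clause joined to the existing query with and), as are the quoting of values and the reading of the page's "groud" as group.

```python
import re

# Keys this page lists as searchable ("groud" on the page read as "group"),
# plus the two keys the Note says the CSP itself writes into queries.
SUPPORTED_KEYS = {
    "event_type", "ip", "type", "cwd", "pid", "domain", "arguments", "port",
    "timestamp", "level", "ppid", "file_size", "src_ip", "dst_ip", "protocol",
    "user", "command", "exe", "src_port", "dst_port", "agent", "group", "sigid",
    "filename", "agent_id", "profile_id",
}
COMPARISON_OPS = {"=", "!=", "like", ">", "<", ">=", "<="}
LOGICAL_OPS = {"and", "or", "&&", "||"}

# Longest operators first so ">=" is not read as ">" followed by "=".
_OPS = "|".join(re.escape(o) for o in sorted(COMPARISON_OPS, key=len, reverse=True))
_CLAUSE = re.compile(rf'^\s*(\w+)\s*({_OPS})\s*("[^"]*"|\S+)\s*$')
_CONNECTOR = re.compile(r"\s+(" + "|".join(map(re.escape, LOGICAL_OPS)) + r")\s+")

def query_key(display_name, event_source):
    """Translate an event-metadata field name to its search-query key (see Note)."""
    if display_name == "server":
        return "profile_id" if event_source == "CloudTrail" else "agent_id"
    return {"PID": "pid", "PPID": "ppid"}.get(display_name, display_name)

def add_to_search(query, display_name, value, event_source="Audit"):
    """Append an event field to a query. Assumption: "+ Add to search" is modelled
    as an equality clause joined to the existing query with "and"."""
    clause = f'{query_key(display_name, event_source)} = "{value}"'
    return f"{query} and {clause}" if query else clause

def parse_query(query):
    """Split a query into (key, op, value) clauses plus the connectors between them.
    Raises ValueError for a malformed clause or a key the page does not list.
    Limitation: a logical operator inside a quoted value is not handled."""
    parts = _CONNECTOR.split(query)
    clauses, connectors = [], []
    for i, part in enumerate(parts):
        if i % 2:                       # odd positions hold the captured connector
            connectors.append(part)
            continue
        m = _CLAUSE.match(part)
        if not m:
            raise ValueError(f"malformed clause: {part!r}")
        key, op, value = m.groups()
        if key not in SUPPORTED_KEYS:
            raise ValueError(f"unsupported key: {key}")
        clauses.append((key, op, value.strip('"')))
    return clauses, connectors
```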

Tip

If you need examples of keywords and operators, then click the Search icon to open the Search Language Tutorial dialog.

Date and Time Picker

The Date and Time picker allows you to select the start and end calendar dates, hours, and minutes within which to display events. By default, the previous six hours of events display. You cannot select a date and time later than the current date and time.

Tip

The Threat Stack CSP retains events for three calendar days.

  1. Log into the Threat Stack CSP.
  2. Click the Events tab. The Events screen displays.
  3. Click the Date and Time picker. The Date and Time picker dialog displays.
  4. On the calendar, click the start date for the filter. Available dates display in black font.
  5. Click the end date for the filter. To display events for only one day, click the same day twice.
  6. To select the time, do one of the following:
    • To select a predetermined time window:
      1. Click the Quick Jump link. Several specific time frames display.
      2. Click a time frame button.
      3. Click the Apply button. The start and end times change to match the selection.
    • To use the Hour and Minute slider bars:
      1. On the left calendar (start), click and drag the HR slider bar until the correct hour displays.
      2. Click and drag the MIN slider bar until the correct minute displays.
      3. On the right calendar (end), click and drag the HR slider bar until the correct hour displays.
      4. Click and drag the MIN slider bar until the correct minute displays.
      5. Click the Apply button. The start and end times change to match the selection.

Search Results

Search results display below your search criteria. By default, the Threat Stack CSP displays all events that occurred during the previous six hours.

There are four key components to search results:

    1. Results Found – The Results Found field displays the total number of events that match your search criteria.
    2. Sort – The Sort field allows you to order your search results from newest to oldest or vice versa. From the drop-down menu, select Ascending (Oldest to Newest) or Descending (Newest to Oldest).
    3. Pages – Page buttons display when more than 50 events match your search criteria. Click a page number button, or the First, Previous, or Next button, to go to a different page of search results.
    4. Event Details – Detailed metadata displays for each event that matches your search criteria. For more information, see All Raw Events Tab > Event Details.

Exceptions for FIM Create, Delete, and Move Events

The Threat Stack Agent depends on inotify to populate FIM events. Due to inotify limitations, Threat Stack cannot provide information about the user that triggers a FIM Create, Delete, or Move event. Additionally, inotify cannot distinguish between events that inotify triggers and events that other processes trigger. As a result, the Threat Stack Linux Host 1.x and 2.x series Agents will not provide the following information for FIM Create, Delete, or Move events:

  • containerID
  • containerImage
  • containerLabel
  • gid
  • group
  • pid
  • ppid
  • session
  • uid
