Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Log Activity Tab Overview

 

An event is a record from a log source, such as a firewall or router device, that describes an action on a network or host.

The Log Activity tab specifies which events are associated with offenses.

You must have permission to view the Log Activity tab.

Log Activity Tab Toolbar

You can access several options from the Log Activity toolbar

Using the toolbar, you can access the following options:

Table 1: Log Activity Toolbar Options

Option

Description

Search

Click Search to perform advanced searches on events. Options include:

  • New Search Select this option to create a new event search.

  • Edit Search Select this option to select and edit an event search.

  • Manage Search Results Select this option to view and manage search results.

Quick Searches

From this list box, you can run previously saved searches. Options are displayed in the Quick Searches list box only when you have saved search criteria that specifies the Include in my Quick Searches option.

Add Filter

Click Add Filter to add a filter to the current search results.

Save Criteria

Click Save Criteria to save the current search criteria.

Save Results

Click Save Results to save the current search results. This option is only displayed after a search is complete. This option is disabled in streaming mode.

Cancel

Click Cancel to cancel a search in progress. This option is disabled in streaming mode.

False Positive

Click False Positive to open the False Positive Tuning window, which will allow you to tune out events that are known to be false positives from creating offenses.

This option is disabled in streaming mode. For more information about tuning false positives, see Tuning False Positives.

Rules

The Rules option is only visible if you have permission to view rules.

Click Rules to configure custom event rules. Options include:

  • Rules Select this option to view or create a rule. If you only have the permission to view rules, the summary page of the Rules wizard is displayed. If you have the permission to maintain custom rules, the Rules wizard is displayed and you can edit the rule.

  • Add Threshold Rule Select this option to create a threshold rule. A threshold rule tests event traffic for activity that exceeds a configured threshold. Thresholds can be based on any data that is collected JSA. For example, if you create a threshold rule indicating that no more than 220 clients can log in to the server between 8 am and 5 pm, the rules generate an alert when the 221st client attempts to log in.

    When you select the Add Threshold Rule option, the Rules wizard is displayed, prepopulated with the appropriate options for creating a threshold rule.

Rules (continued)

  • Add Behavioral Rule Select this option to create a behavioral rule. A behavioral rule tests event traffic for abnormal activity, such as the existence of new or unknown traffic, which is traffic that suddenly ceases or a percentage change in the amount of time an object is active. For example, you can create a behavioral rule to compare the average volume of traffic for the last 5 minutes with the average volume of traffic over the last hour. If there is more than a 40% change, the rule generates a response.

    When you select the Add Behavioral Rule option, the Rules wizard is displayed, prepopulated with the appropriate options for creating a behavioral rule.

Actions

Click Actions to perform the following actions:

  • Show All Select this option to remove all filters on search criteria and display all unfiltered events.

  • Print Select this option to print the events that are displayed on the page.

  • Export to XML > Visible Columns Select this option to export only the columns that are visible on the Log Activity tab. This is the recommended option. See Exporting events.

  • Export to XML > Full Export (All Columns) - Select this option to export all event parameters. A full export can take an extended period of time to complete. See Exporting Events.

  • Export to CSV >Visible Columns Select this option to export only the columns that are visible on the Log Activity tab. This is the recommended option. See Exporting Events.

  • Export to CSV >Full Export (All Columns) - Select this option to export all event parameters. A full export can take an extended period of time to complete. See Exporting Events.

  • Delete Select this option to delete a search result. See Managing Search Results

  • Notify Select this option to specify that you want a notification emailed to you on completion of the selected searches. This option is only enabled for searches in progress.

Note: The Print, Export to XML, and Export to CSV options are disabled in streaming mode and when viewing partial search results.

Search toolbar

  • Advanced Search--Select Advanced Search from the list box to enter an Ariel Query Language (AQL) search string to specify the fields that you want returned.

  • Quick Filter--Select Quick Filter from the list box to search payloads by using simple words or phrases.

View

The default view on the Log Activity tab is a stream of real-time events. The View list contains options to also view events from specified time periods. After you choose a specified time period from the View list, you can then modify the displayed time period by changing the date and time values in the Start Time and End Time fields.

Right-click Menu Options

On the Log Activity tab, you can right-click an event to access more event filter information.

The right-click menu options are:

Table 2: Right-click Menu Options

Option

Description

Filter on

Select this option to filter on the selected event, depending on the selected parameter in the event.

False Positive

Select this option to open the False Positive window, which will allow you to tune out events that are known to be false positives from creating offenses. This option is disabled in streaming mode. See Tuning False Positives.

More options:

Select this option to investigate an IP address or a user name. For more information about investigating an IP address, see Investigating IP addresses.

Note: This option is not displayed in streaming mode.

Quick Filter

Filter items that match, or do not match the selection.

Status Bar

When streaming events, the status bar displays the average number of results that are received per second.

This is the number of results the Console successfully received from the Event processors. If this number is greater than 40 results per second, only 40 results are displayed. The remainder is accumulated in the result buffer. To view more status information, move your mouse pointer over the status bar.

When events are not being streamed, the status bar displays the number of search results that are currently displayed on the tab and the amount of time that is required to process the search results.