Offense Searches

Searching Offenses on the My Offenses and All Offenses Pages

On the My Offenses and All Offenses pages of the Offense tab, you can search for offenses that match your criteria.

The following table describes the search options that you can use to search offense data on the My Offenses and All Offenses pages.

For information about categories, see the Juniper Secure Analytics Administration Guide.

Table 1: My Offenses and All Offenses Page Search Options
Options	Description
Group	This list box allows you to select an offense Search Group to view in the Available Saved Searches list.
Type Saved Search or Select from List	This field allows you to type the name of a saved search or a keyword to filter the Available Saved Searches list.
Available Saved Searches	This list displays all available searches, unless you apply a filter to the list using the Group or Type Saved Search or Select from List options. You can select a saved search on this list to display or edit.
All Offenses	This option allows you to search all offenses regardless of time range.
Recent	This option allows you to select a pre-defined time range you want to filter for. After you select this option, you must select a time range option from the list box.
Specific Interval	This option allows you to configure a custom time range for your search. After you select this option, you must select one of the following options. Start Date between Select this check box to search offenses that started during a certain time period. After you select this check box, use the list boxes to select the dates you want to search. Last Event/Flow between Last Event between Select this check box to search offenses for which the last detected event occurred within a certain time period. After you select this check box, use the list boxes to select the dates you want to search.
Search	The Search icon is available in multiple panes on the search page. You can click Search when you are finished configuring the search and want to view the results.
Offense Id	In this field, you can type the Offense ID you want to search for.
Description	In this field, you can type the description that you want to search for.
Assigned to user	From this list box, you can select the user name that you want to search for.
Direction	From this list box, you can select the offense direction that you want to search for. Options include: Local to Local Local to Remote Remote to Local Remote to Remote Local to Remote or Local Remote to Remote or Local
Source IP	In this field, you can type the source IP address or CIDR range you want to search for.
Destination IP	In this field, you can type the destination IP address or CIDR range you want to search for.
Magnitude	From this list box, you can specify a magnitude and then select to display only offenses with a magnitude that is equal to, less than, or greater than the configured value. The range is 0 - 10.
Severity	From this list box, you can specify a severity and then select to display only offenses with a severity that is equal to, less than, or greater than the configured value. The range is 0 - 10.
Credibility	From this list box, you can specify a credibility and then select to display only offenses with a credibility that is equal to, less than, or greater than the configured value. The range is 0 - 10.
Relevance	From this list box, you can specify a relevance and then select to display only offenses with a relevance that is equal to, less than, or greater than the configured value. The range is 0 - 10.
Contains Username	In this field, you can type a regular expression (regex) statement to search for offenses containing a specific user name. When you define custom regex patterns, adhere to regex rules as defined by the Java programming language. For more information, you can refer to regex tutorials available on the web.
Source Network	From this list box, you can select the source network that you want to search for.
Destination Network	From this list box, you can select the destination network that you want to search for.
High Level Category	From this list box, you can select the high-level category that you want to search for.
Low Level Category	From this list box, you can select the low-level category that you want to search for.
Exclude	The options in this pane allow you to exclude offenses from the search results. The options include: Active Offenses Hidden Offenses Closed Offenses Inactive offenses Protected Offense
Close by User	This parameter is only displayed when the Closed Offenses check box is cleared in the Exclude pane. From this list box, you can select the user name that you want to search closed offenses for or select `Any` to display all closed offenses.
Reason For Closing	This parameter is only displayed when the Closed Offenses check box is cleared in the Exclude pane. From this list box, you can select a reason that you want to search closed offenses for or select Any to display all closed offenses.
Events	From this list box, you can specify an event count and then select to display only offenses with an event count that is equal to, less than, or greater than the configured value.
Flows	From this list box, you can specify a flow count and then select to display only offenses with a flow count that is equal to, less than, or greater than the configured value.
Total Events/Flows Total Events	From this list box, you can specify a total event and flow count and then select to display only offenses with a total event and flow count that is equal to, less than, or greater than the configured value.
Destinations	From this list box, you can specify a destination IP address count and then select to display only offenses with a destination IP address count that is equal to, less than, or greater than the configured value.
Log Source Group	From this list box, you can select a log source group that contains the log source you want to search for. The Log Source list box displays all log sources that are assigned to the selected log source group.
Log Source	From this list box, you can select the log source that you want to search for.
Rule Group	From this list box, you can select a rule group that contains the contributing rule that you want to search for. The Rule list box displays all rules that are assigned to the selected rule group.
Rule	From this list box, you can select the contributing rule that you want to search for.
Offense Type	From this list box, you can select an offense type that you want to search for. For more information about the options in the Offense Type list box, see Table 2.

The following table describes the options available in the Offense Type list box:

Table 2: Offense Type Options
Offense types	Description
Any	This option searches all offense sources.
Source IP	To search for offenses with a specific source IP address, you can select this option, and then type the source IP address that you want to search for.
Destination IP	To search for offenses with a specific destination IP address, you can select this option, and then type the destination IP address that you want to search for.
Event Name	To search for offenses with a specific event name, you can click the Browse icon to open the Event Browser and select the event name (QID) you want to search for. You can search for a particular QID using one of the following options: To search for a QID by category, select the Browse by Category check box and select the high- or low-level category from the list boxes. To search for a QID by log source type, select the Browse by Log Source Type check box and select a log source type from the Log Source Type list box. To search for a QID by log source type, select the Browse by Log Source Type check box and select a log source type from the Log Source Type list box. To search for a QID by name, select the QID Search check box and type a name in the QID/Name field.
Username	To search for offenses with a specific user name, you can select this option, and then type the user name that you want to search for.
Source MAC Address	To search for offenses with a specific source MAC address, you can select this option, and then type the source MAC address that you want to search for.
Destination MAC Address	To search for offenses with a specific destination MAC address, you can select this option, and then type the destination MAC address that you want to search for.
Log Source	From the Log Source Group list box, you can select the log source group that contains the log source you want to search for. The Log Source list box displays all log sources that are assigned to the selected log source group. From the Log Source list box, select the log source that you want to search for.
Host Name	To search for offenses with a specific host name, you can select this option, and then type the host name that you want to search for.
Source Port	To search for offenses with a specific source port, you can select this option, and then type the source port that you want to search for.
Destination Port	To search for offenses with a specific destination port, you can select this option, and then type the destination port that you want to search for.
Source IPv6	To search for offenses with a specific source IPv6 address, you can select this option, and then type the source IPv6 address that you want to search for.
Destination IPv6	To search for offenses with a specific destination IPv6 address, you can select this option, and then type the destination IPv6 address that you want to search for.
Source ASN	To search for offenses with a specific Source ASN, you can select the source ASN from the Source ASN list box.
Destination ASN	To search for offenses with a specific destination ASN, you can select the destination ASN from the Destination ASN list box.
Rule	To search for offenses that are associated with a specific rule, you can select the rule group that contains the rule you want to search from the Rule Group list box. The Rule Group list box displays all rules that are assigned to the selected rule group. From the Rule list box, you select the rule that you want to search for.
App ID	To search for offenses with an application ID, you can select the application ID from the App ID list box.

Click the Offenses tab.
From the Search list box, select New Search.
Choose one of the following options:
- To load a previously saved search, go to Step 4.
- To create a new search, go to Step 7.
Select a previously saved search using one of the following options:
- From the Available Saved Searches list, select the saved search that you want to load.
- In the Type Saved Search or Select from List field, type the name of the search you want to load.
Click Load.
Optional. Select the Set as Default check box in the Edit Search pane to set this search as your default search. If you set this search as your default search, the search automatically performs and displays results each time you access the Offenses tab.
On the Time Range pane, select an option for the time range you want to capture for this search. See Table 1.
On the Search Parameters pane, define your specific search criteria. See Table 1.
On the Offense Source pane, specify the offense type and offense source you want to search:
1. From the list box, select the offense type that you want to search for.
2. Type your search parameters. See Table 2.
In the Column Definition pane, define the order in which you want to sort the results:
1. From the first list box, select the column by which you want to sort the search results.
2. From the second list box, select the order that you want to display for the search results. Options include Descending and Ascending.
Click Search.

Saving Search Criteria on the Offenses Tab

Searching Offenses on the By Source IP Page

This topic provides the procedure for how to search offenses on the By Source IP page of the Offense tab.

The following table describes the search options that you can use to search offense data on the By Source IP page:

Table 3: By Source IP Page Search Options
Options	Description
All Offenses	You can select this option to search all source IP addresses regardless of time range.
Recent	You can select this option and, from this list box, select the time range that you want to search for.
Specific Interval	To specify an interval to search for, you can select the Specific Interval option and then select one of the following options: Start Date between Select this check box to search source IP addresses associated with offenses that started during a certain time period. After you select this check box, use the list boxes to select the dates you want to search for. Last Event/Flow between Last Event between Select this check box to search source IP addresses associated with offenses for which the last detected event occurred within a certain time period. After you select this check box, use the list boxes to select the dates you want to search for.
Search	The Search icon is available in multiple panes on the search page. You can click Search when you are finished configuring the search and want to view the results.
Source IP	In this field, you can type the source IP address or CIDR range you want to search for.
Magnitude	From this list box, you can specify a magnitude and then select display only offenses with a magnitude that is equal to, less than, or greater than the configured value. The range is 0 - 10.
VA Risk	From this list box, you can specify a VA risk and then select display only offenses with a VA risk that is equal to, less than, or greater than the configured value. The range is 0 - 10.
Events/Flows Events	From this list box, you can specify an event or flow count and then select display only offenses with a magnitude that is equal to, less than, or greater than the configured value.
Exclude	You can select the check boxes for the offenses you want to exclude from the search results. The options include: Active Offenses Hidden Offenses Closed Offenses Inactive offenses Protected Offense

Click the Offenses tab.
Click By Source IP.
From the Search list box, select New Search.
On the Time Range pane, select an option for the time range you want to capture for this search. See Table 1.
On the Search Parameters pane, define your specific search criteria. See Table 1.
On the Column Definition pane, define the order in which you want to sort the results:
1. From the first list box, select the column by which you want to sort the search results.
2. From the second list box, select the order that you want to display for the search results. Options include Descending and Ascending.
Click Search.

Saving Search Criteria on the Offenses Tab

Searching Offenses on the By Destination IP Page

On the By Destination IP page of the Offense tab, you can search offenses that are grouped by the destination IP address.

The following table describes the search options that you can use to search offenses on the By Destination IP page:

Table 4: By Destination IP Page Search Options
Options	Description
All Offenses	You can select this option to search all destination IP addresses regardless of time range.
Recent	You can select this option and, From this list box, select the time range that you want to search for.
Specific Interval	To specify a particular interval to search for, you can select the Specific Interval option, and then select one of the following options: To specify a particular interval to search for, you can select the Specific Interval option, and then select one of the following options: Last Event/Flow between Last Event between Select this check box to search destination IP addresses associated with offenses for which the last detected event occurred within a certain time period. After you select this check box, use the list boxes to select the dates you want to search
Search	The Search icon is available in multiple panes on the search page. You can click Search when you are finished configuring the search and want to view the results.
Destination IP	You can type the destination IP address or CIDR range you want to search for.
Magnitude	From this list box, you can specify a magnitude, and then select display only offenses with a magnitude that is equal to, less than, or greater than the configured value.
VA Risk	From this list box, you can specify a VA risk, and then select display only offenses with a VA risk that is equal to, less than, or greater than the configured value. The range is 0 - 10.
Events/Flows Events	From this list box, you can specify an event or flow count magnitude, and then select display only offenses with an event or flow count that is equal to, less than, or greater than the configured value.

Click the Offenses tab.
On the navigation menu, click By Destination IP.
From the Search list box, select New Search.
On the Time Range pane, select an option for the time range you want to capture for this search. See Table 1.
On the Search Parameters pane, define your specific search criteria. See Table 1.
On the Column Definition pane, define the order in which you want to sort the results:
1. From the first list box, select the column by which you want to sort the search results.
2. From the second list box, select the order in which you want to display the search results. Options include Descending and Ascending.
Click Search.

Saving search criteria on the Offense tabOn the Offenses tab, you can save configured search criteria so that you can reuse the criteria for future searches. Saved search criteria does not expire.

Searching Offenses on the By Networks Page

On the By Network page of the Offense tab, you can search offenses that are grouped by the associated networks.

The following table describes the search options that you can use to search offense data on the By Networks page:

Table 5: Search Options for Search Offense Data on the By Networks Page
Option	Description
Network	From this list box, you can select the network that you want to search for.
Magnitude	From this list box, you can specify a magnitude, and then select display only offenses with a magnitude that is equal to, less than, or greater than the configured value.
VA Risk	From this list box, you can specify a VA risk, and then select display only offenses with a VA risk that is equal to, less than, or greater than the configured value.
Event/Flows Event	From this list box, you can specify an event or flow count, and then select display only offenses with an event or flow count that is equal to, less than, or greater than the configured value.

Click the Offenses tab.
Click By Networks.
From the Search list box, select New Search.
On the Search Parameters pane, define your specific search criteria. See Table 1.
On the Column Definition pane, define the order in which you want to sort the results:
1. From the first list box, select the column by which you want to sort the search results.
2. From the second list box, select the order in which you want to display the search results. Options include Descending and Ascending.
Click Search.

Saving Search Criteria on the Offenses Tab

On the Offenses tab, you can save configured search criteria so that you can reuse the criteria for future searches. Saved search criteria does not expire.

Procedure
Perform a search. See Offense searches.
Click Save Criteria.

Enter values for the following parameters:

Option	Description
Parameter	Description
Search Name	Type a name you want to assign to this search criteria.
Manage Groups	Click Manage Groups to manage search groups. See Managing Search Groups.
Timespan options:	Choose one of the following options: All Offenses Select this option to search all offenses regardless of time range. Recent Select the option and, from this list box, select the time range that you want to search for. Specific Interval - To specify a particular interval to search for, select the Specific Interval option, and then select one of the following options: Start Date between - Select this check box to search offenses that started during a certain time period. After you select this check box, use the list boxes to select the dates you want to search for. Last Event/Flow between - Select this check box to search offenses for which the last detected event occurred within a certain time period. After you select this check box, use the list boxes to select the dates you want to search. Last Event between - Select this check box to search offenses for which the last detected event occurred within a certain time period. After you select this check box, use the list boxes to select the dates you want to search.
Set as Default	Select this check box to set this search as your default search.

Click OK.

Searching for Offenses That Are Indexed on a Custom Property

Define search criteria to filter the offense list and make it easier to see which offenses you need to investigate. You can use the offense type in your search criteria to find all offenses that are based on a custom property. You can filter the query results to show offenses that have a specific custom property capture result.

The custom property must be used as a rule index. For more information, see Offense Indexing.

Click the Offenses tab.
From the Search list, select New Search.
On the Offense Source pane, select the custom property in the Offense Type list.

The Offense Type list shows only normalized fields and custom properties that are used as rule indexes. You cannot use Offense Source to search DateTime properties.
To search for offenses that have a specific value in the custom property capture result, type the value that you want to search for in the filter box.
Configure other search parameters to satisfy your search requirements.
Click Search.

All offenses that meet the search criteria are shown in the offense list. When you view the offense summary, the custom property that you searched on is shown in the Offense Type field. The custom property capture result is shown in the Custom Property Value field in the Offense Source Summary pane.

ON THIS PAGE

Searching Offenses on the My Offenses and All Offenses Pages

Searching Offenses on the By Source IP Page

Searching Offenses on the By Destination IP Page

Searching Offenses on the By Networks Page

Saving Search Criteria on the Offenses Tab

Searching for Offenses That Are Indexed on a Custom Property

Related Documentation