Offense Searches
You can search offenses by using specific criteria to display offenses that match the search criteria in a results list.
You can create a new search or load a previously saved set of search criteria.
Searching Offenses on the My Offenses and All Offenses Pages
On the My Offenses and All Offenses pages of the Offense tab, you can search for offenses that match your criteria.
The following table describes the search options that you can use to search offense data on the My Offenses and All Offenses pages.
For information about categories, see the Juniper Secure Analytics Administration Guide.
| Option | Description |
|---|---|
| Group | This list box allows you to select an offense search group to view in the Available Saved Searches list. |
| Type Saved Search or Select from List | This field allows you to type the name of a saved search or a keyword to filter the Available Saved Searches list. |
| Available Saved Searches | This list displays all available searches, unless you apply a filter to the list by using the Group or Type Saved Search or Select from List options. You can select a saved search on this list to display or edit. |
| All Offenses | This option allows you to search all offenses regardless of time range. |
| Recent | This option allows you to select a predefined time range to filter for. After you select this option, you must select a time range option from the list box. |
| Specific Interval | This option allows you to configure a custom time range for your search. After you select this option, you must select one of the following options: Start Date between, Last Event/Flow between, or Last Event between. |
| Search | The Search icon is available in multiple panes on the search page. You can click Search when you are finished configuring the search and want to view the results. |
| Offense Id | In this field, you can type the Offense ID that you want to search for. |
| Description | In this field, you can type the description that you want to search for. |
| Assigned to user | From this list box, you can select the user name that you want to search for. |
| Direction | From this list box, you can select the offense direction that you want to search for. |
| Source IP | In this field, you can type the source IP address or CIDR range that you want to search for. |
| Destination IP | In this field, you can type the destination IP address or CIDR range that you want to search for. |
| Magnitude | From this list box, you can specify a magnitude and then select to display only offenses with a magnitude that is equal to, less than, or greater than the configured value. The range is 0 - 10. |
| Severity | From this list box, you can specify a severity and then select to display only offenses with a severity that is equal to, less than, or greater than the configured value. The range is 0 - 10. |
| Credibility | From this list box, you can specify a credibility and then select to display only offenses with a credibility that is equal to, less than, or greater than the configured value. The range is 0 - 10. |
| Relevance | From this list box, you can specify a relevance and then select to display only offenses with a relevance that is equal to, less than, or greater than the configured value. The range is 0 - 10. |
| Contains Username | In this field, you can type a regular expression (regex) to search for offenses that contain a specific user name. Custom regex patterns must follow the regex rules of the Java programming language. For more information, see the regex tutorials available on the web. |
| Source Network | From this list box, you can select the source network that you want to search for. |
| Destination Network | From this list box, you can select the destination network that you want to search for. |
| High Level Category | From this list box, you can select the high-level category that you want to search for. |
| Low Level Category | From this list box, you can select the low-level category that you want to search for. |
| Exclude | The check boxes in this pane allow you to exclude offenses from the search results. For example, clear the Closed Offenses check box to include closed offenses in the results. |
| Close by User | This parameter is displayed only when the Closed Offenses check box is cleared in the Exclude pane. From this list box, you can select the user name to search closed offenses for, or select Any to display all closed offenses. |
| Reason For Closing | This parameter is displayed only when the Closed Offenses check box is cleared in the Exclude pane. From this list box, you can select a reason to search closed offenses for, or select Any to display all closed offenses. |
| Events | From this list box, you can specify an event count and then select to display only offenses with an event count that is equal to, less than, or greater than the configured value. |
| Flows | From this list box, you can specify a flow count and then select to display only offenses with a flow count that is equal to, less than, or greater than the configured value. |
| Total Events/Flows (or Total Events) | From this list box, you can specify a total event and flow count and then select to display only offenses with a total event and flow count that is equal to, less than, or greater than the configured value. |
| Destinations | From this list box, you can specify a destination IP address count and then select to display only offenses with a destination IP address count that is equal to, less than, or greater than the configured value. |
| Log Source Group | From this list box, you can select a log source group that contains the log source you want to search for. The Log Source list box displays all log sources that are assigned to the selected log source group. |
| Log Source | From this list box, you can select the log source that you want to search for. |
| Rule Group | From this list box, you can select a rule group that contains the contributing rule that you want to search for. The Rule list box displays all rules that are assigned to the selected rule group. |
| Rule | From this list box, you can select the contributing rule that you want to search for. |
| Offense Type | From this list box, you can select the offense type that you want to search for. For more information about the options in the Offense Type list box, see Table 2. |
The following table describes the options available in the Offense Type list box:
| Offense type | Description |
|---|---|
| Any | This option searches all offense sources. |
| Source IP | To search for offenses with a specific source IP address, select this option, and then type the source IP address that you want to search for. |
| Destination IP | To search for offenses with a specific destination IP address, select this option, and then type the destination IP address that you want to search for. |
| Event Name | To search for offenses with a specific event name, click the Browse icon to open the Event Browser and select the event name (QID) that you want to search for. The Event Browser provides several ways to search for a particular QID. |
| Username | To search for offenses with a specific user name, select this option, and then type the user name that you want to search for. |
| Source MAC Address | To search for offenses with a specific source MAC address, select this option, and then type the source MAC address that you want to search for. |
| Destination MAC Address | To search for offenses with a specific destination MAC address, select this option, and then type the destination MAC address that you want to search for. |
| Log Source | From the Log Source Group list box, select the log source group that contains the log source you want to search for. The Log Source list box displays all log sources that are assigned to the selected log source group. From the Log Source list box, select the log source that you want to search for. |
| Host Name | To search for offenses with a specific host name, select this option, and then type the host name that you want to search for. |
| Source Port | To search for offenses with a specific source port, select this option, and then type the source port that you want to search for. |
| Destination Port | To search for offenses with a specific destination port, select this option, and then type the destination port that you want to search for. |
| Source IPv6 | To search for offenses with a specific source IPv6 address, select this option, and then type the source IPv6 address that you want to search for. |
| Destination IPv6 | To search for offenses with a specific destination IPv6 address, select this option, and then type the destination IPv6 address that you want to search for. |
| Source ASN | To search for offenses with a specific source ASN, select the source ASN from the Source ASN list box. |
| Destination ASN | To search for offenses with a specific destination ASN, select the destination ASN from the Destination ASN list box. |
| Rule | To search for offenses that are associated with a specific rule, select the rule group that contains the rule from the Rule Group list box. The Rule list box then displays all rules that are assigned to the selected rule group. From the Rule list box, select the rule that you want to search for. |
| App ID | To search for offenses with a specific application ID, select the application ID from the App ID list box. |
1. Click the Offenses tab.
2. From the Search list box, select New Search.
3. Choose one of the following options:
   - Select a previously saved search using one of the following options:
     - From the Available Saved Searches list, select the saved search that you want to load.
     - In the Type Saved Search or Select from List field, type the name of the search that you want to load.
4. Click Load.
5. Optional: Select the Set as Default check box in the Edit Search pane to set this search as your default search. If you set this search as your default search, the search runs automatically and displays results each time you access the Offenses tab.
6. On the Time Range pane, select an option for the time range that you want to capture for this search. See Table 1.
7. On the Search Parameters pane, define your specific search criteria. See Table 1.
8. On the Offense Source pane, specify the offense type and offense source that you want to search:
   - From the list box, select the offense type that you want to search for.
   - Type your search parameters. See Table 2.
9. In the Column Definition pane, define the order in which you want to sort the results:
   - From the first list box, select the column by which you want to sort the search results.
   - From the second list box, select the order in which you want to display the search results. Options include Descending and Ascending.
10. Click Search.
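To make the matching semantics of the Table 1 criteria concrete, the following added example (not JSA product code) models a few of them offline: a Source IP that accepts a single address or CIDR range, the equal to / less than / greater than comparison for Magnitude and Severity with their 0 - 10 range, a Contains Username regex, a Start Date between interval, and the Exclude pane's Closed Offenses check box. The offense records and search values are constructed for illustration, and the regex patterns are assumed to behave the same under Python's re as under Java's regex engine.

```python
# Added example, not JSA product code: an offline model of the My Offenses /
# All Offenses search criteria from Table 1 over constructed offense records.
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime

@dataclass
class Offense:
    offense_id: int
    source_ip: str
    magnitude: int            # 0 - 10, as in the Magnitude list box
    severity: int             # 0 - 10, as in the Severity list box
    usernames: list
    start_time: datetime
    closed: bool = False

# Constructed sample offenses (not real data)
OFFENSES = [
    Offense(1, "10.1.2.3", 7, 6, ["svc_backup"], datetime(2024, 3, 1, 8, 0)),
    Offense(2, "10.1.9.20", 9, 8, ["jdoe", "admin"], datetime(2024, 3, 2, 9, 30)),
    Offense(3, "192.0.2.44", 4, 3, ["admin"], datetime(2024, 2, 20, 11, 0), closed=True),
]

def compare(value, op, threshold):
    """'equal', 'less' or 'greater', as offered by the Magnitude/Severity list boxes."""
    if not 0 <= threshold <= 10:
        raise ValueError("the range is 0 - 10")
    return {"equal": value == threshold, "less": value < threshold,
            "greater": value > threshold}[op]

def matches(off, *, source_ip=None, magnitude=None, severity=None,
            contains_username=None, start_between=None, exclude_closed=True):
    """True when the offense satisfies every criterion that was supplied."""
    if exclude_closed and off.closed:          # Exclude pane: Closed Offenses
        return False
    if source_ip is not None:                  # single address or CIDR range
        net = ipaddress.ip_network(source_ip, strict=False)
        if ipaddress.ip_address(off.source_ip) not in net:
            return False
    for crit, value in ((magnitude, off.magnitude), (severity, off.severity)):
        if crit is not None and not compare(value, *crit):
            return False
    if contains_username is not None:
        # The form expects a Java regex; the simple patterns used here behave
        # the same under Python's re (assumption for this example).
        if not any(re.search(contains_username, u) for u in off.usernames):
            return False
    if start_between is not None:              # Specific Interval: Start Date between
        lo, hi = (datetime.fromisoformat(s) for s in start_between)
        if not lo <= off.start_time <= hi:
            return False
    return True

def search(**criteria):
    """Return the IDs of offenses that match, like the results list on the page."""
    return [o.offense_id for o in OFFENSES if matches(o, **criteria)]
```

Note that a closed offense is dropped by default, exactly as the search page behaves while the Closed Offenses check box is selected in the Exclude pane; pass exclude_closed=False to mirror clearing it.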
Searching Offenses on the By Source IP Page
This topic describes how to search offenses on the By Source IP page of the Offenses tab.
The following table describes the search options that you can use to search offense data on the By Source IP page:
| Option | Description |
|---|---|
| All Offenses | Select this option to search all source IP addresses regardless of time range. |
| Recent | Select this option and, from the list box, select the time range that you want to search for. |
| Specific Interval | To specify an interval to search for, select the Specific Interval option, and then select one of the following options: Start Date between, Last Event/Flow between, or Last Event between. |
| Search | The Search icon is available in multiple panes on the search page. Click Search when you are finished configuring the search and want to view the results. |
| Source IP | In this field, type the source IP address or CIDR range that you want to search for. |
| Magnitude | From this list box, specify a magnitude and then select to display only offenses with a magnitude that is equal to, less than, or greater than the configured value. The range is 0 - 10. |
| VA Risk | From this list box, specify a VA risk and then select to display only offenses with a VA risk that is equal to, less than, or greater than the configured value. The range is 0 - 10. |
| Events/Flows (or Events) | From this list box, specify an event or flow count and then select to display only offenses with an event or flow count that is equal to, less than, or greater than the configured value. |
| Exclude | Select the check boxes for the offenses that you want to exclude from the search results. |
1. Click the Offenses tab.
2. Click By Source IP.
3. From the Search list box, select New Search.
4. On the Time Range pane, select an option for the time range that you want to capture for this search. See Table 1.
5. On the Search Parameters pane, define your specific search criteria. See Table 1.
6. On the Column Definition pane, define the order in which you want to sort the results:
   - From the first list box, select the column by which you want to sort the search results.
   - From the second list box, select the order in which you want to display the search results. Options include Descending and Ascending.
7. Click Search.
Searching Offenses on the By Destination IP Page
On the By Destination IP page of the Offense tab, you can search offenses that are grouped by the destination IP address.
The following table describes the search options that you can use to search offenses on the By Destination IP page:
| Option | Description |
|---|---|
| All Offenses | Select this option to search all destination IP addresses regardless of time range. |
| Recent | Select this option and, from the list box, select the time range that you want to search for. |
| Specific Interval | To specify a particular interval to search for, select the Specific Interval option, and then select one of the following options: Start Date between, Last Event/Flow between, or Last Event between. |
| Search | The Search icon is available in multiple panes on the search page. Click Search when you are finished configuring the search and want to view the results. |
| Destination IP | Type the destination IP address or CIDR range that you want to search for. |
| Magnitude | From this list box, specify a magnitude, and then select to display only offenses with a magnitude that is equal to, less than, or greater than the configured value. |
| VA Risk | From this list box, specify a VA risk, and then select to display only offenses with a VA risk that is equal to, less than, or greater than the configured value. The range is 0 - 10. |
| Events/Flows (or Events) | From this list box, specify an event or flow count, and then select to display only offenses with an event or flow count that is equal to, less than, or greater than the configured value. |
1. Click the Offenses tab.
2. On the navigation menu, click By Destination IP.
3. From the Search list box, select New Search.
4. On the Time Range pane, select an option for the time range that you want to capture for this search. See Table 1.
5. On the Search Parameters pane, define your specific search criteria. See Table 1.
6. On the Column Definition pane, define the order in which you want to sort the results:
   - From the first list box, select the column by which you want to sort the search results.
   - From the second list box, select the order in which you want to display the search results. Options include Descending and Ascending.
7. Click Search.
Searching Offenses on the By Networks Page
On the By Networks page of the Offenses tab, you can search offenses that are grouped by their associated networks.
The following table describes the search options that you can use to search offense data on the By Networks page:
| Option | Description |
|---|---|
| Network | From this list box, select the network that you want to search for. |
| Magnitude | From this list box, specify a magnitude, and then select to display only offenses with a magnitude that is equal to, less than, or greater than the configured value. |
| VA Risk | From this list box, specify a VA risk, and then select to display only offenses with a VA risk that is equal to, less than, or greater than the configured value. |
| Events/Flows (or Events) | From this list box, specify an event or flow count, and then select to display only offenses with an event or flow count that is equal to, less than, or greater than the configured value. |
1. Click the Offenses tab.
2. Click By Networks.
3. From the Search list box, select New Search.
4. On the Search Parameters pane, define your specific search criteria. See Table 1.
5. On the Column Definition pane, define the order in which you want to sort the results:
   - From the first list box, select the column by which you want to sort the search results.
   - From the second list box, select the order in which you want to display the search results. Options include Descending and Ascending.
6. Click Search.
Saving Search Criteria on the Offenses Tab
On the Offenses tab, you can save configured search criteria so that you can reuse the criteria for future searches. Saved search criteria does not expire.
Procedure
1. Perform a search. See Offense Searches.
2. Click Save Criteria.
3. Enter values for the following parameters:
   - Search Name: Type a name that you want to assign to this search criteria.
   - Manage Groups: Click Manage Groups to manage search groups. See Managing Search Groups.
   - Timespan options: Choose one of the following options:
     - All Offenses: Select this option to search all offenses regardless of time range.
     - Recent: Select this option and, from the list box, select the time range that you want to search for.
     - Specific Interval: To specify a particular interval to search for, select the Specific Interval option, and then select one of the following options:
       - Start Date between: Select this check box to search offenses that started during a certain time period. After you select this check box, use the list boxes to select the dates that you want to search for.
       - Last Event/Flow between: Select this check box to search offenses for which the last detected event occurred within a certain time period. After you select this check box, use the list boxes to select the dates that you want to search.
       - Last Event between: Select this check box to search offenses for which the last detected event occurred within a certain time period. After you select this check box, use the list boxes to select the dates that you want to search.
   - Set as Default: Select this check box to set this search as your default search.
4. Click OK.
Searching for Offenses That Are Indexed on a Custom Property
Define search criteria to filter the offense list and make it easier to see which offenses you need to investigate. You can use the offense type in your search criteria to find all offenses that are based on a custom property. You can filter the query results to show offenses that have a specific custom property capture result.
The custom property must be used as a rule index. For more information, see Offense Indexing.
1. Click the Offenses tab.
2. From the Search list, select New Search.
3. On the Offense Source pane, select the custom property in the Offense Type list.
   The Offense Type list shows only normalized fields and custom properties that are used as rule indexes. You cannot use Offense Source to search DateTime properties.
4. To search for offenses that have a specific value in the custom property capture result, type the value that you want to search for in the filter box.
5. Configure other search parameters to satisfy your search requirements.
6. Click Search.
All offenses that meet the search criteria are shown in the offense list. When you view the offense summary, the custom property that you searched on is shown in the Offense Type field. The custom property capture result is shown in the Custom Property Value field in the Offense Source Summary pane.