Applies to Product: USM Appliance™, AlienVault OSSIM®
This topic describes how to define advanced search criteria when performing a search on Analysis > Security Events (SIEM).
When you click Advanced Search, the following window opens:
This window lets you search in detail by Event Time, Priority, IP, Event Name (available in version 5.6 and later), Payload, or Event Taxonomy. After you have specified the criteria, click Query DB to run the search.
The Time filter allows fine-grained filtering of events that occurred at a specific date and time.
Use the "time" dropdown to select a comparison operator, such as greater than (>), less than (<), or not equal (!=). You can use a wildcard (*) when specifying the time of the event. Select "AND" or "OR" to combine two time conditions, for example to limit the search to the interval between two times.
In the screenshot below, the selections made search for events that occurred at or after (>=) 10:00:00 AND at or before (<=) 11:00:00 on 12 July 2018, reducing the time frame to one particular hour on one specific date.
The Priority filter allows you to specify Asset Value (an asset's importance or criticality relative to other managed assets), Event Reliability (the likelihood that the event is accurate, from 0 to 10), and Event Priority (how urgently the event should be investigated, from 0 to 5) individually.
In the screenshot below, the options specified will search for events with an Asset value of 2, a Reliability greater than 4, and a Priority of 3 or more.
Click IP Filter to display the options, which allow you to specify Layer 3 IP addresses and Layer 4 TCP or UDP ports.
Click Add More to specify additional IP addresses. You can select "AND" or "OR" to combine them:
If you want to add a port number for TCP or UDP, click the corresponding button to display the options. For example:
Click Add More to specify additional port numbers. You can select "AND" or "OR" to combine them.
Click Event Name to display the option, which allows you to specify one or more event names to search for. When you enter more than one event name, USM Appliance finds events that match any of them. In the example below, USM Appliance looks for both the "SSHd: Connection closed" events and the "AlienVault HIDS: Login session closed" events.
Note: This filter is only available in USM Appliance version 5.6 and later.
Click Payload Filter to display the options, which allow you to specify what you want to search in the payload of an event.
Using the encoding and Convert To dropdowns, you can convert the search string, for example from ASCII to HEX, should it be required.
Click Add More to specify additional payload criteria. You can select "AND" or "OR" to combine them.
The example below specifies criteria to search for events that contain the string "testmyids.com" OR "google.com" in the payload:
Important: Do not include quotes when entering the search strings.
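The following is an added example, not code from the USM Appliance or OSSIM product. It is a stand-alone model of how the Time, Priority, IP, Event Name and Payload criteria described above behave: AND/OR within a filter, AND across filters, and an ASCII-to-HEX conversion of payload search strings. The Event field names, the hex-text payload store and the sample events are all constructed assumptions for this model; the appliance's database schema is not reproduced. It also goes slightly beyond the page by accepting a CIDR prefix in the IP filter.

```python
"""Stand-alone model of the Advanced Search criteria described on this page.

Added example, not USM Appliance or OSSIM code. Event fields, the hex-text
payload store and the sample events are assumptions made for the model.
"""
from dataclasses import dataclass
from datetime import datetime
import ipaddress
import operator

# Comparison operators offered by the search dropdowns
OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
       "<=": operator.le, "=": operator.eq, "!=": operator.ne}


@dataclass
class Event:                 # assumed field names, for the model only
    ts: datetime
    priority: int            # 0..5
    reliability: int         # 0..10
    asset_value: int         # 0..5
    src_ip: str
    dst_ip: str
    proto: str               # "TCP" or "UDP"
    sport: int
    dport: int
    name: str
    payload: bytes


def _join(hits, join):
    return all(hits) if join == "AND" else any(hits)


def time_filter(op1, t1, join, op2, t2):
    """Two time conditions combined with AND (a window) or OR."""
    return lambda e: _join([OPS[op1](e.ts, t1), OPS[op2](e.ts, t2)], join)


def threshold_filter(**criteria):
    """e.g. threshold_filter(asset_value=("=", 2), reliability=(">", 4));
    every threshold given must hold (the Priority filter fields are ANDed)."""
    return lambda e: all(OPS[op](getattr(e, f), n) for f, (op, n) in criteria.items())


def ip_filter(terms, join="OR"):
    """terms: [(field, address)] with field src_ip/dst_ip; a CIDR prefix is
    accepted too (a generalisation of the page's single addresses)."""
    nets = [(f, ipaddress.ip_network(a, strict=False)) for f, a in terms]
    return lambda e: _join([ipaddress.ip_address(getattr(e, f)) in n for f, n in nets], join)


def port_filter(proto, terms, join="OR"):
    """terms: [(field, port)] with field sport/dport, for one Layer 4 protocol."""
    return lambda e: e.proto == proto and _join([getattr(e, f) == p for f, p in terms], join)


def name_filter(names):
    """Several event names match any of them (OR), as in the Event Name filter."""
    return lambda e: e.name in set(names)


def hex_contains(stored_hex, needle_hex):
    """Substring search on hex text that only accepts byte-aligned matches:
    '6162' ('ab') must not match the nibble-shifted run inside 'f6162f'."""
    i = stored_hex.find(needle_hex)
    while i != -1:
        if i % 2 == 0:
            return True
        i = stored_hex.find(needle_hex, i + 1)
    return False


def payload_filter(strings, join="OR", encoding="ascii"):
    """Search strings are typed without quotes, in ASCII (converted to HEX here,
    as the Convert To dropdown does) or already as HEX. The stored payload is
    modelled as hex text (assumption), so both sides are compared in hex."""
    needles = [s.encode().hex() if encoding == "ascii" else s.lower() for s in strings]
    return lambda e: _join([hex_contains(e.payload.hex(), n) for n in needles], join)


def query_db(events, *filters):
    """Query DB: an event must satisfy every filter section that was filled in."""
    return [e for e in events if all(f(e) for f in filters)]


# Constructed sample events (not real appliance data)
SAMPLE = [
    Event(datetime(2018, 7, 12, 10, 15), 3, 6, 2, "10.0.0.5", "192.168.1.10", "TCP", 51022, 22,
          "SSHd: Connection closed", b"Connection closed by 10.0.0.5"),
    Event(datetime(2018, 7, 12, 10, 40), 4, 8, 2, "10.0.0.7", "93.184.216.34", "TCP", 51000, 80,
          "HTTP: Request", b"GET / HTTP/1.1\r\nHost: testmyids.com\r\n"),
    Event(datetime(2018, 7, 12, 12, 5), 3, 6, 2, "10.0.0.5", "192.168.1.10", "TCP", 51023, 22,
          "AlienVault HIDS: Login session closed", b"session closed for user alice"),
    Event(datetime(2018, 7, 12, 10, 50), 1, 2, 1, "10.0.0.9", "8.8.8.8", "UDP", 53001, 53,
          "DNS: Query", b"\x00\x01google.com"),
]


def page_examples():
    """Run the page's own examples over SAMPLE; returns {example: [event names]}."""
    window = time_filter(">=", datetime(2018, 7, 12, 10), "AND", "<=", datetime(2018, 7, 12, 11))
    thresholds = threshold_filter(asset_value=("=", 2), reliability=(">", 4), priority=(">=", 3))
    names = name_filter(["SSHd: Connection closed", "AlienVault HIDS: Login session closed"])
    payload = payload_filter(["testmyids.com", "google.com"], join="OR")
    return {
        "time": [e.name for e in query_db(SAMPLE, window)],
        "priority": [e.name for e in query_db(SAMPLE, thresholds)],
        "names": [e.name for e in query_db(SAMPLE, names)],
        "payload": [e.name for e in query_db(SAMPLE, payload)],
        "ports": [e.name for e in query_db(SAMPLE, port_filter("TCP", [("dport", 22)]))],
        "combined": [e.name for e in query_db(SAMPLE, window, thresholds, names)],
    }


if __name__ == "__main__":
    for k, v in page_examples().items():
        print(f"{k:9s} -> {v}")
```

The "combined" result shows the cross-filter behaviour: the HIDS "Login session closed" event matches the Event Name and Priority criteria but falls outside the 10:00 to 11:00 window, so it is dropped. The byte-aligned check in hex_contains is the caveat to keep in mind when searching hex-encoded payloads: a plain substring match on hex text can hit a nibble-shifted run that is not the bytes you asked for.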
Event Taxonomy Filter
The Event Taxonomy filter allows you to search for events by their taxonomy, that is, by product type and event category.
For details on product type and event category, see Product Types and Categories.
AlienVault OSSIM Limitations: The USM Appliance SIEM engine has more diverse capabilities in handling events due to its built-in correlation abilities and graph-based analytics.