
Search Results Grid Inspector

After performing a search, you can select any cell within the search results grid to inspect the full set of metadata available for that record. The inspector shows the record's schema fields so you can understand each log message. When a log message contains User or Host information, drilling down on that value opens a further panel listing every log that contains the same user or host. This lets you pivot from a single suspicious host or user to all of its activity and determine whether repeated detections originate from a single source.

For more information on schema fields, see the Axon Data Schema Guide.

View the Inspector Panel

To open the inspector for a search result, from the Dashboard:

  1. On the left-side menu, click the Search icon.
    The Search page appears.
  2. Select a saved search tab at the top of the page, or click the plus icon + in the top-right of the page to create a new search.
  3. (Optional, if creating a new search.) Enter the search query and perform a search as normal.
  4. Click one of the fields in the search results grid. For example, click any cell in the Host IP column.
    The Inspect pane opens on the right side of the screen.

    The inspector automatically opens to the field and value of the selected cell in the formatted metadata.

    Selecting a cell in the Raw Message column opens the inspector's Raw Message tab, and shows the entire raw metadata.

Navigate the Inspector Panel

Once the inspector panel is open, the following tabs and options are available for navigating it. Additional panels open alongside it when you drill down on information such as a user or host.

Summary

Displays the date and time the log was collected, along with the log source type and any common events present in the log.
User/Host

If the log message contains a user or host name, you can click that value to open a new "entity" flyout panel containing additional information about the user or host. This panel lists other log messages containing the same user or host, so you can drill down into suspicious users or hosts and determine whether repeated detections originate from the same source without leaving your original search.

Additional users and hosts can be drilled down on within the entity flyout to investigate deeper.

You can also click the Visualizations tab on the flyout panel to see a graph demonstrating the number of logs coming into Axon from that same user or host over the previous 24 hours.

Formatted Tab

This tab displays all of the metadata for the log message formatted into the appropriate schema fields.

All data in the Formatted tab can be copied and pasted as needed.

Raw Tab

This tab displays all of the metadata for the log message in its original, raw format.

All data in the Raw tab can be copied and pasted as needed.

Show empty fields

By default, fields that do not contain information are hidden on the Formatted tab.

Check the Show empty fields box to display those empty fields.

Expand All

The populated fields are expanded by default when viewing the Formatted tab.

If the fields have been collapsed, click Expand All to re-open them.

Collapse All

Click Collapse All to collapse all of the populated fields and only show the top-level schema field headers.

To open a single schema field header at a time, click the drop-arrow icon next to the field header name.

Inspector Actions

Each line item in the inspector has an expandable context menu with multiple actions. To open the context menu for a line item in the inspector, click the three-dot menu to the right of the item in question.

The following options are available in each item's context menu. Some of the options enhance your existing search using operators. For more information on operators, see Build a Search Query.

Copy Value

Copies the value of the highlighted line item to the clipboard. The information can then be pasted elsewhere.
Drill Down

Adds the selected value to your existing search criteria using the AND operator.

For example, selecting Drill Down on a Host IP address narrows the search to only include results that have that Host IP address.

Remove Value

Excludes the selected value from your existing search criteria using the AND NOT operator. This is the inverse of the Drill Down option.

For example, selecting Remove Value on a Host IP address narrows the search to exclude all results that include that Host IP address.

Add Value

Adds the selected value to your existing search criteria using the OR operator.

For example, selecting Add Value on a Host IP address expands the search to include all results with that Host IP address.

Pivot

Opens a new browser tab containing a search for the selected value alone, run over the same time range as the original search.

For example, selecting Pivot on a Host IP address opens a new browser tab with a search for that Host IP address during the same timeframe as the original search, leaving the original search and its criteria untouched.
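The following helper illustrates how each of the four actions changes the search criteria: Drill Down appends with AND, Remove Value with AND NOT, Add Value with OR, and Pivot starts a fresh search for the value while keeping the original time window. It is an added example and is not Axon's own code; the `field:"value"` syntax, the operator spellings, the search dictionary layout and the sample criteria are assumptions for illustration only. Two details are worth seeing in code: the existing criteria are parenthesised before an operator is appended, so the new clause applies to the whole search regardless of the engine's precedence rules, and quotes inside a value copied from a raw message are escaped so the value cannot alter the structure of the query.

```python
"""Illustrative query-refinement helper for the four inspector actions.

Added example, not Axon's own code. The field:"value" syntax, operator
spellings and search dict layout are assumptions made for illustration.
"""

import re

# Any top-level operator already in the query means the criteria must be
# grouped before a further clause is appended.
_OPERATOR = re.compile(r"\b(AND|OR|NOT)\b")


def term(field: str, value: str) -> str:
    """Render one criterion.

    Backslashes and double quotes inside the value are escaped so a value
    taken from a raw message (for example a user name containing a quote)
    becomes data in the query rather than part of its structure.
    """
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'{field}:"{escaped}"'


def group(query: str) -> str:
    """Parenthesise criteria that already contain an operator.

    Explicit grouping makes the appended clause apply to the whole existing
    search, whatever precedence the search engine gives AND over OR.
    """
    query = query.strip()
    return f"({query})" if _OPERATOR.search(query) else query


def drill_down(query: str, field: str, value: str) -> str:
    """AND: keep only results that also match the selected value."""
    if not query.strip():
        return term(field, value)
    return f"{group(query)} AND {term(field, value)}"


def remove_value(query: str, field: str, value: str) -> str:
    """AND NOT: the inverse of drill_down; drop results that match the value."""
    if not query.strip():
        return f"NOT {term(field, value)}"
    return f"{group(query)} AND NOT {term(field, value)}"


def add_value(query: str, field: str, value: str) -> str:
    """OR: widen the search to every result that matches the selected value."""
    if not query.strip():
        return term(field, value)
    return f"{group(query)} OR {term(field, value)}"


def pivot(search: dict, field: str, value: str) -> dict:
    """Pivot: a fresh search for the value alone, reusing the original time window.

    The original search dict is left untouched so the first tab keeps its criteria.
    """
    return {"query": term(field, value), "start": search["start"], "end": search["end"]}


if __name__ == "__main__":
    # Constructed sample search (not real Axon data): two OR-ed event types over one day.
    original = {
        "query": 'event.type:"authentication" OR event.type:"failed_login"',
        "start": "2024-01-01T00:00:00Z",
        "end": "2024-01-02T00:00:00Z",
    }
    print(drill_down(original["query"], "host.ip", "10.0.0.5"))
    print(remove_value(original["query"], "user.name", "svc-backup"))
    print(add_value(original["query"], "host.ip", "10.0.0.5"))
    print(pivot(original, "host.ip", "10.0.0.5"))
```

Without the grouping step, drilling down on the sample query would produce `event.type:"authentication" OR event.type:"failed_login" AND host.ip:"10.0.0.5"`, which under the usual precedence restricts only the second event type to the host, the opposite of what Drill Down is meant to do.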
