Search
The Search feature includes a wide range of filter and group selections along with Boolean logic for targeting specific data sets. Search results are displayed on the Analyze page, where you can view the queried information in charts and graphs.
The tail option in search allows you to set up real-time queries that show whether logs or events matching a query are actively being generated and entering the system.
When searching by keyword, the term you enter needs to be an exact match with the item you are searching for. For example, if you wanted to search for "Global Admin" users, you would need to type Global Admin into the Search field. To run searches for all items containing a particular term, you need to include the prefix sql: and insert wildcard symbols (%) as appropriate. For example, if you wanted to run a keyword search for all users with "admin" somewhere in their titles, you would type sql:%admin% into the Search field.
When searching the Log Message field, sql: and % are not required.
The only required parameter for running a search is a time frame for your results.
Note that in deployments utilizing multiple Web Consoles, users can only access search or drill down results on the Web Console server from which the search or drill down originated. For example, if you perform a search on Web Console A and then log in to Web Console B, the search initiated on server A will not be available to you.
Search Filters
The following table describes the search filters available from the Search lists.
Search Filter | Description |
|---|---|
Account by Active Directory Group | The accounts with an Active Directory Group that are the recipients of the action. |
Address | The email address involved in the activity, either the sender or recipient. In the Search Term field, type a full email address (for example, name@company.com). |
Command | The name of an executed command within the metadata (for example: login, get, or put). |
Common Event | A short, plain-language description of the log that determines its classification. When you select Common Event, the Search Term field becomes a typeahead field. For example, if you type "audit," a list opens with all Common Events that match "audit." You can then select an item from the list. |
Domain | Windows or DNS domain either referenced by a log or impacted by log activity. |
Group | User group or role referenced or impacted by the log activity. This group is typically an Active Directory group name or other type of logical container. |
Host List (Impacted) Host List (Origin or Impacted) Host List (Origin) | The host involved in the log activity, which may include the IP address, host name, or Ethernet address:
With Host filters, you can attain results for a Host List, IP Address List, or IP Range List as follows:
To run a Host List search, you need to select from the host lists that have already been created in the Client Console. You cannot create new host lists on the Web Console, and you cannot type free text or non-lists as search criteria for the Host List filter. |
Hostname (Impacted) Hostname (Origin or Hostname (Origin) | The name of the host involved in the log activity (for example, a DNS name or a Netbios name):
|
Interface (Impacted) Interface (Origin or Impacted) Interface (Origin) | The interface number of a device or physical port number of a switch:
|
IP Address (Impacted) IP Address (Origin or Impacted) IP Address (Origin) | The IP addresses for the log activity:
|
Known Application | Known application or service, such as HTTP, POP3, or Telnet. An application is "known" if LogRhythm SIEM can match the protocol number from the log to a service name in the Events Database. |
Known Host (Impacted) Known Host (Origin or Impacted) Known Host (Origin) | The host record associated with a specific Entity:
When you select one of the Known Host fields, the Search Term field becomes a typeahead field. |
Location (Impacted) Location (Origin or Impacted) Location (Origin) | The geographic area involved in the log activity:
When you select one of the Location fields, the Search Term field becomes a typeahead field. The Location values are derived from the LogRhythm SIEM's GeoLocation feature. |
Log Source Entity | A logical collection of unique networks, devices, and systems. When you select Log Source Entity, the Search Term field becomes a typeahead field. |
Log Source Root Entity | The parent for a logical collection (Log Source Entity). |
Log Source Type | Type of facility or source where the log originated. |
MAC Address (Impacted) MAC Address (Origin or Impacted) MAC Address (Origin) | The MAC address involved in the log message:
When searching for MAC addresses, you must separate character strings using a colon (:) or a hyphen (-). For example: |
MPE Rule Name | Message Processing Engine (MPE) rule, which identifies and normalizes log messages and then assigns them to a Log Type (Common Event). When you select MPE Rule, the Search Term field becomes a typeahead field. |
NAT IP Address (Impacted) NAT IP Address (Origin or Impacted) NAT IP Address (Origin) | The IP address that was translated via NAT device logs:
|
NAT TCP/UDP Port (Impacted) NAT TCP/UDP Port (Origin or Impacted) NAT TCP/UDP Port (Origin) | The TCP/UDP port that was translated via NAT device logs:
|
Network (Impacted) Network (Impacted or Origin) Network (Origin) | Network involved in the log activity:
When you select one of the Network fields, the Search Term field becomes a typeahead field. |
Object Object Name | Resource that is referenced or impacted by the log activity. An "object" can include a file, file path, registry key, etc. The Object field contains the full path and name, but ObjectName only stores the object name. |
Origin Login by Active Directory Group | The users within an Active Directory group that are the source of the log activity. When you select Origin Login by Active Directory Group, the Term field to the left becomes a typeahead field. |
Port | The port involved in the activity. |
Process ID | The ID associated with a process. |
Process Name | Name or value that identifies a process (for example, "inetd" or "sshd"). |
Protocol | Network protocol applicable to the log message. When you select Protocol, the Search Term field becomes a typeahead field. |
Recipient | Email address or VOIP caller number. For non-email logs, this field could represent the user who received a form of information. |
Sender | Email originator or VOIP caller number. For non-email logs, this field could represent the user who received a form of information. |
Session | The user, system, or application session. |
Severity | A value indicating the severity of the log. |
Subject | Email subject line. For non-email logs, this field could represent the subject in some form of communicated information. |
TCP/UDP Port (Impacted) TCP/UDP Port (Origin or Impacted) TCP/UDP Port (Origin) | The TCP or UDP port number:
|
URL | URL referenced or impacted by the log activity. |
User (Impacted) | The user account that is the recipient of the action (for example, a password reset on a user account). When you select the Account filter, you can get results for either an Active Directory Group or a user name string, as follows:
|
User (Login or Account) | The user login or account that is the source of the log activity. When you select the User (Login or Account) filter, you can get results for either an Active Directory Group or a user name string, as follows:
|
User (Origin) | The user login that is the source of the log activity. When you select the User (Origin) filter, you can get results for either an Active Directory Group or a user name string, as follows:
|
User by Active Directory Group | The user login within an Active Directory group that is the source of the log activity. When you select User Active Directory Group, the Search Term field becomes a typeahead field. |
Vendor Message ID | Unique vendor-assigned value that identifies the log message. |
Version | A value that represents a version (OS version, patch version, doc version, etc.). |
Event Classifications
Event classifications are log messages that are grouped into logical containers, which helps organize vast amounts of log data. You can view classifications in the Web Console data charts and also select them from the Search tool.
The following table describes the Event classifications.
| Classification | Description |
|---|---|
Access Failure | Failed read, write, or execute access on files, programs, and other relevant objects. |
Access Granted | Activity related to granting of access rights and privileges. |
Access Revoked | Activity related to revocation of access rights and privileges. |
Access Success | Successful read, write, or execute access on files, programs, and other relevant objects. |
Account Created | Activity related to user or system/computer account creation. |
Account Deleted | Activity related to user or system/computer account deletion. |
Account Modified | The modification of a user or group outside granting/revoking access. No group level or access level changes. |
Activity | General system or network activity. |
Attack | Activity that indicates a system or network attack, where it is either assumed to have been successful or cannot be assumed to have failed. |
Authentication Failure | Failed user and system authentication activity, due to bad credentials or unauthorized attempt (user not allowed to log in). |
Authentication Success | Successful user and system authentication activity, including a user or system gaining access through any method of authentication. |
Compromise | Successful system or network compromise. These types of logs are seen more on Host Intrusion Detection Systems (HIDS) than on network-based detection mechanisms. |
Configuration | Activity pertaining to the state or configuration of a system where it is not related to a Policy. |
Critical | Logs reporting critical conditions. |
Denial of Service | Activity that indicates a Denial of Service attack, where it is assumed to have succeeded or cannot be assumed to have failed. |
Error | Logs reporting error conditions. |
Failed Activity | General system or network activity that was not successful, possibly due to preventative measures. |
Failed Attack | Attack activity that was not successful, possibly due to preventative measures. |
Failed Denial of Service | Denial of Service activity that was not successful, possibly due to preventative measures. |
Failed Malware | Malware activity that was not successful, possibly due to preventative measures. |
Failed Misuse | Activity that indicates a system or network misuse that was not successful, possibly due to preventative measures. |
Failed Suspicious | Suspicious activity that was not successful, possibly due to preventative measures. |
Information | Logs reporting general information. |
Malware | Activity that indicates malware installation, propagation, or use. |
Misuse | Activity that indicates system or network misuse. |
Network Allow | Network activity that was allowed per a device policy. |
Network Deny | Network activity that was not allowed per a device policy. |
Network Traffic | Network traffic activity such as flows, connections, and usage statistics. |
Other | Operations activity not otherwise classifiable. |
Other Audit | Audited activity not otherwise classifiable. |
Other Audit Failure | Failed audited activity not otherwise classifiable. |
Other Audit Success | Successful audited activity not otherwise classifiable. |
Other Security | Security activity not otherwise classifiable. |
Policy | Activity pertaining to the policy of a network, system, device, or other relevant object. Includes configuration changes related to a Policy. |
Reconnaissance | Activity that indicates system or network reconnaissance. |
Startup and Shutdown | Activity pertaining to the starting and stopping of a system, device, application, or other relevant object. |
Suspicious | Activity that is suspicious, but not known to be an attack or unauthorized. |
Vulnerability | Logs reporting vulnerabilities. |
Warning | Logs reporting warnings. |