Searching Events

Role Availability: Read-Only, Investigator, Analyst, Manager

USM Anywhere includes the option of searching for items of interest on the page. Several filters are displayed by default. You can either filter your search or enter what you are looking for in the search field.

You can configure more filters and change which filters to display by clicking the Configure Filters link located in the upper-left side of the page. The management of filters is similar to that for assets. See Managing Filters for more information.

Filters Displayed by Default in the Main Events Page
| Filter Name | Meaning |
| --- | --- |
| Last 24 Hours | Filter events (any traffic or data exchange detected by LevelBlue products through a sensor or external devices such as a firewall) triggered in the last hour, last 24 hours, last 7 days, last 30 days, or last 90 days. You can also configure your own period of time by clicking the Custom Range option. When you click Custom Range, a calendar opens. You can choose the first and last day to delimit your search by clicking the days on the calendar or entering the days directly. Then select the hours, minutes, and seconds by clicking the specific box. Finally, select AM or PM. |
| Suppressed | Filter suppressed events. The suppressed events are hidden by default. See Creating Suppression Rules from the Events Page for more information. |
| Account Name | Filter events by the account that has generated the event. |
| Data Source | Filter events by the data source used to normalize the event. |
| Event Name | Filter events by the short, user-readable description of the event. |
| Source Asset | Filter events by the name of the asset that produced the event. |
| Source User | Filter events by the name of the user that produced the event. |
| Sensor | Filter events by the name of the USM Anywhere Sensor that received the event. Sensors are deployed into an on-premises, cloud, or multi-cloud environment to collect logs and other security-related data. This data is normalized and then securely forwarded to USM Anywhere for analysis and correlation. |
| Asset Groups | When the host (a computer on a network) for the event source or destination is an asset (an IP-addressable host, including but not limited to network devices, virtual servers, and physical servers) belonging to one or more of your asset groups (administratively created objects that group similar assets for specific purposes), this field filters the asset group name or names. |
| Username | Filter events by the username associated with the asset that generated the event. |

Note: Filtering large asset groups will only return data from the most recent 1024 assets. See Creating an Asset Group for more information about this limitation.

The number between brackets displayed by each filter indicates the number of items that match the filter. You can also use the filter controls to organize your search and filtered results.

The following table shows the icons displayed with each filter box.

Icons Next to the Filter Title
| Icon | Meaning |
| --- | --- |
| (icon) | Sort the filters alphabetically. |
| (icon) | Sort the filters by the number of items that match them. |

In the upper-left side of the page, you can see any filters you have applied. Remove a filter by clicking the icon next to it, or clear all filters by clicking Reset.

Selected Filters on the Events Main Page

Note: When you apply filters of different types, the search combines them with the logical AND operator. When you apply several filters of the same type, the search combines them with the logical OR operator.

Filters that have more than 10 options include a Filter Values search field where you can enter text to narrow the options. If there are more than 50 search results, an icon appears to the right of the Filter Values search field. Click this icon to download a CSV containing up to 1024 results.

About the Was Fuzzied Filter

When USM Anywhere receives raw log data on the USM Anywhere Sensor, it tries to match the data with integrations based on hints and manual associations. Sometimes that process fails and the events are processed by the LevelBlue Generic Data Source, which attempts to find some common information using "fuzzy" matching. These events can be found by filtering by the data source integration or the "Was Fuzzied" field.

Important: An event having the "Was Fuzzied" field with the value "true" has its data source property as "[empty]".

See The LevelBlue Generic Data Source for more information about how this attempts to normalize an unmatched log message.

To search for events that are not matched with a specific data source

  1. Go to Activity > Events.
  2. In the upper-left side of the page, click the Configure Filters link.

  3. Search for the Was Fuzzied filter.
  4. Click the icon to select the filter.
  5. Click Apply.
  6. In the left pane, search for the Was Fuzzied integration.
  7. Click true. The number between parentheses indicates the number of events that were created with the LevelBlue Generic Data Source.

Note: The false value displays the events that have an assigned data source. The number between parentheses indicates the number of events.
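The filter logic described above (AND across filter types, OR within one type) and the Was Fuzzied relationship to the "[empty]" data source, modeled offline over constructed events. This is an added example, not LevelBlue code; it calls no USM Anywhere API, and the field names and sample values are hypothetical.

```python
from collections import defaultdict

# Constructed sample events. Field names are hypothetical stand-ins for the
# filter names on this page, not the product's export schema.
EVENTS = [
    {"id": 1, "data_source": "Firewall A", "source_asset": "web01", "was_fuzzied": False},
    {"id": 2, "data_source": "Firewall A", "source_asset": "db01", "was_fuzzied": False},
    {"id": 3, "data_source": "VPN B", "source_asset": "web01", "was_fuzzied": False},
    {"id": 4, "data_source": "[empty]", "source_asset": "web01", "was_fuzzied": True},
    {"id": 5, "data_source": "[empty]", "source_asset": "app02", "was_fuzzied": True},
]

def group_filters(selected):
    """Group (filter_type, value) selections by filter type."""
    grouped = defaultdict(set)
    for filter_type, value in selected:
        grouped[filter_type].add(value)
    return grouped

def apply_filters(events, selected):
    """Return ids of events matching the selected filters.

    Values of the same filter type are ORed; different types are ANDed.
    """
    grouped = group_filters(selected)
    return [
        e["id"] for e in events
        if all(e.get(ftype) in values for ftype, values in grouped.items())
    ]

def count_by_value(events, filter_type):
    """Per-value counts, like the number shown next to each filter value."""
    counts = defaultdict(int)
    for e in events:
        counts[e.get(filter_type)] += 1
    return dict(counts)

def fuzzied_consistency_errors(events):
    """Ids where was_fuzzied and the "[empty]" data source disagree."""
    return [e["id"] for e in events
            if e["was_fuzzied"] != (e["data_source"] == "[empty]")]
```

Selecting a second value of the same filter type widens the result set, while adding a filter of a different type narrows it, which is worth keeping in mind when a saved view returns more events than expected.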

Filtering Events by Row Fields

USM Anywhere includes a column with the icon in the list view in the events page. Use this icon to add filters to your search. When you click this icon, a dialog box opens with the specific fields of that row.

To filter events by row fields

  1. Click the icon of the row to which you want to add the filters.

    The Add Filters dialog box opens.

    Add filters to your search of events by row fields

  2. Select the fields that you want to filter during your search and click Equals or Not to limit your search.
  3. Click Apply.
  4. The result of your search displays with the filters applied.