Define Advanced Search Criteria for Security Events (SIEM)

Applies to Product: USM Appliance™ AlienVault OSSIM®

This topic describes how to define advanced search criteria when performing a search on Analysis > Security Events (SIEM).

When you click Advanced Search, the following window opens:

Advanced Search Window

This window allows for a detailed search on Sensor, Event Time, Priority, IP, Payload, or Event Taxonomy. Specify the criteria, then click Query DB to start the search.

Sensor

This filter allows you to select a deployed USM Appliance Sensor from the list.

Event Time

This option allows for fine-grained filtering of events by the date and time at which they occurred.

Use the "time" drop-down to select an operator such as greater than (>), less than (<), or not equal (!=). You can use a wildcard (*) when specifying the time of the event. Select "AND" or "OR" to combine two time conditions, for example to limit the search to the period between a start time and an end time.

Example:

In the screenshot below, the selections made will search for events that occurred at or after (>=) 10:00:00 AND at or before (<=) 11:00:00 on 12 July 2018, reducing the time frame to one particular hour on one specific date.

Event Time Example

Priority

This filter allows you to specify Asset Value (an asset's importance or criticality relative to other managed assets), Event Reliability (the likelihood that the event is accurate; it ranges from 0 to 10), and Event Priority (how urgently the event should be investigated; it ranges from 0 to 5) individually.

Example:

In the screenshot below, the options specified will search for events with an Asset value of 2, a Reliability greater than 4, and a Priority of 3 or more.

Priority Selection

IP Filter

Click IP Filter to display the options, which allow you to specify Layer 3 IP addresses and Layer 4 TCP or UDP port numbers.

IP Filter

Click Add More to specify additional IP addresses. You can select "AND" or "OR" to combine them:

IP Filter with 2 IP addresses

If you want to add a port number for TCP or UDP, click the corresponding button to display the options. For example:

IP Filter, TCP port

Click Add More to specify additional port numbers. You can select "AND" or "OR" to combine them.

Payload Filter

Click Payload Filter to display the options, which allow you to specify the string to search for in the payload of an event.

Payload filter

Use the encoding and Convert To drop-downs to convert the search string to another representation, for example from ASCII to HEX, should that be required.

Click Add More to specify additional payload criteria. You can select "AND" or "OR" to combine them.

Example:

The example below specifies criteria to search for events that contain the string "testmyids.com" OR "google.com" in the payload:

Payload filter example

Important: Do not include quotes when entering the search strings.
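The filters described above (Event Time, Priority, IP Filter and Payload Filter), modelled as an added example that is not part of this page or of the USM Appliance product: each panel combines its Add More rows with the selected AND or OR, and the page's three example criteria are run over constructed sample events. The Event fields, the helper names, the sample data and the assumption that Query DB ANDs the separate panels together are illustrative choices, not product behaviour documented here.

```python
# Added example, not AlienVault/USM Appliance code: a small model of how the
# Advanced Search panels combine their rows, run over constructed sample
# events. The Event fields, the helper names and the assumption that the
# separate panels are ANDed together by Query DB are all illustrative.
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Event:
    """Constructed stand-in for one SIEM event row (field names assumed)."""
    id: int
    time: datetime
    src_ip: str
    dst_ip: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    asset: int
    reliability: int
    priority: int
    payload: bytes


# Comparison operators as offered by the drop-downs.
OPS = {
    ">": lambda a, b: a > b, "<": lambda a, b: a < b,
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
    "=": lambda a, b: a == b, "!=": lambda a, b: a != b,
}


def combine(joiner, results):
    """Join the rows added with Add More using the selected AND / OR."""
    return all(results) if joiner == "AND" else any(results)


def time_filter(clauses, joiner="AND"):
    """Event Time panel: clauses is a list of (operator, datetime)."""
    return lambda e: combine(joiner, [OPS[op](e.time, t) for op, t in clauses])


def priority_filter(asset=None, reliability=None, priority=None):
    """Priority panel: each argument is (operator, value); all given ones must hold."""
    specs = {"asset": asset, "reliability": reliability, "priority": priority}
    active = [(field, spec) for field, spec in specs.items() if spec is not None]
    return lambda e: all(OPS[op](getattr(e, field), v) for field, (op, v) in active)


def ip_filter(addresses, joiner="AND"):
    """IP Filter panel: addresses is a list of ("src" | "dst", ip_string)."""
    return lambda e: combine(joiner, [getattr(e, d + "_ip") == ip for d, ip in addresses])


def port_filter(ports, joiner="AND"):
    """TCP / UDP rows of the IP Filter panel: ("tcp" | "udp", "src" | "dst", port)."""
    def pred(e):
        own = {"src": e.sport, "dst": e.dport}
        return combine(joiner, [e.proto == proto and own[d] == n for proto, d, n in ports])
    return pred


def to_hex(text):
    """What Convert To: HEX produces from an ASCII search string."""
    return text.encode("ascii").hex()


def payload_filter(strings, joiner="OR", encoding="ascii"):
    """Payload Filter panel. Strings are entered without quotes; with
    encoding="hex" each string is a hex byte sequence (as after Convert To)."""
    needles = [bytes.fromhex(s) if encoding == "hex" else s.encode("ascii") for s in strings]
    return lambda e: combine(joiner, [n in e.payload for n in needles])


def query_db(events, *panels):
    """Query DB: ids of events satisfying every panel (assumed AND between panels)."""
    return [e.id for e in events if all(p(e) for p in panels)]


def at(hour, minute=0):
    """Shorthand for a time on 12 July 2018, the date used in the page's example."""
    return datetime(2018, 7, 12, hour, minute)


SAMPLE_EVENTS = [  # constructed data; addresses are RFC 5737 documentation ranges
    Event(1, at(10, 15), "192.0.2.10", "198.51.100.5", "tcp", 51234, 80, 2, 6, 3,
          b"GET / HTTP/1.1\r\nHost: testmyids.com\r\n"),
    Event(2, at(10, 45), "192.0.2.11", "198.51.100.5", "tcp", 51235, 443, 2, 3, 4,
          b"\x16\x03\x01 www.google.com"),
    Event(3, at(11, 30), "192.0.2.10", "198.51.100.7", "udp", 53, 53, 2, 8, 5,
          b"\x00\x01\x01\x00\x07example\x03org\x00"),
    Event(4, at(10, 30), "192.0.2.12", "198.51.100.5", "tcp", 51236, 80, 1, 9, 2,
          b"GET / HTTP/1.1\r\nHost: google.com\r\n"),
]

# The three examples from this page, plus an IP address / TCP port filter.
HOUR = time_filter([(">=", at(10)), ("<=", at(11))], joiner="AND")
PRIO = priority_filter(asset=("=", 2), reliability=(">", 4), priority=(">=", 3))
PAYLOAD = payload_filter(["testmyids.com", "google.com"], joiner="OR")
WEB = query_db(SAMPLE_EVENTS, ip_filter([("dst", "198.51.100.5")]),
               port_filter([("tcp", "dst", 80)]))

if __name__ == "__main__":
    print("hour:", query_db(SAMPLE_EVENTS, HOUR))                      # [1, 2, 4]
    print("priority:", query_db(SAMPLE_EVENTS, PRIO))                  # [1, 3]
    print("payload:", query_db(SAMPLE_EVENTS, PAYLOAD))                # [1, 2, 4]
    print("all three:", query_db(SAMPLE_EVENTS, HOUR, PRIO, PAYLOAD))  # [1]
    print("web:", WEB)                                                 # [1, 4]
    print("hex form of testmyids.com:", to_hex("testmyids.com"))
```

Run on the constructed events, the one-hour window keeps events 1, 2 and 4, the priority criteria keep 1 and 3, the payload criteria keep 1, 2 and 4, and only event 1 satisfies all three panels at once. Searching for the HEX form of testmyids.com with encoding set to hex matches the same event as the ASCII string, which is what Convert To is for.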

Event Taxonomy Filter

The Event Taxonomy filter allows you to search for events by their taxonomy, that is, by product type and event category.

Event taxonomy filter

For details on product type and event category, see Product Types and Categories.

AlienVault OSSIM Limitations: The USM Appliance SIEM engine has more extensive event-handling capabilities than AlienVault OSSIM because of its built-in correlation and graph-based analytics.