Filtering and Sorting Events in App Review (Triage)


The RocketCyber console now supports sorting and filtering of event data through the new triage view interface.


To begin, from the RocketCyber Console, click Review.


The Event Triage page is displayed.

At the top of the page you will notice a Search/Filter interface.

The default filter for each page filters events for the current account context.

The main area of the Events Triage page, the Event Grid, displays the associated data as rows and columns.

Each column in the Event Grid is sortable by clicking the column header. In this example you can sort by:

  • Detection Date
  • Customer Name
  • Device
  • Event ID
  • Category
  • Source

Filtering Data

Searching and filtering data has been significantly improved using the Search/Filter interface.


The Search/Filter interface provides quick ways to filter data based on the App that is being reviewed.

In this example, for the Endpoint Event Log Monitor App, the available default search fields are:

  • Verdict
  • Detection Date
  • Account
  • Device
  • Event ID
  • Category
  • Source
  • Details

To filter for events that occurred during a specific time frame you can choose Detection Date from the filter list.


The Search interface will display fields that can be used to choose a date range. Once the date range is entered, click Add Filter.

Next click Search to display the desired results.

Filtering for Multiple Criteria

The search interface allows for filtering on multiple criteria.


Building on the previous example of filtering by detection date, let's search for a specific event ID in that date range.

We can do this by choosing another search filter from the dropdown and clicking on Event ID.

Next, enter the number 4624 for the ID value, then click Add Filter.

You can add as many filters as necessary.

When finished, click Search to display the desired results.

NOTE: All search filters are ANDed together to filter results.

In the example above, results will only be displayed if the Detection Date is between 07/11/2022 AND 07/14/2022 AND the event ID is 4624.

Filtering for Details - Advanced

Events can be filtered by specific attributes found in the details of an event. The attributes for an event can be found by downloading the JSON from the console and reviewing the JSON structure. 

For Endpoint Event Log details, the structure looks similar to this:

{
"type": "EventLogMonitor",
"attributes":
{
"xml": "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Eventlog' Guid='{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}'/><EventID>104</EventID><Version>0</Version><Level>4</Level><Task>104</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2022-04-03T04:49:54.696269100Z'/><EventRecordID>1507515</EventRecordID><Correlation/><Execution ProcessID='980' ThreadID='992'/><Channel>System</Channel><Computer>Joe-User.rocketcyber.com</Computer><Security UserID='S-1-5-18'/></System><UserData><LogFileCleared xmlns='http://manifests.microsoft.com/win/2004/08/windows/eventlog'><SubjectUserName>SYSTEM</SubjectUserName><SubjectDomainName>NT AUTHORITY</SubjectDomainName><Channel>Windows PowerShell</Channel><BackupPath></BackupPath></LogFileCleared></UserData></Event>",
"opcode": "Info",
"message": "The Windows PowerShell log file was cleared.",
"version": 0,
"event_id": 104,
"log_name": "System",
"record_id": 1507515,
"telemetry":
{
"event_sent_to_cloud": 1648961394.733,
"event_sent_to_cloud_t": "2022-04-02 23:49:54",
"event_log_msg_recieved": 1648961394.732,
"event_log_msg_recieved_t": "2022-04-02 23:49:54",
"event_log_msg_passed_post_app_result": 1648961394.733,
"event_log_msg_passed_post_app_result_t": "2022-04-02 23:49:54"
},
"event_time": 1648961394,
"event_type": "Information",
"source_name": "Microsoft-Windows-Eventlog",
"computer_name": "Joe-User.rocketcyber.com",
"event_category": "Log Clear"
}
}

If we want to search details for an attribute such as event_category we could choose Details from the search dropdown, then enter the following text in the search value field:

attributes.event_category:Log Clear
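As an added illustration of both the ANDed-filter rule and the Details "path:value" syntax described above, here is a small Python model of the search semantics. It is not RocketCyber code: it assumes that Detection Date corresponds to the attributes.event_time epoch value and that a Details filter compares the value found at the dotted path as an exact string, and the sample events are constructed using the key names from the JSON above.

```python
from datetime import datetime, timezone


def _epoch(date_str):
    """Convert an MM/DD/YYYY date (the format shown in the console) to a UTC epoch."""
    return datetime.strptime(date_str, "%m/%d/%Y").replace(tzinfo=timezone.utc).timestamp()


# Constructed sample events: keys follow the page's JSON, values are made up for the example.
SAMPLE_EVENTS = [
    {"type": "EventLogMonitor", "attributes": {"event_id": 4624, "event_category": "Logon",
        "event_time": _epoch("07/12/2022") + 3600, "computer_name": "host-a.example"}},
    {"type": "EventLogMonitor", "attributes": {"event_id": 4624, "event_category": "Logon",
        "event_time": _epoch("07/20/2022"), "computer_name": "host-b.example"}},
    {"type": "EventLogMonitor", "attributes": {"event_id": 104, "event_category": "Log Clear",
        "event_time": _epoch("07/13/2022"), "computer_name": "host-a.example"}},
]


def detection_date(start, end):
    """Detection Date filter: event_time within the range, end day inclusive (assumption)."""
    lo, hi = _epoch(start), _epoch(end) + 86400
    return lambda ev: lo <= ev["attributes"]["event_time"] < hi


def event_id(value):
    """Event ID filter: exact match on attributes.event_id."""
    return lambda ev: ev["attributes"]["event_id"] == value


def details(expr):
    """Details filter in the page's 'path:value' form, e.g. 'attributes.event_category:Log Clear'."""
    path, _, wanted = expr.partition(":")
    keys = path.split(".")

    def match(ev):
        node = ev
        for key in keys:  # walk the dotted path; a missing key means no match
            if not isinstance(node, dict) or key not in node:
                return False
            node = node[key]
        return str(node) == wanted

    return match


def search(events, *filters):
    """All filters are ANDed: an event is returned only if every filter accepts it."""
    return [ev for ev in events if all(f(ev) for f in filters)]
```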
