8.6 Viewing Anomaly Events

When an anomaly is detected, Sentinel generates an anomaly event. Anomaly event fields contain detailed information about the anomaly.

To view the anomaly events:

  1. In the Sentinel Main interface, in the left pane, expand Filters > My filters, click Anomaly Events, click .

  2. To view the event field values for an anomaly event, in the search results, click All next to the anomaly event.

The following table describes the various event fields in an anomaly event:

Anomaly Event Field

ID

Sample Value

Description

BeginTime

bgnt

2014-01-06T07:13:00.000Z

The start of the time range when the anomaly was detected.

EndTime

endt

2014-01-06T07:17:00.000Z

The end of the time range when the anomaly was detected.

EventName

evt

FailedLogins:AbnormalFailedLogins

The name of the anomaly definition.

EventTime

dt

2014-01-06T07:18:54.285Z

The time when the anomaly event was generated.

Message

msg

abnormal failed login activity

The description in the anomaly definition.

ObserverCategory

rv32

SIEM

For an anomaly event, this event field is always set to SIEM.

ObserverServiceComponent

rv150

/Create a user session/Failure

The classifier path which contains the categories displayed in the dashboard.

ObserverTZ

estz

Asia/Kolkata

The time zone in which the anomaly engine is located.

ObserverType

st

Y

For an anomaly event, the event field is always set to Y.

SentinelProcessingComponent

rt2

AbnormalFailedLogins

The anomaly definition name.

SentinelProcessingComponentID

rv123

2F38BBCA-1A39-42A9-9873-D2C4CE732B0D

This is the UUID of the dashboard which is associated with the anomaly definition. The UUID remains the same even though the dashboard name changes.

SentinelServiceComponentID

rv124

B7E6B2A7-CDB1-40A8-AA33-8AE99284DE6B

This is the ID of the anomaly definition. The ID remains the same even though the anomaly definition name changes.

SentinelServiceComponentName

sres

FailedLogins

This is the dashboard name associated with the anomaly definition.

SentinelServiceName

res

SecurityIntelligence

For an anomaly event, this event field is always set to SecurityIntelligence.

Severity

sev

5

The severity in the anomaly definition.

XDASClass

xdasclass

11

For an anomaly event, this event field is always set to 11.

XDASDetail

xdasdetail

12

For an anomaly event, this event field is always set to 12.

XDASIdentifier

xdasid

13

For an anomaly event, this event field is always set to 13.

XDASOutcome

xdasoutcome

1

For an anomaly event, this event field is always set to 1.

XDASOutcomeName

xdasoutcomename

XDAS_OUT_THRESHOLD_EXCEEDED

For an anomaly event, this event field is always set to XDAS_OUT_THRESHOLD_EXCEEDED.

XDASProvider

xdasprov

0

For an anomaly event, this event field is always set to 0.

XDASRegistry

xdasreg

0

For an anomaly event, this event field is always set to 0.

XDASTaxonomyName

xdastaxname

XDAS_AE_ANOMALY

For an anomaly event, this event field is always set to XDAS_AE_ANOMALY.

For more information on anomaly event fields, click Tips in the Sentinel Main interface. For more information on the event taxonomy and event fields, see Sentinel Taxonomy.

You can use the event field IDs to create search queries to find specific anomaly events. For example, if you want to search for the anomaly events that were generated because of the anomaly definition AbnormalFailedLogins, specify the following query in the Search field:

st:y AND rt2:AbnormalFailedLogins 

For more information about searching for events, see Searching Events Indexed in Traditional Storage.