5.2 Sample Filters

5.2.1 View Events of Severity 3 to 5 from a System in China

  • Click Build Criteria > Event fields, select SourceHostCountry.

  • The name should match any string that contains the name “China.” For example, “ChinaBeijing.” Specify china* in the Value field.

  • The severity of the events must be 3 to 5:

    • In Event fields, select Severity.

    • In the Values that range from field, specify 3 TO 5.

NOTE:If you are familiar with the search query syntax, you can directly specify the query in the Criteria field as follows:

(rv29:china*) AND (sev:[3 TO 5])

For more information on the search query syntax, see Section A.0, Search Query Syntax.

Click Search to view events that match the specified criteria.

5.2.2 Determine if User “Bob Smith” Tried to Log In after His Account was Disabled

  • Click Build Criteria > Event fields, select the following:

    • InitiatorUserName

    • TargetUserName

    • EffectiveUserName

  • Select the OR condition.

  • Specify "Bob Smith" in the Value field.

  • To determine if the user has logged in, or tried to log in, select Taxonomy in Criteria fields.

    NOTE:You can also select the appropriate event fields if you are familiar with the values to be specified for the event fields. Taxonomy is a classification of events where events of similar type are grouped together. It helps you search events based on the taxonomy classification rather than you specifying the specific event names and their values.

  • In the Field details, select the following:

    • From the Class drop-down list, select User Session Events.

    • From the Identifier drop-down list, select Create.

    • For Outcome, select Success, then select Failure.

NOTE:If you are familiar with the search query syntax, you can directly specify the query in the Criteria field as follows:

(xdasclass:2 AND xdasid:0 AND (xdasoutcome:0 OR xdasoutcome:1)) AND (iufname:"Bob Smith")

For more information on taxonomy, see Sentinel Taxonomy.

Click Search to view the events that match the specified criteria.

5.2.3 View Events from Two Subnets and Share the Filter with Network Administrators

  • Select subnets:

    • Click Build Criteria > Event fields, select SourceIP.

    • In Field details > Value, specify the subnet, for example, 172.17.0.0/16.

    • Repeat the above two steps to specify another subnet.

  • The events must be from either of the subnets. Therefore, select OR as the condition.

  • Click Search to view events that match the specified criteria.

  • The filter must be shared with network administrators:

    • In the search results panel, click , then click Save as new filter.

    • Specify an intuitive name and an optional description.

    • From the drop-down list, select Share with roles, then select Network Administrator.

  • Click Save.

5.2.4 Find all Events that Include the Words “database” and “service,” and exclude “test”

  • Click Build Criteria > Criteria fields, select All data.

  • You want to find events that include words “database” and “service,” and exclude “test.” Therefore, in Field details, specify the following:

    • In the All of these words field, specify database service.

    • In the Exclude these words field, specify test.

NOTE:If you are familiar with the search query syntax, you can directly specify the query in the Criteria field as follows:

_data:(database AND service) NOT _data:test

The _data field allows you to search for words that might appear in any event field. For more information, see The Default Search Field in Section A.0, Search Query Syntax.

Click Search to view the events that match the specified criteria.