Data Insights
Note: License Requirement for Data Insights
Currently, the Data Insights panel can only be accessed if you have one of the New-Scale licenses. For more information, see New-Scale Security Operations Portfolio Licenses.
A set of data insights can be displayed in the Event Details panel for any event in your search results that includes parsed user or device information. The Insights tab visualizes additional data for any parsed user or device included in the selected event. These data insights provide a quick, easy way to drill into information related to the event so that you can get a picture of what else is going on around it within a specific period of time.
For example, suppose you see an alert event triggered by a correlation rule in your search results and you want to quickly analyze this event in relation to surrounding behaviors. Using the Insights tab, you can investigate questions like:
Which assets has this user accessed in the past 15, 30, or 45 days?
Which countries has the user logged in from within that number of days?
What destination devices has the user accessed?
What files has the user accessed?
On the Insights tab, you can also easily move between the parsed users and devices in a selected event to tailor the specific insights displayed. You can expand the time range for the visualized information and select additional types of data insights from a list of commonly asked questions you might want to investigate.
Accessing Data Insights
To access Event Details from the different results views:
Timeline View – Do one of the following:
Click the options menu icon on the right of the event row and select Data Insights.
Expand the event row and click the Event Details link. When the panel opens, click on the Insights tab.
List View – Click View all fields in the upper right corner of an event row. When the panel opens, click on the Insights tab.
Table View – Click on the event row. When the panel opens, click on the Insights tab.
Interacting with Data Insights
You can interact with the Insights tab in the ways described below:
Use the drop-down menu in the top left of the tab to select which of the parsed users or devices you want to view insights for. The list includes values for any of the following fields that are parsed in the selected event: user, src_ip, dest_ip, host, src_host, dest_host. You can easily switch between these entities to view data insights for different aspects of the event.
Use the time range selector in the top right of the tab to select a different number of days to view insights for. Options include the last 15, 30, or 45 days.
Click More Insights at the bottom of the tab to open a list of additional insight questions that are commonly investigated for a given type of event. Select any of the insights you want to investigate and click Add. The additional visualizations are added to the Insights tab. You can select up to three insights to display at once.
To display different insights on the tab, click More Insights again and change your selection.
Use the arrow icons at the very top of the panel to navigate through the Insights tabs for the other events in your search results.