Detection Details
Detection Details information is available when you are viewing Search results that include detection events. A detection refers to an event that represents a possible security threat or anomalous behavior.
Important
Detection Details information is currently available for either Correlation Rule events or Exabeam Anomaly events.
Accessing Detection Details
To access Detection Details from different results views:
Timeline View – Click any detection box to open a Details panel with the Detection tab displayed.
List View – Find a detection event in the listed results (recognizable by the risk score in the top right corner of the event) and click Detection Details in the bottom left corner of the event row. A Details panel opens with a Detection tab displayed.
Table View – Find a detection event in the table of results (recognizable by the value rule in the Subject column) and click on the event row. A Details panel opens with a Detection tab displayed.
If you open a Detection tab from an event row in either the List or Table views, the tab that opens can show details for only the selected detection event. However, if you're working in the Timeline view of search results and you open a Detection tab from an event row that is associated with multiple detection events, the tab displays details for each detection event in a set of numbered Detection tabs across the panel just below the overview event information.
You can click to view the detection information for each detection event without leaving the Details panel.
When a Detection tab opens, it displays some overview event information. This information can include Source Endpoints, Destination Endpoints, Use Cases, or MITRE Tactics and Techniques that are covered by the detection event.
Below the overview event information, you can see information specific to the detection event, including the following:
Rules – This section lists the primary rules that triggered the detection. To view additional context-based rules that also contribute to the risk score, click the Show <n> Context Rules link under the primary rules.

To see more information about each rule, click the down arrow on a specific rule to view the parsed fields that support it. The fields are displayed with common information model fields at the top of each list and MITRE label fields at the bottom. You can further expand the MITRE labels section.

Raw Log – Shows the full raw message from the detection event.
Parsed Fields – Shows the entire list of parsed fields for the detection event.
Note
If an event does not specify a time zone, the time in the parsed fields is reported in the local time zone. In the raw log message, the time remains as is.
Interacting with Detection Details
You can interact with the Detection Details information in the ways described below:
Use the navigation icons at the top of the panel to move between events from the Search results.
Click the close icon to close the Details panel and return to the Search results.
Use the Search field at the top of the panel to search both the raw message and the list of parsed fields.
Use the numbered Detection tabs below the event overview information to view detection details for different detection events that are associated with the same event in the Timeline view.
Use the arrow icon to the right of each rule in the Rules section to expand the rule and view the parsed fields. You can also click the Copy icon to copy the contents of a specific rule to your clipboard.
Use the arrow icon in the top right corner of the Raw Log section to collapse and expand the log line.
Click the Copy Raw Log to Clipboard icon in the Raw Log section to copy the log line. This icon is only displayed when you hover your cursor over the Raw Log section.
Click the pin icon on the right side of any field in the PARSED FIELDS list to toggle the field's visibility in the search results. Toggling the visibility also changes whether the field is displayed in the parsed fields on the Timeline or List views of results and in the columns on the Table view of results. When visibility for a field is on, the pin icon appears blue. When visibility for a field is off, no pin appears until you hover your cursor over the field to display the grey pin icon.
Click the enrichment indicator icon next to any field that contains enriched data. A tooltip is displayed that explains the type and source of the enriched data.
To display additional options for each field in the list, click the drop-down menu icon that appears when you hover your cursor over a field row.
Depending on whether or not the field was included in the original query, the options below are available:
Click Copy to copy the value of the field to the clipboard.
Click Visualize Field to pivot immediately to the Dashboard application, where a visualized view of the information from your search query is preconfigured.
Use the Query Operators to add parsed fields to your query or to exclude them. Available operators include AND, AND NOT, or OR.
Click Remove to remove the field from your query. (Available only for field values that are already included in the query.)