- Search Overview
- Search Home Page
- Performing Searches
- Basic Search
- Advanced Search
- Advanced Search Building Blocks
- Running an Advanced Search Query
- Query Syntax
- Query by Subject
- Query by Vendor and Product
- Query by Field and Value
- Query by Context Table
- Query Using Regex
- Free Text Search
- Query Using Advanced Query Language Operators
- Query Using Aggregation Functions
- Query Using Structured Fields
- Dynamic Field Extraction
- Natural Language Search
- Anomaly Search
- Refine a Search
- Context Tables in Search
- Search Best Practices
- Search Results
- Dashboard Visualizations
Detection Details
Detection Details information is available when you are viewing Search results that include detection events. A detection refers to an event that represents a possible security threat or anomalous behavior.
Important
Detection Details information is currently available for either Correlation Rule events or Exabeam Anomaly events.
Accessing Detection Details
To access Detection Details from different results views:
Timeline View – Do one of the following to open a Details panel with the Detection tab displayed.
Click the options menu icon (
) on the right of an event row and select Detection Details.Expand an event and click the Event Details link. When the Details panel opens, click on the Detection tab.
Expand a detection event and click the Detection Details link.
List View – Find a detection event in the listed results (recognizable by the risk score in the top right corner of the event) and click Detection Details in the upper right corner of the event row. A Details panel opens with a Detection tab displayed.
Table View – Find a detection event in the table of results (recognizable by the value
rulein the Subject column) and click on the event row. A Details panel opens with a Detection tab displayed.
If you open a Detection tab from an event row in either the List or Table views, the tab that opens can show details for only the selected detection event. However, if you're working in the Timeline view of search results and you open a Detection tab from an event row that is associated with multiple detection events, the tab displays details for each detection event in a set of numbered Detection tabs across the panel just below the overview event information.
The number Detection tabs correspond to the numbered detection events in the Timeline view. You can click to view the detection information for each detection event without leaving the Details panel. If you open a Detection tab from the options menu of an event row, the panel opens with the first Detection tab displayed. If you open the tab from the link on one of the detection events, the panel opens with that specific Detection tab displayed.
 |
When a Detection tab opens, it displays some overview event information. This information can include Source Endpoints, Destination Endpoints, Use Cases, or MITRE Tactics and Techniques that are covered by the detection event.
Below the overview event information, you can see information specific to the detection event, including the following:
Rules – This section lists the rules that triggered the detection. Click the down arrow on each rule to view the parsed fields that support it. The fields are displayed with common information model fields at the top of each list and MITRE label fields at the bottom. You can further expand the MITRE labels section. You can also click Copy (
) icon to copy the contents of a specific rule to your clipboard.
Raw Log – Shows the full raw message from the detection event.
Parsed Fields – Shows the entire list of parsed fields for the detection event.
Note
If an event does not specify a time zone, the time in the parsed fields is reported in the local time zone. In the raw log message, the time remains as is.
Interacting with Detection Details
You can interact with the Detection Details information in the ways described below:
Use the
icons at the top of the panel to navigate between events from the Search results.Click the
icon to close the Details panel and return to the Search results. Use the Search field at the top of the panel to search both the raw message and the list of parsed fields.
Use the numbered Detection tabs below the event overview information to view detection details for different detection events that are associated with the same event in the Timeline view.
Use the arrow (
) icon to the right of each rule in the Rules section to expand the rule and view the parsed fields. You can also click Copy () icon to copy the contents of a specific rule to your clipboard.Use the arrow (
) icon in the top right corner of the Raw Log section to collapse and expand the log line.Click the Copy Raw Log to Clipboard icon (
) in the Raw Log section to copy the log line. This icon is only displayed when you hover your cursor over the Raw Log section.Click the
icon next to any field in the Parsed Fields list, to hide/show the field in the search results.Click the enrichment indicator icon (for example:
) next to any field that contains enriched data. A tooltip is displayed that explains the type and source of the enriched data.
To display additional options for each field in the list, click the drop-down menu icon (
) that appears when you hover your cursor over a field row. 
Depending on whether or not the field was included in the original query, the options below are available:
Use the AND, AND NOT, or OR operators to add the field to your query.
Click Remove to remove the field from your query. (Available only for fields that are already included in the query.)
Click Copy to copy the value of the field to the clipboard.
Click Visualize Field to pivot immediately to the Dashboard application, where a visualized view of the information from your search query is preconfigured.
