List View of Search Results
After you have run a search, a listing of the events matching your search criteria is shown at the bottom of the Search home page.
The default view of search results is the List view; however, you can switch to the Timeline or Table views by clicking their respective icons in the toolbar.
Each event has a natural language title that provides a simple description of the event. Each event title includes an icon that indicates the event type. In cases where no event title is available, or not enough fields were parsed, the event title defaults to the subject of the event.
You can interact with results in the List view in a number of ways. The sections below provide more detail about each portion of the List view page.
Toolbar Options
When search results first display in the List view, the toolbar above the results contains two rows. The top row contains the Summary button on the left and the view selector icons on the right. The second row of the toolbar displays page-specific options. To preserve viewing space as you scroll through the results, the toolbar collapses to one row. If you want to switch into a different view of the results, you'll need to return to the top of the page to redisplay the expanded version of the toolbar where the view selector icons are available.
On the toolbar, the following options are available:
Summary – Click to open a new panel on the left showing a list of all parsed fields in the search results, and a count of unique values for each field. By default, these results are calculated for the first 500 results. When opened, the Summary panel is pinned to the left side of the search results page. To close it, click the Summary button again. For more information about the options available on the Summary panel, see Field Summary.
View Selector Icons – Click on a view selector icon to switch into a different view of the search results data. Options include Timeline view, List view, and Table view.
Aggregation View – Click the Aggregation View icon to view a high-level summary of the search results. For more information about adding aggregation to your search results, see Aggregated Search Results.
Field Template – Click the drop-down menu to select which field template should determine the selection of fields displayed for each event in the results. By default, the Auto template is selected. For more information about selecting a different template, see Field Templates.
Lines per Log – Click the drop-down menu and select the number of log lines you want to display for each event in the results.
Rows per view – Click the drop-down menu to select the number of rows you want to view per page.
Pagination arrows – Click the pagination arrows to scroll backwards and forwards through the pages of event results.
Events in the List View
List view events are displayed chronologically, with the most recent events at the top. Each event has a natural language title that provides a simple description of the event. In cases where no event title is available, or not enough fields were parsed, the event title defaults to the subject of the event. Each event title also includes an icon that indicates the event type.
You can interact with each event in the following ways:
Click on any parsed field to display possible options for the field (options may vary depending on the query):
Use the AND, AND NOT, or OR operators to add the field to your query.
Click Copy to copy the value of the field to the clipboard.
Click Visualize Field to pivot immediately to the Dashboard application, which opens in the visualization editor view with the information from your search query preconfigured.
If the title of an event includes any dynamic fields, you can click on these dynamic fields for additional options, as with the parsed fields (such as adding it to the query, copying it, or visualizing it).
Click the Copy Link icon to copy the link to that event.
Click the Copy Raw Log icon to copy the raw log data.
View Event Details – To view detailed information about the event, click the View all fields link to open an Event Fields panel on the right. The panel opens with the Events tab displayed. It includes a full raw log message and the entire list of parsed fields from the event. For more information about working with this tab, see Event Details.
Note
If the event where you click the View all fields link is a detection event, a Rule Details panel opens with an Events tab displayed. It includes the raw log and the list of parsed fields, but also includes the rules that triggered the detection event.
View Associated Events – If an event in your Search results is a detection event, you can expand it to view any associated events it might be linked to. A detection event is an event that has been automatically triggered because it meets the criteria of one or more rules that are looking for possible security threats or anomalous behavior. You can recognize detection events by the risk score in the top right corner of the event row.
Click the Show associated events link to expand a list of events that are associated with a specific detection event in the Search results. This option is available for Correlation Rule events and Exabeam Anomaly events. There can be multiple events associated with a rule-trigger event and, when expanded, they are all displayed in an indented list under the rule-trigger event. In this way, the relationship between detections and their associated events is easily visible. To collapse the display of the associated events, click the Show associated events link again.
Note
In addition to one detection event being associated with multiple events, it can also be true that a single event can be associated with multiple detection events. However, this relationship is not viewable in the List view of Search results. To view all of the detections associated with a single event, switch to the Timeline view. The Timeline view is designed specifically with this type of investigation in mind. It makes the relationship between events and associated detections easily visible. For more information, see Timeline View of Search Results.