Filtering and Sorting Events in App Review (Triage)
The RocketCyber console now supports sorting and filtering event data through the new triage view interface.
To begin, click Review from the RocketCyber Console.
The Event Triage page is displayed.
At the top of the page, you will notice a Search/Filter interface.
The default filter for each page filters events for the current account context.
The main area of the Events Triage page, the Event Grid, displays the associated data in rows and columns.
Each column in the Event Grid can be sorted by clicking the column header. In this example, you can sort by:
- Detection Date
- Organization Name
- Device
- Event ID
- Category
- Source
Filtering Data
Searching and filtering data has been significantly improved using the Search/Filter interface.
The Search/Filter interface provides quick ways to filter data based on the App that is being reviewed.
In this example for Endpoint Event Log Monitor App, the available default search fields are the following:
- Verdict
- Detection Date
- Account
- Device
- Event ID
- Category
- Source
- Details
You can choose Detection Date from the filter list to filter for events that occurred during a specific time frame.
The Search interface will display fields for choosing a date range. Once the date range is entered, click Add Filter.
Next, click Search to display the desired results.
Filtering for Multiple Criteria
The search interface allows for filtering on multiple criteria.
Building on the previous example of filtering by detection date, let's search for a specific event ID in that date range.
We can do this by choosing another search filter from the dropdown menu and clicking on Event ID.
Next, enter the number 4624 for the ID value, then click Add Filter.
You can add as many filters as necessary.
When finished, click Search to display the desired results.
NOTE: All search filters are ANDed together to filter results.
In the example above, results will only be displayed if the Detection Date is between 07/11/2022 AND 07/14/2022 AND the Event ID is 4624.
Filtering for Details - Advanced
Events can be filtered by specific attributes found in the details of an event. The attributes for an event can be found by downloading the JSON from the console and reviewing the JSON structure.
For Endpoint Event Log details, the structure is similar to this:
{
  "type": "EventLogMonitor",
  "attributes":
  {
    "xml": "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Eventlog' Guid='{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}'/><EventID>104</EventID><Version>0</Version><Level>4</Level><Task>104</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2022-04-03T04:49:54.696269100Z'/><EventRecordID>1507515</EventRecordID><Correlation/><Execution ProcessID='980' ThreadID='992'/><Channel>System</Channel><Computer>Joe-User.rocketcyber.com</Computer><Security UserID='S-1-5-18'/></System><UserData><LogFileCleared xmlns='http://manifests.microsoft.com/win/2004/08/windows/eventlog'><SubjectUserName>SYSTEM</SubjectUserName><SubjectDomainName>NT AUTHORITY</SubjectDomainName><Channel>Windows PowerShell</Channel><BackupPath></BackupPath></LogFileCleared></UserData></Event>",
    "opcode": "Info",
    "message": "The Windows PowerShell log file was cleared.",
    "version": 0,
    "event_id": 104,
    "log_name": "System",
    "record_id": 1507515,
    "telemetry":
    {
      "event_sent_to_cloud": 1648961394.733,
      "event_sent_to_cloud_t": "2022-04-02 23:49:54",
      "event_log_msg_recieved": 1648961394.732,
      "event_log_msg_recieved_t": "2022-04-02 23:49:54",
      "event_log_msg_passed_post_app_result": 1648961394.733,
      "event_log_msg_passed_post_app_result_t": "2022-04-02 23:49:54"
    },
    "event_time": 1648961394,
    "event_type": "Information",
    "source_name": "Microsoft-Windows-Eventlog",
    "computer_name": "Joe-User.rocketcyber.com",
    "event_category": "Log Clear"
  }
}
If we want to search details for an attribute such as event_category, we could choose Details from the search dropdown menu and then enter the following text in the search value field:
attributes.event_category:Log Clear
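The two search behaviours described above, the AND-ing of all added filters (date range plus Event ID) and the dotted-path Details filter such as attributes.event_category:Log Clear, can be reproduced offline against the JSON that the console lets you download. The following Python is an added example written for this article; it is not RocketCyber code and it does not talk to the console. It assumes that the downloaded JSON has the shape shown above (a top-level "attributes" object holding event_id, event_time as a Unix timestamp, event_category, and so on) and it models the Details filter as an exact, case-sensitive match on "path:value"; the console's own matching rules (partial or case-insensitive matching) are not documented on this page, so treat that part as an assumption. The sample records are constructed: the first mirrors the Log Clear event above (xml and telemetry omitted), and the two 4624 logon records are invented to exercise the date range from the example.

```python
import json
from datetime import datetime, timezone


def utc_dt(y, m, d, hh=0, mm=0, ss=0):
    """Build a timezone-aware UTC datetime (used for filters and sample data)."""
    return datetime(y, m, d, hh, mm, ss, tzinfo=timezone.utc)


# Constructed sample data modelled on the Endpoint Event Log JSON shown on the page.
# Record 1 is the page's Log Clear event (event_time 1648961394 = 2022-04-03T04:49:54Z);
# records 2 and 3 are made-up 4624 logons, one inside and one outside 07/11-07/14/2022.
SAMPLE_EVENTS_JSON = json.dumps([
    {"type": "EventLogMonitor",
     "attributes": {"event_id": 104, "log_name": "System", "record_id": 1507515,
                    "event_time": 1648961394, "event_type": "Information",
                    "source_name": "Microsoft-Windows-Eventlog",
                    "computer_name": "Joe-User.rocketcyber.com",
                    "message": "The Windows PowerShell log file was cleared.",
                    "event_category": "Log Clear"}},
    {"type": "EventLogMonitor",
     "attributes": {"event_id": 4624, "log_name": "Security",
                    "event_time": int(utc_dt(2022, 7, 12, 9, 30).timestamp()),
                    "event_type": "Audit Success",
                    "source_name": "Microsoft-Windows-Security-Auditing",
                    "computer_name": "ws01.example.invalid", "event_category": "Logon"}},
    {"type": "EventLogMonitor",
     "attributes": {"event_id": 4624, "log_name": "Security",
                    "event_time": int(utc_dt(2022, 7, 20, 9, 30).timestamp()),
                    "event_type": "Audit Success",
                    "source_name": "Microsoft-Windows-Security-Auditing",
                    "computer_name": "ws02.example.invalid", "event_category": "Logon"}},
])


def load_events(text):
    """Parse the JSON downloaded from the console into a list of event dicts."""
    return json.loads(text)


def get_path(obj, dotted):
    """Resolve a dotted path like 'attributes.event_category'; None if any part is missing."""
    cur = obj
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def list_paths(obj, prefix=""):
    """Enumerate every dotted path in a record, so a field name can be checked
    against the real structure before it is typed into the Details filter."""
    paths = []
    for key, val in obj.items():
        full = f"{prefix}.{key}" if prefix else key
        if isinstance(val, dict):
            paths.extend(list_paths(val, full))
        else:
            paths.append(full)
    return paths


def detail_filter(text):
    """Build a predicate from 'path:value' text (split on the first colon only,
    so values containing spaces such as 'Log Clear' survive intact)."""
    path, sep, value = text.partition(":")
    if not sep or not path.strip():
        raise ValueError(f"expected 'path:value', got {text!r}")
    path, value = path.strip(), value.strip()

    def match(ev):
        actual = get_path(ev, path)
        # A misspelled path resolves to None and therefore never matches.
        return actual is not None and str(actual) == value
    return match


def date_range_filter(start, end):
    """Predicate: attributes.event_time (Unix seconds) falls within [start, end]."""
    def match(ev):
        ts = get_path(ev, "attributes.event_time")
        if ts is None:
            return False
        return start <= datetime.fromtimestamp(ts, tz=timezone.utc) <= end
    return match


def event_id_filter(event_id):
    """Predicate: attributes.event_id equals the given Windows event ID."""
    return lambda ev: get_path(ev, "attributes.event_id") == event_id


def search(events, *filters):
    """Apply every filter with AND semantics, as the triage search does."""
    return [ev for ev in events if all(f(ev) for f in filters)]


if __name__ == "__main__":
    events = load_events(SAMPLE_EVENTS_JSON)
    in_range = search(events,
                      date_range_filter(utc_dt(2022, 7, 11), utc_dt(2022, 7, 14, 23, 59, 59)),
                      event_id_filter(4624))
    print(len(in_range), "event(s) match the date range AND event id 4624")
    cleared = search(events, detail_filter("attributes.event_category:Log Clear"))
    print(cleared[0]["attributes"]["message"])
    print("attributes.event_category" in list_paths(events[0]))
```

Running it with the sample data returns one 4624 event for the combined date-range and Event ID filters (the 07/20 logon is excluded), and exactly the Log Clear record for the Details filter. The list_paths helper is the check worth keeping: a path that does not exist in the JSON (for instance a misspelled attribute name) silently matches nothing, which in a triage queue looks the same as "no events", so verifying the field name against the downloaded structure first avoids a false sense of a clean result.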