SGBox Event Text Lookup search (ETL)

The ETL function allows users to search the event history for a specific parameter value. With it you can search all past events for any occurrence of the value you select. This makes it possible, for example, to check whether the source IP address of a potential attack was contacted by the internal network.

Requirements:

  • SGBox version 5.0.4 is required.

Add a new widget to a new or existing dashboard. We use “Pattern Analysis”, but you can also use “Multiclass Analysis”.

Select a class and an event (in this example “[Snort] Standard message”, but any other event will fit the example).

Now select “Events detail Widget” and click “OK” to view the results.

If you see something strange or interesting, you can start a new search. In our example the SourceIP of this possible attack would be a good starting point.

Right-click on the value you want to search and a popup “Search this value as…” will appear.

Click on the popup to open a menu where you can select up to 20 different parameters at the same time. The value you clicked will be searched in ALL events as each of the selected parameters.

The dashboard will pop up to show you all the events that have the selected value in one of the parameters you’ve selected.

You can now filter the events by clicking on an item in the dashboard, and you can also save this view as a new dashboard. You will find it in your dashboard list.
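To make the idea behind the "Search this value as…" lookup concrete, here is an added Python example (not SGBox code) that searches one value as several parameters across a small constructed event history and then answers the question from the introduction: did an internal host contact the suspected attacker's IP? The key=value event lines, the field names SourceIP/DestIP/answer and the internal network 192.168.0.0/16 are all assumptions made for the illustration.

```python
import ipaddress
import shlex

# Constructed sample event history (not real SGBox data). Field names such as
# SourceIP, DestIP and answer are assumptions chosen for this illustration.
SAMPLE_EVENTS = [
    "ts=2024-01-10T08:00:01 class=snort msg='Standard message' SourceIP=203.0.113.5 DestIP=192.168.1.10 DestPort=443",
    "ts=2024-01-10T08:02:13 class=firewall action=allow SourceIP=192.168.1.22 DestIP=203.0.113.5 DestPort=8080",
    "ts=2024-01-10T08:05:40 class=proxy user=alice SourceIP=192.168.1.22 DestIP=198.51.100.7 DestPort=80",
    "ts=2024-01-10T08:09:02 class=dns client=192.168.1.30 answer=203.0.113.5 query=update.example.test",
]


def parse_event(line):
    """Split a key=value event line into a dict; shlex keeps quoted values whole."""
    fields = {}
    for token in shlex.split(line):
        key, sep, val = token.partition("=")
        if sep:
            fields[key] = val
    return fields


def lookup_value(events, value, params):
    """ETL-style search: return (parameter, event) for every event in which
    any of the selected parameters equals the value."""
    hits = []
    for line in events:
        ev = parse_event(line)
        for param in params:
            if ev.get(param) == value:
                hits.append((param, ev))
    return hits


def hits_by_param(events, value, params):
    """Summarise a lookup as {parameter: number of matching events}."""
    counts = {}
    for param, _ in lookup_value(events, value, params):
        counts[param] = counts.get(param, 0) + 1
    return counts


def contacted_by_internal(events, ip, internal_net="192.168.0.0/16"):
    """True if `ip` appears as DestIP in an event whose SourceIP lies inside the
    internal network, i.e. an internal host reached out to the suspect address."""
    net = ipaddress.ip_network(internal_net)
    for _, ev in lookup_value(events, ip, ["DestIP"]):
        src = ev.get("SourceIP")
        if src and ipaddress.ip_address(src) in net:
            return True
    return False
```

Searching the attacker IP as SourceIP, DestIP and answer shows where it occurs across classes; the firewall "allow" from 192.168.1.22 is the outbound contact that deserves a closer look.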