Working with events
The Threat hunting section contains tools that help you search threats and vulnerabilities by analyzing the events.
Viewing the events table
The events table provides you with an overview of all events received by KUMA Core from the data sources. The table displays the list of events filtered according to the executed SQL query.
To view the events table:
- In the main menu, go to Monitoring & reporting → Threat hunting.
- If necessary, apply the tenant filter. By default, the tenant filter is disabled and the events table displays the events related to all of the tenants to which you have the Read access right. To apply the tenant filter:
- Click the link next to the Tenant filter setting.
The tenant filter opens.
- Select the check boxes next to the required tenants.
The events table displays only the events related to the selected tenants.
- Click the link next to the Tenant filter setting.
The events table is displayed. For details about the table columns, refer to the normalized event data model.
Searching and filtering events
To search and filter events, modify an SQL query in the search field, and then click the Run Query button. You can enter the SQL query manually or generate it by using the query builder.
Data aggregation and grouping are supported in SQL queries.
You can add filter conditions to an already generated SQL query in the window for viewing statistics, the events table, and the event details area.
To change the filtering settings in the Statistics window
- Follow the steps to open the events table.
- Open the Statistics details area by using one of the following methods:
- Click the button in the top right corner of the events table, and then select Statistics.
- In the events table, click any value, and then select Statistics in the context menu that opens.
The Statistics details area appears in the right part of the web interface window.
- Open the drop-down list of the relevant parameter and hover your mouse cursor over the necessary value.
- Change the filter settings by doing one of the following:
- To include only events with the selected value, click the include button.
- To exclude all events with the selected value, click the exclude button.
To change the filtering settings in the events table
- Follow the steps to open the events table.
- Click an event parameter value in the events table.
- In the opened menu, select one of the following options:
- To show only events with the selected value, select Filter by this value.
- To exclude all events with the selected value from the table, select Exclude from filter.
To change the filter settings in the event details area
- Follow the steps to open the events table.
- Click a relevant event to invoke the event details panel.
- Change the filter settings by doing one of the following:
- To include only events with the selected value, click the include button.
- To exclude all events with the selected value, click the exclude button.
As a result, the filter settings and the events table are updated, and the new search query is displayed in the upper part of the screen.
When you switch to the query builder, the parameters of a query entered manually in the search field are not transferred to the builder, so you will need to create your query again. The query created in the builder does not overwrite the query that was entered into the search string until you click the Apply button in the builder window.
Click the button to save the current filter.
Manually creating SQL queries
You can use the search string to manually create SQL queries of any complexity to filter events.
Executing an SQL query affects the displayed table columns.
If the SQL query contains the * value, columns specified in the query are added to the table if they were absent. Removing a displayed column from subsequent queries does not hide the corresponding column.
If the SQL query does not contain the * value, the table only displays columns for the specified fields that conform to the normalized event data model. Columns are displayed even if there is no data for them.
To manually generate an SQL query:
- Follow the steps to open the events table.
- Enter your SQL query into the input field.
- Click the Apply query button.
The table displays events that satisfy the criteria of your query. If necessary, you can filter events by period.
To display non-printable characters in the SQL query field, press either of the following key combinations:
- Ctrl+*/Command+*
- Ctrl+Shift+8/Command+Shift+8
If you enable the display of non-printable characters in the XDR component, other components (such as KUMA) do not automatically display non-printable characters until you reload the components' browser tabs.
Supported functions and operators
SELECT
Event fields that should be returned.
For SELECT fields, the program supports the following functions and operators:
Aggregation functions: count, avg, max, min, sum.
Arithmetic and comparison operators: +, -, *, /, <, >, =, !=, >=, <=.
You can combine these functions and operators.
If you are using aggregation functions in a query, you cannot customize the events table display, sort events in ascending or descending order, or receive statistics.
FROM
Data source.
WHERE
Conditions for filtering events.
- AND, OR, NOT, =, !=, >, >=, <, <=
- IN
- BETWEEN
- LIKE
- ILIKE
- inSubnet
- match (queries use the re2 regular expression syntax; special characters must be escaped with "\")
GROUP BY
Event fields or aliases to be used for grouping the returned data.
If you are using data grouping in a query, you cannot customize the events table display, sort events in ascending or descending order, receive statistics, or perform a retrospective scan.
ORDER BY
Columns used as the basis for sorting the returned data.
Possible values:
- DESC — descending order.
- ASC — ascending order.
OFFSET
Skip the specified number of rows before returning the query results.
LIMIT
Number of rows displayed in the table.
The default value is 250.
When switching to the query builder, the query parameters that were manually entered into the search string are not transferred to the builder, so you will need to create your query again. Also, the query created in the builder does not overwrite the query that was entered into the search string until you click the Apply button in the builder window.
Aliases must not contain spaces.
Example queries
- SELECT * FROM `events` WHERE Type IN ('Base', 'Audit') ORDER BY Timestamp DESC LIMIT 250
In the events table, all events of the Base and Audit types are sorted by the Timestamp column in descending order. At most 250 rows are displayed in the table.
- SELECT * FROM `events` WHERE BytesIn BETWEEN 1000 AND 2000 ORDER BY Timestamp ASC LIMIT 250
All events for which the BytesIn field contains a received-traffic value in the range from 1,000 to 2,000 bytes are sorted by the Timestamp column in ascending order. At most 250 rows are displayed in the table.
- SELECT * FROM `events` WHERE Message LIKE '%ssh:%' ORDER BY Timestamp DESC LIMIT 250
In the events table, all events whose Message field matches the %ssh:% template in lowercase (use ILIKE for a case-insensitive match) are sorted by the Timestamp column in descending order. At most 250 rows are displayed in the table.
- SELECT * FROM `events` WHERE inSubnet(DeviceAddress, '00.0.0.0/00') ORDER BY Timestamp DESC LIMIT 250
In the events table, all events for the hosts that are in the 00.0.0.0/00 subnet are sorted by the Timestamp column in descending order. At most 250 rows are displayed in the table.
- SELECT * FROM `events` WHERE match(Message, 'ssh.*') ORDER BY Timestamp DESC LIMIT 250
In the events table, all events whose Message field contains text matching the ssh.* regular expression are sorted by the Timestamp column in descending order. At most 250 rows are displayed in the table.
- SELECT max(BytesOut) / 1024 FROM `events`
Maximum amount of outbound traffic (KB) for the selected time period.
- SELECT count(ID) AS "Count", SourcePort AS "Port" FROM `events` GROUP BY SourcePort ORDER BY Port ASC LIMIT 250
Number of events per port number. Events are grouped by port number and sorted by the Port column in ascending order. At most 250 rows are displayed in the table.
The ID column in the events table is named Count, and the SourcePort column is named Port.
- SELECT * FROM `events` WHERE match(Message, 'ssh:\'connection.*') ORDER BY Timestamp DESC LIMIT 250
If you want to use a special character in a query, you need to escape this character by placing a backslash (\) character in front of it.
In the events table, all events whose Message field contains text matching the ssh:\'connection.* regular expression (the apostrophe is escaped so that it is matched literally) are sorted by the Timestamp column in descending order. At most 250 rows are displayed in the table.
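The queries below are an added example, not taken from the KUMA documentation, that combine several of the constructs listed above (inSubnet, match, an aggregation with an alias, GROUP BY, ORDER BY and a regular expression with escaped special characters) into a two-step hunt for SSH password-guessing from internal hosts. The SourceAddress field is assumed to exist in the normalized event data model, and the regular expressions assume the collector stores the original sshd message text in Message.

```sql
-- Added example, not from the KUMA documentation.
-- Assumptions: the normalized event data model exposes SourceAddress, and
-- Message holds the original sshd text; adjust both to your environment.

-- Step 1: rank internal sources by the number of failed SSH password
-- attempts within the period selected in the time-range filter.
-- The count alias is used in ORDER BY, as in the Port example above.
SELECT count(ID) AS "Failures", SourceAddress AS "Source"
FROM `events`
WHERE inSubnet(SourceAddress, '10.0.0.0/8')
  AND match(Message, 'sshd.*Failed password')
GROUP BY SourceAddress
ORDER BY Failures DESC
LIMIT 50

-- Step 2: drill down into one source taken from the ranking.
-- 10.0.0.1 is a constructed placeholder address. The dots are escaped
-- with "\" so that re2 matches them literally; unescaped, "." would match
-- any character and 10.0.0.1 would also match, for example, 10x0y0z1.
-- No GROUP BY here, so the table can be sorted and Statistics used.
SELECT * FROM `events`
WHERE match(Message, 'Failed password for .* from 10\.0\.0\.1 port')
ORDER BY Timestamp DESC
LIMIT 250
```

Because the first query aggregates and groups, the events table display cannot be customized or sorted interactively and Statistics is unavailable, which is why the drill-down is written as a second, ungrouped query.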
Generating an SQL query using a builder
You can use the query builder to generate an SQL query for filtering events.
Executing an SQL query affects the displayed table columns.
If the SQL query contains the * value, columns specified in the query are added to the table if they were absent. Removing a displayed column from subsequent queries does not hide the corresponding column.
If the SQL query does not contain the * value, the table only displays columns for the specified fields that conform to the normalized event data model. Columns are displayed even if there is no data for them.
To generate an SQL query using the builder:
- Follow the steps to open the events table.
- Click the button to open the query builder.
Generate a search query by providing data in the following parameter blocks:
- SELECT
Event fields that should be returned. The * value is selected by default, which means that all available event fields must be returned. To adjust the displayed fields, select the desired fields in the drop-down list. Note that SELECT * increases the duration of the request execution, but eliminates the need to specify the fields in the request.
When selecting an event field, you can use the field on the right of the drop-down list to specify an alias for the column of displayed data, and you can use the right-most drop-down list to select the operation to perform on the data: count, max, min, avg, sum.
- FROM
Data source. Select the events value.
- WHERE
Conditions for filtering events.
To add conditions and groups, click the Add condition and Add group buttons. The AND operator value is selected by default in a group of conditions. Click the operator value to change it. Available values: AND, OR, NOT.
To change the structure of conditions and condition groups, use the drag-and-drop icon to move expressions.
To add filter conditions:
- In the drop-down list on the left, select the event field that you want to use for filtering.
- Select the necessary operator from the middle drop-down list. The available operators depend on the type of value of the selected event field.
- Enter the value of the condition. Depending on the selected type of field, you may have to manually enter the value, select it from the drop-down list, or select it on the calendar.
To delete filter conditions, click the X button. To delete group conditions, click the Delete group button.
- GROUP BY
Event fields or aliases to be used for grouping the returned data.
If you are using data grouping in a query, you cannot customize the events table display, sort events in ascending or descending order, receive statistics, or perform a retrospective scan.
- ORDER BY
Columns used as the basis for sorting the returned data. In the drop-down list on the right, you can select the necessary order: DESC — descending, ASC — ascending.
- LIMIT
Number of rows displayed in the table.
The default value is 250.
If you are filtering events by a user-defined period and the number of rows in the search results exceeds the defined value, you can click the Show next records button to display additional rows in the table. This button is not displayed when filtering events by the standard period.
- Click the Apply button.
The current SQL query will be overwritten. The generated SQL query is displayed in the search field.
To reset the builder settings, click the Default query button.
To close the builder without overwriting the existing query, click the close button.
- Click the Apply query button to display the data in the table.
The table will display the search results based on the generated SQL query.
When switching to another section of the web interface, the query generated in the builder is not preserved. If you return to the Events section from another section, the builder will display the default query.
Viewing event details
To open the event details panel, select an event in the events table in the Threat hunting section or in an alert details page.
The Event details panel appears in the right part of the web interface window and contains a list of the event parameters with values. In this area you can:
- Include the selected field in the search or exclude it from the search by clicking the include or exclude icon next to a parameter's value.
- Find similar events and add or delete a prevention rule by clicking the FileHash and DeviceCustomString values.
- When integrated with Kaspersky CyberTrace and Kaspersky Threat Intelligence Portal, you can add to Internal TI of CyberTrace and show info from Threat Lookup by clicking the FileHash and DeviceCustomString values.
- View the settings of the service that registered the event by clicking the Service value.
In the Event details panel, the name of the described object is shown instead of its ID in the values of the following settings. If you change the filter settings from the Event details panel, the object's ID, and not its name, is added to the SQL query:
- TenantID
- ServiceID
- DeviceAssetID
- SourceAssetID
- DestinationAssetID
- SourceAccountID
- DestinationAccountID
Saving and selecting events filter configuration
You can save the current filter configuration, including the time-based filter, query builder, and the events table settings, for future use. Saved filter configurations are available to you and other users that have corresponding access rights.
To save the current settings of the filter, query, and period
- Follow the steps to open the events table.
- Click the icon next to the search query and select Save current filter.
- In the New filter window that opens, enter the name of the filter configuration in the Name field. The name must contain 128 Unicode characters or less.
- In the Tenant drop-down list, select the tenant for which to save the created filter.
- Click Save.
The filter configuration is now saved.
To select a previously saved filter configuration
- Follow the steps to open the events table.
- Click the icon next to the search query and select the desired filter.
To save the current settings of the filter, query, and the events table settings
- Follow the steps to open the events table.
- Click the gear icon in the panel above the events table.
- Click Save current preset.
- In the New preset window that opens, enter the name of the preset in the Name field. The name must contain 128 Unicode characters or less.
- In the Tenant drop-down list, select the tenant for which to save the created preset.
- Click Save.
The preset configuration is now saved.
To select a previously saved preset
- Follow the steps to open the events table.
- Click the gear icon in the panel above the events table. Select the Presets tab.
- Select the desired preset.
To delete a previously saved filter configuration for all users
- Follow the steps to open the events table.
- Click the icon next to the search query.
- Click the delete icon next to the configuration that you need to delete.
- Click OK.
Filtering events by time range
You can specify the period to display events from.
To filter events by time range:
- Follow the steps to open the events table.
- Open the second drop-down list in the upper part of the window.
- Specify the time range. You can select predefined ranges relative to the current date and time or specify a custom range by using the Range start and Range end fields or by selecting dates in the calendar.
- Click the Apply button.
Exporting events
You can export information about events to a TSV file. The selection of events that will be exported to a TSV file depends on filter settings. The information is exported from the columns that are displayed in the events table. The columns in the exported file are populated with the available data even if they did not display in the events table in the Threat hunting section due to the special features of the SQL query.
To export information about events:
- Follow the steps to open the events table.
- Click the button in the top right corner of the events table and select Export TSV.
The new export TSV file task is created in the KUMA Task Manager section.
- Log in to the KUMA Console and find the task you created in the Task Manager section.
- Click the task type name and select Upload from the drop-down list.
The TSV file is downloaded and saved according to your browser's settings. By default, the file name is event-export-<date>_<time>.tsv.