Event Watch

Page Layout


This table lists every event bucket currently configured. Buckets can be searched and filtered using the facet on the left of the table.

The leftmost column of the table contains the "Status" toggles. Event buckets can be toggled on or off using these toggles.

The rightmost column of the table contains three "Action" buttons. The first button clones the rule, allowing the user to make changes and save it as a new rule. The second button, a pencil icon, allows the user to edit the bucket. The third button, a trash can icon, deletes the bucket.

The "EXPORT" button can be used to export all currently configured event buckets as a JSON file. Likewise, the "IMPORT" button in the top right corner of the table can be used to import a JSON file containing buckets that have already been configured. The "CREATE" button opens an "Event Watch Configuration" box for adding a new event bucket. Additionally, GitHub integration allows downloading pre-configured rules directly from Fluency's public GitHub repository.

Adding an Event Bucket

As an example, we're going to create a rule to collect events where the FilePreviewed or FileDownloaded operations were performed. This rule will trigger when a user previews or downloads more than 20 files in an hour. First, give the event a name; in this case we'll call it O365_Files_Accessed. Optionally, give it a description as well.

NOTE: By convention, bucket names use underscores between words.

Next, assign the bucket a category. In this case, the category is Office365. This allows buckets to be grouped more easily for usage and search purposes. Multiple tags can be attached to the bucket; these can also be used for searching.

Select an Event type from the dropdown menu. Event buckets can be applied to both metaflow data and event data. In this case, we want to apply this bucket to event data.

Once the Match All box is unchecked, click the "+ADD FILTER" button that appears to open this window. There are three filter types: field, entityinfo, and feed. Field usesT

Select a field from the dropdown menu to filter the query (typing into the dropdown bar will search the options available). Type in a match and press enter to add it to the list.

Once added, the match will look like this. More matches can continue to be added in this manner. Once done, press the "SAVE" button to attach this filter to the event bucket.

Next, indicate by which fields the resulting data should be grouped. We want the user field, which can be accessed as "@fields.UserId". This dropdown menu can also be used to search through available field names.

The last field is aggregations. There are four types of aggregations: count, sum, cardinality, and tail. The first aggregation we want is a count, called "eventcount." This will provide a graphic representation of the total number of events aggregated by this event bucket. Click "+ ADD" to attach this aggregation to the bucket.

Aggregations can also be correlated to fields. We want to add a cardinality aggregation to the field "@fields.Operation" called "uniqueCmd." This will keep track of all unique operations within this event bucket.


Once all the fields are filled out, click the purple "HISTOGRAM" button to test the event bucket.

This will generate the graphs being defined in order to determine whether the desired data has been selected. If the graphs look correct, click "SAVE" to add the bucket.

NOTE: A bucket does not start generating data until it's saved. This means that even though the histogram button can retroactively populate the graphs with data, actual data will not appear on the Event Buckets page immediately.
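To make the walkthrough concrete, here is an added example (not Fluency's code) that models what the O365_Files_Accessed bucket computes: filter events whose Operation is FilePreviewed or FileDownloaded, group them by UserId per hour, and compute the two aggregations from the steps above, "eventcount" (count) and "uniqueCmd" (cardinality of Operation), flagging any group with more than 20 events. The event shape (UserId, Operation, CreationTime keys with ISO-8601 UTC timestamps), the fixed clock-hour window and the sample records are all assumptions constructed for the example.

```python
"""Added example (not Fluency's code): an offline model of the O365_Files_Accessed
event bucket described in the walkthrough.

Assumptions (not taken from the page): events are dicts shaped like Office 365
audit records with "UserId", "Operation" and "CreationTime" keys, timestamps are
ISO-8601 UTC, and the hourly window is a fixed clock-hour, not a sliding window.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Search filter from the walkthrough: Operation must be one of these values.
WATCHED_OPERATIONS = {"FilePreviewed", "FileDownloaded"}
# Threshold from the walkthrough: more than 20 file accesses per user per hour.
THRESHOLD = 20


def hour_bucket(ts: str) -> datetime:
    """Truncate an ISO-8601 timestamp to the start of its UTC hour."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return dt.astimezone(timezone.utc).replace(minute=0, second=0, microsecond=0)


def aggregate(events):
    """Group matching events by (UserId, hour) and compute the two aggregations:
    eventcount (count of events) and uniqueCmd (cardinality of Operation)."""
    groups = defaultdict(lambda: {"eventcount": 0, "operations": set()})
    for ev in events:
        if ev.get("Operation") not in WATCHED_OPERATIONS:
            continue  # the search filter drops events that do not match
        key = (ev["UserId"], hour_bucket(ev["CreationTime"]))
        groups[key]["eventcount"] += 1
        groups[key]["operations"].add(ev["Operation"])
    return {
        key: {"eventcount": g["eventcount"], "uniqueCmd": len(g["operations"])}
        for key, g in groups.items()
    }


def triggered(aggregates, threshold=THRESHOLD):
    """Return the (UserId, hour) groups whose eventcount exceeds the threshold."""
    return sorted(key for key, agg in aggregates.items() if agg["eventcount"] > threshold)


# Constructed sample events (not real audit data): alice performs 22 file accesses
# within the 09:00 hour, bob performs 5 plus one unrelated login event.
SAMPLE_EVENTS = (
    [{"UserId": "alice@example.com", "Operation": "FileDownloaded",
      "CreationTime": f"2024-01-15T09:{i:02d}:00Z"} for i in range(21)]
    + [{"UserId": "alice@example.com", "Operation": "FilePreviewed",
        "CreationTime": "2024-01-15T09:30:00Z"}]
    + [{"UserId": "bob@example.com", "Operation": "FileDownloaded",
        "CreationTime": f"2024-01-15T09:{i:02d}:00Z"} for i in range(5)]
    + [{"UserId": "bob@example.com", "Operation": "UserLoggedIn",
        "CreationTime": "2024-01-15T09:10:00Z"}]
)

if __name__ == "__main__":
    aggs = aggregate(SAMPLE_EVENTS)
    for (user, hour), agg in sorted(aggs.items()):
        print(user, hour.isoformat(), agg)
    print("triggered:", triggered(aggs))
```

Running the script shows alice's group at eventcount 22 with uniqueCmd 2 (both watched operations seen) and bob's at eventcount 5 with uniqueCmd 1, so only alice's group crosses the threshold. The cardinality aggregation is what distinguishes a user who only previews files from one who mixes previews and downloads, which a plain count cannot show.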

Adding an Event Bucket from the Events Page

Event buckets can also be configured through the events page. First, we will add an event bucket with no search filters or query. To start, navigate to the Events page from the menu.

Click the "SEARCH" button to load the event data.

Scroll down to view all the events.

Select an event that contains the desired field and click the chevron arrow to expand the event into JSON table view.

When highlighting a field, notice that there are three buttons to the right of the field and value. There is an eye, which when clicked will check that field's value within the facet. The next button, a crossed out eye, will exclude that field's value within the facet. Lastly, there is a histogram button, which is the button we will use. This button will redirect us to the Event Watch Configuration page, using the highlighted field in the "Group By Field" section on the creation form.

When redirected to this page, the "Match ALL" check box is filled in since we did not specify a query or filters. The Group By Field box is already populated. Fill out the rest of the form as shown above, and click "SAVE" to save this bucket.

For the next example, navigate back to the events page. This time, define a facet. In this case, we have just selected "fl_suricata" under the Tags field.

Scroll down to the table and select one of the events to expand. Like above, highlight the desired field and click the histogram button to redirect to the event bucket creation page.

Notice how the Search Filters and Group By Field fields are already populated with the information entered on the Events page. Follow the steps from above to fill in the rest of the fields and click "SAVE" to add the event bucket.

For this last example, return to the Events page and clear the facet. This time, we will input a query into the search bar and press "SEARCH" to return events matching the query.

Scroll down to the events table and expand an event containing the desired field. Highlight the field and click the histogram button to redirect to the Event Watch Configuration page.

Notice how the Query and Group By Field fields are already populated with the information entered on the Events page. Follow the steps from above to fill in the rest of the fields and click "SAVE" to add the event bucket.