Analytics Search

The Analytics search tab displays a list of all log events from the connected sensors and UserGate SIEM log events. To search for events of interest, use the search field to create an SQL-like search query. To formulate a query, use field names, field values, keywords, and operators. For the query syntax, refer to the section Data Search and Filtering. The query can also be written using the Google/RE2 syntax in a MATCH operator.

By clicking Add rule, you can add a new analytics rule that will use the search query you have entered as the filter query. For more details on analytics rules, see the Analytics section.

In addition, by clicking Add condition, you can create a condition from the entered search query and add it to the analytics rule created earlier. When adding a condition, specify the analytics rule and a name for the condition.

The selected event can be added to an incident by clicking Add to incident. For more details about incidents, see the chapter Incident Settings.

Two event data views can be used: table and plain text. To switch to the desired view, click Switch to plain text view or Switch to table view.

The Analytics search tab displays the following event information.

Name in database | Name in search query | Description

Node | node | The node name of the NGFW or SIEM device.

Time | date | The time when the event occurred or the analytics rule was triggered. Displayed in the timezone set in UserGate SIEM.

First event time | triggeredAlertFirstEventDate | For the triggered alert log: the time of the first event included in the triggered alert for the analytics rule.

Last event time | triggeredAlertLastEventDate | For the triggered alert log: the time of the last event included in the triggered alert for the analytics rule.

Source | source | The log where the event was recorded: SIEM, NGFW, endpoint, or triggered alert logs.

Severity | severity | The event category for NGFW and SIEM event logs:
  • Info: events that normally do not require administrator attention
  • Warning: events that indicate possible problems
  • Error: events that indicate errors
  • Critical: events that indicate critical errors that can affect functionality.

Component | component | The component where the event occurred (e.g., updates, settings, console authorization, analytics). Applicable to NGFW and SIEM event log records.

Event type | event | The event type from an NGFW or SIEM event log (e.g., check, download, update installation, successful/failed authorization, parameter search).

User | user | The name of the user whose account was used to log in to the NGFW, SIEM, or endpoint device. Applicable to NGFW, SIEM, and endpoint event log records as well as web access, traffic, IDPS, and triggered alert log records.

Module | module | The module where the event occurred (e.g., Web console, Core, VPN server). Applicable to NGFW and SIEM event log records.

Change tracker | changeTracker | The type of the change (SIEM or NGFW event log). The possible change types can be specified by the user.

Data | data | Detailed information about the event. Applicable to endpoint event log and Syslog records.

Information | details | Detailed information about the event from SIEM and NGFW event logs.

Rule | rule | The name of the analytics, firewall, content filtering, SCADA, or IDPS rule.

Action | action | The action configured in the firewall, content filtering, SCADA, or IDPS rules:
  • Allow (allow/pass/allow_webaccess): for firewall, IDPS, or content filtering rules
  • Safe browsing ('safe browsing')
  • Captive portal ('captive portal')
  • Warning (warning): for content filtering rules
  • Alert (alert): applicable to DoS protection in a zone
  • NAT (nat)
  • DNAT (dnat)
  • Port forwarding ('port forwarding')
  • Policy-based routing ('policy based routing')
  • Network mapping ('network mapping')
  • Deny (deny/drop/deny_webaccess): for firewall, IDPS, or content filtering rules
  • Decrypt (decrypt): for inspection rules
  • Log (log): for IDPS rules
  • Pass (pass): for SCADA rules
  • Drop (drop): for SCADA rules.

Application | application | Application name. Applicable to traffic, IDPS, Syslog, and endpoint rule and application log records.

Application threat | applicationThreat | Application threat level. Applicable to web access, traffic, and IDPS log records.

Network protocol | networkProtocol | The transport connection protocol used to access the resource. Applicable to traffic, IDPS, and endpoint rule log records.

Application layer protocol | httpProtocol | The HTTP protocol version. Applicable to web access log records.

URL categories | urlCategory | Categories to which the website belongs. Applicable to web access and endpoint rule log records.

URL category threat | urlCategoryThreat | Threat level for the URL category. Applicable to web access log records.

Reasons | | The reasons (e.g., for blocking) from the web access log.

HTTP method | httpMethod | The HTTP method (the main operation on the resource):
  • OPTIONS: used to determine the web server capabilities or connection parameters for a specific resource
  • GET: used to request the content of the specified resource
  • HEAD: similar to GET, except that the body is omitted from the server response
  • POST: used to send user data to the specified resource
  • PUT: used to upload the request content to the URI specified in the request
  • PATCH: similar to PUT but applied only to a part of the resource
  • DELETE: deletes the specified resource
  • TRACE: returns the received request so that the client can see what information is added or modified in the request by intermediate servers
  • CONNECT: transforms the request connection into a transparent TCP/IP tunnel.
Applicable to web access log records.

HTTP status code | statusCode | The status code from the first line of the HTTP server response. Applicable to web access log records.

Content type | mime | The type of the content. Applicable to web access and endpoint rule log records.

URL | url | The URL of the resource that was accessed. Applicable to web access log records.

Referer | referer | The URL of the previous page (if any). Applicable to web access log records.

Operating system | operatingSystem | The operating system type on the user device. Applicable to web access and IDPS log records.

Useragent | userAgent | The browser user agent string. Applicable to web access log records.

Signatures | signature | The name of the triggered IPS signature. Applicable to IDPS log records.

Signature threat | signatureThreat | Signature threat level. Applicable to IDPS log records.

Source zone | zoneSource | The source zone. Applicable to web access, traffic, SCADA, and IDPS log records.

Source IP | ipSource | The source IP address for the traffic. Applicable to web access, traffic, SCADA, IDPS, and endpoint rule log records.

Source port | portSource | The source port number used for the connection. Applicable to web access, traffic, IDPS, and endpoint rule log records.

Source MAC address | macSource | The source MAC address. Applicable to traffic and IDPS log records.

Destination zone | zoneDest | The destination zone. Applicable to web access, traffic, IDPS, and endpoint rule log records.

IP dest | ipDest | The destination IP address for the traffic. Applicable to web access, traffic, SCADA, IDPS, and endpoint rule log records.

Destination port | portDest | The destination port number used by the transport protocol. Applicable to web access, traffic, SCADA, IDPS, and endpoint rule log records.

Destination MAC address | macDest | The destination MAC address. Applicable to traffic and IDPS log records.

NAT source IP | natIpSource | The NAT source IP address (if NAT rules are configured). Applicable to traffic log records.

NAT source port | natPortSource | The NAT source port (if NAT rules are configured). Applicable to traffic log records.

NAT destination IP | natIpDest | The NAT destination IP address (if NAT rules are configured). Applicable to traffic log records.

NAT destination port | natPortDest | The NAT destination port (if NAT rules are configured). Applicable to traffic log records.

Bytes sent/received | bytesSent/bytesRecv | The amount of data sent and received. Applicable to traffic and web access log records.

Packets sent/received | packetSent/packetRecv | The number of packets sent and received. Applicable to traffic and web access log records.

Endpoint/sensor | sensor | The name of the endpoint device/sensor. Applicable to endpoint event log records.

Counter | counter | The name of the counter added to the WMI or SNMP sensor. Applicable to endpoint event log records.

SNMP object | snmpObject | The SNMP object ID (SNMP OID). Applicable to endpoint event log records.

SNMP object type | snmpObjectType | The SNMP object type. Applicable to endpoint event log records.

Status | status | The result of the WMI or SNMP query (OK or Error). Applicable to endpoint event log records.

Error | error | The WMI or SNMP error that occurred as a result of the query. Applicable to endpoint event log records.

SCADA protocol | scadaProtocol | The SCADA (Supervisory Control And Data Acquisition) protocol:
  • IEC 104
  • Modbus
  • DNP3 (Distributed Network Protocol)
  • MMS (Manufacturing Message Specification)
  • OPC UA (Open Platform Communications Unified Architecture).
Applicable to SCADA log records.

Log level | logLevel | The type of the event:
  • Audit Success: a security log event that occurs on successful access to the audited resources
  • Audit Failure: a security log event that occurs on failed access to the audited resources
  • Error: points to significant problems that can cause loss of functionality or data
  • Information: an informational event that usually does not require administrator attention
  • Warning: points to problems that do not need urgent fixing but can cause errors in the future.
Applicable to endpoint event log records.

Log event source | logEventSource | The name of the software that logged the event. Applicable to endpoint event log records.

Log category | logCategory | The log category used to classify the events. The data is taken from the Windows EventLog. Each source can define its own category IDs. Applicable to endpoint event log records.

Task category | taskCategory | The category of the task. Applicable to endpoint event log records.

Computer name | computerName | The full name of the endpoint device. Applicable to endpoint event log and Syslog records.

Log event code | logEventCode | The log event code corresponding to a specific event. Applicable to endpoint event log records.

Log event ID | logEventId | The log event ID that determines the primary ID of the event. Applicable to endpoint event log records.

Log event type | logEventType | The type of the log event. This is a numeric parameter that represents the log level:
  • 1: error log level
  • 2: warning log level
  • 3: information log level
  • 4: audit success log level
  • 5: audit failure log level.
Applicable to endpoint event log records.

Insertion string | insertionString | Contains the EventData block of the Windows event. Applicable to endpoint event log records.

Log file | logFile | Shows information from the endpoint event log, i.e., important software and hardware events. The following log file types exist:
  • Application (application log file): for application and service events.
  • Security (security log file): for audit system events.
  • System (system log file): for device driver events.
  • CustomLog: contains events logged by applications that create a custom log. The use of a custom log allows an application to control the log size or attach access control lists for security purposes without affecting other applications.
Applicable to endpoint event log records.

Command | scadaCommand | The SCADA control command (e.g., read or write). Applicable to SCADA log records.

Registry address | scadaAddress | The address of the register on which the operation (read or write) should be performed. Applicable to SCADA log records.

ASDU number | scadaAsdu | The ASDU address (COA, or Common Object Address). Refers to the IEC 104 protocol. Applicable to SCADA log records.

Device ID | scadaDevice | The unique device number from the OPC server database. Used with the OPC UA protocol. Applicable to SCADA log records.

Variable name | scadaVarname | The name of the variable. This parameter is mainly used for real-time data exchange. Refers to the MMS protocol. Applicable to SCADA log records.

Hash | hash | The application's hash. This is a parameter in the endpoint application log.

Object | facility | The event type. Applicable to Syslog records. Available values:
  • Kernel messages
  • User-level messages
  • Mail system
  • System daemon
  • Security/authorization
  • Syslog messages
  • Line printer subsystem
  • Network news subsystem
  • UUCP subsystem
  • Clock daemon
  • Security/authentication
  • FTP Daemon
  • NTP subsystem
  • Log audit
  • Log alert
  • Clock daemon 2
  • Local0-Local7.

Severity | syslogSeverity | The event severity for Syslog records:
  • Emergency: a critical state that affects system health
  • Alert: a state that requires immediate intervention
  • Critical: a state that requires immediate intervention or signals a fault in the system
  • Error: non-critical system faults
  • Warnings: potential errors that can occur if no action is taken
  • Notice: events that relate to unusual system behavior but are not errors
  • Info: informational alerts
  • Debug: information useful to developers for debugging applications.

Process ID | processId | The process identifier. Applicable to Syslog records.
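The facility and syslogSeverity values listed above are the 24 syslog facility codes and 8 severity codes in numeric order. As an added example (not UserGate's code), the following Python decodes the PRI header of a raw syslog line into those two labels, assuming the fields are derived from the PRI value in the standard way (PRI = facility * 8 + severity); the sample lines are constructed.

```python
import re

# Facility labels as listed for the facility field, in numeric order
# (syslog facility codes 0-23, RFC 3164/5424).
FACILITIES = [
    "Kernel messages", "User-level messages", "Mail system", "System daemon",
    "Security/authorization", "Syslog messages", "Line printer subsystem",
    "Network news subsystem", "UUCP subsystem", "Clock daemon",
    "Security/authentication", "FTP Daemon", "NTP subsystem", "Log audit",
    "Log alert", "Clock daemon 2",
] + [f"Local{n}" for n in range(8)]

# Severity labels as listed for the syslogSeverity field (codes 0-7).
SEVERITIES = [
    "Emergency", "Alert", "Critical", "Error",
    "Warnings", "Notice", "Info", "Debug",
]

# A syslog line starts with "<PRI>", where PRI = facility * 8 + severity.
_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def decode_pri(line: str) -> dict:
    """Return the facility and syslogSeverity fields for one raw syslog line.

    Raises ValueError for lines with no PRI header or an out-of-range value
    (PRI must be 0..191), so malformed input is rejected instead of being
    silently filed under a wrong facility. Assumed derivation, not UserGate's
    own parser.
    """
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> header")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError(f"PRI {pri} out of range")
    facility, severity = divmod(pri, 8)
    return {
        "facility": FACILITIES[facility],
        "syslogSeverity": SEVERITIES[severity],
        "message": m.group(2),
    }


# Constructed sample lines (not captured from a real system).
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 host su: 'su root' failed for user on /dev/pts/8",
    "<165>1 2024-01-01T00:00:00Z host app - - - local4 notice message",
    "<0>kernel panic",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(decode_pri(line))  # e.g. <34> -> Security/authorization, Critical
```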

The administrator can choose to display only the columns they need. To do that, point the mouse cursor at the name of any column, click the arrow that appears to the right of the column name, choose Columns, and select the desired parameters in the context menu.