
Browser Mode

Browser mode was introduced to the Web Interface to give operators a clear view of the events collected. It can be accessed from the Browser module interface by pressing the button in the top-left section of the Web Interface at any time.

Working with Browser module

The module operation area is divided into the following sections:

  • Search and Filter section allows you to granularly control what information is displayed in dashboards.

  • Results section lists the actionable data returned by your searches and filters.

  • Geolocation section is a graphical display that marks events on a world map based on the originating or destination IP address.

Browser Search and Filter section

This section allows you to control what information is displayed in Browser, and to define additional filters and the method for combining them, for searched data within a specified date and time interval.

1) Search field provides the ability to filter displayed information using free text capabilities. If nothing is entered in the field, all events are displayed.

You will find a similar search field available for Dashboards module. A complete guide to using free text capabilities is included in this manual: Using Searches.

Unlike in Dashboards module, there is an extra drop-down list available next to the Search field.

Using this drop-down list, you can instruct the interface how many items are displayed per page. The default option is 10 items, but you can increase it to 50 or 100 items.

2) You can specify additional filters using the Filtering options. By default, nothing is selected. When you open the Additional filters drop-down list, you are presented with a large collection of pre-defined filters sorted by technology. You can select one or multiple filters.

You will also need to select the logical method for combining the selected filters in the Combining method drop-down list. Available options are the AND and OR logical operators. Please note that the operator you choose applies to all selected filters.

When finished, press the button to apply your selections.

Other options available in Search and Filter section:

  • Send to investigations option will direct your selection to Investigations module. The option opens a new web browser tab to the Investigations interface. You are presented with a Filter data window that is already populated with the filtering information you entered. Press the button to run the data extraction based on your filters and display the results in the Investigations interface.

  • Send to dashboards option will direct your selection to Dashboards module. The option opens a new web browser tab to Dashboards interface listing filtered results.

  • Send to alerts option will direct your selection to Alerts module. The option opens a new web browser tab to Alerts interface listing filtered results.

  • Export all events option allows you to create a CSV export file containing all events listed in the Results section. Because the number of events can be very high, which may make this a lengthy operation, pressing this button opens a status window showing the export progress as a percentage. When the export reaches 100%, you can save the file by accessing the Download report CSV link.

You can also choose to save your current filter selection at any time. By pressing the save button you are presented with three options for making your filter selection permanent:

  • Save as New Dashboard option opens Save as New Dashboard window which allows you to create a new dashboard. The following must be specified:

    • A convention-based name for the new dashboard. This name will show in dashboard lists

    • A descriptive friendly name for the new dashboard. This name will be displayed in Dashboards interface

    • A descriptive text detailing the information that will be presented in the new dashboard

    • The field by which graph will be built

    • Graphic type (Barchart, BrushBarChart, Pie, TwoLevelPieChart, LineChart, RadarChart, AreaChart, Gauge, WorldMap, WorldCitiesMap)


  • Save as New Report option opens Save as New Report window which allows you to create a new report. You will need to add a report name and description before saving.

  • Save as New Filter option opens Save as New Filter window which allows you to create a new filter. You will need to add a filter name and description before saving.

The Search and Filter section also includes options for setting the date and time interval for which you need information. This feature is very helpful when you need a quick look at compliance over a certain period of time.

The interface allows you to set a specific start date and end date, and also provides quick options for the date range (last hour, last day, last 3 days, last 10 days, last 30 days, last 90 days). By default, the Browser interface lists all events. Buttons below the Start Date and End Date fields allow you to quickly increase or decrease the time interval, and to specify the time reference to be considered (GMT, LocalTime, ReceivedTime, Now, AutoRefresh, TimeInterval).

  • GMT - the time reference that converts your search time into GMT (Greenwich Mean Time).

  • LocalTime - the time reference of when an event occurred.

  • ReceivedTime - the time reference of when the event arrived at the CYBERQUEST machine.

  • Now - automatically updates the end date with the current time.

  • AutoRefresh - refreshes the page every 10 seconds.

  • Time Interval - the search is made over the interval from Start Time to End Time.

  • Not in this time interval - the search outputs the events that are NOT between Start Time and End Time.

Results section

This is the main display area for browsing activities. All events are listed in chronological order, with the number of items per page being the one set in the Search and Filter options.

Not all event fields are displayed. The default ones are LocalTime, Computer and Description, since these are the main correlation fields and should be included with all events. You have the option to add or remove displayed fields by clicking the field selection bar. This action opens a drop-down list of all available fields; selecting a field adds it to the list. You can remove fields at any time by clicking the x mark shown next to each selected field. The following fields can be added:

  • Category -- Category to which the event belongs;

  • DestIP -- Destination IP address;

  • SrcIP -- Source IP address;

  • DestMAC -- Destination MAC address;

  • SrcMAC -- Source MAC address;

  • EventID -- Identification number of the event;

  • EventLog -- Event log to which the event pertains;

  • EventType -- Type of event to which the event pertains;

  • GMT -- Coordinated Universal Time;

  • PlatformID -- Identification number from computer where the event occurred;

  • SessionID -- Session identification number;

  • Source -- Source to which the event pertains;

  • UserDomain -- Domain containing the user that produced the event;

  • VersionMajor -- Major version number of the software that produced the event;

  • VersionMinor -- Minor version number of the software that produced the event;

  • S1-S150 -- Additional information fields.

To see more information about the Log Record Fields, please follow the link: Log Records structure.

The Browser interface enables you to act on listed events. For each event, pressing the menu button on the left opens a drop-down menu with the following options:

  • View Event -- Opens an informational window with all event details

  • Export Event as JSON -- Exports the event as a JSON file

  • Create Investigation case -- opens Add evidence to new case window which allows an investigator to create a case based on a suspicious event. Case management is described in detail in CQ 2.20 User Guide, Case Management Module

  • Add to Existing investigation -- opens a selection window allowing you to add the event to an existing investigation case

  • Add to Event Actions (Map) -- If the event contains a public IP matching a geolocation reference, the event will be added to the world map in Geolocation section.

All fields except Description allow you to focus on a selected event, either by quickly filtering the listed events in Browser mode or by narrowing the navigation focus in other modules. By clicking on any of the fields of a specific event, a drop-down menu opens presenting the following options:

  • Remove globally: creates a search that removes all events containing the selected field value from the events list. The search is written into the Search box.

  • Show only this item globally: instructs Browser to filter the listed events by the selected field value. The search is written into the Search box.

  • Send to Investigations: directs your selection to Investigations module. The option opens a new web browser tab to the Investigations interface. You are presented with a Filter data window that is already populated with the search information you entered. Press the button to run the data extraction based on your filters and display the results in the Investigations interface.

  • Send to Dashboards: this option directs your selection to Dashboards module. The option opens a new web browser tab to Dashboards interface listing search results.

  • Send to Browser as <value> or <field>: this option directs your selection to a new Browser tab listing search results.

  • Send to Alerts: this option directs your selection to Alerts module. The option opens a new web browser tab to Alerts interface listing search results.

All quick actions described above operate by creating searches, which automatically populate the Search box. If multiple actions are selected without deleting the previous ones, Browser automatically inserts an AND logical operator between them in the Search box. This means, for example, that two Remove globally instructions accumulate into a search similar to:

NOT DestIP:"IP_Address_1" AND NOT Computer:"IP_Address_2"

For more information, please read CQ 2.20 User's Guide, Using Searches.
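To make the accumulation rule concrete, the following added example (not code from the CYBERQUEST product or this manual) models a Search box that fills up as Remove globally and Show only this item globally actions are clicked, joins clauses with AND as described above, and evaluates the result against a few constructed sample events. The positive form `Field:"value"` for Show only, the quote escaping, and the sample events are assumptions; the manual only shows the `NOT Field:"value"` form.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# One quick-action clause: (negated, field_name, value).
# Rendered as Field:"value", or NOT Field:"value" when negated.
Clause = Tuple[bool, str, str]


def _quote(value: str) -> str:
    # Escape backslashes and embedded quotes (assumption: the manual shows plain quoted values only)
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


@dataclass
class SearchBox:
    """Models the Search box filling up as quick actions are clicked.

    Each action appends one clause; successive actions are joined with AND."""
    clauses: List[Clause] = field(default_factory=list)

    def remove_globally(self, field_name: str, value: str) -> str:
        # "Remove globally" produces NOT Field:"value" (the form shown in the manual)
        self.clauses.append((True, field_name, value))
        return self.query()

    def show_only(self, field_name: str, value: str) -> str:
        # "Show only this item globally" keeps events with this value (assumed form Field:"value")
        self.clauses.append((False, field_name, value))
        return self.query()

    def query(self) -> str:
        # An empty Search box means every event is displayed
        return " AND ".join(("NOT " if neg else "") + f"{name}:{_quote(val)}"
                            for neg, name, val in self.clauses)

    def matches(self, event: Dict[str, str]) -> bool:
        # All AND-joined clauses must hold; a negated clause holds when the value differs
        return all((event.get(name) == val) != neg for neg, name, val in self.clauses)


def filter_events(box: SearchBox, events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    return [e for e in events if box.matches(e)]


# Constructed sample events (not taken from the manual)
SAMPLE_EVENTS = [
    {"Computer": "HOST-A", "DestIP": "10.0.0.5", "Description": "Logon"},
    {"Computer": "HOST-B", "DestIP": "10.0.0.9", "Description": "Logoff"},
    {"Computer": "HOST-C", "DestIP": "10.0.0.5", "Description": "Logon"},
]


def demo() -> Tuple[str, List[str]]:
    # Two Remove globally clicks accumulate into one AND-joined search
    box = SearchBox()
    box.remove_globally("DestIP", "10.0.0.9")
    query = box.remove_globally("Computer", "HOST-C")
    return query, [e["Computer"] for e in filter_events(box, SAMPLE_EVENTS)]
```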

Geolocation section

When you instruct Browser to add an event to the map, and that event contains a public IP address with a geolocation reference, the event is marked on the world map. This allows users to see exactly where an event originates from or what its destination is.