2. Selection of Data

After defining the buckets, click "continue" to the next step "Selection Criteria".

Query and Filters

Once the "Match All" box is unchecked, click the "+ FILTER" button that appears to open the filter window. There are five filter types: "Field", "Entityinfo", "Regexp", "Exists", and "Feed". "Field" matches values against a selected key field. "Entityinfo" uses a defined entity list to match multiple values, and can also translate them. "Regexp" allows you to use a regular expression. "Exists" determines whether the field exists or not.

Example of using a Query

Let's say we want to find bidirectional communication on the Windows Remote Desktop port (3389). We can create a search in the event window to look for this activity.

dp:3389 AND NOT rxB:0 AND NOT txB:0

The same selection can be written in the Events table by spelling out the full field name. The disadvantage is that event data is not normally parsed, so protocol fields are not normalized. The following is the above example, this time written as a selection in the Events table.

@peplink.dpt:3389 AND NOT @peplink.bytes_recvd:0 AND NOT @peplink.bytes_sent:0
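To make the selection logic concrete, here is an added example (not the tool's own code) that evaluates both query forms above against constructed records. It assumes the Lucene-like semantics visible in the two queries (field:value terms joined by AND, each optionally negated with NOT); the sample records and their byte counts are constructed for the demonstration.

```python
import re

# Constructed flow records using the normalized field names (dp, rxB, txB).
FLOWS = [
    {"dp": 3389, "rxB": 1200, "txB": 850},   # bidirectional RDP session
    {"dp": 3389, "rxB": 0, "txB": 60},       # one-way: SYN sent, nothing received
    {"dp": 443, "rxB": 500, "txB": 500},     # not RDP
]
# Constructed raw events using the unnormalized Events-table field names.
RAW_EVENTS = [
    {"@peplink.dpt": 3389, "@peplink.bytes_recvd": 900, "@peplink.bytes_sent": 400},
    {"@peplink.dpt": 3389, "@peplink.bytes_recvd": 0, "@peplink.bytes_sent": 120},
]

# Token grammar assumed for this example: AND / NOT keywords, field:value terms,
# and a catch-all group so that anything else is reported instead of silently skipped.
TOKEN = re.compile(r"\s*(?:(AND|NOT)\b|(\S+:\S+)|(\S+))")

def parse(query):
    """Turn 'a:1 AND NOT b:0' into a list of (negated, field, value) clauses."""
    clauses, negate, expect_term = [], False, True
    for m in TOKEN.finditer(query):
        op, term, bad = m.groups()
        if bad:
            raise ValueError(f"unexpected token {bad!r}")
        if op == "AND":
            if expect_term:
                raise ValueError("AND must follow a term")
            expect_term = True
        elif op == "NOT":
            negate = True
        else:
            if not expect_term:
                raise ValueError(f"missing AND before {term!r}")
            field, value = term.split(":", 1)
            clauses.append((negate, field, value))
            negate, expect_term = False, False
    if expect_term or negate:
        raise ValueError("query is empty or ends with an operator")
    return clauses

def matches(clauses, record):
    """A record matches when every positive clause hits and no NOT clause hits."""
    for negate, field, value in clauses:
        hit = field in record and str(record[field]) == value
        if hit == negate:
            return False
    return True

def select(query, records):
    clauses = parse(query)
    return [r for r in records if matches(clauses, r)]
```

Running select("dp:3389 AND NOT rxB:0 AND NOT txB:0", FLOWS) keeps only the first flow: the one-way probe is excluded because rxB is 0, and the HTTPS flow is excluded by the port clause.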

Query Tree

More complex selection logic is best done with a query tree.