Viewing Historical Search Results

Historical Search results are displayed in two panes:

  • The bottom pane shows the results in a table whose columns follow the definitions in the Display Fields.
  • The top pane shows the trend over time:
    • For non-aggregated searches, the trend is event occurrence, shown as a bar graph. Each bar is the number of table entries whose time falls in a particular time window.
    • For aggregated searches, the trend is for any of the numerical aggregate columns and is shown for the Top 5 entries in the table. For integer values such as COUNT(Matched Events) you see a bar graph; for continuous values such as AVG(CPU Utilization) you see a line chart.

Both the bar and line charts show trends in a stacked manner, one for each row in the table. To see the trend for a specific row, disable all the other entries by deselecting the check box in the first column. To view the trend for a set of entries, you can select the check box corresponding to those entries.
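To make the relationship between the result table and the trend pane concrete, the following added example (not FortiSIEM code) computes the same series the charts draw: the per-window event count of a non-aggregated search, the per-window COUNT(Matched Events) series for the Top 5 rows of an aggregated search, the stacked series for a chosen set of rows, and the per-window AVG of a continuous value. The sample events, host names, the 10-minute window width and the three-window range are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not FortiSIEM output): (receive time, event type).
T0 = datetime(2024, 1, 1, 10, 0)
WINDOW = timedelta(minutes=10)      # assumed chart bucket width
N_WINDOWS = 3                       # assumed search range: 10:00 to 10:30
EVENTS = [
    (T0 + timedelta(minutes=m), etype)
    for m, etype in [
        (0, "login-success"), (1, "login-failure"), (2, "login-failure"),
        (5, "cpu-sample"), (6, "login-success"), (7, "login-failure"),
        (11, "login-failure"), (12, "login-failure"), (13, "login-failure"),
        (14, "login-failure"), (16, "login-success"), (18, "fw-deny"),
        (21, "fw-deny"), (22, "fw-permit"), (23, "fw-deny"), (24, "login-success"),
        (27, "ssh-fail"), (28, "ssh-fail"), (29, "login-success"),
    ]
]
# Constructed CPU samples for the continuous case: (time, host, CPU %).
CPU_SAMPLES = [
    (T0 + timedelta(minutes=m), host, pct)
    for m, host, pct in [
        (0, "host-a", 40), (8, "host-a", 60), (12, "host-a", 70), (25, "host-a", 50),
        (3, "host-b", 10), (15, "host-b", 30), (22, "host-b", 20),
        (4, "host-c", 90),
    ]
]


def bucket_index(ts, start=T0, width=WINDOW):
    """Index of the time window containing ts (timedelta // timedelta is an int)."""
    return (ts - start) // width


def occurrence_trend(events, n_buckets=N_WINDOWS):
    """Non-aggregated search: each bar is the number of table rows in that window."""
    counts = [0] * n_buckets
    for ts, _ in events:
        i = bucket_index(ts)
        if 0 <= i < n_buckets:
            counts[i] += 1
    return counts


def aggregated_trend(events, n_buckets=N_WINDOWS, top=5):
    """Aggregated search grouped by event type with COUNT(Matched Events).
    Returns the per-window COUNT series for the Top 5 rows, largest total first
    (ties broken by name); rows outside the Top 5 get no series at all."""
    per_row = defaultdict(lambda: [0] * n_buckets)
    for ts, etype in events:
        i = bucket_index(ts)
        if 0 <= i < n_buckets:
            per_row[etype][i] += 1
    ranked = sorted(per_row.items(), key=lambda kv: (-sum(kv[1]), kv[0]))
    return dict(ranked[:top])


def stacked_series(trend, selected=None):
    """Stacked view: per-window sum over the rows whose check box is selected
    (all charted rows when selected is None). Deselecting every other row
    leaves exactly that row's own series."""
    rows = trend if selected is None else {k: v for k, v in trend.items() if k in selected}
    n = len(next(iter(rows.values()), []))
    return [sum(series[i] for series in rows.values()) for i in range(n)]


def avg_trend(samples, n_buckets=N_WINDOWS, top=5):
    """Continuous aggregate such as AVG(CPU Utilization), drawn as a line chart.
    Returns the per-window average for the Top 5 rows by overall average;
    a window with no sample for that row is None (a gap in the line)."""
    sums = defaultdict(lambda: [0.0] * n_buckets)
    nums = defaultdict(lambda: [0] * n_buckets)
    for ts, host, value in samples:
        i = bucket_index(ts)
        if 0 <= i < n_buckets:
            sums[host][i] += value
            nums[host][i] += 1
    overall = lambda h: sum(sums[h]) / sum(nums[h])
    ranked = sorted(sums, key=lambda h: (-overall(h), h))[:top]
    return {h: [sums[h][i] / nums[h][i] if nums[h][i] else None for i in range(n_buckets)]
            for h in ranked}


if __name__ == "__main__":
    print("occurrence:", occurrence_trend(EVENTS))
    top5 = aggregated_trend(EVENTS)
    print("top 5 COUNT series:", top5)
    print("stacked (all top 5):", stacked_series(top5))
    print("login-failure only:", stacked_series(top5, {"login-failure"}))
    print("AVG(CPU) per host:", avg_trend(CPU_SAMPLES))
```

Note that the stacked total of the Top 5 series is not the total event count: a sixth row (fw-permit in the sample) is dropped from the chart although it remains in the table, which matters when you read a stacked bar as "all events in that window".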

For continuous values, you can toggle between a stacked view and a non-stacked view.

  • To show the stacked view, click the stacked view icon.
  • To show the line chart view, click the line chart icon.

If there are multiple aggregate columns:

  • You can select a specific column in Chart for at the top right to see the chart for that column.
  • You can select one column for Chart for and another column for Lower Chart to see the two charts at the same time, one on the positive Y-axis and one on the negative Y-axis. This generally makes sense only when the values are of the same order of magnitude, for example AVG(CPU Utilization) and AVG(Memory Utilization), or AVG(Sent Bytes) and AVG(Recv Bytes).

You can visualize the results in other charts:

  • Bar Chart: Displays the Chart for column. Click the bar chart icon at the top right.
  • Donut Chart: Displays the COUNT(Matched Events) column if present. Click the donut chart icon at the top right. If the COUNT(Matched Events) column is absent, this chart is grayed out.
  • Scatter plot: Displays two numerical aggregate values in a Scatter plot. Select Scatter plot from the drop-down.
  • Tree Map: Displays three event attributes and a numerical aggregate value in a Tree Map. Select Tree Map from the drop-down.
  • Heat Map: Displays two event attributes and a numerical aggregate value in a Heat Map. Select Heat Map from the drop-down.
  • GEO Map: Displays the IP addresses in a GEO Map – requires public IP addresses or private IP addresses with location defined in ADMIN > General Settings > Discovery > Location. Select GEO Map from the drop-down.

Events in FortiSIEM have an Event Type (a unique ID) and an Event Name (a short description). When you choose to display Event Type, Event Name is displayed automatically and Event Type itself is hidden to make room for other fields. To see the Event Types, select the Show Event Type check box.

Raw events often take many lines to display. By default, raw events are truncated to one line so that many search results fit on one page. To see the full raw event, select the Wrap Raw Event check box.

Using search result tabs

A search result typically shows many rows. To drill down into a specific value in a specific column, hover over that cell and choose Add to Filter or Add to Tab. Add to Filter modifies the search on the current tab by adding this constraint. Add to Tab, on the other hand, leaves the current tab intact and adds the constraint to a new tab or to a tab of your choice, so you can compare search results side by side. Click Add to Tab and select the tab to which the constraint should be added; the filter conditions and display columns are copied to that tab.

Zooming in on a specific time window

If you see an out-of-the-ordinary pattern (for example, a spike) in the trend chart and want to drill down without typing an exact time range, there are two ways to do it:

  • Click the bar: a new search tab is created by duplicating the original search and setting its time window to the one you see when hovering over the bar.
  • Press and hold the Shift key and drag the mouse over a time window: this modifies the time window in the current tab. Click Save and Run to see the results.

Viewing parsed raw events

Hover over a Raw Event Log cell and click Show Details. The display shows how FortiSIEM parsed that event into attributes.

To add an attribute to the filter criteria in the search:

  1. Check the Filter column.
  2. Click OK.
    The Attribute gets added to the filter condition.
  3. Re-run the query to get the new results.

To add an attribute to the search display:

  1. Check the Display column.
  2. Click OK.
    The Attribute gets added to the display condition.
  3. Re-run the query to get the new results.