Viewing Historical Search Results

Historical search enables you to search events that are already stored in the event database.

Understanding Default Result Display

Historical search results are displayed in two panes:

  • The bottom pane displays the results in a tabular view using the columns defined in Display Fields. For ClickHouse-based deployments, an additional Result Filter pane on the left shows the value distribution of each result column (other than Date fields and Raw Event Log).

  • The top pane displays how the results in the bottom pane trend over time:

    • For non-aggregated searches, the trend is for event occurrence and is displayed in a trending bar graph. Each bar captures the number of entries in the table during a particular time window.

    • For aggregated searches, the trend is for any of the (numerical) columns with aggregations. Trends are displayed for the Top 5 entries in the table. For integer values, such as COUNT (Matched Events), you will see a trend Stacked Bar Chart, while for continuous values such as AVG(CPU Utilization), you will see a Stacked Line Chart.

The Result Filter display shows the distinct values in each column of the search result and their frequencies. The top 100 values are shown, in descending order by default. You can change the order by clicking the icon.

  1. If you select one or more values for a field, then
    1. The other columns on the left change to reflect the selection.
    2. The trend and the result table in the right pane change to reflect the selection.
  2. You can click the button to minimize the Result Filter display; the trend chart and the result table then take over the full horizontal width. This may be useful for analyzing unaggregated raw message queries. Subsequent searches will not show the Result Filter by default. You can restore the Result Filter by clicking the button.
  3. You can add the Result Filter choices to the query condition by clicking the icon.

    Note: Some event attributes, functions, and queries are not supported:
    • Date Fields (Examples: Event Receive Time, Event Receive Hour, Event Receive Date… )
    • Raw event log, Binary Raw event log
    • Some functions:
      • Aggregate functions – COUNT, MEDIAN, MODE, STDDEV, VARIANCE, SUMSQ, PCTILE, COUNT DISTINCT, MAX, MIN, AVG, SUM, FIRST, LAST, Pctile95
      • Time window functions – SMA, EMA
    • Some queries
      • Baseline reports
      • Incidents reports
      • Real-time query
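To make concrete what the two panes described above compute, here is a small Python example written for this page; it is not FortiSIEM code and makes no claim about FortiSIEM's internals. It buckets events into fixed time windows (the bars of a non-aggregated trend), builds the per-column value distribution behind the Result Filter (top N values, descending by default, skipping date and raw-log columns), narrows the result set when values are selected so that the other columns and the trend change with it, and builds the top-N series of an aggregated COUNT trend. The sample events, the attribute names (eventReceiveTime, eventType, reptDevIpAddr, rawEventMsg), the 60-second window and the `IN (...)` condition syntax are all constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample events (not real data). Attribute names are assumed;
# BASE is a multiple of 60 so that 60-second windows start on the minute.
BASE = 1700000040
SAMPLE_EVENTS = [
    {"eventReceiveTime": BASE + t, "eventType": et, "reptDevIpAddr": ip,
     "rawEventMsg": f"constructed raw log {t}"}
    for t, et, ip in [
        (0,   "Win-Security-4624", "10.0.0.1"),
        (30,  "Win-Security-4625", "10.0.0.1"),
        (45,  "Win-Security-4625", "10.0.0.2"),
        (70,  "Win-Security-4625", "10.0.0.2"),
        (130, "Win-Security-4624", "10.0.0.3"),
        (150, "Win-Security-4625", "10.0.0.2"),
        (170, "Win-Security-4625", "10.0.0.1"),
    ]
]

# Columns the Result Filter skips (mirrors the note above; names assumed).
DATE_FIELDS = {"eventReceiveTime"}
RAW_FIELDS = {"rawEventMsg"}


def bucket(ts, window_seconds):
    """Start of the fixed-width window that contains timestamp ts."""
    return (ts // window_seconds) * window_seconds


def trend_buckets(events, window_seconds, time_field="eventReceiveTime"):
    """Non-aggregated trend: number of events per time window, one entry per bar."""
    counts = Counter(bucket(e[time_field], window_seconds) for e in events)
    return sorted(counts.items())


def result_filter(events, fields, top_n=100, descending=True):
    """Result Filter facets: distinct values and their frequency for each column.

    Date and raw-log columns are skipped; values are ordered by frequency
    (descending by default, ties broken by value) and truncated to top_n."""
    facets = {}
    for f in fields:
        if f in DATE_FIELDS or f in RAW_FIELDS:
            continue
        counts = Counter(e[f] for e in events if f in e)
        key = (lambda kv: (-kv[1], kv[0])) if descending else (lambda kv: (kv[1], kv[0]))
        facets[f] = sorted(counts.items(), key=key)[:top_n]
    return facets


def select_values(events, selection):
    """Narrow the result set to events matching every selected value.

    selection maps a field name to the set of values chosen in the Result Filter.
    Re-running result_filter/trend_buckets on the output gives the updated panes."""
    return [e for e in events
            if all(e.get(f) in vals for f, vals in selection.items())]


def aggregated_trend(events, group_field, window_seconds, top=5,
                     time_field="eventReceiveTime"):
    """Aggregated trend: COUNT per window for the top-N groups (stacked bar series)."""
    totals = Counter(e[group_field] for e in events)
    top_groups = [g for g, _ in sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:top]]
    series = {g: defaultdict(int) for g in top_groups}
    for e in events:
        g = e[group_field]
        if g in series:
            series[g][bucket(e[time_field], window_seconds)] += 1
    return {g: sorted(s.items()) for g, s in series.items()}


def selection_to_condition(selection):
    """Render a Result Filter selection as a filter condition (illustrative syntax, assumed)."""
    clauses = []
    for f, vals in sorted(selection.items()):
        quoted = ",".join(f'"{v}"' for v in sorted(vals))
        clauses.append(f"{f} IN ({quoted})")
    return " AND ".join(clauses)


if __name__ == "__main__":
    fields = ["eventReceiveTime", "eventType", "reptDevIpAddr", "rawEventMsg"]
    print("trend:", trend_buckets(SAMPLE_EVENTS, 60))
    print("facets:", result_filter(SAMPLE_EVENTS, fields))
    chosen = {"reptDevIpAddr": {"10.0.0.2"}}
    narrowed = select_values(SAMPLE_EVENTS, chosen)
    print("after selection, facets:", result_filter(narrowed, fields))
    print("after selection, trend:", trend_buckets(narrowed, 60))
    print("top-2 COUNT series:", aggregated_trend(SAMPLE_EVENTS, "reptDevIpAddr", 60, top=2))
    print("condition:", selection_to_condition(chosen))
```

Selecting a value in `select_values` and recomputing both `result_filter` and `trend_buckets` reproduces the behaviour described in the list above: the remaining columns only show values that co-occur with the selection, and the trend shrinks to the matching events.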

For displaying trends in aggregated searches, you can change the default chart choice and opt for one of the following charts:

  1. Stacked Bar Chart
  2. Stacked Line Chart
  3. Line Chart

To show the trend for only one row in an aggregated search, uncheck all the checkboxes under the Chart column other than the one you want to keep. To add the trend chart for a new row, check the checkbox under the Chart column for that row. The trend will show automatically.

When an aggregated search has multiple aggregated fields:

  • To display the trend for another aggregated field, choose that field from the drop-down list on the right-hand side. The chart will automatically refresh.
  • To show trends of both aggregated fields on the two sides of the same graph, choose the other field from the Lower chart drop-down list. The chart will automatically refresh.

A few shortcuts are available to run the search for different relative time windows: 15 mins, 1 hour, 1 day, 7 days, 30 days. You can select these values from the icon at the top right and the search will automatically re-run.

To hide the trend chart, click the icon on the top right. To bring back the trend chart, click the icon on the top right.

Choosing other Chart Displays

FortiSIEM provides a variety of charts and maps to help you better understand and analyze your incident data. You can access these charts and views from the widget dashboard settings (see Modifying widget information display) or by clicking the TABLE or drop-down icon in the Analytics page (see Viewing Historical Search Results).

Each chart or view is listed below with its Description, Display Settings, and Requirements.

Table
  Description: Displays data in a tabular format.
  Display Settings: You can choose to display the bar chart (Show Bar), the event type (Show Event Type), and the count (Count). Set the colors for the bar chart or reverse the color map.
  Requirements: None.

Link Graph
  Description: Displays source, event, and destination relationships. Source nodes appear in light blue; event nodes are color coded by their severity if the event attribute "Event Severity Category" is present in the Display Fields of the Table view. A node can be clicked and dragged to reposition it. If a node can be represented by a device type that FortiSIEM recognizes, the matching icon is displayed; otherwise a default monitor icon appears.
    The Rows and Total numbers represent the number of data items in the table view, not the number of nodes. Each data item is represented by three nodes (source, event, destination), so if all the data items share the same source, event, and destination, only three nodes will appear.
    Click on any node and the following options appear:
    • Quick Info - Select to show more information about the selected node.
    • Add <object> to Filter - Adds the data from the selected node to a filter.
  Display Settings: Select the Source, Event, and Destination from the drop-down lists. Auto Layout attempts to show all nodes in an optimal manner. To disable it, deselect the Auto Layout checkbox.
  Requirements: A source and destination are required.

Bar Chart
  Description: Displays data similar to a bar chart.
  Display Settings: Select the Aggregate Field (Column) to display and its colors. You can also reverse the color map.
  Requirements: At least one numeric column is required.

Chord Chart
  Description: A graphical method of displaying the inter-relationships between data in a matrix. The data is arranged radially around a circle, with the relationships between the data points typically drawn as arcs connecting the data.
  Display Settings: Select the incident Source, Target, and Value from the drop-down lists.
  Requirements: At least two key columns and one numeric column are required.

Choropleth Chart
  Description: A thematic map in which areas are shaded or patterned in proportion to the measurement of the statistical variable being displayed on the map.
  Display Settings: Select the Location and Value from the drop-down lists.
  Requirements: At least one numeric column is required. Configure the Google Maps API Key in ADMIN > Settings > System > UI. See UI Settings.

Cluster Bubble Chart
  Description: You can use a bubble chart instead of a scatter chart if your data has three data series that each contain a set of values. The sizes of the bubbles are determined by the values in the third data series.
  Display Settings: Select the Column from the drop-down list.
  Requirements: At least one numeric column is required.

Donut Chart
  Description: Displays data similar to a pie chart.
  Display Settings: Select the Aggregate Field (Column) to display, since the report may have multiple Aggregate Fields.
  Requirements: At least one numeric column is required.

GEO Map Chart
  Description: Displays the IP addresses in a geographic map.
  Display Settings: Public or private IP addresses with a location defined in ADMIN > Settings > Discovery > Location. See Setting Location.
  Requirements: At least one numeric column is required.

Heat Map Chart
  Description: Displays two event attributes and a numerical aggregate value.
  Display Settings: Select the Heat map coordinates X and Y, and an associated Value.
  Requirements: At least two key columns and one numeric column are required.

Sankey Chart
  Description: A specific type of flow diagram, in which the width of the arrows is proportional to the flow quantity.
  Display Settings: Select the Source, Target, and Value from the drop-down lists.
  Requirements: At least two key columns and one numeric column are required.

Scatter Plot Chart
  Description: Plots two aggregate fields.
  Display Settings: Select two aggregate fields, X and Y. Select the Size of the sample.
  Requirements: At least two numeric columns are required.

Sunburst Chart
  Description: Visualizes hierarchical data, depicted by concentric circles. The circle in the center represents the root node, with the hierarchy moving outward from the center.
  Display Settings: Select the Rank1, Rank2, Rank3 and Count from the drop-down lists.
  Requirements: Only one column can be used in one rank.

Tree Map Chart
  Description: Displays columns in a Tree Map.
  Display Settings: Select the Tree Map Ranks and the Count attributes from the drop-down lists.
  Requirements: Only one column can be used in one rank.

Trend Line Chart
  Description: A "trend" line is superimposed on a chart to reveal the overall direction of the data.

Trend Area Chart
  Description: A graph that shows trend changes over time by displaying a series of data as different colored lines.

Trend Bar Chart
  Description: Uses bars to track trends over time.

Viewing Parsed Raw Events

If Raw Event Log is displayed as a column, hover over a Raw Event Log cell, click the icon, and click Show Details. The display shows how FortiSIEM parses the event. From this view, you can choose a new parsed event attribute to be displayed or added to the Filter condition.

Modifying Search Filter Criteria

This can be done in three ways:

  1. You can edit the filters using Edit Filters and Time Range... and then click Apply and Run.
  2. You can select a column in the bottom pane, choose Add to Filter, and select the operator. Then Stop the query and click Run.
  3. If Raw Event Log is displayed, hover over a Raw Event Log cell, click the icon, click Show Details, and then select Filter next to the item that you want to filter on. Then Stop the query and click Run.

Modifying Search Display Fields

This can be done in two ways:

  1. You can edit Group By and Display Fields and then click Apply and Run.
  2. If Raw Event Log is displayed, hover over a Raw Event Log cell, click the icon, click Show Details, and then select Display next to the item that you want to display. Then Stop the query and click Run.

Zooming in on a Specific Time Window

If you see an unusual pattern (for example, a spike) in the Trend Chart and want to drill down without providing an exact time range, do one of the following:

  • Click the bar: a new search tab is created by duplicating the original search with the time window of that bar added (the window is shown when you hover over the bar).
  • Press and hold the Shift key and drag the mouse over a time window. This modifies the time window in the current tab. Click Apply & Run to see the results.

Copying the Search to a Separate Tab

At some point, you may want to copy the search results to a new tab for further modifications. To do this, click Actions and select Copy to New Tab.