Kaspersky Unified Monitoring and Analysis Platform
Filtering events
In KUMA, you can specify what events to display in the events table using the query builder or SQL queries. Both search methods are interchangeable and search conditions can be viewed or created using either of them.
You can also modify filters in the events table using these shortcuts:
- Changing the filter from the Statistics window
To change the filter from the Statistics window:
- Open the Statistics details area in one of the following ways:
  - In the drop-down list in the top right corner of the events table, select Statistics.
  - In the events table, click any value and select Statistics in the context menu that opens.
  The Statistics details area appears in the right part of the web interface window.
- Open the drop-down list of the needed parameter and hover the mouse over the needed value.
  A plus icon and a minus icon appear near the value.
- Change the filter using the plus or minus icon:
  - To include in the events selection only events with the selected value, click the plus icon.
  - To exclude from the events selection all events with the selected value, click the minus icon.
As a result, the filter and the events table will be updated, and the new filter expression will be displayed in the top right corner of the Events window.
- Changing the filter from the events table
To change the filter from the events table:
In the Events section of the KUMA web interface, click any event parameter value and select one of the following options in the menu that opens:
- To include into the events selection only events with the selected value, click Filter by this value.
- To exclude events with the selected value from the events selection, click Exclude from filter.
As a result, the filter and the events table will be updated, and the new filter expression will be displayed in the top right corner of the Events window.
- Changing the filter from the Event details area
To change the filter from the Event details area:
- In the Events section of the KUMA web interface, click the relevant event.
  The Event details area appears in the right part of the window.
- Change the filter using the plus or minus icons near the parameters you need:
  - To include in the events selection only events with the selected value, click the plus icon.
  - To exclude from the events selection all events with the selected value, click the minus icon.
As a result, the filter and the events table will be updated, and the new filter expression will be displayed in the top right corner of the Events window.
You can also filter events by time period. Filter configurations can be saved. Existing filter configurations can be deleted.
Query builder and SQL search queries can be used to specify the number of events that are loaded per page. If the specified filter returns more events than can be displayed on one page (according to settings), when you reach the end of the page, the Show more events button appears. The maximum number of events that can be displayed on the page is specified in the LIMIT section of the query builder or in the LIMIT parameter of an SQL query. This functionality can be used only when events are also filtered by the time period.
Filter functions are available for users regardless of their roles.
In this section:
- Filtering events using the constructor
- Filtering events using SQL queries