ThreatEye User Guide
Findings
The Findings widget is a table that lists each finding together with the information you need to investigate it. At most 5000 of the total results can be displayed in the table, so if the 'total results' count exceeds 5000 some findings are not shown; use the column filters and the Search bar to narrow the results to the ones you want.
Add to Casebook: Click to add the selected findings to a new or existing casebook.
Tags: Click to assign or unassign tags to the selected findings.
Timestamp: The date and time of the finding.
Type: The type of threat.
Message: The name of the threat.
Hostname: The hostname from where the finding originated.
Source Address: The source IP address of the finding.
Dest Address: The destination IP address of the finding.
Category: The category of the finding, which tells the analyst the type of attack.
Disposition: The outcome of the investigation (True Positive or False Positive), set by the analyst.
Domain: The domain of the finding.
Flow Count: The number of flows that include the finding.
Tags: The tags that help the analyst search on the type of finding.
Magnifying Glass (icon): Click the magnifying glass icon to view the details of the finding. (Details, Flows, Finding JSON, PassiveDNS, Intelligence, Comments).
Findings workflow: All findings start in the 'Not Reviewed' state. When an analyst changes the state to 'Investigating', 'Escalate' or 'Closed', the finding is assigned to the user who made the change. To mark a finding as 'Closed', you must set a disposition (either True Positive or False Positive) and set the Context before the change is accepted.
PassiveDNS information is available for a finding. You can search by IP or domain.
Threat Intelligence lookup is available for the destination IP or Domain in a finding.
NOTE: You can use the column filtering box below each column heading to filter for more targeted results. Enter a text string in the desired box to display only the rows whose value matches the string. The 'total results' count at the bottom of the widget changes as you filter.
Using the Search Bar
You can also use the Search bar to filter your findings. A search expression has three parts:
1. Select or enter a type of key (click the Search drop-down to see and/or select valid keys)
2. Enter a valid operator. Valid operators are "=", "!=", ">", ">=", "<", "<=", "in", "contains", "starts with", "ends with".
3. Enter a valid value that is appropriate for the type of key selected.
For example, to search for all findings that have a source address of 192.168.1.4, enter saddr=192.168.1.4 in the search bar and click Search. All findings that have that source address are displayed in the Findings widget.
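The following Python is an added example, not ThreatEye code: it parses search-bar expressions of the key/operator/value form described above, using exactly the operator list the guide gives, and applies them to a few constructed findings so you can see how each operator behaves. The guide only names the key `saddr`; the other keys used here (daddr, hostname, type, message, category, disposition, domain, flow_count, tags) are assumed names that mirror the widget's columns, and the CIDR meaning of `in` on address keys and the case-insensitive text operators are likewise assumptions of this example.

```python
"""Offline evaluator for ThreatEye-style search-bar queries.

Added example, not ThreatEye code. Only `saddr` is a key the guide names;
the other keys are assumed names mirroring the Findings widget columns.
Query shape: <key> <operator> <value>, with the operators the guide lists.
"""
import ipaddress
import re

# Constructed sample findings (not real ThreatEye output).
FINDINGS = [
    {"timestamp": "2024-03-01T10:15:00Z", "type": "Malware",
     "message": "Suspicious outbound connection", "hostname": "ws-017",
     "saddr": "192.168.1.4", "daddr": "203.0.113.10",
     "category": "Command and Control", "disposition": "",
     "domain": "example.net", "flow_count": 12, "tags": "c2,review"},
    {"timestamp": "2024-03-01T11:02:00Z", "type": "Policy",
     "message": "Cleartext credentials observed", "hostname": "ws-017",
     "saddr": "192.168.1.4", "daddr": "198.51.100.7",
     "category": "Credential Exposure", "disposition": "",
     "domain": "example.org", "flow_count": 3, "tags": ""},
    {"timestamp": "2024-03-02T09:30:00Z", "type": "Malware",
     "message": "Beaconing detected", "hostname": "srv-db-01",
     "saddr": "192.168.2.20", "daddr": "203.0.113.10",
     "category": "Command and Control", "disposition": "True Positive",
     "domain": "example.net", "flow_count": 140, "tags": "c2"},
]

# Symbol operators are listed longest first so ">=" wins over ">"; word
# operators must be separated from the key by whitespace. The lookahead
# before the value rejects things like "==" that are not valid operators.
_QUERY_RE = re.compile(
    r"^\s*(?P<key>[A-Za-z_][A-Za-z0-9_]*)"
    r"(?:\s*(?P<sym>!=|>=|<=|=|>|<)|\s+(?P<word>starts with|ends with|contains|in))"
    r"\s*(?![=<>!])(?P<value>\S.*?)\s*$"
)
ADDRESS_KEYS = {"saddr", "daddr"}  # assumed address-typed keys


def parse_query(query):
    """Return (key, operator, value) or raise ValueError on malformed input."""
    m = _QUERY_RE.match(query)
    if not m:
        raise ValueError(f"malformed query: {query!r}")
    return m.group("key"), m.group("sym") or m.group("word"), m.group("value")


def is_valid_query(query):
    """True if the expression uses a listed operator and well-formed syntax."""
    try:
        parse_query(query)
        return True
    except ValueError:
        return False


def _matches(finding, key, op, value):
    if key not in finding:
        raise KeyError(f"unknown key: {key}")
    actual = finding[key]
    value = value.strip('"\'')  # allow quoted values such as "True Positive"
    if op == "in":
        # Assumed semantics: a CIDR block for address keys, else a comma list.
        if key in ADDRESS_KEYS and "/" in value:
            return ipaddress.ip_address(actual) in ipaddress.ip_network(value, strict=False)
        return str(actual) in [v.strip() for v in value.split(",")]
    if op in ("contains", "starts with", "ends with"):
        text, needle = str(actual).lower(), value.lower()
        return {"contains": needle in text,
                "starts with": text.startswith(needle),
                "ends with": text.endswith(needle)}[op]
    # Comparison operators: coerce the literal to the field's type so that
    # flow_count > 100 compares numerically, while timestamps (ISO 8601
    # strings) and addresses compare as strings.
    wanted = type(actual)(value) if isinstance(actual, (int, float)) else value
    return {"=": actual == wanted, "!=": actual != wanted,
            ">": actual > wanted, ">=": actual >= wanted,
            "<": actual < wanted, "<=": actual <= wanted}[op]


def search(query, findings=FINDINGS):
    """Apply one search-bar expression and return the matching findings."""
    key, op, value = parse_query(query)
    return [f for f in findings if _matches(f, key, op, value)]


if __name__ == "__main__":
    for q in ("saddr=192.168.1.4", "flow_count >= 100", "daddr in 203.0.113.0/24"):
        print(q, "->", [f["hostname"] for f in search(q)])
```

Running the script shows `saddr=192.168.1.4` returning both findings from that host, `flow_count >= 100` comparing numerically rather than as text, and `daddr in 203.0.113.0/24` matching both connections to that network; `is_valid_query("saddr == 192.168.1.4")` is False, which is why the guide stresses entering one of the listed operators.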