6.4 Security Analyst Guide For Multi-Tenant


SNYPR 6.4
Security Analyst Guide for Multi-Tenant

Date Published: 2/14/2023


Securonix Proprietary Statement

This material constitutes proprietary and trade secret information of Securonix, and shall not be disclosed to any third
party, nor used by the recipient except under the terms and conditions prescribed by Securonix.

The trademarks, service marks, and logos of Securonix and others used herein are the property of Securonix or their
respective owners.

Securonix Copyright Statement

This material is also protected by Federal Copyright Law and is not to be copied or reproduced in any form, using any
medium, without the prior written authorization of Securonix.

However, Securonix allows the printing of the Adobe Acrobat PDF files for the purposes of client training and reference.

Information in this document is subject to change without notice. The software described in this document is furnished
under a license agreement or nondisclosure agreement. The software may be used or copied only in accordance with
the terms of those agreements. Nothing herein should be construed as constituting an additional warranty. Securonix
shall not be liable for technical or editorial errors or omissions contained herein. No part of this publication may be
reproduced, stored in a retrieval system, or transmitted in any form or any means electronic or mechanical, including
photocopying and recording for any purpose other than the purchaser's internal use without the written permission of
Securonix.

Copyright © 2022 Securonix. All rights reserved.

Contact Information

Securonix
5080 Spectrum Drive, Suite 950W
Addison, TX 75001
(855) 732-6649

SNYPR Security Analytics Guide 2


Table of Contents
Introduction 7
SNYPR Overview 7
Additional Resources 8
Security Command Center 10
Widget Actions 19
Security Command Center Widgets 25
Violation Summary 32
Run Playbook from SNYPR 61
Get Started with Response Bot 64
Chat with an Analyst 68
On-Demand Incident 70
The Incidents Panel 70
Create an On-Demand Incident 71
Unmasking 73
Data Insights 78
Explore the Dashboard Icons 79
Manage Dashboards 85
Manage Dashboard Widgets 88
Use Data Insights Dashboards 113
Appendix A: Compliance Dashboards 114
Spotter 126
Spotter User Interface 126
View Spotter Search Examples 139
Run Reports from Spotter 142
Working with Live Channel 145
Pausing Logs 146
Resuming Live Channel 147
Saving Searches 148
Searching on Live Events 150
Filtering to Search 150
Appendix B: Spotter Search Help 152
indexedat 156
Policy 156
Data Sources 157
Text 157
* 157
? 157
Lookup 157


Activity 158
Violation 158
Riskscore 158
Archive 159
Whitelist 159
TPI 159
Asset 159
Watchlist 160
Users 160
Riskscorehistory 160
Geolocation 161
Activelist 161
CONTAINS 161
NOT CONTAINS 162
AND 162
OR 162
BEFORE 162
AFTER 162
BETWEEN 163
NOT BETWEEN 163
STARTS WITH 163
NOT STARTS WITH 163
NULL 164
NOT NULL 164
IN 164
NOT IN 164
ENDS WITH 164
NOT ENDS WITH 165
= (Equals) 165
!= (Not Equals) 165
> (Greater Than) 165
< (Less Than) 165
<= (Less than or Equal to) 166
>= (Greater than or Equal to) 166
+/-Time_Offset_IntegerTime_Unit_String 166
@Time_Unit_String 167
+/-Time_Offset_IntegerTime_Unit_String@Time_Unit_String 167
FILTER 169
DEC 169
EQUALS 170
ISDIGIT 170


MATCH 171
ADD 171
SUBTRACT (DIFFERENCE) 171
MULTIPLY 171
DIVIDE 172
FROM_UNIXTIME 172
to_unixtime 173
BASE64 173
UNBASE64 174
CONCAT 174
ISINT 174
ISNOTNULL 174
ISBOOLEAN 175
LEN 175
ISNUM 176
UPPERCASE 176
ISSTRING 177
ISNULL 177
ISEMPTY 178
HEX 178
LOWERCASE 179
REPLACE 179
SUBSTR 180
SUBSTRBYINDEX 180
VISUALCOMPARATOR 181
Nested Queries 181
RENAME 182
FIELDS 182
DELETE 182
GEOLOOKUP 183
REX 183
AVG DISTINCT 184
SUM DISTINCT 184
GEOMAP 184
BUBBLECHART 185
BARCHART 185
TIMECHART 185
SPAN 186
RARE 186
TOP 186
STATS 187


LINK 187
TABLE 187
GEOLINK 188
HEATMAP 188
INDEXEDVOLUME 189
Incident Management 204
Manage Cases 205
Chat with an Analyst 212
View Case Details 213
Take Action on Cases 221
Create a Case from the Security Command Center 231
Reports 235
Categorized Reports 235
Run Reports from Spotter 257
Auditing 263
Log Tampering Report 273
Schedule Report Jobs 273
Views 275
User Views 275
Peer Views 283
Resource Views 287
Watch List Views 300
White List 305
Lookup Table Views 319

Introduction
The Security Analyst guide is designed to help you understand how SNYPR can be used to assess, monitor, and analyze suspicious activities on your network. It provides step-by-step instructions on how to navigate the user interface (UI) so you know where to go to properly support your team, users, and company needs.

SNYPR Overview
SNYPR is a big data security analytics platform built on Hadoop that utilizes Securonix machine-learning-based anomaly detection techniques and threat models to detect sophisticated cyber and insider attacks. SNYPR uses Hadoop both as its distributed security analytics engine and long-term data retention engine. Hadoop nodes can be added as needed, allowing the solution to scale horizontally to support hundreds of thousands of events per second (EPS).

SNYPR features:

- Supports a rich variety of security data, including security event logs, user identity data, access privileges, threat intelligence, asset metadata, and netflow data.
- Normalizes, indexes, and correlates security event logs, network flows, and application transactions.
- Utilizes machine learning-based anomaly detection techniques, including behavior profiling, peer group analytics, pattern analysis, and event rarity to detect advanced threats.
- Provides out-of-the-box threat and risk models for detection and prioritization of insider threat, cyber threat, and fraud.
- Risk-ranks entities involved in threats to enable an entity-centric (user or device) approach to mitigating threats.
- Provides Spotter, a blazing-fast search feature with normalized search syntax that enables investigators to investigate today's threats and track advanced persistent threats over long periods of time, with all data available at all times.

Documentation Conventions
There are different font styles used throughout the SNYPR documentation to indicate specific information. The table below describes the common formatting conventions used in the documentation:

Convention
   Description

Bold font
   Words in bold can indicate the following:
   - Buttons that you need to click
   - Fields in the user interface (UI)
   - Menu options in the UI
   - Information you need to type or select

Monospace font
   Indicates commands or code.

Menu navigation
   The navigation path to reach a specific screen in the UI is separated by a greater than symbol (>). For example, Menu > Administration.

UPPERCASE FONT
   All uppercase words are acronyms.

Folders and folder paths
   Quotation marks are used around a folder name or folder path. For example, "C:\Documents\UserGuide".

Additional Resources
If you require additional information, the following guides are available:

Document Name
   Audience

RIN Installation Guide
   On-boarding team and deployment engineers who need to install the RIN to connect to the SNYPR application to ingest data.

Data Integration Guide
   Data integrators who need to import activity and enrichment datasources to support existing and custom use cases.

Content Guide
   - Data integrators and deployment engineers who need to use existing connectors to import data and deploy available content.
   - Content developers who need to use the out-of-the-box content to detect the threats to your organization.

Analytics Guide
   Content developers who need to use the existing content and custom analytics available in the SNYPR platform to develop use cases to detect the threats to your organization.

Administrator Guide
   - System administrators and service providers who need information about how to monitor and administer the platform at a systems level.
   - Business managers and other users in a supervisory role who need information about how to use SNYPR to grant employees and partners access to applications, check for policy violations, and manage cases.

Web Services Guide
   Developers who need to communicate to SNYPR using the REST APIs.

Security Command Center


The Security Command Center (SCC) is the screen you see when you log in to SNYPR. It provides a real-time view of threats and violations detected by the SNYPR platform. SCC allows you to drill down into each user, violation, and threat to investigate, and take action on threats. From this screen, you can:

- View violators, violations, and threats
- Create cases
- Manage violations and threats
- Search Spotter for more information about a threat

SCC Components
The SCC screen has the following main sections:

a. SNYPR Top Header
b. Available Tenants
c. Dashboard widgets

By default, the widgets display records for all available tenants. You can filter records by tenant using Available Tenants.

SNYPR Top Header

All screens in SNYPR have a top header with menu options and commonly used features.

The previous image includes the following screen elements:

a. SNYPR Logo

The logo directs you to the SCC from any screen in the UI.

b. Navigation Menu

The navigation menu is separated by categories and provides a variety of subsections that link to different applications and settings in SNYPR. The navigation menu can consist of the following categories:

- Security Center
- Views
- Analytics
- Add Data
- Operations Center
- Reports
- Administration

The previous image is for reference purposes only. The categories and subsections within each category are dependent on your role-based and granular access control, meaning the items you see in your navigation menu may vary from the previous image.

c. SNYPR Location

Lists the section and subsection that you have selected from the main navigation menu. For this example, the Security Command Center subsection is selected from the Security Center section.

d. Search

You can search for the following types of records:

- Users
- Activity Account
- Resource Group Account
- Resources
- Network Address
- Events

You can enter your search criteria after you select the type.

e. On-Demand Incident

The On-Demand Incidents icon allows analysts to create new incidents and add new events to existing incidents from any screen in the UI. For more information, see the On-Demand Incident section of this guide.

Note: When you create an On-Demand Incident, risk scores are not associated with the incident.

f. Connection Status

The connection status of your Hadoop components and Remote Ingestion Nodes
(RIN).

g. Notifications

The notification icon displays system notifications and allows you to download reports. The notification components include:

1. Search bar: Allows you to quickly locate your notifications. You can type search criteria in the search bar and press Enter to view notifications that match your search criteria.
2. Time range filter: Allows you to filter notifications by time range. You can click the drop-down and select hours, days, years, or create a custom time range.
3. Module filter: Allows you to select modules based on your access permissions. You only receive notifications for the modules that you have selected.
4. Refresh icon: Allows you to refresh your notification results.
5. Status icon: Allows you to set the status as read. Unread notifications are indicated with a blue icon; read notifications are indicated with a gray icon.
6. Clear All: Allows you to clear your notifications.
7. More: Allows you to view more notifications.


h. Available Tenants

Allows you to filter on data viewed by one or multiple tenants.

i. More Options

This icon provides access to additional global tools within SNYPR, such as:

- Geolocation: A new tab will open and display a global map with GEO-correlated logs.
- Ops Logs: A new tab will open and display a view of the ops logs.
- Debug: Launches a screen where you can view data with specific tables.
- Outbox: Launches a screen where you can see a list of emails that are going to be sent.

j. User Details

This displays your username and allows you to change your password, ask for help, or log out. The following image includes these screen elements:

- Date Range
- Text Filter
- Refresh Icon
- Expand/Collapse

Available Tenants
The Available Tenants section displays the tenants that you can monitor from SNYPR.

1. Date Range: Specify a date range for which the widget details are displayed. The date range pop-up lets you specify the date by hours, days, or years.
2. Type text to filter: Type the tenant name to search for a tenant.
3. Refresh: Click the refresh icon to refresh the tenant data.
4. Expand/Collapse: Click the icon to collapse the tenant names in the list.
5. Tenant Filter: Select a tenant to view that tenant's records in the SCC widgets. You can select one or any number of tenants. In this screen, Tenant2 is selected.
6. Display/Hide: Click the button to hide and display the Available Tenants pane.
7. Expand/Collapse Available Tenants: Click the icon to collapse the Available Tenants section.

Dashboard Widgets
Widgets are the basic components that make up the Security Command Center (SCC) dashboard. Widgets enable you to quickly view top violators, violations, and threats, and allow you to filter dashboard results and visualize your data using charts. This section covers the following topics:

- Widget Actions
- Security Command Center Widgets

Widget Actions
All the widgets on the SCC follow the same widget framework and offer similar action options.

Use the following table to see what actions you can take from the SCC widgets:

Actions
   Description

a: Choose a date range
   Towards the top of the widget, you can specify a date range for which the widget details are displayed. Date range lets you specify the date by hours, days, or years.
   You can also create your own date range by clicking Custom Range at the bottom of the pop-up. To select a date range, click the From or To text, select a date from the pop-up calendar, then click Apply. Your widget will then display results for the date range you selected.

b: Search for widget results
   Type a string of text to search for specific results.

c: Move a widget
   Click and hold the button while moving the dashboard.

d: Filter widget results
   Click to filter your widget results. The filters that display are dependent on the widget you select; you may or may not see the filters listed below:
   - Entities/Violator: The following options display:
     - Users: A user on the network. Includes HR data and all correlated activity accounts belonging to the user.
     - Resources: An asset on the network.
     - Activity Account: An account performing activity on a datasource.
     - Network Address: An IP address on the network.
     - Resource Group Account: An account performing activity across all datasources in a resource group. Resource Group refers to all the data sources imported for a Device Type.
   - Status: The following options display:
     - New Violations: When you select this status, the widget will show new and updated violations. There will also be a blue dot to the left of the violator name.
     - In Progress: When you select this status, the widget will show violations that are marked as in progress. You will also see a yellow dot to the left of the violator name.
     - Reviewed: When you select this status, the widget will show violations that have been reviewed and actions that have been taken. A green dot will appear to the left of the violator name.
   - Policies: A list of policies displays.
   - Threats: A list of threats displays.
   - Criticality: The following options display: High, Medium, Low, None, Custom.
   - Threat Models: A list of threat models displays.
   - Resource Group: A list of Resource Groups displays.
   - Category: This filter allows you to select by category.
   - Functionality: A list of functionalities displays.
   - Tenants: Displays a list of tenants.

e: Sort widget results
   Click to sort the list by risk score or generation time.

f: View a graphical analysis
   View a graphical summary on the right side of the Top Violators screen. On the graphical analysis screen, you can click any data point on a graph to filter results. Click X to remove the filter and view all results.

g: Refresh widget results
   Click the refresh icon to refresh the list in the widget.

h: Entity/Threat/Violation Name
   Click an entity, threat, or violation name to view a Violation Summary where you can drill down into violations and take actions on the entity, violation, or threat.

i: Resize a widget
   Point the cursor to the widget's right edge to resize it. When you see a diagonal line and an arrow (as shown in the previous image), hold and then move the cursor.

Security Command Center Widgets

The following widgets are available on the SCC:

- Top Violators
- Threats
- Observables
- Sandbox
- Kill Chain Analysis
- Violation Timeline
- Watchlisted Entities

Top Violators
The Top Violators widget displays the top attackers by risk score for the selected time range. Violators can include entities such as users or device types (activity accounts, resources, network addresses, and resource group accounts).

Note: To accommodate performance and scalability, the Total Violations value is not always
exact when processing large amounts of data. It can vary by up to 5% of the actual value for high
valuations.

Custom Date Range Filter

The custom date range filter in the Top Violators widget allows users to view violator details for a custom date range outside of the available preset values. When you select a custom date range:

- All entities that display are sorted by risk score.
- There are multiple records for each entity to show risk score progression over the course of the date range selected.

When an entity is selected from the Top Violators widget:

- The risk score that displays in the top left will reflect the latest risk score for that entity within the defined custom date range.
- A list of violations will show all the policies for the selected custom time range from the previous screen.
- The violations present a distinct list of policies in the first 1,000 instances from the risk history.

  Note: It is not recommended to have a custom date range that spans multiple months or years.

- The incident ID will display the most recent incident for that policy. This incident can be outside of the selected time range.

Note:
- Risk scores are a cumulative risk score, which is the sum of individual policy and threat model risk scores. When a custom date range is selected, there are no on-demand risk score calculations that occur and the Security Command Center gathers the risk scores from the risk score history collection.
- The risk scores reflect the progression of the entity's total risk score over the defined range of time. They do not reflect the current risk score, as investigations happened over time and risk scores may be reduced as part of incident closure.
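The behaviour described in this note can be made concrete with a small model. The following Python is an added example written for this edit, not SNYPR code: it assumes a hypothetical risk score history record (entity, timestamp, policy, per-policy risk, cumulative risk, optional incident id) and constructed sample data, and builds the custom-range view by filtering, grouping and sorting stored records only, never recomputing a score. It goes slightly beyond the text by also carrying each entity's current (live) score so the difference between the two is visible.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass(frozen=True)
class RiskHistoryEntry:
    """One record from a risk score history collection.

    Hypothetical schema: the field names are assumptions for this example,
    not SNYPR's own collection layout."""
    entity: str
    timestamp: datetime
    policy: str              # policy or threat model that fired
    policy_risk: float       # risk contributed by this single violation
    cumulative_risk: float   # entity's total risk score recorded at that time
    incident_id: Optional[str] = None


@dataclass
class ViolatorRow:
    """What the Top Violators widget shows for one entity in a custom range."""
    entity: str
    latest_risk: float                          # latest score inside the range
    current_risk: float                         # live score now, may be lower
    progression: List[float]                    # one value per record, oldest first
    policies: List[str]                         # distinct policies, first N records
    latest_incident: Dict[str, Optional[str]]   # per policy, may be outside range


def _ts(day: str) -> datetime:
    return datetime.strptime(day, "%Y-%m-%d")


# Constructed sample history (entities, policies and incident ids are made up).
HISTORY = [
    RiskHistoryEntry("mallory", _ts("2022-12-28"), "Rare Login Location", 20.0, 20.0),
    RiskHistoryEntry("jdoe", _ts("2023-01-03"), "Rare Login Location", 20.0, 20.0),
    RiskHistoryEntry("svc-backup", _ts("2023-01-05"), "After Hours Activity", 10.0, 10.0),
    RiskHistoryEntry("jdoe", _ts("2023-01-10"), "Large Outbound Transfer", 45.0, 65.0, "INC-0001"),
    RiskHistoryEntry("svc-backup", _ts("2023-01-15"), "After Hours Activity", 10.0, 20.0),
    RiskHistoryEntry("jdoe", _ts("2023-01-20"), "Rare Login Location", 20.0, 85.0),
    # After the range: a newer incident on the same policy; closure later reduced the live score.
    RiskHistoryEntry("jdoe", _ts("2023-02-02"), "Large Outbound Transfer", 45.0, 45.0, "INC-0002"),
]
# Live (current) risk score per entity after investigations closed (constructed).
CURRENT_RISK = {"jdoe": 0.0, "svc-backup": 20.0, "mallory": 20.0}
START, END = _ts("2023-01-01"), _ts("2023-01-31")


def most_recent_incident(history, entity, policy) -> Optional[str]:
    """Newest incident id for this entity and policy over the WHOLE history,
    so the result can legitimately fall outside the selected range."""
    hits = [e for e in history
            if e.entity == entity and e.policy == policy and e.incident_id]
    return max(hits, key=lambda e: e.timestamp).incident_id if hits else None


def custom_range_view(history, start, end, current_risk, policy_limit=1000) -> List[ViolatorRow]:
    """Build the custom-date-range view purely from stored history records:
    no score is recomputed, records are only filtered, grouped and sorted."""
    in_range = sorted((e for e in history if start <= e.timestamp <= end),
                      key=lambda e: e.timestamp)
    by_entity: Dict[str, List[RiskHistoryEntry]] = {}
    for e in in_range:
        by_entity.setdefault(e.entity, []).append(e)

    rows = []
    for entity, entries in by_entity.items():
        seen, policies = set(), []
        for e in entries[:policy_limit]:   # distinct policies from the first N records only
            if e.policy not in seen:
                seen.add(e.policy)
                policies.append(e.policy)
        rows.append(ViolatorRow(
            entity=entity,
            latest_risk=entries[-1].cumulative_risk,
            current_risk=current_risk.get(entity, 0.0),
            progression=[e.cumulative_risk for e in entries],
            policies=policies,
            latest_incident={p: most_recent_incident(history, entity, p) for p in policies},
        ))
    rows.sort(key=lambda r: r.latest_risk, reverse=True)  # widget order: by risk score
    return rows


if __name__ == "__main__":
    for row in custom_range_view(HISTORY, START, END, CURRENT_RISK):
        print(f"{row.entity}: range-latest={row.latest_risk} current={row.current_risk} "
              f"progression={row.progression} policies={row.policies} "
              f"incidents={row.latest_incident}")
```

Run as a script it prints one row per entity. The point to take away: the range-latest value for jdoe (85) is not that entity's live score (0), and the incident id shown against a policy may postdate the range, so a custom-range row should be read as history, not as the entity's present risk.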

Threats
The Top Threats widget displays the top threat model violations for the selected time range. For more information about configuring Threat Models, see the Threat Modeler section in the SNYPR Analytics Guide.

Note: To accommodate performance and scalability, the Threats value is not always exact when
processing large amounts of data. It can vary by up to 5% of the actual value for high valuations.

Observables
The Observables widget displays the policy violations with the highest risk ranking.

Sandbox
The Sandbox widget contains policy violations used in your testing environment. The
policy violations in the Sandbox widget are completely isolated from the policy violations
in your Observables widget (live environment). Any action performed to policy violations
in your Sandbox widget does not affect your live policy violations or contribute to risk
scores.
When your testing is complete and you're satisfied with the policy violation, move the
policy violation to the Observables widget.

Note: To accommodate performance and scalability, the Policies value is not always exact when
processing large amounts of data. It can vary by up to 5% of the actual value for high valuations.

Note: Sandbox violations and threats will not show up under the Threats and Observables widgets.

Kill Chain Analysis

The Kill Chain Analysis widget displays violations by kill chain stage. "Kill chain" is the term used to describe the sequence of events that must occur to create a threat.
The purpose of kill chain analysis is to organize policy violations by the type of threat they represent so you can identify violations early and predict whether a violator will escalate the risky behavior further down the kill chain. This means you can detect and mitigate a threat before it causes loss to your organization. To categorize policies into stages of the Kill Chain, see Policies in the SNYPR Analytics Guide.
The Kill Chain includes the following stages:

- Recon Stage: Attackers gather information before an attack in an attempt to find a vulnerable point in the network. Example: Phishing emails.
- Delivery Stage: Attackers deliver a malicious package to gain access to a network. Example: A user clicks a link in a phishing email and downloads malware from a malicious site.
- Exploit Stage: Attackers find a vulnerable point of entry into the network and gain access. Example: Zero-day attack.
- Execute Stage: Attackers escalate access to execute the attack. Example: Escalating privileges or stealing admin credentials, lateral movement.
- Exfiltration Stage: Attackers move freely around the network and access or remove any sensitive data at will. Example: An insider uploading customer information to a personal file sharing/storage site.

Violation Timeline
The Violation Timeline widget displays a bubble chart that describes the name and count
of violations along the specified time line. Use your mouse to hover over a data point to
view a quick summary of the time, policy violated, and number of violations.

Note: To accommodate performance and scalability, the Violation Timeline value reported is not
always exact when processing large amounts of data. It can vary by up to 5% of the actual value
for high valuations.

Watchlisted Entities
The Watchlisted Entities widget displays a list of all entity types. On the Watchlisted Entities widget, you can perform the following actions:

You can also create custom widgets for watch lists. See Watchlists to learn more.

Violation Summary
The SCC screen displays the names of top violations, threats, or entities. You can click any violation, threat, or entity to view the summary of the violation. The Violation Summary screen provides various options to analyze the violation or threat, investigate, take action, create an incident, or run a playbook. The actions you can take depend on the type of violations you are viewing. You can perform the following actions on all of the Violation Summary screens:


Manage Violators
Violators can be users, activity accounts, resources, network addresses, and resource group accounts.
From the Top Violators widget in the SCC, you can click a violator to view the summary list of the entity's violations, which displays details about an entity including lists of policy violations and threats. From this screen, you can drill down into the violations and take actions such as launching an investigation, creating a case, searching Spotter, managing the threat, and collaborating with other members of the team who are viewing the entity.
The Violation Summary screen for a violator:

If you have SecuronixSOAR, the screen displays the Playbook Output button. When you click the Playbook Output button, the Playbook Output section is displayed.
The top section of the screen displays the playbook details and the playbook status. The left section of the screen displays completed tasks for the playbook. The green check sign signifies that the task completed successfully. The right section of the screen displays the details of each task, such as input, output, and status.

UI Element
   Description

a: Back
   Return to the SCC.

b: Risk Score
   Display the risk score of the violator.

c: Tenant Name
   Display the tenant name where the violator is located.

d: Take Action
   Display the options that you can perform.

e: Incident and Entity Details
   Include the entity details, entity profile, and risk score trends of a violator.

f: Violations
   Display a summary of all violations connected to the entity.

g: Violation Events
   Run the Spotter query for the entity.

h: Select All
   Select all violations or none. When you select all violations, the Take Action button appears on the screen.

i: View Session Timeline
   Displays the violation timeline for the violator.

j: Filter Threats
   Type to filter threats.

k: Filter
   Filter the violations by:
   a. Show Only (Threat or Violations): You can filter the records either by threat or violations.
   b. Incidents (Incident Created or Comments Available): You can select Incident Created to view if any incident is created for the entity, or you can select Comments Available to view only the incidents that have comments added by analysts.
   c. Criticality (None, High, Medium, Low, Custom): You can filter incidents based on the criticality.
   d. Action Status (In progress, New Violations, Reviewed): You can filter records based on incident statuses.

l: Refresh
   Refresh the results on the screen.

m: Expand
   Click to expand or collapse the violations. When you expand, the following information displays for each violation:

n: Violations
   Display a summary of all violations connected to the entity.

On the violator summary screen, you can perform the following actions:

Take Action

This option is available when you view the Violation Summary screen for a user. To take action on an entity, complete the following steps:

1. Click Take Action, then select from the following options:

   a. Search Spotter: Click to launch Spotter to search events for this entity.
   b. Add to Watch List: Add an entity/user to a selected Watch List.
   c. Add to White List: Add an entity/user to a white list to approve activity that would otherwise result in a violation.
   d. Non-Concern: Reduce the entity/user risk score to zero.
   e. Mark in progress (still investigating): Retain the entity/user's existing risk score.
   f. Mark as concern and create incident: Retain the entity/user's existing risk score and create an incident on the entity that will include all the violations performed by the entity.

2. Do one of the following, depending on the action you selected in the previous step:
Search Spotter

This action will launch Spotter in a new tab. From here, you can search events for the entity.

Add to Watch List

To add the entity to a selected Watch List, follow the steps below:

a. Complete the following information in the Add Entity To Watch List pop-up:

   1. Choose the Watchlist you want the entity to be added to: Click the drop-down and select an existing watchlist or create a new watchlist.
   2. (Optional) Do you want to create a new widget on the Security Command Center for this Watchlist?: Select one of the following options:
      - YES: Allows you to create a custom widget on the SCC dashboard for a watchlist.
      - NO: Select this option if you don't want to create a custom widget on the SCC dashboard.
   3. Expiry Date: Enter a date for when the entity will automatically be removed from the watchlist.

      Note: If there is no expiry date, the entity will remain on the watchlist for 12 months.

   4. Provide reason for Watchlisting User: Enter a reason for adding this entity to the watch list.

b. Click Add.

Add to White List

a. Complete the following information in the Add Entity To Whitelist pop-up:
b. Click Add.

Non-Concern

Mark in progress (still investigating)

Mark as concern and create incident

You can also take action on individual violations for the entity/user. Hover over a
violation in the Violations list, then click Take Action.

View additional details

Click the ellipsis icon to view the Entity Details, Entity Profile, and Risk Score
Trends:

The information available here will vary depending on the properties of the user, actions taken against the user, and the type of violation(s) associated with the user.

Entity Details

Click the Entity Details tab to view information such as User Details, Workflow Details, Employment History, and Custom Properties.

Note: This section will be labeled differently and include different information for the different entity types: Users, Activity Accounts, Resources, Network Addresses, and Resource Group Accounts. If Data Masking is enabled in your environment, some attributes may appear masked.

Click a value in the User Details section to launch Spotter for that attribute.

Entity Profile

Click the Entity Profile tab to view information such as the Peer Groups
to which the entity belongs, the Access Accounts they hold, and the
Watchlists on which they appear.

View Risk Score Trends

Click the Risk Score Trends tab to view the entity's Risk Score Trend for
violations over time. Hover over any data point to view details.

Filter Threats

Type text in the Filter threats box to filter the violations displayed.

Take actions on violations

On the entity's Violations tab, you can also take actions on individual violations.
When you hover over the violation, the Take Action menu appears.

The action you select will apply only to this violation. You can add the policy to a
targeted white list for the entity, mark the violation as a non-concern, mark the
violation in progress, or mark it as a concern and create an incident. If you add the
violation to a white list or mark it as a non-concern, the risk score will decrease to
zero only for this violation. When you mark a violation as in progress or a concern,
the risk score will remain the same. After you take an action on a violation, the
status will appear.

Take actions on violators

On the Policy Violation Overview screen, you can also take actions on individual
violators.
To do this, hover over the violator, and the Take Action menu appears.

The action you select will apply only to this violator. You can add the violator to a
targeted white list, add the violator to a watch list, mark the violation a non-con-
cern, mark the violation in progress, or mark as a concern and create an incident.
If you add the violator to a white list or mark as a non-concern, the risk score will
decrease to zero only for this violation. When you mark a violation as in progress
or a concern, the risk score will remain the same. After you take an action on a
violator, the status will appear.

View the Violation Details

On the entity summary screen, you can click any violation to drill down into more
details. The violation details screen displays the reason for the violation and the
risk score trend.

View Violation Summary

The Violation Summary view shows specific information about the
events, such as the files accessed and the request URLs involved in the
violation. The information that appears here is based on the violation
summary configured by the content developer during policy or threat
model creation.

From here, you can toggle between the Securonix attribute names and
the user-defined attribute names the content developer selected during
activity import.

If no custom attribute names were defined, you will see the original
attributes for the datasource that were mapped to the Securonix attributes
during activity import.

Click a date on the timeline to view only events for that date.

Click any value to launch Spotter.

For behavior-based policies, you can switch to an analytics summary
view to see the behavior profile information.

The analytics summary view displays the clear deviation from the established
behavior baseline. You can also view a summary of the frequency
of the behavior and the number of data points used to establish
the behavior baseline.

If you click Deviation from Baseline, you can see the Sigma value and
the Variance.

View Violation Events

You can click Violation Events to view the individual events associated
with the violation as a Spotter search. You can drill down or edit the
query.

Search Violation Events

On the violation details screen, click the Violation Events tab to view individual
events associated with the violation as a Spotter search. You can drill down or
edit the query. For more information, see Spotter.

Manage Threat Violations

Threat models feature stages that include one or more policy violations to detect a
specific type of threat. For more information, see Threat Models.

On the Top Threats widget, click a threat to view the threat violation summary screen,
which displays details about the threat violation, including a list of entities that violated
the threat model.

On the threat violation summary screen, you can perform the following additional actions:

View threat model details

Click the ellipsis icon to view more details about the threat model.

Take action on a violator

Hover over a violator to see a list of actions you can take.

Most of the actions are the same as what you see on the entity screen, but the
type of white list is targeted. This is different than a global white list. If you add
the user to a targeted white list here, it will exempt the violator from the policies in
only this threat model, not all of the policies in SNYPR.

View entity details

Click an entity name to view details about the entity associated with the violation.

Filter Threat Violations

You can filter threat violations based on the following:

- Entities: You can filter the records by any of the following entity types:
  - Users
  - Resources
  - Activity Account
  - Network Address
  - Resource group account

- Incidents (Incident Created or Comments Available): You can select Incident Created
to view whether an incident has been created for the threat, or you can select Comments
Available to view only the incidents that have comments added by analysts.

- Action Status (In progress, New Violations, Reviewed): You can filter records
based on incident status.

View a Violation Summary

On the Violation Summary tab, you can view a summary of the stages of the
threat model.

This summary includes:

1. Threat Model stages

2. Duration of time between each violation

3. Threat Indicators (policies within the stages)

4. An option to View Non Violated Policies to see policies for the threat model not
violated by this entity

Click a policy to view a violation summary.

View Other Policies

Click the Other Policies tab to view other policies violated by this entity that are
not part of the threat model.

Search Violation Events

Click the Violation Events tab to view the events associated with this threat
model.
For information about the actions you can take from this section, see Spotter.

Manage Policy Violations

From the Top Violations widget in the SCC, you can click a policy violation to view the
policy violation summary, which displays details about a policy, including a list of policy
violators and threats. From this screen, you can drill down into the violators and take
actions such as launching an investigation, creating a case, searching Spotter, managing
the threat, and collaborating with other members of the team who are viewing the entity.

On the policy violation summary screen, you can perform the following additional actions:

View policy details

1. Click the ellipsis icon to view more details about the policy.

2. Hover over the blue policy details to launch Spotter.

Filter violators

Type text in the Filter violators box to filter the violators displayed.

Take actions on violators

On the Policy Violation Overview screen, you can also take actions on individual
violators.
To do this, hover over the violator, and the Take Action menu appears.

The action you select will apply only to this violator. You can add the violator to a
targeted white list, add the violator to a watch list, mark the violation a non-con-
cern, mark the violation in progress, or mark as a concern and create an incident.
If you add the violator to a white list or mark as a non-concern, the risk score will
decrease to zero only for this violation. When you mark a violation as in progress
or a concern, the risk score will remain the same. After you take an action on a
violator, the status will appear.

Search Violation Events

Click the Violation Events tab to view individual events associated with the
policy violation.
For information about the actions you can take from this section, see Spotter.

View Violation Details

Click a violator name to view a summary of the policy violation for the entity and
take action on the policy.

Note: The violation summary will display different information based on the Action
Filters enabled in Activity Data and the analytical technique configured in the Policy
Violations. For more information, see the SNYPR Integration Guide.

Example: Landspeed Violation

The following example displays a summary for a landspeed violation.

Example: Flight Risk User

The following example displays a violation summary for a Flight Risk User—Job
Search policy.

Run Securonix SOAR Playbook

Run Playbook from SNYPR

You can manually run a SOAR playbook by performing the following steps:

1. Access the Security Command Center.

2. Select an alert/violation from the Top Violators widget.

3. Select a violation and click Run Playbook.

4. Select a playbook from the Run Playbooks section.

5. Click Run Playbook. The screen displays the message Playbook execution in
progress.

Once the playbook is executed, the screen displays the playbook status.

Get Started with Response Bot

The Securonix Smart Response framework uses machine learning to understand the typical
actions taken by Tier 2 and Tier 3 analysts and predict the most appropriate action for a
violation. The goal is to provide Tier 1 analysts with smart actions for dispositions prior to
escalating alerts when a policy is violated.

For example, if Tier 2 analysts frequently mark the category "job search" as a concern,
the Response Bot will suggest that the Tier 1 analyst should mark this as a concern. It
will also indicate the probability as a percentage, based on the percentage of times this
action was performed by the Tier 2 analysts. For example, if the Tier 2 analysts mark this
as a concern 85% of the time, the Response Bot will suggest with 85% probability that the
Tier 1 analyst should mark this as a concern.

Enable Response Bot

The Response Bot learns based on the type of violation and the attributes within the violation
that influenced the Tier 2 and Tier 3 analysts' actions. Based on what it learns, the
Response Bot provides recommendations to Tier 1 analysts.

To enable Response Bot, complete the following steps:

1. Navigate to Menu > Analytics > Policy Violations.

2. Click +, then choose Create Policy.

3. Complete the Enter Policy Details, Provide Conditions, and Choose Risk Scoring Technique
steps as described in the Policy Violations section of the SNYPR Analytics Guide.

4. Scroll down to the Response Bot Recommendations section and complete the
following information:

a. Enable Response Bot: Set to YES.

b. Choose one or more features for Response Bot: Select one or more features for Response
Bot.

c. Choose one or more user attributes for Response Bot: Select one or more user attributes
for Response Bot.

d. Do you want to select aggregated functionality on the features?: Set to YES to
learn actions taken on specific attributes in aggregated events for the features
selected above.

- SUM: The aggregated SUM value for the specified field.

- COUNT: The aggregated COUNT value for the specified field.

- DISTCOUNT: Returns only distinct (or different) values for the specified field.

Note: This option appears for behavior and directive-based Aggregated Event Evaluator
(AEE) policies.

View Response Bot Suggestions


You can view Response Bot suggestions in SNYPR from the Security Command Center
(SCC) and Incident Management dashboard.

Security Command Center

To view the Response Bot suggestions from the SCC, complete the following steps:

1. Navigate to Menu > Security Center > Security Command Center. You can access
Response Bot suggestions in one of two ways:

- Click an entity name from the Top Violators widget.

- Click a policy violation on the Top Violations widget.

2. On the Violation Summary screen, the suggestion indicates the type of action taken
and the percentage probability that a Tier 2 analyst would take the action, based on
the number of times they have done so in the past for this type of event and the user
attributes that appear in this event.

3. Click the suggestion to take the action indicated.

For more information about taking actions, see Take Action on a Violator.

Incident Management Dashboard

You can configure Response Bot to learn from the actions taken on cases on the Incident
Management dashboard. For more information about managing incidents, see Incident
Management.

By default, Response Bot is only configured for threat management. To configure the
actions to consider for learning during incident management, use the following sample
script:

INSERT INTO configxml (xmlkey, xmlvalue, glossary) VALUES
('PREDICTION_ACTIONS', '<actionsToBeConsidered>
<actions>VIOLATION</actions>
<actions>ACCEPT RISK</actions>
<responseType>INCIDENTMANAGEMENT</responseType>
</actionsToBeConsidered>', 'Actions That Will Be Considered For Learning');
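As an added illustration (not Securonix code, and not how SNYPR's Response Bot is implemented), the following Python models the mechanism described in Get Started with Response Bot: a suggested action and its percentage probability derived from past Tier 2 and Tier 3 dispositions, restricted to the actions a PREDICTION_ACTIONS value such as the one above declares for a response type. The disposition record layout, the default threat-management action set, and the history itself are constructed assumptions.

```python
from collections import Counter
import xml.etree.ElementTree as ET

# The xmlvalue from the guide's sample configxml script: the actions that
# are learned for incident management.
PREDICTION_ACTIONS_XML = """<actionsToBeConsidered>
<actions>VIOLATION</actions>
<actions>ACCEPT RISK</actions>
<responseType>INCIDENTMANAGEMENT</responseType>
</actionsToBeConsidered>"""

# Assumed default: the guide says Response Bot is configured for threat
# management by default; the action names here are hypothetical.
DEFAULT_CONSIDERED = {
    "THREATMANAGEMENT": {"CONCERN", "NON-CONCERN", "IN PROGRESS", "WHITELIST"},
}


def parse_considered_actions(xml_text):
    """Parse one PREDICTION_ACTIONS value into (responseType, set of actions)."""
    root = ET.fromstring(xml_text)
    response_type = (root.findtext("responseType") or "").strip()
    actions = {a.text.strip() for a in root.findall("actions") if a.text}
    return response_type, actions


def load_considered(xml_values):
    """Map responseType -> considered actions, starting from the assumed default
    and overriding or adding an entry for each configxml value supplied."""
    considered = {k: set(v) for k, v in DEFAULT_CONSIDERED.items()}
    for xml_text in xml_values:
        response_type, actions = parse_considered_actions(xml_text)
        considered[response_type] = actions
    return considered


def _rec(tier, response_type, category, action, **attributes):
    """One historical disposition (hypothetical record layout)."""
    return {"tier": tier, "response_type": response_type, "category": category,
            "action": action, "attributes": attributes}


# Constructed history (not real data): Tier 2/3 dispositions on the
# "job search" category, plus records that must NOT influence a suggestion
# (a Tier 1 analyst's actions, and COMMENT, which is not a learned action).
HISTORY = (
    [_rec(2, "THREATMANAGEMENT", "job search", "CONCERN", department="Sales")] * 17
    + [_rec(3, "THREATMANAGEMENT", "job search", "NON-CONCERN", department="Sales")] * 3
    + [_rec(1, "THREATMANAGEMENT", "job search", "NON-CONCERN", department="Sales")] * 5
    + [_rec(2, "THREATMANAGEMENT", "job search", "NON-CONCERN", department="Finance")] * 4
    + [_rec(2, "INCIDENTMANAGEMENT", "job search", "VIOLATION", department="Sales")] * 3
    + [_rec(2, "INCIDENTMANAGEMENT", "job search", "ACCEPT RISK", department="Sales")]
    + [_rec(2, "INCIDENTMANAGEMENT", "job search", "COMMENT", department="Sales")] * 6
)


def recommend(history, response_type, category, attributes, considered):
    """Suggest the action Tier 2/3 analysts most often took on this kind of
    violation: returns (action, probability_percent, sample_count), or None
    when learning is not configured for response_type or no history matches."""
    allowed = considered.get(response_type)
    if not allowed:
        return None
    counts = Counter()
    for rec in history:
        if rec["tier"] not in (2, 3):          # only Tier 2/3 dispositions are learned
            continue
        if rec["response_type"] != response_type or rec["category"] != category:
            continue
        if rec["action"] not in allowed:       # e.g. COMMENT is not a considered action
            continue
        # every selected user attribute of the new violation must match the record
        if any(rec["attributes"].get(k) != v for k, v in attributes.items()):
            continue
        counts[rec["action"]] += 1
    total = sum(counts.values())
    if total == 0:
        return None
    action, n = counts.most_common(1)[0]
    return action, round(100 * n / total), total


if __name__ == "__main__":
    cfg = load_considered([PREDICTION_ACTIONS_XML])
    # 17 of 20 matching Tier 2/3 dispositions were CONCERN -> ("CONCERN", 85, 20)
    print(recommend(HISTORY, "THREATMANAGEMENT", "job search", {"department": "Sales"}, cfg))
    # COMMENT records are ignored, so 3 of 4 were VIOLATION -> ("VIOLATION", 75, 4)
    print(recommend(HISTORY, "INCIDENTMANAGEMENT", "job search", {"department": "Sales"}, cfg))
```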

To view the Response Bot suggestions from the Incident Management dashboard,
complete the following steps:

1. Navigate to Menu > Security Center > Incident Management.

2. Select a case from the dashboard.

The case details display on a new screen.

3. Click an available action to take that action on the case.

The Response Bot shows the learned action and the probability percentage.

Chat with an Analyst

The Chat feature is a messaging tool that enables security analysts to collaborate on
cases. This feature can be accessed from the Violation Summary screen.

For this example, the Chat feature is accessed from the Violation Summary screen. On
the top right of the screen, there is a Viewers section that displays the initials of the
security analyst(s) viewing the same case as you, as seen in the image below:

To start a conversation with another analyst, click the green chat icon. A text box
will appear, allowing you to type and send your message:

Note: Only users viewing the case at the same time will appear as available for chat.

To send your message, click the green arrows. To close the chat conversation,
click the green chat icon.

On-Demand Incident

The On-Demand Incident feature enables analysts and threat hunters to create a case on
non-entity attributes and attach events to a new or existing incident directly from Spotter,
even when there isn't a policy in place to detect the threat. This on-demand functionality
gives analysts and threat hunters more control over their investigations, as they are
provided with greater flexibility during incident creation. Analysts and threat hunters
can also manage activity from the Incident Management dashboard to better manage
emerging threats that may have previously gone unnoticed.

This section covers the following topics:

- The Incidents Panel

- Create an On-Demand Incident

The Incidents Panel

The On-Demand Incident icon opens an Incidents panel, which provides a consolidated
list of existing incidents in one location. This list also includes multiple features that make
it easy to find the information you need, including:

a. Incident ID: Each incident is assigned a unique number that is used to track the incident. Click
the Incident ID to view the incident management details for the selected incident.

b. Incident Name: Each incident includes a specific name that helps to quickly identify the incident
and focus the investigation on the most important threats in their environment.

c. Attachment icon: You can click this icon to attach important files to the incident.

d. Comments icon: This icon is used to provide additional information about the incident to help
communicate analysis.

Note: Any incident created from the Incidents panel will not have a risk score associated to the
incident.

Create an On-Demand Incident


To create an On-Demand Incident, complete the following steps:
1. Click the On-Demand Incident icon, located in the global header of SNYPR.

2. Click Create new On-Demand Incident.

3. Complete the following information:

a. Incident Name: Provide a unique name for this incident. This name appears on the incidents
panel.

b. Select Criticality: Use the slider to select the criticality for the incident.

c. Select Tenant: Choose the tenant to create an incident for.

d. Incident Description: Provide a description to help you identify the incident. This description
appears on the incidents panel.

e. Select Workflow: Choose a workflow to trigger.

f. Assign To Analyst: Select an assignee.

g. Comment: Add comments.

You can also add events to a new or existing incident from the Spotter Search Results
view. See the Spotter section for more details.

Unmasking

Data Masking in SNYPR allows you to mask users, activity and access accounts,
resource names, network addresses, and any data source attribute. To enable
investigation and response, analysts can request to unmask entities when violations occur.
The entity unmasking workflow is described in the following illustration:

The following roles interact with the Data Masking functionalities in SNYPR:

- Admin: The role in SNYPR that enables and disables masking, configures the unmasking
approval workflow and the Approver role, and selects the user responsible for approving
unmasking requests. The Admin may not view masked data.

- Security Analyst: The role in SNYPR that has permission to view and investigate violations, hunt
for threats in Spotter, launch playbooks, and remediate threats. The Analyst does not have
permission to view masked data, but can launch the unmasking request workflow from the Security
Command Center.

- Approver: The role in SNYPR that receives, reviews, and approves or rejects unmasking
requests from the Analyst.

- Privacy Master: The only role that has permission to view ALL data in SNYPR as unmasked.
The Privacy Master does not have permission to enable or disable masking or approve
unmasking requests. Assign this role with caution.

Users in SNYPR may be assigned more than one role. For more information about roles,
see Access Control in the SNYPR Administration Guide.

Sending Request for Unmasking

Security analysts can request to unmask entities for a limited time period from the Security
Command Center by clicking Take Action > Request to unmask entity.

Specify the reason to unmask the entity and click Send Request.

The request status changes to pending, and Take Action displays Request to unmask is
pending until the request is approved or denied. When the request is approved, SNYPR
sends an email, a notification appears in the security analyst's Notifications, and the
violation record is unmasked.

If the request is denied, the security analyst will receive a request denied notification.

Data Insights
Data Insights allows you to create, modify, save, and share custom dashboards to gain
insights into your organization's data. You can export dashboards in a variety of formats,
such as PDF, PowerPoint, and Excel. This allows you to reuse the Data Insights reports
within your organization and easily share the reports with management. These widely
usable formats enable analysts to create, modify, save, and share custom dashboards to
support compliance for the organization.

The Data Insights dashboard is composed of widgets that provide visualizations of your
data, allowing you to quickly view and compare data at a glance.

Dashboards Overview
From Data Insights, you can create your own unique dashboard to access the information
that is most relevant to you and your organization. Once you have created a dashboard,
as discussed in Manage Dashboards, you will select from a variety of widgets to build out
its display.

Widgets Overview
A widget in Data Insights is a mini-report that displays your data in a number of
presentation styles, including:

- Line Chart
- Area Chart
- Bar Chart
- Geolocation Map
- Tabular Data
- Number Chart
- Heat Map
- Donut Chart
- Stacked Bar Chart
- Top N Results
- Bubble Chart
- Source Destination Chart
- Text/Note
- Geolink

For information on configuring settings that are specific to a particular widget type, see
Configure a Widget.

Explore the Dashboard Icons

To access your Data Insights dashboards, navigate to Menu > Security Center > Data
Insights.

The following table provides a description for each of the icons referenced in the figure
above:

Icon  Description

a: All Dashboards
Displays a list of the existing dashboards you have configured. This icon also
allows you to filter the dashboard results. For example, if you select the Email
dashboard from the All Dashboards drop-down list, the left pane will only display
the Email dashboard, as seen in the image below. To remove a dashboard filter,
click the All Dashboards icon and select Showing All dashboards from the
drop-down list.

b: Reorder
The reorder icon allows you to rearrange dashboards by dragging them to new
locations on the left pane. To rearrange your dashboards, click the Rearrange
icon. A check mark icon will display once you're in edit mode, as seen in the
image below. Click the dashboard title and drag it to your desired location on
the left pane. To save your dashboard arrangement, click the check mark icon.

c: Share
The share icon allows you to share the dashboard, enabling every member of your
team to access the same information. Check the box for each permission you want
the user to have.

d: Edit
The Edit icon enables you to edit the contents of a dashboard or widget.

e: Delete
The Delete icon deletes a dashboard. A confirmation message displays to confirm
the removal of the dashboard. Click Yes to delete your dashboard.

f: Time Range
The Time Range icon displays for each widget, enabling you to change the time
frame of results for a specific widget.

g: Select Duration
The Select Duration icon is similar to the Time Range icon, except it controls
the time frame of the results for all the widgets on the dashboard.

h: Filter
The Filter icon allows you to filter the widget results by Field and Value.

i: Reports
The Reports icon enables you to export a dashboard and run a report.

j: Refresh
The Refresh icon refreshes the dashboard results.

k: Play/Stop
The Play/Stop icons play and stop the dashboard results.

Manage Dashboards
The Data Insights dashboards enable you to create a customized and strategic view of
your system, ensuring that the data you need is available at a glance. The steps outlined
in this section describe how to create and edit a dashboard.

Create A Dashboard
To create a dashboard, complete the following steps:
1. Navigate to Menu > Security Center > Data Insights.

2. Click + > Create New Dashboard from the left pane.

3. Complete the following information to create the dashboard:

a. Dashboard Name: Provide a unique name for your dashboard.

b. (Optional) Dashboard Description: Provide a brief description for your dashboard.

c. (Optional) Select a category for your dashboard: Select a category from the drop-down or
Create New Category.

d. Tenant Information: Select a tenant for which you want to create the dashboard. You can
select all tenants or any combination of tenants to create the dashboard.

e. Select Any One Template: Choose a template layout to specify the grid structure
of the widgets on your dashboard. A preview of the template displays when you
click a template.

4. Click Save to save your dashboard creation.

Edit Dashboards
Once a dashboard has been created, it can be edited. To edit a dashboard, complete the
following steps:
1. Navigate to Menu > Security Center > Data Insights.

2. Click a dashboard name from the left pane, then select the edit icon.

A section displays at the top of the screen, enabling you to edit the dashboard details.
The following dashboard details are available:

- Dashboard Name: Enter a name for the dashboard.

- Category: Select a category from the drop-down list.

- Tenant List: Select a tenant for the dashboard.

- Description: Provide a description for the dashboard.

From here, you can add a new widget by clicking Add Widget. For more information
on customizing widgets, see the Manage Dashboard Widgets section.

3. Click Save to save the dashboard details.

Manage Dashboard Widgets


The Data Insights dashboards contain one or more widgets that give you an overview of
the data you care about most. The steps outlined in this section describe how to add a
widget to your dashboard, how to configure each widget type, and how to edit an existing
widget.

Add a Widget to the Dashboard


Once you have created a Data Insights dashboard, as discussed in the Create a
Dashboard section, you can add a widget to your dashboard.
To add a widget, complete the following steps:
1. Click Add Widget from the header of the dashboard you previously created.

2. Select the type of widget you want to add to the dashboard.

Tip: Hover over each icon to view the widget type.

Customize a Widget

Upon selecting a widget type, you are presented with the various configuration settings
for that widget. This section provides instructions on how to configure settings for each
widget type.

Line Chart

A Line Chart displays information as a series of data points connected by straight
line segments. Use this chart to track patterns.

The following image is an example of the Line Chart widget:

Note: Based on the configuration, facet levels can cause the y-axis to spike upwards.
To work around this, an aggregation must occur on the y-axis attribute.

To configure the Line Chart widget, complete the following steps:

1. Complete the following information in the General Details section:

a. Chart Label: The label entered here displays at the top of the widget.

b. (Optional) Chart Orientation: Specifies whether the orientation of the widget is
vertical or horizontal.

c. (Optional) Chart Color: The color that is applied to the widget.

2. Complete the following information in the Chart Details section:

a. (Optional) Datasource: The datasource you want to create the chart for.

b. What type of data you want to use: The type of data you want to run the query on.

c. Time Range: The date range you want to run the query for.

3. Select one or multiple tenants from the Tenant Information section.

4. Complete the following information in the X - Axis section:

a. (Optional) X-Axis Label: The text that displays on the x-axis.

b. Field: An attribute. Available attributes are based on the datasource, if it has been
selected for this chart.

c. (Optional) Label Rotation: The rotation style for the x-axis label. You can choose to
display the label horizontally, vertically, or at a slant.

5. Complete the following information in the Y- Axis section:

a. (Optional) Y-Axis Label: The text that displays on the y-axis.

b. Field: An attribute. Available attributes are based on the datasource, if it has been
selected for this chart.

c. (Optional) Label Rotation: The rotation style for the y-axis label. You can choose to
display the label horizontally, vertically, or at a slant.

6. Click Create Chart.

Area Chart

An Area Chart is similar to a Line Chart, except the area under each line is filled
in with color.
The following image is an example of the Area Chart widget:

Complete the following steps to configure the area chart widget:


1. Complete the following information in the General Details section:
a. Chart Label: The label entered here displays at the top of the widget.

b. (Optional) Chart Orientation: Specifies whether the orientation of the widget is ver-
tical or horizontal.

c. (Optional) Chart Color: The color that is applied to the widget.

2. Select one or multiple tenants from the Tenant Information section.

3. Complete the following information in the Chart Details section:


a. (Optional) Datasource: The datasource you want to create the chart for.

b. What type of data you want to use: The type of data you want to run the query on.

c. Time Range: The date range you want to run the query for.

4. Complete the following information in the X - Axis section:


a. (Optional) X-Axis Label: The text that displays on the x-axis.

b. Field: An attribute. Available attributes are based on the datasource, if it has been
selected for this chart.

c. (Optional) Label Rotation: The rotation style for the x-axis label. You can choose to
display the label horizontally, vertically, or at a slant.

5. Complete the following information in the Y- Axis section:


a. (Optional) Y-Axis Label: The text that displays on the y-axis.

b. Field: An attribute. Available attributes are based on the datasource, if it has been
selected for this chart.

c. (Optional) Label Rotation: The rotation style for the y-axis label. You can choose to
display the label horizontally, vertically, or at a slant.

6. Click Create Chart.

Bar Chart

The Bar Chart is a chart with horizontally or vertically plotted bars (categories)
with lengths proportional to the values that they represent.

The following image is an example of the Bar Chart widget:

Complete the following steps to configure the Bar Chart widget:


1. Complete the following information in the General Details section:
a. Chart Label: The label entered here displays at the top of the widget.

b. (Optional) Chart Orientation: Specifies whether the orientation of the widget is ver-
tical or horizontal.

c. (Optional) Chart Color: The color that is applied to the widget.

2. Select one or multiple tenants from the Tenant Information section.

3. Complete the following information in the Chart Details section:


a. (Optional) Datasource: The datasource you want to create the chart for.

b. What type of data you want to use: The type of data you want to run the query on.

c. Time Range: The date range you want to run the query for.

4. Complete the following information in the X - Axis section:


a. (Optional) X-Axis Label: The text that displays on the x-axis.

b. Field: An attribute. Available attributes are based on the datasource, if it has been
selected for this chart.


c. (Optional) Label Rotation: The rotation style for the x-axis label. You can choose to
display the label horizontally, vertically, or at a slant.

5. Complete the following information in the Y- Axis section:


a. (Optional) Y-Axis Label: The text that displays on the y-axis.

b. Field: An attribute. Available attributes are based on the datasource, if it has been
selected for this chart.

c. (Optional) Label Rotation: The rotation style for the y-axis label. You can choose to
display the label horizontally, vertically, or at a slant.

6. Click Create Chart.

Geolocation Map

The Geolocation Map displays a map showing where your active users are coming from.
The following image is an example of the Geolocation Map widget:

1. Complete the following information in the General Details section:


a. Chart Label: The label entered here displays at the top of the widget.

b. (Optional) Chart Color: The color that is applied to the widget.

2. Select one or multiple tenants from the Tenant Information section.

3. Complete the following information in the Chart Details section:


a. (Optional) Datasource: The datasource you want to create the chart for.

b. What type of data you want to use: The type of data you want to run the query on.

c. Time Range: The date range you want to run the query for.

4. Select a geolocation map field.

5. Select a group by field.

6. Click Create Chart.

Tabular Data

The Tabular Data widget organizes data into a table with rows and columns.
Each column in the table represents an x or y axis, and each row shows a selected attribute of that axis.
The following image is an example of the Tabular Data widget:

Complete the following steps to configure the Tabular Data widget:


1. Complete the following information in the General Details section:
a. Chart Label: The label entered here displays at the top of the widget.

b. (Optional) Chart Orientation: Specifies whether the orientation of the widget is vertical or horizontal.

c. (Optional) Chart Color: The color that is applied to the widget.

2. Select one or multiple tenants from the Tenant Information section.


3. Complete the following information in the Chart Details section:


a. (Optional) Datasource: The datasource you want to create the chart for.

b. What type of data you want to use: The type of data you want to run the query on.

c. Time Range: The date range you want to run the query for.

4. Complete the following information in the Column 1 section:

a. (Optional) Column 1 Label: The text that displays on the first column.

b. Field: An attribute. Available attributes are based on the datasource, if it has been
selected for this chart.

c. (Optional) Label Rotation: The rotation style for the label of the first column. You
can choose to display the label horizontally, vertically, or at a slant.

5. Click Create Chart.

Number Chart

The Number Chart widget displays a numerical value based on ???


The following image is an example of the Number Chart widget:


Complete the following steps to configure the Number Chart widget:


1. Enter the name you want to display at the top of the widget.

2. Select one or multiple tenants from the Tenant Information section.

3. Complete the following information in the Chart Details section:


a. (Optional) Datasource: The datasource you want to create the chart for.

b. What type of data you want to use: The type of data you want to run the query on.

c. Time Range: The date range you want to run the query for.

4. Complete the following information in the Field section:


a. Operator: Select the AVG (average), MAX (maximum), MIN (minimum), or SUM
operator from the drop-down.

b. Field: An attribute. Available attributes are based on the datasource, if it has been
selected for this chart.

c. (Optional) View Based on: Select Daily, Weekly, Hourly, or Monthly from the
drop-down.

5. Click Create Chart.

Heat Map

The Heat Map chart is a combination of nested, colored squares, each representing an attribute element. The squares contain many shadings of colors, which emphasize various activity levels.
The following image is an example of the Heat Map widget:


Complete the following steps to configure the Heat Map widget:


1. Select one or multiple tenants from the Tenant Information section.

2. Complete the following information in the Chart Details section:


a. (Optional) Datasource: The datasource you want to create the chart for.

b. What type of data you want to use: The type of data you want to run the query on.

c. Time Range: The date range you want to run the query for.

3. (Optional) Click the drop-down to select an x-axis Field.

4. Click the drop-down to select a y-axis Field.

5. Select the AVG (average), MAX (maximum), MIN (minimum), or SUM operator from the drop-down.


6. Click the drop-down to select the color of your heat map blocks.

7. Click Create Chart.

Donut Chart

A Donut Chart is a circular chart that is divided into slices, each of which represents a proportion of a whole. The size of a slice is determined by its percentage of the total of all values.
The following image is an example of the Donut Chart widget:

Complete the following steps to configure the Donut Chart widget:


1. Complete the following information in the General Details section:
a. Chart Label: The label entered here displays at the top of the widget.

b. (Optional) Chart Orientation: Specifies whether the orientation of the widget is vertical or horizontal.

c. (Optional) Chart Color: The color that is applied to the widget.

2. Select one or multiple tenants from the Tenant Information section.


3. Complete the following information in the Chart Details section:


a. (Optional) Datasource: The datasource you want to create the chart for.

b. What type of data you want to use: The type of data you want to run the query on.

c. Time Range: The date range you want to run the query for.

4. Click the drop-down and select a label for the pie slice in the donut chart.

5. Click the drop-down and select the size for each pie slice in the donut chart.

6. Click Create Chart.

Stacked Bar Chart

The Stacked Bar Chart is a chart that stacks multiple data series on a horizontal or vertical bar.
The following image is an example of the Stacked Bar Chart widget:

Complete the following steps to configure the Stacked Bar Chart widget:


1. Select one or multiple tenants from the Tenant Information section.


2. Complete the following information in the Chart Details section:


a. (Optional) Datasource: The datasource you want to create the chart for.

b. What type of data you want to use: The type of data you want to run the query on.

c. Time Range: The date range you want to run the query for.

3. Complete the following information in the X - Axis section:


a. (Optional) X-Axis Label: The text that displays on the x-axis.

b. Field: An attribute. Available attributes are based on the datasource, if it has been
selected for this chart.

c. (Optional) View Based on: Select Daily, Weekly, Hourly, or Monthly from the
drop-down.

d. (Optional) Label Rotation: The rotation style for the x-axis label. You can choose to
display the label horizontally, vertically, or at a slant.

4. Complete the following information in the Stacks section:

a. Y-Axis Label: The text that displays on the y-axis.

b. Stacked on: Select a stacked field from the drop-down list.


c. Label Rotation: The rotation style for the y-axis label. You can choose to display the
label horizontally, vertically, or at a slant.

5. Click Create Chart.

Top N Results

The Top N Results widget displays the top N values of the selected field(s) from your datasource, where N is the Count (number of results).
The following image is an example of the Top N Results widget:

Complete the following steps to configure the Top N Results widget:


1. Select one or multiple tenants from the Tenant Information section.

2. Complete the following information in the Chart Details section:


a. (Optional) Datasource: The datasource you want to create the chart for.

b. What type of data you want to use: The type of data you want to run the query on.

c. Time Range: The date range you want to run the query for.

d. Field: An attribute. Available attributes are based on the datasource, if it has been
selected for this chart.

e. Count: A numeric value for "N". The default setting is 5.

3. Click Create Chart.

Bubble Chart

The Bubble Chart is a chart that plots an x-axis (horizontal) and a y-axis (vertical)
as a set of points scattered on a graph.


The following image is an example of the Bubble Chart widget:

Complete the following steps to configure the Bubble Chart widget:


1. Select one or multiple tenants from the Tenant Information section.

2. Complete the following information in the Chart Details section:


a. (Optional) Datasource: The datasource you want to create the chart for.

b. What type of data you want to use: The type of data you want to run the query on.

c. Time Range: The date range you want to run the query for.

3. Complete the following information in the X - Axis section:


a. (Optional) X-Axis Label: The text that displays on the x-axis.

b. Field: An attribute. Available attributes are based on the datasource, if it has been
selected for this chart.

c. (Optional) View Based on: Select Daily, Weekly, Hourly, or Monthly from the
drop-down.

d. (Optional) Label Rotation: The rotation style for the x-axis label. You can choose to
display the label horizontally, vertically, or at a slant.

4. Complete the following information in the Y- Axis section:


a. (Optional) Y-Axis Label: The text that displays on the y-axis.

b. Field: An attribute. Available attributes are based on the datasource, if it has been
selected for this chart.

c. (Optional) Label Rotation: The rotation style for the y-axis label. You can choose to
display the label horizontally, vertically, or at a slant.

5. Click the drop-down and select the z-axis field.

6. Click Create Chart.

Source Destination Chart

The Source Destination Chart displays the source and destination by field.
The following image is an example of the Source Destination Chart widget:

Complete the following steps to configure the Source Destination Chart widget:
1. Select one or multiple tenants from the Tenant Information section.


2. Complete the following information in the Chart Details section:


a. (Optional) Datasource: The datasource you want to create the chart for.

b. What type of data you want to use: The type of data you want to run the query on.

c. Time Range: The date range you want to run the query for.

3. Click the drop-down and select a source field.

4. Click the drop-down and select a field.

5. Click the drop-down and select a destination field.

6. Click Create Chart.

Text/Note

The Text/Note widget allows you to add more descriptive explanations to your dashboard as text or notes. There are various options for creating different text styles, such as changing the font color, defining the text alignment, and adding hyperlinks.
The following image is an example of the Text/Note widget:


Geolink

The Geolink widget provides a quick and efficient method of locating anomalies
based on the geographical connection between two IP addresses. This widget
displays an arrow to indicate direction.
The following image is an example of the Geolink widget:


Complete the following steps to configure the Geolink widget:


1. Select one or multiple tenants from the Tenant Information section.

2. Complete the following information in the Chart Details section:


a. (Optional) Datasource: The datasource you want to create the chart for.

b. What type of data you want to use: The type of data you want to run the query on.

c. Time Range: The date range you want to run the query for.

3. Click the drop-down and select a source field.

4. Click the drop-down and select a destination field.

5. Click the drop-down and select a group by field.

6. Click Create Chart.

You can follow many of these steps to edit an existing widget.

Edit a Widget
From the left pane, select the dashboard you want to edit, then click the edit icon.


In edit mode, you can perform the following actions on a widget:


a. Clone Widget: To clone a widget, click the Clone Widget icon and select Yes in the pop-up.
Selecting Yes will default the widget name to Copy of [Current Widget Name] - [Duration], and
will display the cloned widget at the bottom of the dashboard.

b. Edit Widget: To edit a widget, click the pencil icon. A dialog box displays on the right side of the
screen where you can edit the widget details. For more information on how to configure settings
for a specific widget, see the Configure a Widget section above.

c. Select Duration: To change the time range displayed on a widget, click the Select Duration icon and select a time value to filter the widget. You can select from a variety of hours, days, and years, or you can create a custom time range. The time range you select will become the new time range the widget displays.

Note: When you change the Time Period or an operator-specific filter (such as Top 10 or daily) for a dashboard or a widget, the chart displays the data based on the selection, but the labels do not change.

d. Close Graph: To delete a widget, click the Close Graph icon.

e. Resize the Widget: To resize a widget, hover over the widget. When a two sided arrow appears,
click and drag to resize. A gray dotted line appears to indicate the new widget size.


Use Data Insights Dashboards


When you configure the widgets for the Data Insights dashboards, SNYPR collects chart
data and renders the chart. You can filter the information on the dashboard or click data
points to launch actions.
From this screen, you can perform the following actions:

1. Refresh Dashboard: Click the icon to refresh the Data Insights dashboards.

2. Filter Notification: Click to provide a global filter to all the widgets on the dashboard.

• Click Add New Filter, and then select a filter from the Field drop-down or enter a query.

• To remove a filter, click the filter icon and then click the red X.


3. Select Duration—Dashboard: Set the time / date duration for the Data Insights dashboards.

4. Select Duration—Widget: Set the time / date duration for one widget on the dashboard.

5. Actions: Click a data point to select action options.

Note: Available actions vary based on the chart type and data type.

• Add to Filter: Filters the chart results based on the data point.

• Launch Spotter: Launches a Spotter search based on the data point. For more information about searching SNYPR, see Spotter.

Appendix A: Compliance Dashboards


In Data Insights, you can create, modify, save, and share custom dashboards to gain compliance data insights for your organization with the My Dashboards feature. Examples of dashboards that are available include the following:

PCI Dashboards

The dashboards for PCI requirements are listed in the following table.

PCI Requirement: 01 - Firewall Configurations
Description: Install and maintain a firewall configuration to protect cardholder data
Widget Samples: PCI - All Firewall Configuration Events; PCI - All Inbound Connections; PCI - All Outbound Connections; PCI - Denied Inbound Connections; PCI - Denied Outbound Connections
Device Class: Firewall, IDS (Intrusion Detection System)

PCI Requirement: 02 - System Password Management
Description: Do not use vendor-supplied defaults for system passwords and other security parameters
Widget Samples: PCI - Password Changes and Resets; PCI - Account Sharing; PCI - Account Lockouts
Device Class: OS

PCI Requirement: 05 - Antivirus Deployment
Description: Protect all systems against malware and regularly update anti-virus software or programs
Widget Samples: PCI - Hosts with AV Protection; PCI - Hosts without AV Protection; PCI - Hosts with Malware Infection
Device Class: Malware

PCI Requirement: 08 - Account Management
Description: Identify and authenticate access to system components
Widget Samples: PCI - User Account Creation, Deletion; PCI - User Account Privilege Changes; PCI - User Group Creation, Deletion; PCI - User Group Privilege Changes; PCI - DB User Account Creation, Deletion; PCI - DB User Privilege Changes
Device Class: OS and DB

PCI Requirement: 09 - Physical Access
Description: Restrict physical access to cardholder data
Widget Samples: PCI - All Authentication Events; PCI - Denied Authentication Events; PCI - All System Auditing Events; PCI - VPN Access Summary; PCI - System Admin/Root User Activity; PCI - DB Admin Activity; PCI - Application Admin Activity; PCI - File and Document Management Activity
Device Class: VPN, OS, Access Privilege, DB, Application and CMS

PCI Requirement: 11 - Test Security Systems and Processes
Description: Regularly test security systems and processes
Widget Samples: PCI - Critical Vulnerabilities; PCI - Top Vulnerable Assets; PCI - All Vulnerabilities by Criticality; PCI - All Firewall Configuration Events; PCI - All Wireless Configuration Events
Device Class: Scanner, Firewall, IDS, Wireless

PCI Requirement: 12 - Security Policy Review
Description: Maintain a policy that addresses information security for all personnel
Widget Samples: PCI - All Policy Changes; PCI - All Policy Violations
Device Class: (none listed)

HIPAA Dashboards

The dashboards for HIPAA are listed in the following table.

HIPAA Requirement: HIPAA - Privacy Safeguards
Description: HIPAA Privacy Rule - 45 CFR Part 164, Subpart E requires appropriate safeguards to protect the privacy of medical records and other personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. For more information, visit https://www.hhs.gov/hipaa/for-professionals/privacy/
Widget Samples: HIPAA - All Application Activity; HIPAA - Privacy Violations
Device Class: Application

HIPAA Requirement: HIPAA - Administrative Safeguards
Description: HIPAA Security Rule - Administrative Safeguards - 45 CFR 164.308 requires appropriate administrative safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. For more information, visit https://www.hhs.gov/hipaa/for-professionals/security/
Widget Samples: HIPAA - All Policy Changes; HIPAA - All Policy Violations; HIPAA - File and Document Management Activity; HIPAA - Critical Vulnerabilities; HIPAA - Top Vulnerable Assets; HIPAA - All Vulnerabilities by Criticality; HIPAA - All Firewall Configuration Events; HIPAA - All Wireless Configuration Events; HIPAA - Anti-Malware Deployed; HIPAA - Hosts without Anti-Malware Protection (Stopped, Disabled, Not installed); HIPAA - Hosts with Malware Infection; HIPAA - Anti-Malware Protection Events; HIPAA - Anti-malware Scan Summary; HIPAA - Anti-Malware Update Failure, Success; HIPAA - Password Changes and Resets; HIPAA - Account Sharing; HIPAA - Account Lockouts; HIPAA - All Authentication Events; HIPAA - Denied Authentication Events; HIPAA - VPN Access Summary; HIPAA - System Admin/Root User Activity; HIPAA - DB Admin Activity; HIPAA - Application Admin Activity
Device Class: CMS, Scanner, Firewall, IDS, Wireless, Malware, OS, VPN, Application Privilege, DB

HIPAA Requirement: HIPAA - Technical Safeguards
Description: HIPAA Security Rule - Technical Safeguards - 45 CFR 164.312 requires that only authorized persons have access to electronic protected health information (e-PHI). For more information, visit https://www.hhs.gov/hipaa/for-professionals/security/
Widget Samples: HIPAA - User Account Creation, Deletion; HIPAA - User Account Privilege Changes; HIPAA - User Group Creation, Deletion; HIPAA - User Group Privilege Changes; HIPAA - DB User Account Creation, Deletion; HIPAA - DB User Privilege Changes; HIPAA - Account Sharing Summary; HIPAA - Automated Logoff of User Account; HIPAA - Critical File Changes; HIPAA - EMR Access by Admin Users; HIPAA - Encryption Events Summary; HIPAA - File Integrity Events Summary; HIPAA - Logon Attempts (Win); HIPAA - Summary of Database Accessed; HIPAA - Summary of File Access; HIPAA - User Account Access Summary; HIPAA - ePHI Application Audit Events; HIPAA - Application Admin Activity; HIPAA - All System Auditing Events; HIPAA - System Admin/Root User Activity; HIPAA - DB Admin Activity
Device Class: OS and DB

HIPAA Requirement: HIPAA - Physical Safeguards
Description: HIPAA Security Rule - Physical Safeguards - 45 CFR 164.310 requires that facility access be restricted to authorized persons. It extends to proper use of workstations and devices, and to the transfer, removal, disposal, and re-use of electronic media. For more information, visit https://www.hhs.gov/hipaa/for-professionals/security/
Widget Samples: HIPAA - Badge Access to Datacenter
Device Class: Physical

Spotter
Spotter is a lightning-fast, natural language search engine that uses normalized search
syntax and visualization techniques to provide threat hunters the tools they need to investigate current threats and trends, and track advanced persistent threats over long periods
of time. Spotter is built on Apache Lucene™, a Java-based, high-performance text search
engine that provides powerful, efficient, and accurate search capabilities.
From the Spotter start screen, you can search for and view threats using various search filters. You can specify the report format to display information in tables, as bar charts,
bubble charts, and time charts, or view a geographical map.

Tip: Press F2 to launch the Spotter start screen from any section of the SNYPR UI.

Spotter User Interface


The Spotter user interface (UI) is your interactive portal to searching data within your
SNYPR deployment.

User Interface Elements


The Spotter UI has three key elements, as seen in the following image:


Click a section to learn more about each UI element:


a: Spotter Search Bar

The Spotter search bar filters your data based on the query you provide.

It also contains several components, such as clear, save, and other actions, that
let you manage your Spotter query:
1. Spotter search bar: Enter a query in the Spotter search bar, then click the magnifying
glass/search results icon or press Enter. This will filter and return only the results that
match your query.

2. Help: Opens a new tab with help information about the Spotter search language.


3. Clear: Clears the query that’s in the Spotter search bar.

4. Save: Saves the query that’s in the Spotter search bar.

5. Settings: Expands a list of Cached Queries and Saved Queries. The following four buttons are available:

a. Clear Queries: Clears the list of Cached Queries.

b. Refresh Config: If the Spotter search application has changed, this button will
refresh the configuration.

c. Update Cache: Refreshes the Cached Queries.

d. Close: Closes the list of Cached and Saved Queries.


6. Time frame filter: Limits the search results based on the time frame you specify. You can select from a list of predefined time frames or create a custom
time frame:

a. Minutes: Ranges from the last 15 to 30 minutes.

b. Hours: Ranges from the last 1 to 72 hours.

c. Days: Ranges from the last 7 to 90 days.

d. Years: You can select Last Year or All Time.

e. Custom Range: Specify a custom time frame.

7. Search results: Searches and returns results based on the query you entered. You can
also press Enter to return your results.

b: Navigation Tabs

Within Spotter, you will be presented with various navigation tabs. These tabs
are structured to present you with key information about your search results, queries, and jobs.


The navigation tabs include:


Summary

By default, you are directed to this tab. This tab displays a list of Available Violations and Available Datasources.

Search Results

Displays the search results and events generated by a query.


a. Column chart: The column chart provides a way to visualize and compare
your data. The horizontal axis shows the date an event was queried, and
the vertical axis shows the number of events that match your query. Each
blue column represents a day.

b. Card View: Displays event cards horizontally, as a series of tiles. This is the default view.

c. Tabular View: Displays the event data in a customizable tabular format. The tabular view allows you to create a custom table layout by
specifying what data should be displayed, in what order, and how the
data should be sorted.

The Manage Columns button (shown in the following image) provides tools that help you configure what categories or attributes
display in the table view and how they display. When you click Manage Columns, a new Configure Tabular View dialog box displays,
where you can:


• Check columns you want to show

• Uncheck columns you want to hide

• Drag-and-drop to reorder the columns in the table view

In addition to the items listed above, you have the option to lock the
first three columns in place by enabling the Freeze column setting.
When you freeze a column(s), it remains in place as you reorder or
scroll through other columns in the Tabular View.

d. Reports: This button gives you the ability to export your Spotter query results in multiple formats.

e. Add All Events to Incident: Allows you to add all the events or selected events from the Spotter query to an incident. To learn more about
how to create an incident, see the Create an On-Demand Incident section of the Security Analyst Guide.


Note: Only a maximum of 1,000 events can be added to an incident. The
first 1,000 events from the selection will be added to this incident. If you
want to add all events, generate a Spotter report and attach it to the incident.

f. Selected Fields: This button will expand and collapse the information in this
section.

g. Settings: When you click this icon, you can select how the attribute
names are displayed. The following two options are available:

• Show Securonix Attribute Names: Displays the attribute names defined
by Securonix, allowing security analysts to use attribute names to query
data.

• Show Data Dictionary Labels: Displays the labels defined by the
data dictionary, allowing security analysts to use data dictionary
labels to query data.


Tip: To query data using Securonix attributes, use the "@" prefix, then
enter the Securonix attribute. The "@" prefix indicates you are using the
Securonix attribute to run a query.

Limitation:
• The search with resource type does not work when a resource type is
selected from the Spotter Summary screen for an existing resource.

• The Data Dictionary labels and the @ Securonix Attribute prefix only work
from the SNYPR UI. You cannot use APIs to query data using labels or the
@ Securonix Attribute prefix.

h. Filter: Type to search and filter by field name.

i. Events: Each event card represents a matched result/event for your query.
The attributes are in the Key-Value Pair format.

j. Pagination: The number of page results which relate to your Spotter query.

Recent Queries

Displays the recently executed queries with the option to save or clear.

a. Filter: Filters cached queries.

b. Query: Displays a list of executed queries, with the most recent query at the
top.

c. Clear queries: Clears all the cached queries.

d. Save: Saves a cached query and opens a dialog box where you can save your details.


Saved Queries

Displays the saved queries with the option to share, edit, or delete.

1. Filter: Filters your query by name or contents of query.

2. Table of queries: Contains the query name, query string, and actions you can
perform on the query.

3. Share: Allows you to share the query with groups or users.

4. Edit: Allows you to edit the query.

5. Delete: Allows you to delete the query.

Console

Displays the console output for a search with the time stamp, query, and
number of results.

a. Time stamp: The time stamp of when the query was executed.

b. Query: The executed query.

c. Matches: The matches found within the specified time frame.

View Jobs

Displays query details including start and stop time stamps, records
returned, status, and provides the ability to delete the query.


a. Search: Allows you to search and narrow down queries in the table.

b. Query: States the query that was used.

c. Records: Displays the number of records that match the query/report.

d. Job Start Time: Shows the time that the query was started.

e. Job End Time: Shows the time that the query ended.

f. Status: Displays the status of the query/report.

g. Actions: You can delete a job by clicking the delete icon.

c: Filter Toolbar

The filter toolbar allows you to limit the search results that display in the Available Violations and Available Datasources panels. Each panel has an independent filter toolbar that appears above it.

The filter toolbar gives you access to many filter actions, including:
a. Search bar: The search bar auto-suggests policies/datasources as you type. Enter the
policy or datasource to filter the panels that display below the search bar.


b. Drop-down filter: The drop-down will filter results by the following attributes:
• Name

• Count

• Criticality

c. Alphabetical Sorting: Sort by ascending or descending order.

d. Pagination: Divides the results into separate pages.

e. Total: The total number of results in the panel.

View Spotter Search Examples


This section includes Spotter search examples.

Note: All the images in this section are for illustrative purposes only and may differ from the
actual product due to product enhancements.

Example 1: Find Policy Violations


To view all the violations of a particular policy, use the syntax as in the following
example: policyname = "Spike in Number of Records accessed by an Employee".


Note: To query data using Securonix attributes, use the "@" prefix, then enter the Securonix
attribute. The "@" indicates that you are using Securonix attribute to run a query.

Example 2: Check if user has sent email to personal email address


To check if a user has sent email to a personal email address, use the following query,
which uses the CondensedStringMatcher: resourcegroupname = "Digital Guardian Send Mail"
| EVAL matchPerc = emailtoself(firstname,workemail,0.4).

Example 3: Find Asset Data


To view all the devices in the asset index, use the following query: index = asset.


Example 4: View Top IP Address by Account Name


To view a table with the top IP addresses by account name for a data source, use the
following query: resourcegroupname = "Bluecoat Proxy" | TOP ipaddress by accountname.

Example 5: Search threat intelligence for top countries of origin


To find the top TPI domains from which threats originate in the Third Party Intelligence
index, use the following query: index = tpi | TOP tpi_domain.


Run Reports from Spotter


In addition to the reports you can configure from the Menu > Reports > Categorized
Reports screen, you can run and export reports from the Search Results view in Spotter.
To run reports from Spotter, complete the following steps:
1. Navigate to Menu > Security Command Center > Spotter to conduct a search.

2. Click the Search Results tab, then select Reports > Export Spotter Results.

The option to Export Spotter Results appears in the drop-down along with any Spotter
reports configured under Menu > Reports > Categorized Reports. For information about
how to configure Spotter reports, see Reports.


The Run Spotter Report window appears.

3. Click the Select Report Format drop-down and select a format for the report:


l PDF

l CSV

l XLS

l RTF

l TXT

l DOCX

Note: When the toggle below the Select Report Format drop-down is disabled, only 1,000
events are exported in the report.

4. Check the box next to each attribute you want to be included in the report, then click
the right arrow highlighted in blue. Attributes that appear in the User Attributes
column are included in the report.

Note: By default, when the STATS or TOP table queries are used, the attributes display in
the User Attributes (Securonix Attributes) box.

Tip: To select all attributes, check the Select All box in the column header.

5. Click Schedule to save the label and include the attribute in the report.

6. Click Run to run the report, then download the report from the Notifications menu when
the status is complete.


Working with Live Channel


Live Channel provides a real-time view of your logs as they arrive in SNYPR, allowing you
to better understand and analyze your logs during the data ingestion process.
As data is ingested into SNYPR, Live Channel streams the logs from all your datasources
and displays them in a dedicated view in the Spotter user interface (UI), making logs
instantly available for search and investigation. With instant visibility into your logs and
regular expression search, you can easily transform raw data into actionable information.
Additionally, Live Channel allows you to scroll through and pause logs as they are
generated, so you can take a closer look at the data.
With better visibility into the logs generated across your datasources, along with regular
expression search, Live Channel improves your log monitoring process and makes it easier
to detect threats at the time of ingestion.


Get Started with Live Channel


To get started with Live Channel, navigate to Menu > Security Center > Spotter, then
click the drop-down above the Spotter search query. Then, select the Live option from the
drop-down list.

You are directed to the Live Channel screen. This screen aggregates and consolidates
logs on a single UI, and is used for log troubleshooting and exploration.

Pausing Logs
To pause the Live Channel, scroll up in the Live Channel or click Pause.


Resuming Live Channel


To start a Live Channel or when logs are paused, click Play to start or resume the Live
Channel.

Search with Live Channel


To find specific log information, you can filter by regular expression patterns. Add your
regular expression to the Live Channel search bar and click Play. Live Channel is rerun
with the new search query and the new logs automatically scroll, with the most recent
logs displaying towards the bottom of the Live Channel.

Click the help icon (?), located to the right of the Live Channel search bar to see regex
example searches.


Saving Searches
Once you create queries and begin to successfully search your data, you can use the
Save Search icon to save your Live Channel. The Save Search icon is great for saving
queries you want to continuously run, such as malware detection patterns.


Provide a name for the saved Live Channel and, optionally, share the saved Live Channel
with other users or groups.

Once the search is saved, it displays in the Saved Live Channels section. To access your
Saved Live Channels, click the expand/collapse icon.


Searching on Live Events


Live Channel also allows you to search your live events by time period. Click the live
mode drop-down list to filter and view logs received over a specific time period.

Filtering to Search
You can filter the Live Channel log events based on the filters you select.


When the filters are applied, the Live Channel displays only the log events that match
your selected tenant or datasource. You can also click the filter tabs, just below the
applied filters, to browse between your selected tenant or datasource logs.


Appendix B: Spotter Search Help


This section includes the common natural language search commands for Spotter, including
search, reporting, and analytical operators.

Spotter Query Structure


Spotter query structure includes the following elements:
Search Terms

Search Terms are the simple search parameters used to form a query. This is
also called Simple Search.
l Field-Value pair is a single search term.

l Logical operators are used to link multiple search terms together:

l AND: Indicates both (or multiple) linked search terms must be present in the data set.

l OR: Indicates at least one of the linked search terms must be present in the data set.

l Parentheses ( ) can be used to group search terms that must be processed together.


Example
Syntax: <field> <comparator> <value>
l Field: The field, or attribute, within the data.

l Comparator: The comparison, or condition, against which to match the value to the
field.

l Value: The value of the field within the data.

Search Term: accountname = John.Doe

Streaming Operators

Streaming Operators execute an action on the search results returned from the
Spotter query.
l All EVAL functions are streaming operators.

l Multiple Streaming operators can be used in a single query separated by a | (pipe).

Transforming Operators

Transforming Operators display the search results into different visual formats.
l Typical transforming operators include Statistical and Chart functions.

l Only a single transforming operator is allowed for a query.

Data Processing Operators

Data Processing Operators perform an action on the whole set of search results,
whether or not the results have been transformed by a transforming operator.
l Typical data processing operators are those such as Order by and Where.

l Multiple Data Processing operators can be used in a single query separated by a | (pipe).

Query Syntax
Spotter queries use the following syntax:


l Case-insensitive numbers do not require quotes.

l Strings that contain special characters and / or white space characters require quotes.

l Multiple values for operators such as “IN” and “NOT IN” require quotes as needed and must be
separated by commas. Example: accountname IN “jdoe”, “jsmith”.

l Quotes:
l Used around phrases and values that contain white spaces, commas, brackets, pipes, and
other punctuation.

l Must be balanced so an opening quote is later followed by a closing quote.

l Should be used around phrases, keywords, and wildcards if you don't want to search for
their default meaning, such as "AND" (the Boolean operator) or * (the multi-character
wildcard).

l Wildcards ( ?, *):
l *: Represents zero or more characters in a search.

l ?: Represents a single character in a search.

Indexes
Spotter uses natural language to search within the data indexed in SNYPR Search. You
can search within any index into which you have imported data. SNYPR Search uses the
following indexes to store data:
l Activity: Used to search for security log events from Windows, Proxy devices, Firewalls,
IDS/IPS, etc.

l Activelist: Used to locate entries on active lists stored in Redis.

l Archive: Used to search for historical (warm) data stored in HDFS.

Note: Queries are slower for this index than for the other (hot) indexes.

l Asset: Used to search metadata for assets such as servers, workstations, laptops, ATMs, POS
devices, etc.

l Geolocation: Used to search Geolocation correlated to IP Addresses.


l Lookup: Used to search for entries in lookup tables such as Competitor Domains, Non-Business
Domains, etc.

l Riskscore: Used to search current risk score for entities.

l Riskscorehistory: Used to search for historical risk scores for entities.

l TPI: Used to search for threat intelligence ingested from third party sources such as
ThreatStream.

l Users: Used to search user information ingested through Identity Access Management devices,
HR systems, etc.

l Violation: Used to search for policy and threat violations that are associated with an entity and a
risk score.

l Watchlist: Used to search for entities that have been added to a watchlist.

l Whitelist: Used to search for entities that have been added to a whitelist.

Note: By default, Spotter searches the Activity index.

Common Fields
The following fields are commonly used in Spotter search:
l eventtime: Time the event occurred on the resource (datasource).

l generationtime: Time a violation was detected by SNYPR. Appears only in the violation,
riskscore, and riskscorehistory indexes.

l index: Specifies the index in which to search.

l indexedat: Time the event was indexed into SNYPR Search.

l policyname: Used to search a specific policy name for which violations have been observed.

l publishedtime: Time event was published to Kafka.

l receivedtime: Time the event was processed by the enrichment job.

l resourcegroupname: Used to search for a datasource by the name the datasource was given
when the connection was created to import data.


Search Operators
Search Operators tell the system how to locate, format, manipulate, and display the data
you want to see. These include the following types of commands:
Basic Commands

The following operators are used to form search terms in a query.

indexedat
The indexedat command finds events that were indexed within the specified duration.
Supported Variables:
l MINUTES: [NOW-5MINUTES NOW]

l HOURS: [NOW-5HOURS NOW]

l DAYS: [NOW-5DAYS NOW]

l Last 10 Minutes: [NOW-15MINUTES NOW-5MINUTES]

Syntax: indexedat BETWEEN (value1) (value2)

Example: resourcegroupname = Google-FileDS AND indexedat BETWEEN 2018-10-05T00:00:00.000Z
2018-10-17T23:59:59.999Z; resourcegroupname = Google-FileDS AND indexedat BETWEEN
NOW-15DAYS NOW

Policy
The Policy command searches for a specific policy to find violations. The format
supported for the date attributes to query is MM/dd/yyyy HH:mm:ss.SSS.
Syntax: <policyname> <=> <value>

Example: policyname = “Accounts visiting Algorithmically Generated Domains-1”;
policyname = Logon_Failure


Data Sources
Queries the activity core for specific data sources. The format supported for the
date attributes to query is MM/dd/yyyy HH:mm:ss.SSS.
Syntax: <resourcegroupname> <=> <value>

Example: resourcegroupname = BCP1

Text
Returns all results that include the specified text.
Syntax: <value>

Example: smith

*
Multiple character wild card searches looks for 0 or more characters.
Syntax: <field1 | *> < field2 | *> <field n | *>

Example: MM*; With Field : firstname = Ma*

?
To perform a single character wild card search use the "?" symbol.
Syntax: <field1 | ?> < field2 | ?> <field n | ?>

Example: ??2497

Index Commands

The following operators are used to specify the index in which to search.

Lookup
Searches within lookup index for all items added in lookup tables.


Syntax: index = < lookup > <and | or> <field> | Report Commands | Field Commands

Example: index = lookup; index = lookup and lookupname = betaSpotter

Activity
Searches within the activity index for events. This is the default index for Spotter
searches.
Syntax: index = < activity > <and | or> <field> = <field value>

Example: index = activity; index = activity and accountname = secure; index = activity
and deviceaction = 26952 and transactionstring1 = THREAT

Violation
Searches within the index for policy violations.
Syntax: index = < violation > <and | or> <field> = <field value>

Example: index = violation; index = violation and violator = Users; index = violation
and sessionid = 1102

Riskscore
Searches within the riskscore index, which stores all violators and provides
riskscore information based on doctype. Doctype can be further classified at the
policy level, identified by “entity_policy” and “entity_threatmodel”. Additionally,
doctype can be aggregated at an entity level, identified by “entity”,
“entity_policy_rtaccount”, “entity_policy_rgaccount”, and “entity_policy_account”.

Note: The doctypes “policy”, “threatmodel”, and “category” are used for RBAC and are not
used for risk score calculations.

Syntax: Index = < riskscore > <and | or> <field> | Report Commands | Field Commands


Example: index = riskscore; index = riskscore and entityid = WHITE.DAVID; index = riskscore
and entityid = WHITE.DAVID and doctype=”entity_policy”; index = riskscore and
entityidaccountname = WHITE.DAVID and doctype=”entity”;

Archive
Searches historical data on HDFS using Impala/Hive. You must specify resourcegroupname,
resourcetype, or rg_functionality, and tenantname in the query.
For Impala queries, resourcegroupname is the table name.
Syntax: index = < archive > <and> <resourcegroupname> <=> <value> <and | or>
<field> = <field value>

Example: index = archive and resourcegroupname = Google_login; index = archive and
resourcegroupname = Google_login and accountname = AJAIS@SEC.COM

Whitelist
Searches within the whitelist core for entities in a global or targeted whitelist.
Syntax: index = < whitelist > <and | or> <field> = <field value>

Example: index = whitelist; index = whitelist and entityname = 1115

TPI
Searches within the TPI index, which stores third party threat intelligence.
Syntax: Index = <tpi> <and | or> <field> | Report Commands | Field Commands

Example: index = tpi; index = tpi and tpi_addr = zztxdown.com; index = tpi and tpi_
srckey = zzshw.net_MalwareDomains

Asset
Searches within the asset index, which stores device metadata.


Syntax: Index = <asset> <and | or> <field> | Report Commands | Field Commands

Example: index = asset; index = asset and entityname = resource98

Watchlist
Searches within watchlist index for all watchlisted entities.
Syntax: Index = <watchlist> <and | or> <field> | Report Commands | Field Commands

Example: index = watchlist; index = watchlist and watchlistitem_item2 = item2

Users
Searches within the user index.
Syntax: index = < users > <and | or> <field> = <field value>

Example: index = users; index = users and department = marketing

Riskscorehistory
Searches within the riskscore history index. This is primarily used for accumulating and
keeping track of historical risk score information based on doctype. Doctype can be
further classified at the policy level, identified by “entity_policy” and
“entity_threatmodel”. Additionally, doctype can be aggregated at an entity level,
identified by “entity”, “entity_policy_rtaccount”, “entity_policy_rgaccount”, and
“entity_policy_account”.

Note: The doctypes “policy”, “threatmodel”, and “category” are used for RBAC and are not
used for risk score calculations.

Syntax: Index = <riskscorehistory> <and | or> <field> | Report Commands | Field Commands


Example: Index = riskscorehistory; index = riskscorehistory and entityid = SWIFT.JOHN;
index = riskscorehistory and entityidaccountname = SWIFT.JOHN and
doctype=”entity_policy”; index = riskscorehistory and entityidaccountname = SWIFT.JOHN
and doctype=”entity”;

Geolocation
Searches within the geolocation index for IP address.
Syntax: index = < geolocation > <and | or> <field> = <field value>

Example: index = geolocation; index = geolocation and longitude = 9.491

Activelist
Searches within the activelist index for entries found on active lists in Redis.
Syntax: index = < activelist > <and | or> <field> = <field value>

Example: index = activelist and activelistname = Suspicious_File_Download

Comparators

The following operators compare a field to a value.

CONTAINS
Checks if a string field contains the specified value. CONTAINS does not support date
attributes such as hiredate, terminationdate, and expirydate. CONTAINS is not case
sensitive.
Syntax: <field> CONTAINS <value>

Example: resourcegroupname = BCP1 and accountname contains securonix


NOT CONTAINS
Checks if a string field does not contain the specified value. This comparator does not
support date attributes such as hiredate, terminationdate, and expirydate. NOT CONTAINS
is not case sensitive.
Syntax: <field> NOT CONTAINS <value>

Example: resourcegroupname = BCP1 and accountname not contains securonix

AND
Shows the result that fulfills both conditions.
Syntax: <field> <AND> <value>

Example: resourcegroupname = BCP1 and accountname = securonix

OR
Shows the result which fulfills either one of the specified conditions.
Syntax: <field> <OR> <value>

Example: resourcegroupname = BCP1 OR accountname = TG2277

BEFORE
Filters events that occurred before the specified date. The format supported for the date
attributes to query is MM/dd/yyyy HH:mm:ss.SSS.
Syntax: <field> BEFORE <value>

Example: policyname = test123 and createdate BEFORE 03/10/2016 06:21:31

AFTER
Filters events that occurred after the specified date. The format supported for the date
attributes to query is MM/dd/yyyy HH:mm:ss.SSS.


Syntax: <field> AFTER <value>

Example: policyname = test123 and createdate AFTER 03/10/2016 06:21:31

BETWEEN
Filters events whose field value lies between value1 and value2. The format supported for
the date attributes to query is MM/dd/yyyy HH:mm:ss.SSS.
Syntax: <field> BETWEEN <value1><,><value2>

Example: policyname = test123 and week BETWEEN 4,30

NOT BETWEEN
Filters events whose field value does not lie between value1 and value2. The format
supported for the date attributes to query is MM/dd/yyyy HH:mm:ss.SSS.
Syntax: <field> NOT BETWEEN <value1><,><value2>

Example: bytesout NOT BETWEEN 250,251

STARTS WITH
Checks if string field value starts with specified value.
Syntax: <field> STARTS WITH <value>

Example: resourcegroupname = BCP1 and accountname STARTS WITH secur

NOT STARTS WITH
Checks if string field value does not start with specified value.
Syntax: <field> NOT STARTS WITH <value>

Example: resourcegroupname = BCP1 and accountname NOT STARTS WITH secur


NULL
Returns the events if the field value is empty.
Syntax: <field> NULL

Example: accountname = securonix AND eventcountry NULL

NOT NULL
Returns the events if the field value is not empty.
Syntax: <field> NOT NULL

Example: accountname = securonix AND eventcountry NOT NULL

IN
Checks if string field value is present in specified list of comma separated values.
Syntax: <field> IN <value>

Example: resourcegroupname = BCP1 and accountname in TG2277,TG2207

NOT IN
Checks if string field value is not present in the specified list of comma separated values.
Syntax: <field> NOT IN <value>

Example: resourcegroupname = BCP1 and accountname not in TG2277,TG2207

ENDS WITH
Checks if string field value ends with specified value.
Syntax: <field> ENDS WITH <value>

Example: resourcegroupname = BCP1 and accountname ENDS WITH curonix


NOT ENDS WITH
Checks if string field value does not end with specified value.
Syntax: <field> NOT ENDS WITH <value>

Example: resourcegroupname = BCP1 and accountname NOT ENDS WITH curonix

= (Equals)
Tests equality: finds events in which the field equals the specified value.
Syntax: <field> <=> <value>

Example: resourcegroupname = BCP1

!= (Not Equals)
Tests inequality: finds events in which the field does not equal the specified value.
Syntax: <field> <!=> <value>

Example: resourcegroupname != BCP1

> (Greater Than)
Checks if a numerical field is greater than the specified value.
Syntax: <field> > <value>

Example: resourcegroupname = BCP1 and bytesOut > 200

< (Less Than)
Checks if a numerical field is less than the specified value.
Syntax: <field> < <value>

Example: resourcegroupname = BCP1 and bytesOut < 200


<= (Less than or Equal to)
Checks if a numerical field is less than or equal to the specified value.
Syntax: <field> <= <value>

Example: resourcegroupname = BCP1 AND year <= 2017

>= (Greater than or Equal to)
Checks if a numerical field is greater than or equal to the specified value.
Syntax: <field> >= <value>

Example: resourcegroupname = BCP1 AND year >= 2017

Time Modifiers

These operators are used to specify Relative Time or Snap Time using date time
fields.

+/-Time_Offset_IntegerTime_Unit_String
Relative Time. Specifies a specific amount of time to be added or subtracted from
current time.

Note:
l Can be used with any time field

l Syntax for Relative Time and Snap Time can be combined.

l When no time offset integer is specified 1 is used by default

l Comparators BETWEEN & NOT BETWEEN require proper quotation

l If used with eventtime (index=activity) or generationtime (index=violation), the time
range selector on the right will be ignored.

l Only available in SNYPR 6.2 CU4 SP2 or newer.

l Not applicable to index=archive


Syntax: <field> <comparator>+/-Time_Offset_IntegerTime_Unit_String

Example: eventtime after -2d (All events that occurred after Today -2 days or within
the last 2 days)

@Time_Unit_String
Snap Time. Specifies the beginning of the time unit selected. For example, @w
is start of the week.

Note:
l Can be used with any time field

l Syntax for Relative Time and Snap Time can be combined.

l When no time offset integer is specified 1 is used by default

l Comparators BETWEEN & NOT BETWEEN require proper quotation

l If used with eventtime (index=activity) or generationtime (index=violation), the time
range selector on the right will be ignored.

l Only available in SNYPR 6.2 CU4 SP2 or newer.

l Not applicable to index=archive

Syntax: <field> <comparator> @Time_Unit_String

Example: eventtime between “@m”,”@d” (All events from the start of the month to the
start of today)

+/-Time_Offset_IntegerTime_Unit_String@Time_Unit_String
Combines relative time and snap time.
Syntax: <field> <comparator> +/-Time_Offset_IntegerTime_Unit_String@Time_Unit_String


Example: eventtime between “-qtr@qtr+mon”,”-mon@mon” (All events from 3 months prior to
the beginning of the current quarter plus 1 month, to 1 month prior to the current month)

Supported Time Units

Time Unit    Supported Abbreviations

Second       s, sec, secs, second, seconds

Minute       m, min, minute, minutes

Hour         h, hr, hrs, hour, hours

Day          d, day, days

Week         w, week, weeks; weekday snap: w0 (week0 = Sunday), w1 = Monday, w2 = Tuesday,
             w3 = Wednesday, w4 = Thursday, w5 = Friday, w6 = Saturday, w7 = Sunday (same as w0)

Month        mon, month, months

Quarter      q, qtr, qtrs, quarter, quarters

Year         y, yr, yrs, year, years

Filter Command

This command is used to run a query on multiple collections such as: activity,
violation, watchlist, riskscore, riskscorehistory, users, lookup, geolocation, etc.


FILTER
Performs an inner join on two indexes. This means that the results display the
specified value contained in both indexes based on the comparator.

Note:
l Negative comparators are not valid, as this command only performs an inner join.

l Start with the larger index and filter to the smaller index

l Any search terms before | (pipe) are applied to the first index only. The search
terms that follow the | pipe are then used to further narrow and enrich your
returned events within the second index.

Syntax: FILTER index = <indexname> AND <field> <comparator> <value>

Example: index = violation and accountname = john.doe | FILTER index = riskscore and
violator = violator

Streaming Operators

Streaming Operators execute actions on search results.


Eval Commands

These streaming operators populate a new field based on an evaluation performed
against a field value pair on previously entered search terms.

Warning: Capital letters, dashes (-), and spaces in the generated field name break the
query when it is piped into other operators.

DEC
Returns the decimal value.
Syntax: EVAL (store-field) = (DEC) ( field )


Example: resourcegroupname = BCP1 | EVAL x = DEC ( bytesin ); resourcegroupname =
Email_sent_to_Users | EVAL x = DEC ( bytesin ) | EVAL y = HEX(x)

EQUALS
Returns true if the value matches. Returns false if the value does not match.
Syntax: EVAL <store-field> = <EQUALS> < field > < field-value >

Example: resourcegroupname = BCP1 | EVAL x = EQUALS ( accountname , 2029);
LEN: EVAL x = LEN ( accountname ) | EVAL y = EQUALS ( x , 6);
UPPERCASE: EVAL x = UPPERCASE ( accountname ) | EVAL y = EQUALS ( x , TG2277);
LOWERCASE: EVAL x = LOWERCASE ( accountname ) | EVAL y = EQUALS ( x , tg2277);
REPLACE: EVAL x = REPLACE ( accountname ,TG2277 , securonix) | EVAL y = EQUALS ( x , securonix);
SUBSTR: EVAL x = SUBSTR ( accountname , 0 , 2) | EVAL y = EQUALS ( x , TG);
ISBOOLEAN: EVAL x = ISBOOLEAN ( bytesout ) | EVAL y = EQUALS ( x , false);
ISNOTNULL: EVAL x = ISNOTNULL ( resourcegroupid ) | EVAL y = EQUALS ( x , true);
ISNULL: EVAL x = ISNULL ( accountname ) | EVAL y = EQUALS ( x , false);
ISSTRING: EVAL x = ISSTRING ( accountname ) | EVAL y = EQUALS ( x , true);
ISNUM: EVAL x = ISNUM ( accountname ) | EVAL y = EQUALS ( x , true);
ISINT: EVAL x = ISINT ( id ) | EVAL y = EQUALS ( x , true);
ISDIGIT: EVAL x = ISDIGIT ( id ) | EVAL y = EQUALS ( x , true)

ISDIGIT
Returns true if the value is a digit. Returns false if value is not a digit.
Syntax: EVAL <store-field> = <ISDIGIT> < field >

Example: resourcegroupname = BCP1 | EVAL x = ISDIGIT ( accountname);
LEN: EVAL x = LEN ( resourcegroupid ) | EVAL y = ISDIGIT ( x );
REPLACE: EVAL x = REPLACE ( accountname ,- , 1) | EVAL y = ISDIGIT ( x );
SUBSTR: EVAL x = SUBSTR ( accountname , 0 , 1) | EVAL y = ISDIGIT ( x )


MATCH
Populates the new field with true if the field’s value matches the regular expression
pattern and false if it does not.
Syntax: EVAL (store-field) = MATCH (Field, REGEX)

Example: EVAL x = MATCH (accountname, “JH*”)
• accountname = JH321 Result: x = true
• accountname = SH321 Result: x = false

ADD
Returns sum of two or more fields / numbers.
Syntax: EVAL <store-field> = ADD (Field1, Field2, #) EVAL <store-field> =
Field1 + Field2 + #

Example: EVAL bandwidth = bytesout + bytesin • bytesout = 10, bytesin = 10 Result:
bandwidth = 20

SUBTRACT (DIFFERENCE)
Returns the difference of two or more fields / numbers.
Syntax: EVAL <store-field> = DIFFERENCE (Field1, Field2, #) EVAL <store-
field> = Field1 - Field2 - #

Example: EVAL freecache = customnumber1 - customnumber2 • customnumber1 = 200,
customnumber2 = 80 Result: freecache = 120

MULTIPLY
Returns the product of two or more fields / numbers.
Syntax: EVAL <store-field> = MULTIPLY (Field1, Field2, #) EVAL <store-field> =
Field1 * Field2 * #


Example: EVAL est_mon_bandwidth = (bytesout + bytesin) * 30 • bytesout = 10, bytesin = 10
Result: est_mon_bandwidth = 600

DIVIDE
Returns the quotient of two or more fields / numbers.
Syntax: EVAL <store-field> = DIVIDE (Field1, Field2, #) EVAL <store-field> =
Field1 / Field2 / #

Example: EVAL bw_kb = (bytesout + bytesin) / 1000 • bytesout = 10, bytesin = 10
Result: bw_kb = 0.02

FROM_UNIXTIME
Returns date String from an epoch time.

Note:
l Only converts 10 digit epoch (unix) time at this time.

l Combine with TO_UNIXTIME to convert one human readable form to another format.

The following date formats are supported:


l yyyy-MM-dd'T'HH:mm:ss'Z'

l yyyy-MM-dd'T'HH:mm:ssZ

l yyyy-MM-dd'T'HH:mm:ss

l yyyy-MM-dd'T'HH:mm:ss.SSS'Z'

l yyyy-MM-dd'T'HH:mm:ss.SSSZ

l yyyy-MM-dd HH:mm:ss

l yyyyMMdd

l MM/dd/yyyy


l MM/dd/yyyy HH:mm:ss

l MM/dd/yyyy'T'HH:mm:ss.SSS'Z'

l MM/dd/yyyy'T'HH:mm:ss.SSSZ

l MM/dd/yyyy'T'HH:mm:ss.SSS

l MM/dd/yyyy'T'HH:mm:ssZ

l MM/dd/yyyy'T'HH:mm:ss

The following formats do not show timezone:


l yyyy-MM-dd'T'HH:mm:ss'Z'

l yyyy-MM-dd'T'HH:mm:ss.SSS'Z'

l MM/dd/yyyy'T'HH:mm:ss.SSS'Z'

Syntax: EVAL <store-field> = <from_unixtime> < field > < date format >

Example: EVAL x = from_unixtime (eventtime , MM/dd/yyyy HH:mm:ss)

to_unixtime
Returns epoch time from a valid date string.

Note: Only converts to 10 digit epoch (unix) time.

Syntax: EVAL <store-field> = <to_unixtime> < field | Valid String >

Example: EVAL x = to_unixtime (04/27/2017 15:03:49); EVAL x = to_unixtime (dt_firstseen)

BASE64
Returns the base64 encoding value.
Syntax: EVAL (store-field) = (BASE64) ( field )

Example: EVAL x = BASE64 ( requesturl ); requesturl = www.google.com Result: x = d3d3Lmdvb2dsZS5jb20=


UNBASE64
Returns the base64 decoding value.
Syntax: EVAL (store-field) = (UNBASE64) ( field )

Example: EVAL x = UNBASE64 ( requesturl ); requesturl = d3d3Lmdvb2dsZS5jb20= Result: x = www.google.com

CONCAT
Populates new field with results by concatenating (joining) the values specified.
Limited to 3 values.
Syntax: EVAL (store-field) = CONCAT (Field/”string”, field/”string”, field/”string”)

Example: EVAL x = CONCAT (firstname, “.“, lastname) • firstname = John, lastname = Doe
Result: x = John.Doe

ISINT
Returns true if value is an integer. Returns false if value is not an integer.
Syntax: EVAL <store-field> = <ISINT> < field >

Example: resourcegroupname = BCP1 | EVAL x = ISINT ( accountname );
LEN: EVAL x = LEN ( accountname ) | EVAL y = ISINT ( x );
UPPERCASE: EVAL x = UPPERCASE ( accountname ) | EVAL y = ISINT ( x );
LOWERCASE: EVAL x = LOWERCASE ( accountname ) | EVAL y = ISINT ( x );
REPLACE: EVAL x = REPLACE ( accountname ,TG2277 , securonix) | EVAL y = ISINT ( x );
SUBSTR: EVAL x = SUBSTR ( accountname , 0 , 2) | EVAL y = ISINT ( x )

ISNOTNULL
Returns true if value is not null. Returns false if value is null.
Syntax: EVAL <store-field> = <ISNOTNULL> < field >

Example: resourcegroupname = BCP1 | EVAL x = ISNOTNULL ( accountname )

- LEN: EVAL x = LEN ( accountname ) | EVAL y = ISNOTNULL ( x )
- UPPERCASE: EVAL x = UPPERCASE ( accountname ) | EVAL y = ISNOTNULL ( x )
- LOWERCASE: EVAL x = LOWERCASE ( accountname ) | EVAL y = ISNOTNULL ( x )
- EQUALS: EVAL x = EQUALS ( accountname , - ) | EVAL y = ISNOTNULL ( x )
- REPLACE: EVAL x = REPLACE ( accountname ,- , securonix) | EVAL y = ISNOTNULL ( x )
- SUBSTR: EVAL x = SUBSTR ( accountname , 0 , 5) | EVAL y = ISNOTNULL ( x )
- ISBOOLEAN: EVAL x = ISBOOLEAN ( bytesout ) | EVAL y = ISNOTNULL ( x )
- ISSTRING: EVAL x = ISSTRING ( accountname ) | EVAL y = ISNOTNULL ( x )
- ISNUM: EVAL x = ISNUM ( accountname ) | EVAL y = ISNOTNULL ( x )
- ISEMPTY: EVAL x = ISEMPTY ( accountname ) | EVAL y = ISNOTNULL ( x )

ISBOOLEAN
Returns true if the field value is Boolean. Returns false if it is not.
Syntax: EVAL <store-field> = <ISBOOLEAN> < field >

Example: resourcegroupname = BCP1 | EVAL x = ISBOOLEAN ( accountname )

- LEN: EVAL x = LEN ( accountname ) | EVAL y = ISBOOLEAN ( x )
- UPPERCASE: EVAL x = UPPERCASE ( accountname ) | EVAL y = ISBOOLEAN ( x )
- LOWERCASE: EVAL x = LOWERCASE ( accountname ) | EVAL y = ISBOOLEAN ( x )
- REPLACE: EVAL x = REPLACE ( accountname ,TG2277 , securonix) | EVAL y = ISBOOLEAN ( x )
- SUBSTR: EVAL x = SUBSTR ( accountname , 0 , 2) | EVAL y = ISBOOLEAN ( x )
- ISNOTNULL: EVAL x = ISNOTNULL ( resourcegroupid ) | EVAL y = ISBOOLEAN ( x )
- ISNULL: EVAL x = ISNULL ( accountname ) | EVAL y = ISBOOLEAN ( x )
- ISSTRING: EVAL x = ISSTRING ( accountname ) | EVAL y = ISBOOLEAN ( x )
- EQUALS: EVAL x = EQUALS ( accountname , securonix ) | EVAL y = ISBOOLEAN ( x )

LEN
Find length of field value.
Syntax: EVAL <store-field> = <LEN> < field >


Example: resourcegroupname = BCP1 | EVAL x = LEN ( accountname )

- LOWERCASE: EVAL y = LOWERCASE ( accountname ) | EVAL x = LEN ( y )
- UPPERCASE: EVAL y = UPPERCASE ( accountname ) | EVAL x = LEN ( y )
- ISEMPTY: EVAL x = LEN ( accountname ) | EVAL y = ISEMPTY ( accountname )
- REPLACE: EVAL y = REPLACE ( accountname ,- , securonix) | EVAL x = LEN ( y )
- SUBSTR: EVAL z = REPLACE ( accountname ,- , securonix) | EVAL y = SUBSTR ( z , 0 , 5) | EVAL x = LEN ( y )
- ISBOOLEAN: EVAL x = LEN ( resourcegroupid ) | EVAL y = ISBOOLEAN ( x )
- ISINT: EVAL x = LEN ( resourcegroupid ) | EVAL y = ISINT ( x )
- ISNOTNULL: EVAL x = LEN ( resourcegroupid ) | EVAL y = ISNOTNULL ( x )
- ISNULL: EVAL x = LEN ( resourcegroupid ) | EVAL x = ISNULL ( x )
- ISDIGIT: EVAL x = LEN ( resourcegroupid ) | EVAL y = ISDIGIT (x)
- EQUALS: EVAL x = LEN ( accountname ) | EVAL y = EQUALS ( x , 5 )

ISNUM
Returns true if the value is a number. Returns false if value is not a number.
Syntax: EVAL <store-field> = <ISNUM> < field >

Example: resourcegroupname = BCP1 | EVAL x = ISNUM ( accountname )

- LEN: EVAL x = LEN ( accountname ) | EVAL y = ISNUM ( x )
- UPPERCASE: EVAL x = UPPERCASE ( accountname ) | EVAL y = ISNUM ( x )
- LOWERCASE: EVAL x = LOWERCASE ( accountname ) | EVAL y = ISNUM ( x )
- EQUALS: EVAL x = EQUALS ( accountname , - ) | EVAL y = ISNUM ( x )
- REPLACE: EVAL x = REPLACE ( accountname ,- , securonix) | EVAL y = ISNUM ( x )
- SUBSTR: EVAL x = SUBSTR ( accountname , 0 , 5) | EVAL y = ISNUM ( x )

UPPERCASE
Converts all characters to uppercase.
Syntax: EVAL <store-field> = <UPPERCASE> < field >

Example: resourcegroupname = BCP1 | EVAL x = UPPERCASE ( accountname )

- LEN: EVAL x = UPPERCASE ( accountname ) | EVAL y = LEN ( x )
- LOWERCASE: EVAL x = UPPERCASE ( accountname ) | EVAL y = LOWERCASE ( x )
- ISEMPTY: EVAL x = UPPERCASE ( accountname ) | EVAL y = ISEMPTY ( x )
- EQUALS: EVAL y = UPPERCASE ( accountname ) | EVAL x = EQUALS ( y , - )
- REPLACE: EVAL x = UPPERCASE ( accountname ) | EVAL y = REPLACE ( x ,- , securonix)
- SUBSTR: EVAL y = SUBSTR ( accountname , 0 , 5) | EVAL x = UPPERCASE ( y )
- ISBOOLEAN: EVAL x = UPPERCASE ( resourcegroupid ) | EVAL y = LEN ( x ) | EVAL x = ISBOOLEAN ( y )
- ISNOTNULL: EVAL x = UPPERCASE ( resourcegroupid ) | EVAL y = ISNOTNULL ( x )
- ISNULL: EVAL x = UPPERCASE ( accountname ) | EVAL y = ISNULL ( x )
- ISSTRING: EVAL x = UPPERCASE ( accountname ) | EVAL y = ISSTRING ( x )

ISSTRING
Returns true if value is string. Returns false if value is not string.
Syntax: EVAL <store-field> = <ISSTRING> < field >

Example: resourcegroupname = BCP1 | EVAL x = ISSTRING ( accountname )

- LEN: EVAL x = LEN ( accountname ) | EVAL y = ISSTRING ( x )
- UPPERCASE: EVAL x = UPPERCASE ( accountname ) | EVAL y = ISSTRING ( x )
- LOWERCASE: EVAL x = LOWERCASE ( accountname ) | EVAL y = ISSTRING ( x )
- REPLACE: EVAL x = REPLACE ( accountname ,- , securonix) | EVAL y = ISSTRING ( x )
- SUBSTR: EVAL x = SUBSTR ( accountname , 0 , 5) | EVAL y = ISSTRING ( x )

ISNULL
Returns true if value is null. Returns false if value is not null.
Syntax: EVAL <store-field> = <ISNULL> < field >

Example: resourcegroupname = BCP1 | EVAL x = ISNULL ( accountname )

- LEN: EVAL x = LEN ( accountname ) | EVAL y = ISNULL ( x )
- UPPERCASE: EVAL x = UPPERCASE ( accountname ) | EVAL y = ISNULL ( x )
- LOWERCASE: EVAL x = LOWERCASE ( accountname ) | EVAL y = ISNULL ( x )
- EQUALS: EVAL x = EQUALS ( accountname , - ) | EVAL y = ISNULL ( x )
- REPLACE: EVAL x = REPLACE ( accountname ,- , securonix) | EVAL y = ISNULL ( x )
- SUBSTR: EVAL x = SUBSTR ( accountname , 0 , 5) | EVAL y = ISNULL ( x )
- ISBOOLEAN: EVAL x = ISBOOLEAN ( bytesout ) | EVAL y = ISNULL ( x )
- ISSTRING: EVAL x = ISSTRING ( accountname ) | EVAL y = ISNULL ( x )
- ISNUM: EVAL x = ISNUM ( accountname ) | EVAL y = ISNULL ( x )
- ISEMPTY: EVAL x = ISEMPTY ( accountname ) | EVAL y = ISNULL ( x )

ISEMPTY
Returns true if value is empty. Returns false if value is not empty.
Syntax: EVAL <store-field> = <ISEMPTY> < field >

Example: resourcegroupname = BCP1 | EVAL x = ISEMPTY ( accountname )

- LEN: EVAL x = LEN ( accountname ) | EVAL y = ISEMPTY ( x )
- UPPERCASE: EVAL x = UPPERCASE ( accountname ) | EVAL y = ISEMPTY ( x )
- LOWERCASE: EVAL x = LOWERCASE ( accountname ) | EVAL y = ISEMPTY ( x )
- EQUALS: EVAL x = EQUALS ( accountname , - ) | EVAL y = ISEMPTY ( x )
- REPLACE: EVAL x = REPLACE ( accountname ,- , securonix) | EVAL y = ISEMPTY ( x )
- SUBSTR: EVAL x = SUBSTR ( accountname , 0 , 5) | EVAL y = ISEMPTY ( x )
- ISBOOLEAN: EVAL x = ISBOOLEAN ( bytesout ) | EVAL y = ISEMPTY ( x )
- ISNOTNULL: EVAL x = ISNOTNULL ( resourcegroupid ) | EVAL y = ISEMPTY ( x )
- ISNULL: EVAL x = ISNULL ( accountname ) | EVAL y = ISEMPTY ( x )
- ISSTRING: EVAL x = ISSTRING ( accountname ) | EVAL y = ISEMPTY ( x )
- ISNUM: EVAL x = ISNUM ( accountname ) | EVAL y = ISEMPTY ( x )

HEX
Returns the hexadecimal value.
Syntax: EVAL (store-field) = (HEX) ( field )

Example: resourcegroupname = BCP1 | EVAL x = HEX ( bytesin )

Example 1: resourcegroupname = Email_sent_to_Users | EVAL x = DEC ( bytesin ) | EVAL y = HEX(x)


LOWERCASE
Converts all characters to lowercase.
Syntax: EVAL <store-field> = <LOWERCASE> < field >

Example: resourcegroupname = BCP1 | EVAL x = LOWERCASE ( accountname )

- LEN: EVAL x = LOWERCASE ( accountname ) | EVAL y = LEN ( x )
- UPPERCASE: EVAL x = UPPERCASE ( accountname ) | EVAL y = LOWERCASE ( x )
- ISEMPTY: EVAL x = LOWERCASE ( accountname ) | EVAL y = ISEMPTY ( x )
- EQUALS: EVAL y = LOWERCASE ( accountname ) | EVAL x = EQUALS ( y , - )
- REPLACE: EVAL x = LOWERCASE ( accountname ) | EVAL y = REPLACE ( x ,- , securonix)
- SUBSTR: EVAL y = SUBSTR ( accountname , 0 , 5) | EVAL x = LOWERCASE ( y )
- ISBOOLEAN: EVAL x = LOWERCASE ( resourcegroupid ) | EVAL y = LEN ( x ) | EVAL x = ISBOOLEAN ( y )
- ISNOTNULL: EVAL x = LOWERCASE ( resourcegroupid ) | EVAL y = ISNOTNULL ( x )
- ISNULL: EVAL x = LOWERCASE ( accountname ) | EVAL y = ISNULL ( x )
- ISSTRING: EVAL x = LOWERCASE ( accountname ) | EVAL y = ISSTRING ( x )

REPLACE
Returns a string after replacing all occurrences.
Syntax: EVAL <store-field> = <REPLACE> < field > < fieldvalue > <replacevalue>

Example: resourcegroupname = BCP1 | EVAL x = REPLACE ( accountname ,TG2277 , securonix)

- LEN: EVAL x = REPLACE ( accountname ,TG2277 , securonix) | EVAL y = LEN ( x )
- UPPERCASE: EVAL x = REPLACE ( accountname ,TG2277 , securonix) | EVAL y = UPPERCASE ( x )
- LOWERCASE: EVAL x = REPLACE ( accountname ,TG2277 , SECURONIX) | EVAL y = LOWERCASE ( x )
- EQUALS: EVAL x = REPLACE ( accountname ,TG2277 , securonix) | EVAL y = EQUALS ( x , securonix)
- SUBSTR: EVAL x = REPLACE ( accountname ,TG2277 , securonix) | EVAL y = SUBSTR ( x , 0 , 2)
- ISBOOLEAN: EVAL x = REPLACE ( accountname ,TG2277 , securonix) | EVAL y = ISBOOLEAN ( x )
- ISNOTNULL: EVAL x = REPLACE ( accountname ,TG2277 , securonix) | EVAL y = ISNOTNULL ( x )
- ISNULL: EVAL x = REPLACE ( accountname ,TG2277 , securonix) | EVAL y = ISNULL ( x )
- ISSTRING: EVAL x = REPLACE ( accountname ,TG2277 , securonix) | EVAL y = ISSTRING ( x )
- ISNUM: EVAL x = REPLACE ( accountname ,TG2277 , 123 ) | EVAL y = ISNUM ( x )
- ISINT: EVAL x = REPLACE ( accountname ,TG2277 , 123 ) | EVAL y = ISINT ( x )
- ISDIGIT: EVAL x = REPLACE ( accountname ,TG2277 , 7 ) | EVAL y = ISDIGIT ( x )

SUBSTR
Returns substring of actual field value.
Syntax: EVAL <store-field> = <SUBSTR> < field > < start-position > <end-position>

Example: EVAL x = SUBSTR ( accountname , 0 , 5 )

- REPLACE: EVAL x = REPLACE ( accountname ,TG2277 , securonix) | EVAL y = SUBSTR ( x , 0 , 3 )
- LEN: EVAL x = SUBSTR ( accountname , 0 , 3 ) | EVAL y = LEN ( x )
- UPPERCASE: EVAL x = SUBSTR ( accountname , 0 , 3 ) | EVAL y = UPPERCASE ( x )
- LOWERCASE: EVAL x = SUBSTR ( accountname , 0 , 3 ) | EVAL y = LOWERCASE ( x )
- EQUALS: EVAL x = SUBSTR ( accountname , 0 , 3 ) | EVAL y = EQUALS ( x , TG2)
- ISBOOLEAN: EVAL x = SUBSTR ( accountname , 0 , 3 ) | EVAL y = EQUALS ( x , TG2) | EVAL z = ISBOOLEAN ( y )
- ISNOTNULL: EVAL x = SUBSTR ( accountname , 0 , 3 ) | EVAL y = ISNOTNULL ( x )
- ISNULL: EVAL x = SUBSTR ( accountname , 0 , 3 ) | EVAL y = ISNULL ( x )
- ISSTRING: EVAL x = SUBSTR ( accountname , 0 , 3 ) | EVAL y = ISSTRING ( x )
- ISNUM: EVAL x = SUBSTR ( accountname , 0 , 3 ) | EVAL y = ISNUM ( x )
- ISINT: EVAL x = SUBSTR ( accountname , 0 , 3 ) | EVAL y = ISINT ( x )
- ISDIGIT: EVAL x = SUBSTR ( accountname , 0 , 3 ) | EVAL y = ISDIGIT ( x )

SUBSTRBYINDEX
Returns sub-string of actual field value by index.
Syntax: EVAL <store-field> = <SUBSTRBYINDEX> < field > < delimiter > <An integer indicating the number of occurrences of delimiter>

Example: EVAL x = SUBSTRBYINDEX (workemail , @, 1 )

- REPLACE: EVAL x = REPLACE ( workemail ,TG2277 , securonix) | EVAL y = SUBSTRBYINDEX (x , @, 1 )
- LEN: EVAL x = SUBSTRBYINDEX (workemail , @, 1 ) | EVAL y = LEN ( x )
- UPPERCASE: EVAL x = SUBSTRBYINDEX (workemail , @, 1 ) | EVAL y = UPPERCASE ( x )
- LOWERCASE: EVAL x = SUBSTRBYINDEX (workemail , @, 1 ) | EVAL y = LOWERCASE ( x )
- EQUALS: EVAL x = SUBSTRBYINDEX (workemail , @, 1 ) | EVAL y = EQUALS ( x , TG2)
- ISBOOLEAN: EVAL x = SUBSTRBYINDEX (workemail , @, 1 ) | EVAL y = EQUALS ( x , TG2) | EVAL z = ISBOOLEAN ( y )
- ISNOTNULL: EVAL x = SUBSTRBYINDEX (workemail , @, 1 ) | EVAL y = ISNOTNULL ( x )
- ISNULL: EVAL x = SUBSTRBYINDEX (workemail , @, 1 ) | EVAL y = ISNULL ( x )
- ISSTRING: EVAL x = SUBSTRBYINDEX (workemail , @, 1 ) | EVAL y = ISSTRING ( x )
- ISNUM: EVAL x = SUBSTRBYINDEX (workemail , @, 1 ) | EVAL y = ISNUM ( x )
- ISINT: EVAL x = SUBSTRBYINDEX (workemail , @, 1 ) | EVAL y = ISINT ( x )
- ISDIGIT: EVAL x = SUBSTRBYINDEX (workemail , @, 1 ) | EVAL y = ISDIGIT ( x )

VISUALCOMPARATOR
Provides the visual comparator value.
Syntax: EVAL (store-field) = VISUALCOMPARATOR( field , field value , (> | < | <= | >= | = )(threshold value))

Example: EVAL (store-field) = VISUALCOMPARATOR( field , field value , (> | < | <= | >= | = )(threshold value))

Note: Relation Operators to Use: > , < , <= , >= , =

Nested Queries
You can nest queries that use EVAL commands.

Syntax: (resourcegroupname | policyname) | (EVAL) (=) (EVAL COMMANDS (EVAL COMMANDS ((field1) .. (field 2))))

Examples:

- EVAL x = len ( uppercase ( lowercase ( substr ( concat(u_firstname,u_lastname), 0,4) ) ) )
- EVAL x = deviceaction | eval y = equals ( firstname , Kiran)
- isnum ( len ( uppercase ( lowercase ( substr ( concat(u_firstname,u_lastname), 0,4) ) ) ) )
- replace (substr ( concat(u_firstname,u_lastname), 0,10),Secure, Securonix)
- EVAL x = len ( substr ( concat(u_firstname,u_lastname), 0,4) )

Field Commands

These operators perform specific functions on a field.

RENAME
Rename the source field to destination field.
Syntax: RENAME < field1> <as> <field2>

Example: Resourcegroupname = BCP1 | RENAME ipaddress as hostaddress

FIELDS
Display or remove the specified fields from the Results. "+" displays only the specified fields. "-" removes the specified fields from the results.
Syntax: FIELDS < + or - > <field1><,><field2><,>...<field N>

Example: resourcegroupname = BCP1 | FIELDS + ipaddress

- +: FIELDS + ipaddress , accountname
- -: FIELDS - ipaddress , accountname

DELETE
Delete specific events.
Syntax: DELETE <field1 = value> ...<field N = value>

Example: Resourcegroupname = BCP1 | DELETE ipaddress = 182.74.60.19 ... | DELETE ipaddress = 182.74.60.19 accountname = TG2277

GEOLOOKUP
Extract location information such as city, country, latitude, and longitude, based
on IP address.
Syntax: GEOLOOKUP <field>

Example: Resourcegroupname = BCP1 | GEOLOOKUP ipaddress

REX
Extracts and creates fields based on regular expression groupings matched in
the specified key field.

Note:

- Field name is the same as Regex group name
- Performs extraction only, not filtering
- Multiple groupings (fields) can be formed from a single use as long as all the data is in the specified field

Syntax: REX key=field "Regex_grouping"

Example: REX key=destinationprocessname "(?<dstproc>[^\/*<>|\r\n]+$)"

- Extracts the process name and extension to new field dstproc from the specified file path contained in the destinationprocessname attribute
- destinationprocessname = c:\\program files (x86)\\google\\chrome\\application\\chrome.exe Results: dstproc = chrome.exe
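As an added illustration (not SNYPR code), the Python below emulates REX over a list of events: one field per named group, extraction only, non-matching events kept. The events and the second pattern are constructed; the first pattern is the page's, with the backslash added to its character class (my adjustment), because as printed the class does not exclude backslashes and a Windows path would be captured whole.

```python
"""Added example (not SNYPR code): emulates the REX command over a list of
events. Events and the second pattern are constructed; the first pattern is the
page's, with the backslash added to its character class (my adjustment) so
that a Windows path splits at the last separator."""
import re


def rex(events, key, regex):
    """Add one field per named group of regex matched in events[key].
    Extraction only: events that do not match (or lack the key) are kept unchanged."""
    # Spotter patterns use Java-style (?<name>...) groups; Python's re expects (?P<name>...).
    # The lookahead leaves lookbehind assertions such as (?<= and (?<! untouched.
    compiled = re.compile(re.sub(r"\(\?<(?=[A-Za-z])", "(?P<", regex))
    out = []
    for ev in events:
        ev = dict(ev)
        value = ev.get(key)
        m = compiled.search(value) if isinstance(value, str) else None
        if m:
            ev.update({name: v for name, v in m.groupdict().items() if v is not None})
        out.append(ev)
    return out


# Constructed events; the first path is the page's own example.
EVENTS = [
    {"destinationprocessname": r"c:\program files (x86)\google\chrome\application\chrome.exe"},
    {"destinationprocessname": r"c:\windows\system32\cmd.exe"},
    {"accountname": "TG2277"},  # key field absent: REX leaves the event as-is
]

# The page's pattern, with \\ added to the excluded set. Without it the class
# [^\/*<>|\r\n] accepts backslashes, so the whole path would become dstproc.
DSTPROC_RE = r"(?<dstproc>[^\\/*<>|\r\n]+$)"

# A second pattern showing several fields from one REX: directory and file name.
DIR_AND_PROC_RE = r"(?<dstdir>.*)\\(?<dstproc>[^\\]+)$"

if __name__ == "__main__":
    for ev in rex(EVENTS, "destinationprocessname", DIR_AND_PROC_RE):
        print(ev.get("dstdir"), "->", ev.get("dstproc"))
```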

Transforming Operators
These operators display search results in various visualization formats.


Reporting Commands

These operators transform search results into visual reports.

AVG DISTINCT
Get the Average distinct results for the field.
Syntax: AVG DISTINCT((field 1) <,> (field N)) (by) ( hourly | daily | weekly | monthly | field)

Example: resourcegroupname = Distinct | AVG DISTINCT(accountname,ipaddress) by daily; resourcegroupname = Distinct | AVG DISTINCT(accountname,ipaddress) by accountname

SUM DISTINCT
Get the Sum of distinct results for the field.
Syntax: SUM DISTINCT((field 1) <,> (field N)) (by) ( hourly | daily | weekly | monthly | field)

Example: resourcegroupname = Distinct | SUM DISTINCT(accountname,ipaddress) by accountname; resourcegroupname = Distinct | SUM DISTINCT(accountname,ipaddress) by daily

GEOMAP
Displays the events in a GEOMAP.
Syntax: GEOMAP < field1> <field2> <field-n>

Example: GEOMAP latitude longitude addr

- Activity: resourcegroupname = BCP1 | GEOMAP latitude longitude ipaddress
- Violation: policyname = Logon_Failure | GEOMAP eventlatitude eventlongitude ipaddress
- Index: index = tpi | GEOMAP tpi_latitude tpi_longitude tpi_addr
- GEOLOOKUP: resourcegroupname = BCP1 | GEOLOOKUP ipaddress | GEOMAP latitude longitude ipaddress
- Group By: resourcegroupname = BCP1 | GEOMAP eventlatitude eventlongitude ipaddress by eventregion

BUBBLECHART
Shows a type of chart that displays three dimensions of data (x, y, z).
Syntax: BUBBLECHART <field1> <count> <by> <field2> .... <field N>

Example: resourcegroupname = BCP1 | BUBBLECHART ipaddress

- STACKED: BUBBLECHART ipaddress by accountid
- COUNT: BUBBLECHART count by ipaddress
- STACKED with COUNT: BUBBLECHART ipaddress by accountid

BARCHART
Represents grouped data with rectangular bars with lengths proportionate to the
values they represent.
Syntax: BARCHART <field1> <count> <by> <field2> .... <field N>

Example: resourcegroupname = BCP1 | BARCHART ipaddress

- STACKED: BARCHART ipaddress by accountname
- GROUP: BARCHART ipaddress accountname
- COUNT: BARCHART count by ipaddress
- STACKED with COUNT: BARCHART count by ipaddress accountname

TIMECHART
Displays the data for field(s) in a time series.
Syntax: TIMECHART <hourly | daily | weekly | monthly> <count by> <field1>
<by> <field2> ... <field N>

Example: TIMECHART weekly policyuniqkey by policyname; TIMECHART weekly policyuniqkey policyname


SPAN
Filters group information within a specified time span.

Note:
Duration: dur =
- Seconds - s, sec, second, seconds
- Minutes - m, min, minute, minutes
- Hours - h, hr, hour, hours
- Days - d, day, days
- Month - mon, month, months

Syntax: SPAN dur=#period Field1, Field2, fieldN

Example: SPAN dur=5min ipaddress accountname; SPAN dur=weekly accountname

RARE
Displays the least common values of a field(s). Use limit to restrict the number of displayed events.
Syntax: RARE <limit = constant> <field1> <by> <field 2> .... <field N>

Example: resourcegroupname = BCP1 | RARE ipaddress

- STACKED: RARE ipaddress by accountname
- GROUP: RARE ipaddress accountname
- LIMIT: RARE limit =5 ipaddress
- STACKED with LIMIT: RARE limit =5 ipaddress accountid

TOP
Displays the most common values of a field. Use limit to restrict the number of displayed events.
Syntax: TOP <limit = constant> <field1> <by> <field 2> .... <field N>

Example: resourcegroupname = BCP1 | TOP ipaddress

- STACKED: TOP ipaddress by accountname
- GROUP: TOP ipaddress accountname
- LIMIT: TOP limit =5 ipaddress
- STACKED with LIMIT: TOP limit =5 ipaddress accountid

STATS
Displays the values as observed with count of events for each value based on
the specified attributes.

Note: Each field refers to faceting of the previous field. Field1 is L1, Field2 is L2, etc.

Syntax: STATS < field | count> <by> <field> STATS LIMIT=# Field1 Field2 field3

Example: STATS ipaddress accountname

LINK
Provide the Graphical tools for organizing and representing events.
Syntax: LINK < field1> <field2> <field-n>

Example: LINK emailsender filename emailrecipient

- Activity: resourcegroupname = BCP1 | LINK ipaddress accountname filename
- Violation: policyname = Logon_Failure | LINK ipaddress accountname filename

TABLE
Display the specified fields in table format, with fields separated by "," (comma).
Syntax: TABLE <field1><,><field2><,>...<field N>

Example: resourcegroupname = BCP1 | TABLE ipaddress

- Multiple Attributes: TABLE ipaddress , accountname, accountstatus


GEOLINK
Plots the geographical connection between two fields on a world map.

Note:
- Field1 sets the starting point
- Field3 sets the ending point
- Applicable to the following fields:
  - ipaddress
  - sourceaddress
  - sourcehostname
  - destinationaddress
  - destinationhostname
  - resourcehostname
  - devicehostname

Syntax: GEOLINK Field1 Field2

Example: GEOLINK ipaddress destinationaddress

HEATMAP
Forms a matrix based on selected attributes where values are represented by
color.

Note:
- Chart does a count on field1 by default unless an aggregated operator is applied to the attribute
- Count of field1 determines the color (and size of block if only one attribute is given)
- Field 2 is the values observed on the Y-axis
- Field3 is the values observed on the X-axis

Syntax: HEATMAP Field1 Field2 field3

Example: LINK emailsender filename emailrecipient

- Activity: resourcegroupname = BCP1 | LINK ipaddress accountname filename
- Violation: policyname = Logon_Failure | LINK ipaddress accountname filename

INDEXEDVOLUME
Displays the number of events indexed based on a duration period in the form of
a table or bar chart.

Note:
- Duration periods:
  - Seconds
  - Minutes
  - Hours
  - Days
  - Months
- Supported Start / End periods: Now-#Timemodifier
- Supported Types:
  - Table
  - Chart

Syntax: INDEXEDVOLUME start=NOW/Time_Modifier-#Time_Modifier end=NOW/Time_Modifier-#Time_Modifier span=#duration type=type

Example: INDEXEDVOLUME start=NOW/days-14days end=NOW span=1hours type=table; INDEXEDVOLUME start=NOW/days-14days end=NOW span=1hours type=chart

Aggregation Operators

These operators function on the output of transforming functions.

Example: resourcegroupname = BCP1 and accountname NOT STARTS WITH secur

Command: MIN
Syntax: MIN(<field>)
Provides the MIN value for specified field.
Note: MIN Operator should be used with following commands: TOP, RARE, STATS and BUBBLECHART
Examples:
- STATS MIN(bytesout) by ipaddress accountname
- resourcegroupname = Email_sent_to_Users | BUBBLECHART MIN(bytesout) ipaddress accountname
- resourcegroupname = Email_sent_to_Users | TOP MIN(bytesout) ipaddress employeeid
- resourcegroupname = Email_sent_to_Users | RARE MIN(bytesout) ipaddress employeeid

Command: MAX
Syntax: MAX(<field>)
Provides the MAX value for specified field.
Note: MAX Operator should be used with following commands: TOP, RARE, STATS and BUBBLECHART
Examples:
- STATS MAX(bytesout) by ipaddress accountname
- resourcegroupname = Email_sent_to_Users | BUBBLECHART MAX(bytesout) ipaddress accountname
- resourcegroupname = Email_sent_to_Users | TOP MAX(bytesout) ipaddress employeeid
- resourcegroupname = Email_sent_to_Users | RARE MAX(bytesout) ipaddress employeeid

Command: SUM
Syntax: SUM(<field>)
Provides the aggregated SUM value for specified field.
Note: SUM Operator should be used with following commands: TOP, RARE, STATS and BUBBLECHART
Examples:
- STATS SUM(bytesout) by ipaddress accountname
- resourcegroupname = Email_sent_to_Users | BUBBLECHART SUM(bytesout) ipaddress accountname
- resourcegroupname = Email_sent_to_Users | TOP SUM(bytesout) ipaddress employeeid
- resourcegroupname = Email_sent_to_Users | RARE SUM(bytesout) ipaddress employeeid

Command: AVG
Syntax: AVG(<field>)
Provides the AVG value for specified field.
Note: AVG Operator should be used with following commands: TOP, RARE, STATS and BUBBLECHART
Examples:
- STATS AVG(bytesout) by ipaddress accountname
- resourcegroupname = Email_sent_to_Users | BUBBLECHART AVG(bytesout) ipaddress accountname
- resourcegroupname = Email_sent_to_Users | TOP AVG(bytesout) ipaddress employeeid
- resourcegroupname = Email_sent_to_Users | RARE AVG(bytesout) ipaddress employeeid

Command: PCR
Syntax: PCR(field1,field2)
Finds changes in traffic flows that indicate exfiltration.
Notes:
Analysis Techniques: Identify changes in host roles, and investigate. PCR is a normalized metric of traffic ratios from a host ranging from -1 to 1.
PCR = ( bytesin - bytesout ) / ( bytesin + bytesout )
PCR host role:
- 1.0 pure push - FTP upload, multicast, beaconing
- 0.4 70:30 export - Sending Email
- 0.0 Balanced Exchange - NTP, ARP probe
- -0.5 3:1 import - HTTP Browsing
- -1.0 pure pull - HTTP Download
DNS is less noisy than HTTP for this metric, and is a possible exfil channel. A positive shift in PCR for DNS traffic may indicate DNS Exfil.
Examples:
- TOP PCR( bytesin, bytesout) ipaddress accountname
- resourcegroupname = Email_sent_to_Users | BUBBLECHART PCR( bytesin, bytesout) ipaddress accountname
- resourcegroupname = Email_sent_to_Users | BARCHART PCR( bytesin, bytesout) ipaddress accountname
- resourcegroupname = Email_sent_to_Users | TIMECHART weekly PCR( bytesin, bytesout) ipaddress accountname
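As an added illustration (not Securonix code), the Python below computes PCR with the formula given above, labels a value with the nearest host role from the list, and flags hosts whose DNS PCR shifts upward between a baseline and a current window, which is the DNS exfil signal the note describes. The sample events and the 0.3 shift threshold are constructed assumptions.

```python
"""Added example (not SNYPR code): the PCR metric from the page, the host-role
labels it lists, and a check for the positive DNS PCR shift the page calls out.
All events below are constructed sample data."""
from collections import defaultdict

# Host-role anchors as listed on the page; a value is labelled by its nearest anchor.
HOST_ROLES = [
    (1.0, "pure push"),          # FTP upload, multicast, beaconing
    (0.4, "70:30 export"),       # sending email
    (0.0, "balanced exchange"),  # NTP, ARP probe
    (-0.5, "3:1 import"),        # HTTP browsing
    (-1.0, "pure pull"),         # HTTP download
]


def pcr(bytesin, bytesout):
    """PCR = (bytesin - bytesout) / (bytesin + bytesout), as defined on the page.
    Returns None when there was no traffic at all (the ratio is undefined)."""
    total = bytesin + bytesout
    if total == 0:
        return None
    return (bytesin - bytesout) / total


def host_role(value):
    """Label a PCR value with the nearest host role from the page's table."""
    return min(HOST_ROLES, key=lambda role: abs(role[0] - value))[1]


def pcr_by_host(events):
    """Sum bytes per ipaddress first, then take PCR of the totals
    (one ratio per host, in the spirit of TOP PCR(bytesin, bytesout) ipaddress)."""
    totals = defaultdict(lambda: [0, 0])
    for ev in events:
        totals[ev["ipaddress"]][0] += ev["bytesin"]
        totals[ev["ipaddress"]][1] += ev["bytesout"]
    return {ip: pcr(bi, bo) for ip, (bi, bo) in totals.items()}


def dns_pcr_shift(baseline, current, min_shift=0.3):
    """Flag hosts whose DNS PCR moved upward by at least min_shift between two
    windows; the page notes a positive DNS PCR shift may indicate DNS exfil.
    min_shift is an assumed tuning value, not a figure from the page."""
    before = pcr_by_host(e for e in baseline if e["resourcegroupname"] == "DNS")
    after = pcr_by_host(e for e in current if e["resourcegroupname"] == "DNS")
    flagged = {}
    for ip, now in after.items():
        then = before.get(ip)
        if then is None or now is None:
            continue  # no baseline or no traffic: nothing to compare against
        if now - then >= min_shift:
            flagged[ip] = {"baseline": then, "current": now,
                           "role_then": host_role(then), "role_now": host_role(now)}
    return flagged


# Constructed sample events: bytesin/bytesout per host and data source.
BASELINE_WINDOW = [
    {"ipaddress": "10.0.0.5", "resourcegroupname": "DNS", "bytesin": 1000, "bytesout": 4000},
    {"ipaddress": "10.0.0.7", "resourcegroupname": "DNS", "bytesin": 500, "bytesout": 2000},
]
CURRENT_WINDOW = [
    {"ipaddress": "10.0.0.5", "resourcegroupname": "DNS", "bytesin": 4000, "bytesout": 1000},
    {"ipaddress": "10.0.0.5", "resourcegroupname": "DNS", "bytesin": 5000, "bytesout": 0},
    {"ipaddress": "10.0.0.7", "resourcegroupname": "DNS", "bytesin": 600, "bytesout": 2400},
    {"ipaddress": "10.0.0.9", "resourcegroupname": "HTTP", "bytesin": 9000, "bytesout": 100},
]

if __name__ == "__main__":
    for ip, info in dns_pcr_shift(BASELINE_WINDOW, CURRENT_WINDOW).items():
        print(ip, info)
```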

Command: STDDEV
Syntax: STDDEV(Field)
Calculates the Standard Deviation observed for the specified numeric attribute values.
Examples: STDDEV(bytesin)

Command: SUMSQ
Syntax: SUM(Field)
Calculates the sum of squares for all values for the specified numeric attribute.
Notes: This function squares each value observed before performing addition.
Examples: SUM(bytesin), with event 1 bytesin = 3 and event 2 bytesin = 2. Result: 18. Derived from math: 3^2 + 3^2 = 9 + 9

Command: VARIANCE
Syntax: VARIANCE(Field)
Calculates the variance observed for the specified numeric attribute.
Examples: VARIANCE(bytesin)

Data Processing Operators


These operators are used to perform actions on a set of search results.

Operators

Command: HEAD
Syntax: HEAD <number>
Description: Returns filtered results based on the condition.
Note: HEAD Operator should be used with following commands: TOP, RARE, STATS and BUBBLECHART
Examples:
- HEAD 10
- With Top: resourcegroupname = OKTA | top accountname | HEAD 10
- With STATS: resourcegroupname = OKTA | STATS accountname | HEAD 10
- With BARCHART: resourcegroupname = OKTA | BARCHART accountname | HEAD 10

Command: WHERE
Syntax: WHERE <count> <comparison operator> <number>
Description: Returns filtered results based on the condition.
Note: WHERE command should be used with the following Operators: > Greater than, >= Greater than or equal to, < Less than, <= Less than or equal to
Examples:
- where count > 10
- With Top: resourcegroupname = OKTA | top accountname | WHERE count > 35
- With Top & ORDERBY: resourcegroupname = OKTA | top accountname | WHERE count > 35| ORDERBY asc
- With STATS: resourcegroupname = OKTA | stats accountname | WHERE count > 35
- With STATS & ORDERBY: resourcegroupname = OKTA | STATS accountname transactionstring1 | WHERE count > 0 | ORDERBY desc
- With BARCHART: resourcegroupname = OKTA | BARCHART accountname ipaddress | WHERE count > 5

Command: ORDERBY
Syntax: ORDERBY <asc or desc or <field asc or desc>>
Description: Sort events by ascending or descending order, or by field. A bare asc or desc sorts events by count.
Note: ORDERBY command should be used with the following commands: TOP, RARE and STATS
Examples:
- ORDERBY asc
- Sort Events Descending order: resourcegroupname = Google_Login | STATS count by ipaddress firstname | ORDERBY desc
- Sort Field By Ascending order: resourcegroupname = Google_Login | STATS count by ipaddress firstname | ORDERBY firstname asc
- Sort Field By Descending order: resourcegroupname = Google_Login | STATS count by ipaddress firstname | ORDERBY ipaddress desc

Additional Search Examples


See the following examples to find top risk users, malicious IP addresses, and other common queries.

Examples

Description: Get top risk users, activity accounts, activity IP addresses, and resources
Syntax: Index=riskscore <and> <violator> = <Users | Activityip | Activityaccount | Resources> | <top> <violator ID>
Examples:
- index=riskscore | top violatorid
- Top Risk Users: index=riskscore and violator= Users | top violatorid
- Top Activityaccount: index=riskscore and violator= Activityaccount | top violatorid
- Top Activityip: index=riskscore and violator= Activityip | top violatorid
- Top Resources: index=riskscore and violator= Activityip | top violatorid

Description: Get flight risk users
Syntax: Index=riskscore <and> <violator> = <Users> | <Filter> <index> <=> <watchlist> <and> <field1> <=> <field2>
Example: index=riskscore and violator = Users | Filter index = watchlist and entityname = violatorid

Description: Check if IP address is malicious
Syntax: Index=riskscore <and> <violator> = <Activityip> | <Filter> <index> <=> <tpi> <and> <field1> <=> <field2> and <field3> <=> <field4>
Example: Index=riskscore and violator = Activityip | Filter index = tpi and addr = entityid and criticality = high

Description: Get information about assets on the network
Syntax: Index = asset <and> <field1> = <field2>
Example: Resourcegroupname = BCP1 | index = asset and entityname = accountname

Description: Check if user has sent email to personal email address
Syntax: resourcegroupname = <value> | EVAL X = emailtoself (firstname,workemail,0.4)
Examples:
- resourcegroupname = "ADEvents" | EVAL matchPerc = emailtoself (firstname,workemail,0.4)
- resourcegroupname = "ADEvents" | eval x = SUBSTRBYINDEX (workemail , "@", "1" )

Best Practice
This section describes the recommended best practices and provides support for frequently asked questions for searching in Spotter.

Optimizing Queries

Follow these best practices to optimize queries.

- Use Operators that perform equals / exact matches.
- Limit operators to 3-5 for a search if the operators convert to a Regex match in Solr, as they will be CPU intensive.

Refining Queries

Follow these best practices if a query times out:

1. Check if the query is performing a transformation such as STATS.
   If No, check the following:
   - Time frame
   - Search terms for excessive contains and wildcard usage
   - Restrict to a single datasource
   If Yes, check the following:
   - Number of unique values by replacing STATS with: distcount
   - If value is excessively high use TOP/RARE Limit=#
   - If value is low reduce timeframe and run again
2. Add additional search terms to reduce the dataset which has to be counted

Querying Threat Models

Follow these best practices to query threat models:

- Query the name of the threat model in the violation index when the name is known.
- Use the following query to see all threat model violations when the name is unknown: index= violation | FILTER index=riskscore and employeeid=employeeid and doctype = entity_threatmodel

Note: You will be unable to see the violated policies that resulted in the threat model violation.


Support Queries

Issue: Geomap / Geolink not displaying points on the map
Validation: eventlatitude NOT NULL and eventlongitude NOT NULL
Additional Notes: Substitute / add other fields from the GEOMAP table to validate
whether they are populated.
Fix:
l If enrichment is functioning, open a ticket for further support.
l If not, validate enrichment in the Activity import screens and further validate the
enrichment job.

Issue: Geolookup is not populating geolocation attributes
Validation: index = geolocation
Additional Notes: ipto and ipfrom must be populated.
Fix:
l If there is no data in the index, import geolocation data (Maxmind).
l If ipto and ipfrom are missing or contain 0.0.0.0, the index is not valid. Re-import
the geolocation data.

Issue: Validate Unix Time Conversions
Validation: | EVAL x = to_unixtime(time_attribute) | eval y =from_unixtime(x,"MM/dd/yyyy HH:mm:ss") | FIELDS + x, time_attribute, y
Additional Notes:
l Use an external unix to human time converter to validate.
l All times should match in human readable format.
l If the field is missing from the fields command, switch to table.
Fix: Open a ticket if the conversions are not functioning.

Issue: Missing details on Violation Events Tab
Validation: index=violation and accountname = ACCOUNT_N_Question | Stats policyname
Additional Notes: Validate that the policy name matches the name shown in the SCC;
trailing spaces are sometimes cut off.
Fix:
l If a match is observed, continue checking: does the name still match when added to
the Spotter search, including all whitespace characters?
l If there is no match, check whether any other violation details exist in riskscore
and/or riskscorehistory.

Issue: undefined field
Validation:
l Need to know the data source name.
l Validate that the field is being parsed in the activity import configuration screens.
l Validate that the field and the parsed field are stored in the collection, as they may
not exist in older collections.
Additional Notes: N/A
Fix:
l If the field is being parsed, send a ticket to PM for further support.
l If the field is not being parsed, work with Content to parse it and revalidate going
forward.

Issue: SOLR Error: Unknown RefineMethod
Validation: Spotter Setting / Spotterconfig Faceting Level > Refine
Additional Notes: SOLR 7 or newer. Default Value: true. Acceptable values:
l simple
l TRUE
l none
Fix:
l If the Solr version is old, remove the keys refine and overrefine from spotterconfig
in the DB.
l Change the value to true.

Issue: Policy does not show in Spotter, but shows as current on the SCC
Validation: index = violation | Stats policyname
For the time frame select:
l Last 24 hours
l Last 48 hours
l Last 72 hours
Additional Notes:
l SCC is based on generation time.
l Spotter is based on event time.
Fix: If the policy appears in a wider time range, there is a delay in one of the jobs.
Example: policy A eventtime is 11/1 but it is processed as a violation with a generation
time of 11/3. This will not be found in Spotter unless the generation time is specified in
the query or the time frame selected includes 11/1.
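The SCC/Spotter time-frame mismatch in the last row above, as an added example that is not part of the SNYPR guide: the violation records, timestamps, the NOW value and the generationtime field name are all constructed for illustration, and the time-frame check is a simulation of the two views rather than product code.

```python
"""Added example (not from the SNYPR guide): why a policy can show as current on
the Security Command Center (SCC) yet be missing from Spotter for the same
time frame. The guide states the SCC filters on generation time while Spotter
filters on event time; this simulates both views over constructed records."""
from datetime import datetime, timedelta
import math

# Constructed sample violation records (not real SNYPR data). Policy A mirrors the
# guide's example: event time 11/1, processed as a violation on 11/3.
# The field name "generationtime" is an assumption for this example.
VIOLATIONS = [
    {"policyname": "policy A",
     "eventtime": datetime(2022, 11, 1, 9, 0),
     "generationtime": datetime(2022, 11, 3, 2, 0)},
    {"policyname": "policy B",
     "eventtime": datetime(2022, 11, 3, 1, 0),
     "generationtime": datetime(2022, 11, 3, 1, 30)},
]

# Constructed "current" time used by the simulation.
NOW = datetime(2022, 11, 3, 12, 0)


def policies_in_window(violations, now, hours, time_field):
    """Distinct policy names whose `time_field` falls within the last `hours`
    hours ending at `now` (the equivalent of `| Stats policyname` with a time
    frame such as Last 48 hours applied on that field)."""
    start = now - timedelta(hours=hours)
    return sorted({v["policyname"] for v in violations
                   if start <= v[time_field] <= now})


def scc_view(violations, now, hours):
    """SCC: the time frame is applied to the violation's generation time."""
    return policies_in_window(violations, now, hours, "generationtime")


def spotter_view(violations, now, hours, time_field="eventtime"):
    """Spotter: the time frame is applied to the event time unless the query
    explicitly filters on the generation time field instead."""
    return policies_in_window(violations, now, hours, time_field)


def missing_from_spotter(violations, now, hours):
    """Policies visible on the SCC but absent from Spotter for the same frame.
    Returns the missing names and the smallest time frame (whole hours) that
    would make Spotter include their event times, i.e. the job-delay check."""
    gap = [p for p in scc_view(violations, now, hours)
           if p not in spotter_view(violations, now, hours)]
    if not gap:
        return [], hours
    oldest = min(v["eventtime"] for v in violations if v["policyname"] in gap)
    needed = math.ceil((now - oldest).total_seconds() / 3600)
    return gap, needed


if __name__ == "__main__":
    print("SCC, last 48 h:       ", scc_view(VIOLATIONS, NOW, 48))
    print("Spotter, last 48 h:   ", spotter_view(VIOLATIONS, NOW, 48))
    print("Missing, hours needed:", missing_from_spotter(VIOLATIONS, NOW, 48))
    print("Spotter on generation time, last 48 h:",
          spotter_view(VIOLATIONS, NOW, 48, time_field="generationtime"))
```

Widening the Spotter time frame to the returned number of hours, or querying on the generation time field, makes the two views agree again.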

Limitations

Note: All of the following limitations are configurable in Configxml > spotter_config. If
you want to change a value beyond the default, you must consider the Application
Resources and the Solr Cell configuration / resources to maintain application stability.
If changed while the application is running, use the Refresh Config button in the expanded
Spotter search bar to apply the change.

l Max Bucket Size: When you execute a Spotter search that threatens to take the
application out of memory by returning too many tuples (unique values), the
application will cancel the query to maintain application stability.
l Tag & default value: <maxBucketSize>100000</maxBucketSize>

l UI message: Query matched too many unique values. Query has been stopped to
maintain application stability.


l Query timeout: All Spotter queries will be canceled at the 3 minute mark regardless of
results returned, to prevent the underlying system, SOLR, from crashing, which impacts
the application itself.
l Tag & default value: <timeAllowed>3000</timeAllowed>

l UI Message
l 0 Results: Query Time out passed , current query is too resource intensive or
search servers are busy. Please narrow your search.

l Partial Results: Query time allowed exceeded. Partial results returned. Please
refine query.

l Allowed Faceting Fields for Commands: Any command that uses faceting / aggregation
has a set limit of fields allowed to be utilized to maintain application stability.
l Tag & default value: <allowedFacetFieldsForCommands>3</allowedFacetFieldsForCommands>

l Leftside Maximum collections: This is the number of SOLR collections that the system
will search through for the attributes added to the Selected Fields panel on the left side
for simple searches.
l Tag & default value: <leftSideMaxCollections>5</leftSideMaxCollections>

l Facet Levels: All aggregation commands and the time line that appears on Spotter use
faceting to obtain the counts of events as designed. These are used to maintain application
stability. No message is displayed for this.


l Tags & default value:


l Use a report with index=archive to go beyond the Facet level limitations.

l Others:
l Transforming and Aggregation Operators do not cross Archive. The operators are
performed in different systems and therefore cannot be combined. If you need to
perform these actions for data that includes archive, prefix the query with
index=archive.


Incident Management
SNYPR includes comprehensive case management capabilities that allow multiple
teams to collaborate on investigation and incident response. You can manage and col-
laborate on cases from the Incident Management dashboard.

Incident Management Workflow


Workflows are used to manage incidents and are invoked when you create incidents on
violations. SNYPR provides several default workflows that you can choose to manage
incidents, or you can create your own custom workflow.

You can run an Incident Management summary or detail report and send it to the security
operations center (SOC) manager or an analyst of your choice. The reports include:
l Incident Management Weekly Summary

l Incident Management Summary

l Incident Management Details

l Incident Management Weekly Details


Manage Cases
When a case is created, you can manage and track the case using the management fea-
tures on the Incident Management dashboard.
To get started, navigate to Menu > Security Center > Incident Management.

The following list describes each management feature referenced in the previous
image:

a: Time Range: Changes the time frame of the dashboard results.

b: Incident Status: Filters the incidents that display on the dashboard by status. You
can filter by Opened, Updated, or Closed incidents.

c: Dashboard: Filters the dashboard based on the criteria selected.

d: Change Status: Changes the status of one or more incidents. To change the status of
an incident, select one or multiple incidents. To select all of the incidents on the
dashboard, check the Change Status box as seen in the image below. Click the
drop-down and select a status. The following status options are available:
l Assign to Analyst

l Close as Fixed

l Claim

l Change Criticality

e: Search: Searches the following values to get results:
l Entityid

l Employeeid

l department

l firstname

l lastname

l Incident id

l manageremployeeid

l title

l data source name

l comments

l policy name

l group name

f: Refresh: Refreshes the dashboard after you update it with edits or filters, or if you
want to view more recent data.

g: Filter Incidents/Reports: Filters the dashboard by incidents or reports.

h: Filter Order: Orders the incidents and violators listed in the dashboard in ascending
or descending order. To order incidents or violators, click the Filter Order icon, then
choose from the following options:
l Incident Updated Time

l Incident Created Time

l Risk Score

The default sort order on the dashboard is ascending. To sort in descending order,
click the icon pointing down, as seen in the image below.

i: Graphical Analysis: Filters incidents by the incident updated, created, and closed time.

Note: Incidents created with the On-Demand Incident feature do not display in the
Graphical Analysis.

j: Reports: Schedules the following incident reports:
l Incident Management Weekly Summary

l Incident Management Summary

l Incident Management Details

l Incident Management Weekly Details

For more information, see Reports.

k: Case Details: Select any incident in the Incident Management panel to view the Case
Details. The Case Details screen includes the violator's name and information, a
summary of the violation, the violation events, an activity stream, and the playbooks
associated with the event. From the Case Details screen, you can take action on:
l An entity based on their violated policies

l A single policy

l Threats for entities that violated a threat model

Note: The details on this screen vary depending on the type of incident.

For this example, an On-Demand Incident is selected. The On-Demand Incident
includes the following tabs:

l Events: By default, displays the Events in Card View, as seen in the previous image.
You also have the option to view the Events in a Tabular View, as seen in the
following image.

l Activity Stream: Displays a list of recent case activities performed by the
administrator. To view a list of queries used while attaching events, click View
Queries. When you click a previously used query, Spotter opens in a new tab with
your selected query.


Chat with an Analyst


The Chat feature is a messaging tool that enables security analysts to collaborate on
cases. This feature can be accessed from the Violation Summary screen.
For this example, the Chat feature is accessed from the Violation Summary screen. On
the top right of the screen, there is a Viewers section that displays the initials of the
security analyst(s) viewing the same case as you, as seen in the image below:

To start a conversation with another analyst, click the green chat icon. A text box
will appear, allowing you to type and send your message:


Note: Only users viewing the case at the same time will appear as available for chat.

To send your message, click the green arrows. To close the chat conversation,
click the green chat icon.

View Case Details


The actions you can take on a case are based on the actions defined in the workflow
assigned to the case. For each action you select, you can enter comments to explain or
justify the action. See Take Actions on Cases for more information about the actions you
can take from this screen.
To view case details, complete the following steps:
1. Navigate to Menu > Security Center > Incident Management.

2. Click the case to view the case details.

The Case Management screen appears with the following information:

The following list describes the user interface (UI) elements on the Case Management
screen:

a: Case Status: The status of an incident. An incident will have an Open or Completed
status.

b: Violator Details: Details about the violator, including:
l Employee ID

l Department

l Manager Employee ID

l Title

l Policy Name

c: Incident and Entity Details: Includes the incident and entity details. The Incident
Details tab displays details about the entity associated with the violation. The Entity
Details tab displays information such as user and workflow details, employment history,
and custom properties. The information available in both tabs varies depending on the
properties of the user, actions taken against the user, and the type of violation(s)
associated with the user.

e: Violation Summary: Displays the reason for the violation and a graph of the risk score
trend.

f: Activity Stream: A live stream of activity for each case.

Note: Searching comments on the Activity Stream is available from the 6.4 May2022 R1
build.

g: Violation Summary: A summary representation of the violation that is connected to the
incident.

h: Other Policies: A list of additional policies violated by an entity.

i: Violation Events: The individual events that are associated with the violation, shown
as a Spotter search.

j: Attribute Names: You can toggle between the Securonix attribute names and the
user-defined attribute names the content developer selected during activity import. The
following options are available:
l Show Securonix Attribute Names: The standard naming format that Securonix uses
for an attribute.

l User Defined Attribute Name: A customized naming format for an attribute.

The information that displays in the images above is based on the violation summary
configured by the content developer during the policy or threat model creation.


Take Action on Cases


The actions available for each case are based on the workflow selected for the case. For
more about configuring workflows, see the Workflows section in the SNYPR
Administration Guide.
You can take action on a single incident or on multiple incidents.

a. Actions performed on multiple incidents: The bulk action feature is implemented
using RBAC. Only security analysts with admin privileges can claim, reassign, close,
and change the criticality of a single or multiple incidents. For non-admin users, you
have to assign bulk-action privileges from Access Control. You can also perform bulk
actions on multiple incidents simultaneously:
l Assign to Analyst

l Closed as Fixed

l Claim

l Change Criticality

b. Actions performed on an incident: The actions configured in default workflows
include the following:
l Assign cases to a specific analyst or group of analysts.

l Claim an open case (a case not yet assigned), and begin the investigation process.

l Accept the risk.

l Mark as a confirmed Violation.

l Release the case for another analyst to claim.

Note: These actions vary for all cases and may be labeled differently for custom
workflows.

Actions You Can Take on Cases


To take action on an open case, complete the following steps:
1. Click an action from the Actions menu.

2. Provide the following information, depending on the action you select:


Assign to Analyst

This option is used to assign the case to an individual user or a user group.
To assign a case to an analyst, complete the following steps:
1. Complete the following information:


a. Comments: Provide comments for the analyst.

b. Criticality: Select the criticality.

c. Assign to Analyst: Select from the drop-down to assign to a single analyst or
group.

2. Click Submit.

3. Click the ellipsis icon to view the analyst or group that the case is
Assigned To.

Change Criticality - Bulk Action

Use this option to change the criticality of the case. To change the criticality of
a case, complete the following steps:
1. Check the box next to the incident(s) you want to change the criticality for.

2. Click the bulk filter icon located in the column header.


3. Click Change Criticality.


4. Click the Criticality drop-down and select from one of the following status
options:

l None

l Low


l Medium

l High

l Custom

5. Click Update.

The criticality for the incident is displayed on the Incident Management
screen.

Claim

Use this option to claim the case for the current user (you) and start working
the investigation. To claim a case, complete the following steps:
1. Enter comments to explain or justify the action.

2. Click Submit.

The status appears as Claimed:


Note: Only the analyst who has claimed the case will have the authority to edit the
case. Other analysts in the group will be able to view the case and the case details.

Accept Risk

Use this option to close the case and mark the violation as fixed. To accept
risk for a case, complete the following steps:
1. Complete the following information:


a. Business Response: Select an appropriate business response from the drop-down.

b. (Optional) Business Justification: Enter a comment.

c. (Optional) Remediation Performed: Enter a comment.

d. (Optional) Business Internal Use: Enter a comment.

2. Click Submit.

The case will appear as Completed.

Note: You will not be able to take further action on a case when it has been closed
for Accept Risk. You must reopen the case.

Violation

Use this option to close the case and mark the case a confirmed violation. To
close a case, complete the following steps:


1. Complete the following information:

a. Business Response: Select an appropriate business response from the drop-down.

b. Business Justification: Enter a comment (optional).

c. Remediation Performed: Enter a comment (optional).

d. Business Internal Use: Enter a comment (optional).

2. Click Submit.

The case appears as Closed:


Note: You will still be able to take actions such as Claim, Release and Assign to
Analyst when the case is closed as a violation.

Create a Case from the Security Command Center


From the Violation Summary screen, you can create cases from the following security
incidents:
l Policy violations: For a policy violation, violators are grouped under one case.
l Threat violations: For a threat violation, violators are grouped under one case.

l Entity/violator: For an entity, violations across all jobs are grouped in one case.

After you create a case for the security incident, you can use the Incident Management
dashboard to analyze the data. For more details about the features available on this
screen, see Violation Summary.
To create a case, complete the following steps:
1. Navigate to Menu > Security Center > Security Command Center.

2. Click an entity, violation, or threat from any of the dashboard widgets. For example, a
violator is selected from the Top Violators widget.

3. Click Take Action from the right side of the violator, then select Mark as concern and
create incident.


4. Complete the following information in the Mark as concern and create incident dialog box:

a. Available Workflow: Select a workflow from the drop-down. For more information about
configuring workflows, see Workflows in the SNYPR Administration Guide.

b. Comments: A comment that describes the action.

c. Criticality: The severity level for the action.

d. Assign to Analyst: A user or group that the case is assigned to.

To search for a user or group, click the magnifying glass icon. The Select
Assignee pop-up displays. To select an assignee, select the radio button next to
the user or group you want to assign the case to, then click Assign.

5. Click Submit.

After you create the case, you can navigate to Menu > Security Center > Incident
Management to manage the case from the Incident Management dashboard.


Reports
SNYPR has both out-of-the-box standard reports and extensive ad-hoc reporting
capabilities. From the Report menu, the following options are available:
l Categorized Reports: Schedule and run default reports or create custom reports.

l Auditing: View audit activity performed in the SNYPR application.

l Scheduled Reports Job: View existing report jobs and schedule new report jobs for saved
reports.

Categorized Reports
This feature allows you to schedule and run default reports, or create custom reports to
run on Spotter, database, or archived data.
To access categorized reports, navigate to Menu > Reports > Categorized Reports.

On the left navigation pane, reports are filtered by category. You can add categories and
create new reports within an existing category.

a: Report Category Filter: Type the report category name to filter records.

b: Total Category: View the total number of report categories.

c: Add Category: Click to create a new report category.

d: Category: View the report categories. By default, the following report categories are
included:
l Auditing

l Incident Management

l Miscellaneous

l Resources Reports

l Spotter Reports

l User Reports

You can click a report category to view the existing default reports available for that
category.

e: Add Report: Click to add a new report.

f: Scheduled Reports: Click to view the scheduled report jobs.

g: Merge Reports: Click to merge two Spotter reports into one.

h: Archived Reports: Click to view the archived reports.

i: Filter: Type the report name or tenant name to search for a report by name or tenant
name.

j: Report Details: Displays the report details such as report name, tenant name, and
available actions.

k: Tenant Name: Displays the name of the tenant the report is assigned to.

l: Edit: Click to edit the report.

m: Schedule: Click to schedule the report job.

n: Delete: Click to delete the report.

o: Download: Click to download the report.

Add a New Report Category


To add a new report category, do the following:
1. Navigate to Menu > Reports > Categorized Reports.

2. Click Add Category from the left pane.

3. In the Add New Category dialog box, enter a unique name in the Category Name
field.


4. Click Save.

The new category will appear in the left navigation pane. To create new reports for this
category, see Create a New Report.

Create a Categorized Report


To create a categorized report, do the following:
1. Navigate to Menu > Reports > Categorized Reports.

2. Click + to create a new report.


3. Complete the following information in the General Details section:

a. Report Name: Enter a unique name for the report.

b. Description: Enter a brief description for the report.

4. Click Save & Next.

5. Complete the following information in the Additional Details section:

a. Report Category: Select an existing report category from the drop-down under which the
new report will appear.

b. Report Visibility (Owner): Select a specific user or group of users who will have
visibility to the report. If no owner is selected, the report is visible to all logged-in
users.

Tip: Click the magnifying glass to open a list of available groups and users. From here,
you can select a group or individual user.


6. Click Assign.

In the Connection Details section, you will set up the report file and connection type. You
can run reports on the following connection types:
Database

The Database option runs the report on data stored in a database. To create a
Database report, complete the following steps:
1. Complete the following information:

a. Choose the source of your report data: Select Database from the drop-down.

b. Tenant Name: Select the tenant name from the drop-down list.


c. Logo: Choose a jpg or png logo that is associated with the report.

d. JRXML template: Choose the JRXML template file to be associated with this
report.

Note: SNYPR integrates with Jasper Reports to use the contents and configurations
of JRXML files as a template for the report. The securonix_home/reports directory
contains over 50 JRXML default files you can use. For more information about
Jasper Reports, see http://community.jaspersoft.com/project/jasperreports-library.
For a complete list of the JRXML files available in
Securonix/tenants/<tenant>/securonix_home/reports, see Report Templates.

e. Character set encoding formats: Choose the character set encoding that will be
used for the CSV reports. By default, UTF-8 encoding is used.

2. Click Save & Next to proceed to the Report Query section.

3. (Optional) Complete the following fields in the Parameters section:

Note: To add additional parameters, click the green plus + sign. To delete
parameters, click the red minus - sign.

a. User-Friendly Name: Enter a name for the parameter.

b. Report Parameter: Enter the JRXML Parameter declared in the Jasper
Report file.


Example:
l The value of the NAME attribute of the parameter tag from the report file

l REPORT_DATA_SOURCE

c. Type of Parameter: Select from the drop-down.

Example: Resource.

d. Mapping: Select from the drop-down.

Example: $ID.

4. Click Save.

Archived Data

The Archived Data option runs the report on historical data stored in HDFS. To
create an Archived Data report, complete the following steps:
1. Provide the following information:
a. Choose the source of your report data: Select Archived Data from the drop-down
list.

b. Tenant Name: Select the tenant name from the drop-down list. In case of
connection type SPOTTER, filtered global tenants will be considered while running
the report.

c. Logo: Choose a jpg or png logo that is associated with the report.

d. JRXML template: Choose the JRXML template file to be associated with this
report.

Note: SNYPR integrates with Jasper Reports to use the contents and configurations
of JRXML files as a template for the report. The securonix_home/reports directory
contains over 50 JRXML default files you can use. For more information about
Jasper Reports, see http://community.jaspersoft.com/project/jasperreports-library.
For a complete list of the JRXML files available in
Securonix/tenants/<tenant>/securonix_home/reports, see Report Templates.

e. Character set encoding formats: Choose the character set encoding that will be
used for the CSV reports. By default, UTF-8 encoding is used.

2. Click Save & Next to proceed to the Report Query section.

3. (Optional) Complete the following fields in the Parameters section:

Note: To add additional parameters, click the green plus + sign. To delete
parameters, click the red minus - sign.

a. User-Friendly Name: Enter a name for the parameter.

b. Report Parameter: Enter the JRXML Parameter declared in the Jasper
Report file.

c. Type of Parameter: Select from the drop-down.

d. Mapping: Select from the drop-down.

4. Click Save.

Spotter

The Spotter option runs the report on data in Solr using Spotter search terms. To
create a Spotter report, complete the following steps:


1. Provide the following information:

a. Choose the source of your report data: From the drop-down list, select
Spotter as the connection type.

b. Logo: Choose JPG or PNG logo to be associated with this report. The file size
should not exceed 100 kilobytes (kB).

c. Currently using the default report template (reportTemplate.jrxml). Do you want
to upload your custom report template instead?: Toggle this setting to YES to
enable custom report templates.

d. Do You Want to Export All Records that matched the report query.: Toggle this
setting to one of the following options:
l NO: Specify a maximum number of records to export.

l YES: The report will export all records for the query.

e. Character set encoding formats: This is used for CSV reports. By default, UTF-8
encoding is used.

2. Provide the following Additional Details:


a. Do you want to export unmasked data even when masking is enabled?: When
enabled, unmasked data is exported in the report.

b. Do you want to export all records that match the report query?: When
enabled, the flag will fetch all entries (up to five million) for a given Spotter
query in reports.

Note: Only the csv format is available for exporting reports, and the zip file is
generated (which includes multiple CSV files).

c. Maximum number of records to export: The maximum number of records that
will be exported in the report. Select the "Add Custom value" option to add a
custom value.

Snypr Datasource Report

The Snypr Datasource Report option runs the report on SNYPR data source. To
create a Snypr Datasource Report, complete the following steps:


1. Provide the following information:

a. Choose the source of your report data: Select SNYPR Datasource Report from
the drop-down.

b. Logo: Select the logo you want to print on the report. To navigate to the appropriate
file location, click Browse.

c. JRXML template: Select the JRXML file of the template associated with this report.
To navigate to the appropriate file location, click Browse.

d. Character Set Encoding Format: Select the character set encoding format
if you are generating the report in CSV format.

2. Click the Report Format Selection title to expand the section.


Incident Management

The Incident Management option runs the report on incident management. To
create an Incident Management report, complete the following steps:
1. Provide the following information:
a. Choose the source of your report data: Select Incident Management from
the drop-down.

b. Tenant Name: Select the tenant name from the drop-down.

c. Logo: Select the logo you want to print on the report. To navigate to the
appropriate file location, click Browse.

d. JRXML template: Choose the JRXML file of the template associated with
this report. To navigate to the appropriate file location, click Browse.

e. Character Set Encoding Format: Select the character set encoding format
if you are generating the report in CSV format.

2. Click the Report Format Selection title to expand the section.

3. Select the reports from the Supported Reports Formats box and click the double
arrows (>>) to move them to the Included Reports Formats box.

4. Click Save & Next to proceed to the Report Query section.

5. (Optional) Complete the following fields in the Parameters section:


Note: To add additional parameters, click the green plus + sign. To delete
parameters, click the red minus - sign.

a. User-Friendly Name: Enter a name for the parameter.

b. Report Parameter: Enter the JRXML Parameter declared in the Jasper
Report file.

c. Type of Parameter: Select from the drop-down.

d. Mapping: Select from the drop-down.

6. Click Save.

Security Command Center

The Security Command Center option runs the report on SCC. To create a SCC
report, complete the following steps:
1. Provide the following information:
a. Choose the source of your report data: Select Security Command Center
from the drop-down.

b. Tenant Name: Select the tenant name from the drop-down.

c. Logo: Select the logo you want to print on the report. To navigate to the
appropriate file location, click Browse.

d. JRXML template: Choose the JRXML file of the template associated with
this report. To navigate to the appropriate file location, click Browse.

e. Character Set Encoding Format: Select the character set encoding format
if you are generating the report in CSV format.

2. Click the Report Format Selection title to expand the section.

3. Select the reports from the Supported Reports Formats box and click the double
arrows (>>) to move them to the Included Reports Formats box.


4. Click Save & Next to proceed to the Report Query section.

5. (Optional) Complete the following fields in the Parameters section:

Note: To add additional parameters, click the green plus + sign. To delete
parameters, click the red minus - sign.

a. User-Friendly Name: Enter a name for the parameter.

b. Report Parameter: Enter the JRXML Parameter declared in the Jasper
Report file.

c. Type of Parameter: Select from the drop-down.

d. Mapping: Select from the drop-down.

6. Click Save.

The new report appears under the category you selected when the Report Details were
configured.

Schedule and Run a Report


To schedule a report to run once now or on a schedule, complete the following steps:
1. Navigate to Menu > Reports > Categorized Reports.

2. Select a report category from the left pane.

3. Locate the report you want, then click the Schedule icon in the Actions column.

4. Complete the following information in the Job Details section:

a. Job Name: Enter a name for the report job.

b. (Optional) Job Description: Enter a brief description for the job.

Note: Fields on the form may vary depending on the type of report and resource on which the
report is to run.

5. Complete the following information in the Report Details section:

a. Report Name: Enter a name for the report.

b. Tenant Information: Select the tenant for which you want to generate the report.

c. Select Report Format: Select the format for the report.

6. Choose an email template from the drop-down list.

7. Complete the following information in the Job Scheduling Information section:

a. Do you want to run Job Once?: Select to run the job once now.

b. Do you want to schedule this job for future?: Select this option, then choose how often to run the job.

8. Click Schedule.

9. Download the report to a file or view the Scheduled Report Jobs.

The report opens in the format you selected in the Report Details section.

Download a Report to File


To download a report to file, complete the following steps:

1. Navigate to Menu > Reports > Categorized Reports.

2. Select a report category from the left pane.

3. Locate the report you want to run, then click the Download icon to run the report.

4. Select the appropriate file format. The following formats are available:
a. PDF

b. XML

c. CSV

d. RTF

e. TXT

f. DOCX

The report will download to your local machine.

Merge Spotter Reports


To merge Spotter reports, complete the following steps:
1. Navigate to Menu > Reports > Categorized Reports.

2. Click the Merge Reports icon.

3. Complete the following information in the Job Details section:

a. Job Name: Enter a name for the report job.

b. (Optional) Job Description: Enter a brief description for the job.

4. Drag desired reports from the List of Available Spotter Reports section to the
Included Reports for Merge in Sequence section.

5. Complete the following information in the Schedule and Email Template Details section:

a. Select Report Format: Select an option from the drop-down. Example: pdf.

b. Choose Email Template: Select the email template you want to use to send the report via
email from the drop-down.

6. Complete the following information in the Job Scheduling Information section:

a. Do you want to run Job Once?: Select to run the job once now.

b. Do you want to schedule this job for future?: Select this option, then choose how often to run the job.

7. Click Schedule.

8. Download the report from Scheduled Reports Jobs when status is complete.

For more information, see Download a Report to File.

Run Reports from Spotter


In addition to the reports you can configure from the Menu > Reports > Categorized
Reports screen, you can run and export reports from the Search Results view in Spotter.
To run reports from Spotter, complete the following steps:

1. Navigate to Menu > Security Command Center > Spotter to conduct a search.

2. Click the Search Results tab, then select Reports > Export Spotter Results.

The option to Export Spotter Results appears in the drop-down along with any Spotter
reports configured under Menu > Reports > Categorized Reports. For information
about how to configure Spotter reports, see Reports.

The Run Spotter Report window appears.

3. Click the Select Report Format drop-down and select a format for the report:
l PDF

l CSV

l XLS

l RTF

l TXT

l DOCX

Note: When the toggle below Select Report Format is disabled, only 1,000 events are exported
in the report.

4. Check the box next to each attribute you want to be included in the report, then click
the right arrow highlighted in blue. Attributes that appear in the User Attributes
column are included in the report.

Note: By default, when the STATS or TOP table queries are used, the attributes display in
the User Attributes (Securonix Attributes) box.

Tip: To select all attributes, check the Select All box in the column header.

5. Click Schedule to save the label and include the attribute in the report.

6. Click Run to run the report and download the report from the Notifications menu when the
status is complete.

Manage an Existing Report/Category


You can delete reports by category or a single report within a category. When you delete
a category, the reports associated with that category are deleted. To retain all of the
reports associated with a category that you plan to delete, you must edit individual reports
and change their categories before you delete the category.

Edit a Category
To edit a category, complete the following steps:
1. Navigate to Menu > Reports > Categorized Reports.

2. Click the edit icon in the left pane next to the category you want to edit.

3. Update the Category Name in the pop-up window.

4. Click Save.

Edit or Delete a Report


To edit a report, locate the report you want to edit, then click the pencil icon at the end of
the row.

To delete a report, locate the report you want to delete, then click the trash icon at the end
of the row.

Auditing
The Auditing feature allows you to audit activity performed in the SNYPR application and
check for log tampering. It maintains a historical record of user actions to provide proof of
compliance and system integrity. The audit trail contains details about each action, including
the date, time, the before and after changes, audit code, and information about the user
associated with the action.
To access the Auditing screen, navigate to Menu > Reports > Auditing. You can take the
following actions on this screen:

a. Configure auditing

b. Download Auditing Report and Log Tampering report

c. Click the Refresh icon to refresh results

d. Enter search criteria to filter results
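The following is an added illustration, not SNYPR code and not a description of how SNYPR stores its audit trail, of what "checking for log tampering" means for an audit trail like the one described above. Each record carries the fields the guide lists (timestamp, user, audit code, before and after values) plus a hash that also covers the previous record's hash, so editing, deleting or reordering any record breaks the chain from that point on. The sample records and audit codes are constructed for the example; the chaining scheme itself is an assumption about the technique, not the product.

```python
"""Hash-chained audit trail with a tamper check (added example, not SNYPR code).

Each record's hash covers its own fields plus the previous record's hash. The
GENESIS value, field names and sample data are assumptions for this example.
"""
import copy
import hashlib
import json
from typing import List, Optional

GENESIS_HASH = "0" * 64  # hypothetical anchor for the first record


def _canonical(record: dict) -> bytes:
    # Deterministic serialization so the same record always hashes identically.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_record(chain: List[dict], timestamp: str, user: str,
                  audit_code: str, before: dict, after: dict) -> dict:
    """Append a record whose hash binds its content to the previous record."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS_HASH
    body = {"timestamp": timestamp, "user": user, "audit_code": audit_code,
            "before": before, "after": after, "prev_hash": prev_hash}
    record = dict(body, hash=hashlib.sha256(_canonical(body)).hexdigest())
    chain.append(record)
    return record


def verify_chain(chain: List[dict]) -> Optional[int]:
    """Return None if the trail is intact, otherwise the index of the first
    record whose content hash or back-link does not check out."""
    prev_hash = GENESIS_HASH
    for i, record in enumerate(chain):
        body = {k: v for k, v in record.items() if k != "hash"}
        if body.get("prev_hash") != prev_hash:
            return i  # a record was removed, inserted or reordered before here
        if hashlib.sha256(_canonical(body)).hexdigest() != record["hash"]:
            return i  # this record's own fields were altered
        prev_hash = record["hash"]
    return None


def build_sample_chain() -> List[dict]:
    """Constructed sample records (not real SNYPR audit data); the audit
    codes reuse activity titles from the auditing table in this guide."""
    chain: List[dict] = []
    append_record(chain, "2023-02-14T09:00:00Z", "alice", "Login Success", {}, {})
    append_record(chain, "2023-02-14T09:05:12Z", "alice", "Edit Role Details",
                  {"role": "analyst", "tenant": "tenant1"},
                  {"role": "admin", "tenant": "tenant1"})
    append_record(chain, "2023-02-14T09:06:40Z", "alice", "Logout", {}, {})
    return chain


def tampered_index(chain: List[dict]) -> Optional[int]:
    """Simulate someone rewriting the privilege change to hide it, then
    report which record the verifier flags (the trail itself is untouched)."""
    forged = copy.deepcopy(chain)
    forged[1]["after"]["role"] = "analyst"  # cover up the escalation to admin
    return verify_chain(forged)


if __name__ == "__main__":
    trail = build_sample_chain()
    print("intact:", verify_chain(trail))          # None
    print("after edit:", tampered_index(trail))    # 1
    print("after delete:", verify_chain(trail[:1] + trail[2:]))  # 1
```

Note that a chain like this only detects tampering by someone who cannot rewrite every later hash as well; the hash of the most recent record has to be anchored somewhere the log writer cannot modify (a separate store, a signed checkpoint, or an external timestamp) for the check to hold against an administrator of the log system itself.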

Configure Auditing Reports


You can configure the types of activity to audit.

Note: Following the SNYPR 6.3.1 upgrade, you can only generate an auditing report for the current
records from Auditing. To generate the auditing report for older records, refer to the Generate
Auditing Report for Old Data section.

1. Navigate to Menu > Reports > Auditing.

2. Click the cog wheel icon, then select Configure Auditing.

3. Select an activity type from the left pane. The following activity types are available:
a. Security Center

b. Operations Center

c. Views

d. Reports

e. Analytics

f. Administration

g. Add Data

h. User Authentication

i. Web Services

j. Content_Dispenser

k. Data Dictionary

l. Configuration Migration

4. Enable the Audit setting to configure auditing activity.

Activity Types Supported for Auditing


The following table describes the types of activity that are supported for auditing:

Activity Type | Title | Description
--- | --- | ---
User Authentication | Login Success | Successful login
User Authentication | Login Failure | Failed login
User Authentication | Logout | Successful logout
User Authentication | Change Password | Successful password change
Views - Users | Create user | Created a new user
Views - Users | Delete All User | Deleted all users
Views - Users | Edit user | Edited a user
Views - Users | Add organization | Added an organization
Views - Users | Remove organization | Removed an organization
Views - Users | Edit organization | Edited an organization
Views - Users | Add peer groups | Added new peer groups
Views - Users | Remove peer groups | Removed peer groups
Views - Users | Edit peer groups | Edited a peer group
Views - Peers | Create New Peer | Created a new peer
Views - Peers | Edit Peer | Edited an existing peer
Views - Peers | Add Member | Added a new member to the peer group
Views - Peers | Remove Member | Removed a member from the peer group
Views - Peers | Edit Peer Group Type | Edited a peer group type
Views - Peers | Delete Peer Group Type | Deleted a peer group type
Views - Resources | Edit Resources | Edited a resource
Views - Watch List | Create Save Watch List | Create a new save watch list
Views - Watch List | Add Selected Members | Add the selected members to a watch list
Views - Watch List | Remove Selected Members | Remove the selected members from a watch list
Views - Watch List | Edit WatchList | Edit an existing watch list
Views - Watch List | Delete WatchList | Delete a watch list
Views - White List | Create Save White List | Create a new save white list
Views - White List | Add Selected Members | Add selected members
Views - White List | Remove Selected Members | Remove selected members
Views - White List | Delete White List | Delete a white list
Lookup Tables | Create Save Lookup Tables | Create a new save lookup table
Lookup Tables | Delete Lookup Tables | Delete lookup tables
Analytics - Policy Violations | Rule Based Policy | Rule based policy
Analytics - Policy Violations | Rule Based HQL Policy | Rule based HQL policy
Analytics - Policy Violations | Behavior Based Policy | Behavior based policy
Analytics - Policy Violations | Composite Policy | Creating composite policy
Analytics - Policy Violations | TIER2 Policy | TIER2 policy
Analytics - Policy Violations | TIER2 HQL Policy | TIER2 HQL policy
Analytics - Access Outliers | Delete Access Outliers | Delete Access Outliers
Analytics - Access Outliers | Configure Access Outliers Job | Configure Access Outliers Job
Analytics - Access Outliers | Run Policy | Run a policy
Analytics - Access Outliers | Delete Job | Delete a policy job
Analytics - Access Reviews Jobs | Configure Access Review Job | Configure an access review job
Analytics - Access Reviews Jobs | Delete Job | Delete a policy job
Analytics - Behavior Profiles | Schedule Behavior Profile Job | Schedule a behavior profile job
Analytics - Threat Modeler | Configure Threat Model | Configure a threat model
Analytics - Threat Modeler | Import Threat Model | Import a threat model
Analytics - Threat Modeler | Export Threat Model | Export a threat model
Analytics - Threat Modeler | Delete Threat Model | Delete a threat model
Reports - Categorized Reports | Create New Report | Create a new report
Reports - Categorized Reports | Run | Run a report
Reports - Categorized Reports | Edit Report | Edit a report
Reports - Categorized Reports | Delete Report | Delete a report
Reports - Categorized Reports | Add Category | Add a new category
Reports - Categorized Reports | Edit Report Categories | Edit a report category
Reports - Categorized Reports | Delete Report Category | Delete a report category
Reports - Schedule Reports | Schedule Report | Schedule a report
Administration - Access Control | Enable/ Disable User | Enable or disable a user
Administration - Access Control | Create User | Create a user
Administration - Access Control | Edit User Details | Edit a user's details
Administration - Access Control | Change Password | Change a user's password
Administration - Access Control | Create role | Create a new role
Administration - Access Control | Edit Role Details | Edit role details
Administration - Access Control | Delete Role | Delete a role
Administration - Access Control | Assign Role to a User | Assign a role to a user
Administration - Access Control | Create Group | Create a group
Administration - Access Control | Password Control | Perform password control tasks
Administration - Connection Types | Add New Connection | Add a new connection
Administration - Connection Types | Upload file | Upload a file
Administration - Connection Types | Download File | Download a file
Administration - Connection Types | Register Connector | Register a connector
Administration - Email Templates | Create a New Email Template | Create a new email template
Administration - Users | Workflow | Save a workflow configuration
Add Data - Data Import | User Import Job | Import user data
Add Data - Data Import | Activity Import Job | Import activity data
Add Data - Data Import | Access Import Job | Import access data
Add Data - Data Import | Glossary Import Job | Import access entitlement definitions
Add Data - Data Import | Resources | Import resource / asset metadata
Add Data - Data Import | Third Party Intelligence Job | Import third party intelligence
Add Data - Data Import | Geolocation / Network Map | Import Geolocation and / or network map
Add Data - Data Import | Account Metadata Job | Import account metadata
Add Data - Data Import | Watch List Job | Import watch list data
Add Data - Data Import | Lookup Data Job | Import lookup data
Add Data - Tasks | Activity Geolocation | Enable geolocation in activity data
Add Data - Tasks | Activity Archival Job | Run archival job on activity data
Add Data - Tasks | Peer Creation / Assignment Rules Job | Create peer assignment rules
Add Data - Tasks | Organization Creation / Assignment Rules Job | Create organization assignment rules
Add Data - Tasks | Index Activity Transactions Job | Run job to index activity transactions
Add Data - Tasks | Event Summarization Job | Run event summarization job
Workbench - Evidence | Save Evidence | Evidence saved successfully
Workbench - Evidence | Delete Evidence | Evidence deleted successfully
Workbench - Evidence | Download evidence image | Evidence image downloaded successfully
Workbench - Evidence | Case link to evidence | Select case to link evidence
Workbench - Evidence | Case unlink to evidence | Select case to unlink evidence

Download/Schedule an Auditing Report


This section explains how to download and schedule the auditing report and the log tampering
report.

Auditing Report
To download or schedule an auditing report, do the following:
1. Navigate to Menu > Reports > Auditing.

2. Click the download icon and select Auditing Report.

3. Complete the following information in the Job Details section:

a. Job Name: Enter a name for the report job.

b. (Optional) Job Description: Enter a brief description for the job.

c. Select Report Format: Select an option from the drop-down. Example: PDF.

4. Complete the following information in the Report Details section:

a. Report Name: Enter a name for the report.

b. StartTime: Click the field to use the calendar control to select the start date and time for the
report.

c. EndTime: Click the field to use the calendar control to select the end date and time for the
report.

d. Tenant Information: Select a tenant or multiple tenants for the report.

e. Select Report Format: Select a format for the report.

5. Choose an email template for the notifications.

6. Complete the following information in the Job Scheduling Information section:

a. Do you want to run Job Once?: Select to run the job once now.

b. Do you want to schedule this job for future?: Select this option, then choose how often to run the job.

7. Click Schedule.

8. Download the report to a file or view the Scheduled Report Jobs.

Log Tampering Report


To download or schedule the log tampering report, do the following:
1. Navigate to Menu > Reports > Auditing.

2. Click the download icon and select Log Tampering.

3. Complete the following information in the Job Details:

a. Job Name: Enter a name for the report job.

b. (Optional) Job Description: Enter a brief description for the job.

c. Choose Email Template: Select an email template for the report.

4. Complete the following information in the Report Details section:

a. Report Name: Enter a name for the report.

b. Start Time: Click the field to use the calendar control to select the start date and time for the
report.

c. End Time: Click the field to use the calendar control to select the start date and time for the
report.

d. Tenant Information: Select a tenant or multiple tenants.

e. Select Report Format: Select an option from the drop-down.

5. Complete the following information in the Job Scheduling section:

a. Do you want to run Job Once?: Select to run the job once now.

b. Do you want to schedule this job for future?: Select this option, then choose how often to run the job.

6. Click Schedule.

7. Download the report to a file or view the Scheduled Report Jobs.

Schedule Report Jobs


The Scheduled Reports Jobs feature allows you to view existing report jobs and schedule
new report jobs for saved reports. The Scheduled Reports Job screen can be accessed in
one of two ways:

l Navigate to Menu > Reports > Scheduled Report Jobs.

l Click the schedule icon beside the search bar on the Categorized Reports screen:

You can take the following actions on report jobs from the Scheduled Report Jobs
screen:

1. Click the back arrow to return to the Categorized Reports screen.

2. Refresh the status of the Scheduled Report Jobs screen.

3. Stop a report job that is in-progress.

4. Re-run a completed report job.

5. Delete an existing report job.

6. Download a report as a PDF.

Views
From the Views screen, you can view general details about users and resources, drill
down into users to view details such as peer groups, access, activity, and behavior profiles,
modify and delete user identities, view and manage Watch Lists, create and manage
White Lists, and view data in Lookup Tables.
The following Views are available in the SNYPR application:
l Users

l Peers

l Resources

l Watch List

l White List

l Lookup Tables

User Views
Users, in the context of the application, refers to all users interacting with the IT infrastructure
of the organization. Users can be employees, contractors, temporary workers,
partners, vendors, suppliers, and even customers.
The User Views feature allows security administrators to view user identity, access and
activity data, peer group memberships, and behavior profiles of individuals, and to modify
imported user identities within the SNYPR application.
Before you can view and manage users, you must import user data into SNYPR. For
more information about importing user data, refer to the User Data section in the SNYPR
Data Integration Guide.

Manage Users
To manage users, navigate to Menu > Views > Users to view and manage user iden-
tities. By default, the list is sorted by Employee ID in ascending order.

Note: The column headings may vary depending on the attributes mapped when importing user
data.

Click the Advanced Options icon in the left navigation panel to view users by department
or division.

Click the filter icon to type text to filter the list of departments or divisions.

Click an ID under the Employee ID column to view user details. For more information, see
View User Details.

Search for Users


To search for users, do the following:
1. Navigate to Menu > Views > Users.

a. Search criteria: Enter the search criteria in the text box. For example, type "Clarke" to search
for users with the last name Clarke.

b. Clear: Click the icon to clear the search criteria text.

c. Advance Search: Click to perform an advanced search.

d. Attribute search: Use the drop-down list to choose the attribute on which to search. For
example, lastname.

e. Search icon: Click the search icon to search. The screen refreshes with the search results.

View User Details


Security administrators can view and monitor General Details, Organizations, Peer
Groups, Access, Activities, and Behavior Profile for each user.
To view the details of a user, navigate to Menu > Views > Users, and then click the
Employee ID for the user you wish to view. By default, the General Details screen
appears. You can use the left navigation pane to view other user data.

General Details
The General Details option displays the identity details for the selected user. The information
displayed on this screen represents the data collected for the user during the import process.

In the lower right corner of the screen is a collapsible menu. When the menu is expanded,
you can select from the following options to jump to that section of the user details:
l General Details

l Contact Details

l Workflow Details

l Employment History

l Custom Properties

l Change History

Peer Groups
A user may belong to one or multiple Peer Groups. These Peer Groups are typically
based on user HR attributes such as job code, title, and manager. The application uses
peer groups to compare the user’s access and activities and determine outlier behavior or
anomalies.

Monitor Access
The Monitor Access option allows you to view the accounts, access privileges, and profiles
held by a user on each resource. To view details of an account, click Account Name.

The Account Details dialogue box includes the following information:

a. General Details about the account including the type, risk score, criticality, and status.

b. Access Details about the account including the values for each attribute mapped to
the account. For example, the employeeID.

Monitor Activities
The Monitor Activities option allows you to view all activities performed by a user across
all resources for a selected period. Click on any data point or field to filter events, enter a
custom Spotter query, or export the search results as Reports. For information about how
to search events and what actions you can take on this screen, see Spotter.

Edit Users
Administrative users can make changes to individual users or groups of users.

Warning: To maintain integrity of user data, any changes to user information should be made in
the source application (HR data source), and then those changes imported into SNYPR from
the source using a data feed. If users are updated in SNYPR, and a new data feed is imported
from the source application, the latest information from the source will overwrite any manual
changes made in SNYPR.

To edit a single user, complete the following steps:


1. Navigate to Menu > Views > Users and click the Employee ID for the user you want to edit.

2. Scroll to bottom of the screen and click Edit.

3. Edit the details for the user and click Update to save the changes, or click Disable to
inactivate the user.

Peer Views
A peer group in SNYPR is defined as a group of users who perform similar job functions.
Users may be grouped based on department, job code, location, and reporting manager.
HR user attributes are typically used for this purpose. You can also derive peer groups
based on resources to which users have access. Any number of peer groups can be
defined based on business requirements. There is no limit to the number of peer groups
that can be created or the number of users assigned to peer groups.

Peer Groups are created to manage access outliers, access logs, and activity logs for the
users that belong to a particular peer group. Policies that search for abnormal behavior
compared to peers also use peer group attributes.

How to Create Peer Groups


You can create new peer groups in two ways:
l Peer Creation Rules: Use existing user identity attributes to form peer groups and assign users
to the groups automatically.

l Peer Assignment Rules: Manually create peer groups and assign users to the groups.

For additional information, see Peer Groups in the SNYPR Data Integration Guide.
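The following added example (not SNYPR code, and not its peer-creation or access-outlier implementation) shows the two ideas above working together: a peer-creation rule that forms peer groups automatically from HR identity attributes, and an access-outlier check that compares each user's entitlements against the rest of the peer group. The grouping attributes (department plus job code), the identity records and the rarity threshold are all assumptions constructed for the example.

```python
"""Peer groups from HR attributes, then access outliers within each group.
Added example, not SNYPR code. USERS, the grouping attributes and the
threshold below are constructed assumptions for illustration only.
"""
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

# Constructed identity records: employee ID -> HR attributes and the
# entitlements imported for that user (not real data).
USERS: Dict[str, dict] = {
    "E100": {"department": "Finance", "jobcode": "ACCT",
             "access": {"erp_gl_view", "erp_ap_post"}},
    "E101": {"department": "Finance", "jobcode": "ACCT",
             "access": {"erp_gl_view", "erp_ap_post"}},
    "E102": {"department": "Finance", "jobcode": "ACCT",
             "access": {"erp_gl_view", "erp_ap_post"}},
    "E103": {"department": "Finance", "jobcode": "ACCT",
             "access": {"erp_gl_view", "erp_ap_post", "prod_db_admin"}},
    "E200": {"department": "IT", "jobcode": "DBA",
             "access": {"prod_db_admin", "backup_restore"}},
    "E201": {"department": "IT", "jobcode": "DBA",
             "access": {"prod_db_admin", "backup_restore"}},
}


def peer_groups(users: Dict[str, dict],
                attrs: Tuple[str, ...] = ("department", "jobcode")) -> Dict[str, Set[str]]:
    """Peer-creation rule (assumed): users with identical values for every
    attribute in attrs form one peer group, named by joining those values."""
    groups: Dict[str, Set[str]] = defaultdict(set)
    for emp, rec in users.items():
        key = "/".join(rec[a] for a in attrs)
        groups[key].add(emp)
    return dict(groups)


def access_outliers(users: Dict[str, dict], groups: Dict[str, Set[str]],
                    max_ratio: float = 0.5,
                    min_peers: int = 3) -> List[Tuple[str, str, float]]:
    """Return (employee, entitlement, peer_ratio) for every entitlement held
    by at most max_ratio of the user's peer group. Groups smaller than
    min_peers are skipped because a ratio over two people means little."""
    results: List[Tuple[str, str, float]] = []
    for members in groups.values():
        if len(members) < min_peers:
            continue
        # How many members of this peer group hold each entitlement.
        holders = Counter(ent for m in members for ent in users[m]["access"])
        for emp in sorted(members):
            for ent in sorted(users[emp]["access"]):
                ratio = holders[ent] / len(members)
                if ratio <= max_ratio:
                    results.append((emp, ent, round(ratio, 2)))
    return results


if __name__ == "__main__":
    groups = peer_groups(USERS)
    for name, members in groups.items():
        print(name, sorted(members))
    # prod_db_admin is normal for the DBA peers but rare among accountants.
    print(access_outliers(USERS, groups))
```

The same entitlement (prod_db_admin) is unremarkable in one peer group and an outlier in another, which is the point of comparing against peers rather than against the whole population; the small-group cutoff avoids flagging everything a two-person group does not share.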

Explore Peer Views


To explore the features for peer views, navigate to Menu > Views > Peers. The following
components display:

a. Filter: Click the icon to expand or collapse the text filter box.

b. Advanced Options: Click the icon to choose whether to show peer groups by type or peer name.
a. Peer Group Type: Lists all the peer groups of a selected Peer Group Type.

b. Peer Name: Lists all the peers within a selected peer group.

c. Text Filter: Type text to filter the list of peer groups shown in the left navigation pane.

d. All Tenants: Select a tenant(s) from the drop-down to filter the peer names that display in the
table.

e. Peer Group Type: Click a peer group type to display all peer groups associated with a
peer group type.

Note: If Peer Name is selected, click a peer group name to view the details for the peer
group.

f. Collapse: Click the icon to collapse the left navigation pane. Click the expand icon: to
expand the left navigation pane.

g. Refresh: Click the icon to return to the default peer views screen.

h. Search Criteria: Type text to search for a peer group name that matches the search text.

i. Clear: Click the icon to clear the search criteria text.

j. Attributes: Click the drop-down to search by a specific peer group attribute.

k. Search: Click the icon to search by the specified search criteria.

l. Peer Name: Click a peer group name to view the General Details, Members, and Behavior
Profile associated with the peer group. For more information, see View Peer Group Details.

View Peer Group Details


To view peer group details, do the following:
1. Navigate to Menu > Views > Peers.

2. Click a Peer Name to view details about the group.

3. Click an option on the left navigation pane to view the following details:

Note: You can edit the Owner field on this screen. Click Update to save.

a. Name: The name that identifies the peer group.

b. Owner: The user that will own the peer group.

c. Criticality: The criticality affects the risk factor of peer group.

d. Type: Select a peer type.

For more information, see View User Details.

Edit Peer Groups


To edit peer groups, do the following:
1. Navigate to Menu > Views > Peers.

2. Click the Peer Name for the peer group you want to edit, change the editable fields on the
General Details screen, and click Update to save.

Resource Views
Resources are the applications, servers, databases, and so on that enable users to perform
various tasks. One resource may contain one or more datasources. For example, Google
is a resource, and the datasources for the resource may include Google Admin and
Google Login.

Explore Resource Views


To view the Resource Views user interface (UI) components, navigate to Menu > Views >
Resources. The following components display on the UI:

1. Filter: Click the icon to expand or collapse the text filter box.

2. Advanced Options: Click the icon to choose whether to show Resources by Type, Category,
IP Address, or Vendor.

3. Text to Filter: Type text to filter the list of resources shown in the left navigation pane.

4. Resource Type: Click a resource name to view the datasources associated with the resource.

5. Exit: Click the icon to exit the left navigation pane. Click the expand icon to expand the left
navigation pane.

6. Search Criteria: Type text to search for a resource name that matches the search text.

7. Clear: Click the icon to clear the search criteria text.

8. Attributes: Click the drop-down to search by a specific resource attribute

9. Name: Click an option under the Name column to view the Resource Details screen. For more
information, see View Resource Details.

View Resource Details


To view resource details, do the following:

1. Navigate to Menu > Views > Resources.

2. Click a resource from the left pane.

3. Click a name from the Name column to view the Resource Details screen.

The following resource details will display in the left pane:


General Details

On the left navigation pane, click this option to view the following information
for the datasource:
l Resource Details: Displays the connection details configured during data import.

l Access/Activity Attributes: Depending on the datasource type, the attributes associated
with the datasource.

Peer Groups

Select a resource in the drop-down list.

Monitor Activities

On the left navigation pane, click Monitor Activities > Events to supervise the
activity event data associated with different data sources.

Click any data point or field to filter events, enter a custom Spotter query, or
export the search results as Reports. For information about how to search
events and the actions you can take on this screen, see Spotter.

Behavior Profile

Behavior profiling analyzes what users do on a company network by collecting all user
privileges, resources, and activities, establishing a baseline of normal behavior, and then
identifying the abnormal or outlier behaviors to bring to the attention of security
administrators. Behavior profiles are generated based on attributes in the datasource, which
are specified during policy creation and selected based on the requirements for the policy.
For example, for the policy Rare Service Creation, if one service account is
created on Windows per day, SNYPR establishes a baseline of one, daily for
the resource. If two service accounts are created on Windows in one day,
SNYPR detects the rare behavior as an outlier, and a violation is generated.

For more detailed information about how behavior profiles are generated,
refer to the Behavior Profiles section in the SNYPR Analytics Guide.
On the Behavior Profile screen for a Resource, you can perform the following
actions:
1. Select a policy that has been configured for the datasource for which to view the
behavior profile.

2. From the Type drop-down, select options to view the Resource Behavior, the Account
Behavior, and the Account Names.

Note: Menu options may vary based on the violation entity selected during
policy creation.

l Resource Behavior shows the baseline activities for the selected resource and any anomalies
that deviated from the baseline across the time line.
o Resource: Select a specific resource from the drop-down to view behavior
profile for that resource.

l Account Behavior shows account behavior across the time line for the
selected resource.

o Resource: Select a specific resource from the drop-down to view the behavior profile for that
resource.

l Account Names shows the behavior profile for the account across a
time line for the selected resource.
o Resource: Select a specific resource from the drop-down to view behavior
profile for that resource.
o Account: Select an account from the drop-down to view events for that
account.

3. Select a time range in which to view the behavior baseline: daily, weekly, monthly, day of
week, or time of day.

4. Click All Attributes to filter the data points on which to view the baseline.

Baseline is defined as the maximum value for a valid cluster.

5. View Valid Clusters on which the profiles are generated. Valid Clusters are a numerical
measure applied to judge various aspects of cluster validity. Multiple groups of similar data
points between minimum frequency and maximum frequency help to create a valid cluster.

6. View a Summary of the events associated with the behavior profile you are viewing. Click
any data point on the baseline to view specific events or enter a custom Spotter query. For
more information about what you can do in this section, see Spotter.

Monitor Events on a Resource


The Monitor Activities section allows you to supervise the activity data for different
datasources. To monitor the activity events for a resource, complete the following steps:
1. Navigate to Menu > Views > Resources.

2. Click a name from the Name column.

3. Click Monitor Activities > Events.

On this screen, you can take the following actions:

a. Click a date on the timeline to see the events that took place on that date.

b. Click a field in an event to choose from the available filter options. For example, if you click
Add to search on a filename field, the filename "marketingplan2017.pptx" is added to the event
filter.

c. In the filter field, you can enter a custom Spotter query. For more information, see Spotter.

d. Click Reports to export the search results as a report. For more information, see Reports.

View Resource Behavior Profiles


Behavior profiling analyzes what users do on a company network by collecting all user privileges, resources, and activities, establishing a baseline of normal behavior, and then identifying the abnormal or outlier behaviors to bring to the attention of security administrators. These behavior profiles are generated based on attributes for the datasource, which are specified during policy creation and selected based on the requirements for the policy.
For example, for the policy Rare Service Creation, if one service account is created on Windows per day, SNYPR establishes a daily baseline of one for the resource. If two service accounts are created on Windows in one day, SNYPR detects the rare behavior as an outlier, and a violation is generated.


For more detailed information about how behavior profiles are generated, refer to Behavior Profiles in the SNYPR Analytics Guide.
On the Behavior Profile screen for a Resource, you can perform the following actions:
1. Select a policy that has been configured for the datasource for which to view the behavior profile.

2. From the Type drop-down, select options to view the Resource Behavior, the Account Behavior, and the Account Names.

a. Resource Behavior: Shows the baseline activities for the selected resource and any deviations from the baseline across the time line.


l Resource: Select a specific resource from the drop-down to view the behavior profile for that resource.

b. Account Behavior: Shows account behavior across the time line for the selected resource.
l Resource: Select a specific resource from the drop-down to view the behavior profile for that resource.

c. Account Names: Shows the behavior profile for the account across the time line for the selected resource.

l Resource: Select a specific resource from the drop-down to view the behavior profile for that resource.

l Account: Select an account from the drop-down to view events for that account.

Note: These options may vary based on the violation entity selected during policy creation.

3. Select a time range in which to view the behavior baseline: daily, weekly, monthly,
day of week, or time of day.

4. Click All Attributes to filter the data points on which to view the baseline. Baseline is
defined as the maximum value for a valid cluster.


5. View Valid Clusters on which the profiles are generated. Valid Clusters are a numerical measure applied to judge various aspects of cluster validity. Multiple groups of similar data points between the minimum frequency and maximum frequency help to create a valid cluster.

6. View a Summary of the events associated with the behavior profile you are viewing.
Click any data point on the baseline to view specific events or enter a custom Spotter
query. For more information about what you can do in this section, see Spotter.
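The baseline and valid-cluster definitions in steps 4 and 5, together with the Rare Service Creation example above, can be modelled in a few lines. The following Python script is an added illustration, not SNYPR's algorithm or code: it aggregates events per calendar day, groups identical daily counts, treats a group as a valid cluster when its frequency falls within an assumed minimum and maximum, takes the baseline as the maximum value across valid clusters, and reports days above the baseline as outliers. The events, the resource name WIN-DC01, the event type labels and the frequency thresholds are constructed for the example.

```python
"""Added illustration of the baseline and valid-cluster definitions above.

This is example code, not SNYPR's algorithm. Simplifying assumptions:
events are aggregated per calendar day, identical daily counts are grouped
into clusters, a cluster is valid when its frequency lies within
[min_freq, max_freq], and the baseline is the maximum value among the
valid clusters. Days above the baseline are reported as outliers.
"""
from collections import Counter
from datetime import datetime

# Constructed sample events: (ISO timestamp, resource name, event type).
# Seven days with one service creation on WIN-DC01, then a day with two.
SAMPLE_EVENTS = [
    ("2023-02-01T09:12:00", "WIN-DC01", "Service Created"),
    ("2023-02-02T10:03:00", "WIN-DC01", "Service Created"),
    ("2023-02-03T08:45:00", "WIN-DC01", "Service Created"),
    ("2023-02-04T11:30:00", "WIN-DC01", "Service Created"),
    ("2023-02-05T09:50:00", "WIN-DC01", "Service Created"),
    ("2023-02-06T14:20:00", "WIN-DC01", "Service Created"),
    ("2023-02-07T09:05:00", "WIN-DC01", "Service Created"),
    ("2023-02-08T09:10:00", "WIN-DC01", "Service Created"),
    ("2023-02-08T16:42:00", "WIN-DC01", "Service Created"),  # second one that day
    ("2023-02-08T16:43:00", "WIN-DC01", "Logon Success"),    # other event type
]


def daily_counts(events, resource, event_type):
    """Count the matching events per calendar day for one resource."""
    counts = Counter()
    for ts, res, etype in events:
        if res == resource and etype == event_type:
            day = datetime.fromisoformat(ts).date().isoformat()
            counts[day] += 1
    return dict(counts)


def valid_clusters(counts, min_freq=2, max_freq=None):
    """Group identical daily values and keep the groups whose frequency
    (number of days showing that value) lies within [min_freq, max_freq]."""
    freq = Counter(counts.values())
    return {
        value: n for value, n in freq.items()
        if n >= min_freq and (max_freq is None or n <= max_freq)
    }


def baseline(counts, min_freq=2, max_freq=None):
    """Baseline = maximum value among the valid clusters (None if no cluster is valid)."""
    clusters = valid_clusters(counts, min_freq, max_freq)
    return max(clusters) if clusters else None


def outliers(counts, base):
    """Days whose count exceeds the baseline; nothing is flagged without a baseline."""
    if base is None:
        return []
    return sorted(day for day, n in counts.items() if n > base)


def profile(events, resource, event_type):
    """Build the behavior profile for one resource and event type."""
    counts = daily_counts(events, resource, event_type)
    base = baseline(counts)
    return {"counts": counts, "baseline": base, "outliers": outliers(counts, base)}


if __name__ == "__main__":
    result = profile(SAMPLE_EVENTS, "WIN-DC01", "Service Created")
    print("baseline:", result["baseline"])      # 1
    print("outliers:", result["outliers"])      # ['2023-02-08']
```

With these thresholds the seven days of exactly one creation form the only valid cluster, so the baseline is 1 and 2023-02-08 is the outlier, which is the situation the Rare Service Creation example describes. Changing `min_freq` shows why the valid-cluster step matters: with `min_freq=1` the single day with two creations would itself become a cluster and raise the baseline to 2.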


Watch List Views


A watch list is a means to place entities on a close watch based on inherent risks. This feature helps to monitor a user, account, host, etc. that is deemed problematic and requires special attention. For example, a user who has an upcoming termination event can be put on a watch list to closely monitor the activities that the user performs. Security analysts are notified if the user performs certain actions such as data exfiltration or inappropriate data access. Another example could be a malware-infected account that is put on a watch list to closely monitor its activities and detect further activities.

Manage Watch Lists


From the Watch List screen, you can view watch lists, manage members in a watch list, and delete watch lists.
To access Watch Lists, navigate to Menu > Views > Watch Lists. You can perform the following actions in the left navigation panel:


a. Watchlist Name: Click the drop-down list to filter by the watch list name or tenant name.

b. Text to Filter: Type text to filter the list or click the Advanced Options menu to search for a specific watch list.

c. Edit: To edit a watch list, click the edit icon. An edit dialog box will appear with the following fields:


1. Do you want to create a new widget on the Security Command Center for this Watchlist?:
l Toggle to YES and provide a new widget name to create a new widget on the Security Command Center.

l Toggle to NO to remove an existing widget from the Security Command Center.

2. Provide New Widget Name: Enter a name for the widget.

3. Click Save. The widget will appear on the Security Command Center.

d. Delete: Click the delete icon to delete a watch list.

When you select a watch list, the list of members appears on the right side of the screen. From here, you can add, remove, or view members in a watch list. Members can be users, activity accounts, network addresses, or resources.

Manage Watch List Members


This section describes how to add and remove members from a Watch List.

Add Members to a Watchlist


To add members to watch lists (lists of users, activity accounts, network addresses, and resources that are deemed problematic and require special attention due to suspicious activity or inherent risk factors), complete the following steps:
1. Navigate to Menu > Views > Watch List.

2. Click the watch list you want to edit from the left pane.

3. Click Add Member(s) to select entities to add to the watch list.


4. Click the drop-down and select the type of entity to be added to the watchlist. The following options are available:
a. User

b. Activity Account

c. IP Addresses

d. Resources

5. Complete the following information:

a. Please choose the resource group from which you want to add entities to the watchlist

b. Input the resource name

c. Input the account names separated by ","

6. Click Next.

7. Complete the following information:


a. Watchlist

b. Expiry Date

c. Location

d. Reason for Watchlisting

8. Click Add to add the entities to the watch list.

Note: If you have a paginated list of users, select and add users one screen at a time; changing
pages may clear any selections. You may change the number of records shown per page to add
multiple users.

Remove Members from a Watchlist


To remove members from a Watch List, do the following:
1. Navigate to Menu > Views > Watch List.

2. Click the watch list you want to edit from the left pane.

3. Click Remove Member(s) to remove entities from the watch list.

A confirmation message will appear to confirm that the member is removed from the
watch list.
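The watch list behaviour described in this section (typed members, an expiry date, a reason for watch-listing, and analysts being notified when a watched entity appears in an event) is shown below as an added Python illustration. It is not SNYPR's code: the watch list names, member values, dates and event field names are constructed for the example, and the mapping from member type to event field is an assumption.

```python
"""Added illustration: watch list membership checks with expiry.

Example code, not SNYPR's implementation. A watch list holds typed members
(User, Activity Account, IP Addresses, Resources) with a reason each and an
optional expiry date; an event is a flat dict whose fields are compared with
the members of every active watch list.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple

# Assumed mapping from watch list member type to the event field it is checked against.
MEMBER_FIELDS = {
    "User": "user",
    "Activity Account": "accountname",
    "IP Addresses": "sourceaddress",
    "Resources": "resourcename",
}


@dataclass
class WatchList:
    name: str
    expiry: Optional[date] = None                      # None = watch indefinitely
    members: Dict[Tuple[str, str], str] = field(default_factory=dict)  # (type, value) -> reason

    def add_member(self, member_type: str, value: str, reason: str) -> None:
        if member_type not in MEMBER_FIELDS:
            raise ValueError(f"unknown member type: {member_type}")
        self.members[(member_type, value)] = reason

    def remove_member(self, member_type: str, value: str) -> bool:
        """Return True when the member existed and was removed."""
        return self.members.pop((member_type, value), None) is not None

    def is_active(self, today: date) -> bool:
        return self.expiry is None or today <= self.expiry


def matches(watchlists: List[WatchList], event: dict, today) -> List[Tuple[str, str, str, str]]:
    """Return (watch list, member type, value, reason) for every member of an
    active watch list that the event references. An expired watch list never
    matches, so it stops generating notifications without being deleted."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    hits = []
    for wl in watchlists:
        if not wl.is_active(today):
            continue
        for (mtype, value), reason in wl.members.items():
            if event.get(MEMBER_FIELDS[mtype]) == value:
                hits.append((wl.name, mtype, value, reason))
    return hits


def build_sample() -> List[WatchList]:
    """Constructed sample watch lists mirroring the two examples in the text."""
    leavers = WatchList("Upcoming Terminations", expiry=date(2023, 3, 31))
    leavers.add_member("User", "jdoe", "Termination scheduled 2023-03-15")
    infected = WatchList("Malware Infected Accounts", expiry=date(2023, 1, 31))
    infected.add_member("Activity Account", "svc_print", "AV detection 2023-01-10")
    return [leavers, infected]


# Constructed sample event: a watched user uploads a file using a watched account.
SAMPLE_EVENT = {
    "user": "jdoe",
    "accountname": "svc_print",
    "sourceaddress": "10.0.0.5",
    "resourcename": "FILESRV01",
    "eventtype": "File Upload",
}

if __name__ == "__main__":
    for hit in matches(build_sample(), SAMPLE_EVENT, "2023-02-14"):
        print(hit)
```

Run on 14 February 2023 the event produces one notification, for the termination watch list; the malware watch list also names an entity in the event but expired on 31 January, which is the point of setting an Expiry Date when a member is added.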


White List
SNYPR uses white lists to exempt entities and attributes from monitoring. You can create the following types of white lists:
l Global White List

l Targeted White List for Policy and Threat Model

l Targeted White List for Functionality

From the White List option, you can only create global white lists, but you can add entities or attributes to all types of white lists.

Global White List


You can create a global white list to exempt any entity from all violations for a tenant. When you add entities to a global white list, SNYPR ignores all violations for the selected entities and does not calculate their risk score. You can select any of the following entities to whitelist:
l Users

l Activity Account

l Resources

l Network Address

l RG Activity Account

You can create a global white list and add entities from the following options:
l White List under Views

l User Import under Add Data

l Add to White List in the Security Command Center (SCC)

Targeted White List for Policy/Threat Model


You can create a targeted white list to exempt attributes for a policy, a set of policies, or threat models. Only for the selected policy, set of policies, or threat models does SNYPR stop flagging violations and calculating the risk score for the selected attributes. For other policies or threat models, SNYPR still includes those attributes in violations and risk scoring.


You can create a targeted white list for a policy or threat model only from the Security Command Center. However, you can add attributes to an existing white list from the following options:
l White List under Views

l Add to White List in the SCC

l Attributes from the SCC widgets

Targeted White List for Functionality


You can create a white list to exempt any attribute or entity for a functionality. A functionality is a group of policies created for a datasource type. Only for the selected functionality does SNYPR stop flagging violations and calculating the risk score for the selected entity or attribute.
You can create a targeted white list for functionality only from the Security Command Center. However, you can add attributes to an existing functionality white list from the following options:
l White List under Views

l Add to White List in the SCC

l Attributes from the SCC widgets

Create Global White Lists


This section explains how to create a global white list and how to assign members to global white lists.
Adding White Lists from View

1. Navigate to Menu > Views > White List.

2. Click + to create a new white list.


3. Provide a unique name for the white list in Whitelist Name. Example: VIP Users.

4. Select an entity type from the following options:

l User

l Activity Account

l Resources

l Network Address

l RG Activity Account

5. Select a tenant from Select Tenant drop-down list to create the white list.

6. Click Save.

Adding Members to Global White List

1. Navigate to Menu > Views > White List.

2. Select a white list from the left navigation pane and click Add Member(s).

3. Complete the following information:


a. Select Datasource: Select the datasource from which you want to whitelist the attributes.

b. Input the resource name: Provide the resource name from which you need to add entities.

c. Enter filter criteria: Enter the following information:

l Select Attribute: Select the attribute. The list displays the attributes from the
selected datasource.

l Select Condition: Select any of the following conditions to apply on the selected
attribute:
l Equals

l Contain

l Does not contain

l Not equal to

l Attribute Value: Enter the whitelist value.


l AND / OR: Select AND or OR if you want to set multiple filter criteria.

l +: Select + to add another filter criterion.

l -: Select - to delete the filter criterion.

d. Comments:

e. Do you want to reduce the risk score for selected entity to zero?: Enable to reduce the risk score of the user. Disable to retain the user's risk score when they violate a policy.

f. Add expiry date?: Enable to specify the duration for which the attributes will be white listed. Disable if you don't want to set an expiration date for white listed attributes.

4. Click Add to add members in the white list.

Adding Members to Global White Lists from SCC

1. Navigate to Menu > Security Center > Security Command Center.

2. Click a violator from the Top Violators widget.

3. Click Take Action and select Add to White List.

4. Select Globally for Whitelist Entity.

5. Perform any of the following:


l Select a white list from the drop-down.

l Select Create New and enter the white list name in New Whitelist Name.

6. Enable Do you want to reduce the risk score for selected entity to zero? to reduce the risk score of the user. Disable to retain the user's risk score when they violate a policy.

7. Enable Add expiry date? to specify the duration the white list attributes will be enabled. Disable if you don't want to set the expiration date.

8. Select the duration the attribute will be white listed in Select Duration. When Add expiry date? is enabled, you have to specify the duration after which the attribute will not be white listed.

9. Click Add to add members in the white list.


Creating White Lists during User Import

1. Navigate to Menu > Add Data > User.

2. Select an existing connection in the Connection Name drop-down.

3. Click Save And Next.

4. Scroll down to the Additional Settings section, then click White List.


1. Select an existing white list from Whitelist Name.

2. Perform any of the following for Do you want to white list this entity indefinitely:
l Select NO and specify the date in Whitelist Until.

l Select YES.

3. Do you want to reduce the risk score for selected entity to zero?: Enable to reduce the risk score of the user. The selected user will be skipped the next time they violate a policy. Disable to retain the user's risk score when they violate a policy.

4. Enter the filter criteria as explained:

l Attribute: Select the attribute. The list displays the attributes from the selected data-
source.

l Condition: Select any of the following conditions to apply on the selected attribute:
l Contain

l Does not contain

l Not equal to

l Equal to

l In

l Greater Than

l Less Than

l Value: Enter the whitelist value.

l AND / OR: Select AND or OR if you have to set multiple filter criteria.

l +: Select + to add one more filter criterion.

l -: Select - to delete the filter criterion.


Create Targeted White Lists


You can whitelist attributes for policies, threat models, or functionality from the following SCC widgets:
l Top Violators widget

l Observables widget

l Top Threats widget

These white lists are displayed in the White Lists option under Views. You can assign more attributes from the White List option, if required.
Add Attributes to Policy White List from SCC

1. Navigate to Menu > Security Center > Security Command Center.

2. Click a violator in the Top Violators section.

3. Click Take Action and select Add to White List.

4. Select For Policies or Threat Models for Whitelist Entity.

5. Enter a policy name to search for a policy.

6. Select a policy.

7. Enable Add expiry date? to specify the duration the white list attributes will be enabled.
Disable if you don’t want to set the expiration date.

8. Select the duration the attribute will be white listed in Select Duration. When Add expiry date? is enabled, you have to specify the duration after which the attribute will not be white listed.

9. Click Add to add members in the white list.

This creates a new White List for the policy. You can add more attributes from the
White List option of View.

Adding Attributes to Targeted White List for Policy

1. Navigate to Menu > Views > White List.

2. Select a white list from the left navigation pane.


3. Click Add Attributes.

Complete the following information:


a. Select Attribute: Select the attributes that you want to whitelist.

b. Enter filter criteria: Enter the following information:

l Select Attribute: Select the attribute. The list displays the attributes from the
selected datasource.

l Select Condition: Select any of the following conditions to apply on the selected
attribute:
l Equals

l Contain

l Does not contain

l Not equal to

l Attribute Value: Enter the whitelist value.

l AND / OR: Select AND or OR if you have to set multiple filter criteria.

l +: Select + to add one more filter criterion.

l -: Select - to delete the filter criterion.


c. Add expiry date?: Enable to specify the duration the white list attributes will be enabled. Disable if you don't want to set the expiration date.

d. Select Duration: Select the duration the white list attribute will be enabled. When Add expiry date? is enabled, you have to specify the duration after which the attribute will not be white listed.

e. Click Add to add members to the white list.

Add Attributes to Functionality White Lists from SCC

1. Navigate to Menu > Security Center > Security Command Center, and then click a violator in the Top Violators section.

2. Click Take Action next to the violator's name, then select Add to White List.

3. Select a white list name from the Whitelist Name drop-down.

4. Select For Policies or Threat Models as the Whitelist entity.

5. Enter a policy name to search for a policy.

6. Select a policy.

7. Enable Add expiry date? to specify the duration the white list attributes will be enabled.
Disable if you don’t want to set the expiration date.

8. Select the duration the white list attribute will be enabled in Select Duration. When Add expiry date? is enabled, you have to specify the duration after which the attribute will not be white listed.

9. Click Add to add members in the white list.

Adding Attributes to Targeted White List for Functionality

1. Navigate to Menu > Views > White List.

2. Select a white list from the left navigation pane.

3. Click Add Attributes.

Complete the following information:


a. Select Attribute: Select the attributes that you want to whitelist.

b. Enter filter criteria: Enter the following information:

l Select Attribute: Select the attribute. The list displays the attributes from the
selected datasource.

l Select Condition: Select any of the following conditions to apply on the selected
attribute:
l Equals

l Contain

l Does not contain

l Not equal to

l Attribute Value: Enter the whitelist value.

l AND / OR: Select AND or OR if you have to set multiple filter criteria.

l +: Select + to add one more filter criterion.

l -: Select - to delete the filter criterion.

c. Add expiry date?: Enable to specify the duration the white list attributes will be enabled. Disable if you don't want to set the expiration date.

d. Select Duration: Select the duration the white list attribute will be enabled. When Add expiry date? is enabled, you have to specify the duration after which the attribute will not be white listed.

4. Click Add to add members in the white list.

This creates a new whitelist for functionality. You can add more attributes from
the White List option of View.
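The white list types introduced at the start of this section (global versus targeted for policies, threat models or functionality), the filter criteria used when adding members (attribute, condition, AND/OR) and the risk-score and expiry options can be checked against a sample violation with the added Python illustration below. It is example code, not SNYPR's implementation: the violation fields, policy and functionality names, white list names and dates are constructed, and the rule that an expired white list is simply ignored is an assumption.

```python
"""Added illustration: applying global and targeted white lists to a violation.

Example code, not SNYPR's implementation. A violation is a flat dict with a
policy name, a functionality and entity attributes. Filter criteria use the
conditions listed in the guide (Equals, Contain, Does not contain, Not equal
to) joined by AND or OR. A white list applies globally, or only to the named
policies/threat models, or only to the named functionality. An expired white
list is ignored (assumption).
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set, Tuple

CONDITIONS = {
    "Equals": lambda actual, expected: actual == expected,
    "Not equal to": lambda actual, expected: actual != expected,
    "Contain": lambda actual, expected: expected in actual,
    "Does not contain": lambda actual, expected: expected not in actual,
}


@dataclass
class Criterion:
    attribute: str
    condition: str
    value: str

    def matches(self, violation: dict) -> bool:
        actual = str(violation.get(self.attribute, ""))
        return CONDITIONS[self.condition](actual, self.value)


@dataclass
class WhiteList:
    name: str
    scope: str                       # "Globally", "For Policies or Threat Models", "For Functionality"
    criteria: List[Criterion]
    joiner: str = "AND"              # AND / OR between criteria
    targets: Set[str] = field(default_factory=set)  # policy/threat model or functionality names
    reduce_risk_to_zero: bool = True
    expiry: Optional[date] = None

    def active(self, today: date) -> bool:
        return self.expiry is None or today <= self.expiry

    def criteria_match(self, violation: dict) -> bool:
        results = [c.matches(violation) for c in self.criteria]
        if not results:
            return False
        return all(results) if self.joiner == "AND" else any(results)

    def applies_to(self, violation: dict, today: date) -> bool:
        if not self.active(today) or not self.criteria_match(violation):
            return False
        if self.scope == "Globally":
            return True
        if self.scope == "For Policies or Threat Models":
            return violation["policyname"] in self.targets
        if self.scope == "For Functionality":
            return violation["functionality"] in self.targets
        raise ValueError(f"unknown scope: {self.scope}")


def evaluate(violation: dict, whitelists: List[WhiteList], today) -> Tuple[bool, int, Optional[str]]:
    """Return (flagged, risk score, name of the white list that applied or None).
    A matching white list suppresses the violation; the score drops to zero only
    when the list was created with the reduce-risk-to-zero option enabled."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    for wl in whitelists:
        if wl.applies_to(violation, today):
            risk = 0 if wl.reduce_risk_to_zero else violation["riskscore"]
            return False, risk, wl.name
    return True, violation["riskscore"], None


def sample_whitelists() -> List[WhiteList]:
    """Constructed sample white lists."""
    return [
        WhiteList("VIP Users", "Globally", [Criterion("user", "Equals", "ceo")],
                  expiry=date(2023, 1, 31)),          # already expired on the sample date
        WhiteList("DC01 service automation", "For Policies or Threat Models",
                  [Criterion("resourcename", "Equals", "WIN-DC01"),
                   Criterion("accountname", "Contain", "svc_")],
                  joiner="AND", targets={"Rare Service Creation"}),
    ]


# Constructed sample violations.
SAMPLE_VIOLATIONS = [
    {"policyname": "Rare Service Creation", "functionality": "Windows Security",
     "user": "svc_backup", "accountname": "svc_backup", "resourcename": "WIN-DC01", "riskscore": 25},
    {"policyname": "Data Exfiltration", "functionality": "Windows Security",
     "user": "svc_backup", "accountname": "svc_backup", "resourcename": "WIN-DC01", "riskscore": 40},
    {"policyname": "Rare Service Creation", "functionality": "Windows Security",
     "user": "ceo", "accountname": "ceo", "resourcename": "LAPTOP-07", "riskscore": 10},
]

if __name__ == "__main__":
    for v in SAMPLE_VIOLATIONS:
        print(v["policyname"], v["user"], evaluate(v, sample_whitelists(), "2023-02-14"))
```

The second violation shows the targeted behaviour described above: the same account on the same resource is still flagged by Data Exfiltration, because the white list is scoped to Rare Service Creation only. The third shows that a global white list stops applying once its expiry date has passed.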

Manage White Lists


To create and manage global and targeted white lists, navigate to Menu > Views > White
List. The following actions are available:


The screen shows the following UI elements (the white list type icons displayed in the product are not reproduced here):

a. Filter: Allows you to filter the white lists that appear in the left navigation pane. When you click the filter icon, it displays a drop-down list and text box. You can filter the whitelist by the following:

b. Add: Allows you to create a new global white list.

l Whitelist Name: The White List name that displays the datasources associated with the white list.

l Whitelist Entity Type: Signifies the white list type. The following white list icons are used:
o Policy

o Functionality

o Activity account

o User

o Resource

o Network address

o RG activity account

o Threat model

l Select Tenant: Represents the tenant where the white list is created.

c. Whitelist Name: The White List name that displays the datasources associated with the white list.

d. Tenant: Represents the tenant where the white list is created.

e. Whitelist Type: Signifies the white list type. The following white list icons are used:
l Policy

l Functionality

l Activity account

l User

l Resource

l Network address

l RG activity account

l Threat model

f. Delete: Allows you to delete the white list.


Search White Lists in Spotter


After a white list has been created and configured, you can use it for searching in Spotter.
Use the following steps to search white list data in Spotter:
1. Navigate to Menu > Security Center > Spotter.

2. Type index=whitelist in the search bar, and then click the search icon.

Lookup Table Views


A Lookup Table is similar to an Excel table. The Lookup Table functions like an index for faster processing, wherein the lookup function is used to find a one-row or one-column range (known as a vector) for a value. The function then returns a value from the same position in a second one-row or one-column range.
For example, an Excel spreadsheet contains Resources to Business unit mappings required to populate the business unit name against the resources table in the application. You can use a pre-processor or a stored procedure to reference this spreadsheet to obtain the corresponding values for each resource name, and then populate the resource table with the business unit name for each resource. The application provides the Lookup Tables as extra tables that can be used according to individual user needs.
For more detailed information and to import lookup data, see Lookup Tables in the SNYPR Data Integration Guide.

View Lookup Tables


The Lookup Tables screen displays lookup data. To view data in Lookup Tables, nav-
igate to Menu > Views > Lookup Tables.


The left navigation panel displays a list of imported Lookup Tables. From the left navigation panel, you can perform the following actions:

a. Filter: Expands the type text to filter search bar.

b. Tenant: Displays which tenant the lookup table applies to. The lookup table can apply to all tenants or a specific tenant.

c. Edit: Allows you to restrict access to the lookup table. When selected, choose one of the following options for the Restrict Access to this lookup table to your user groups? setting:
l NO: When disabled, the lookup table is accessible to all users.

l YES: When enabled, the User Group table displays, allowing you to select which users have access to the lookup table.

d. Delete: Delete the lookup table.

You can also add or delete lookup data. To add lookup data, click the Add Lookup
Records button, located below the search bar.

Tip: To select all your lookup tables at once, check the box in the header row.


The Add Lookup Data dialog box displays. In a multi-tenant deployment, you can add three types of lookup tables:
l Global: The lookup data you add is available across all tenants.

l Tenant: The lookup data you add is only available for a specific tenant.

l Meta: The lookup data you add can be available across all tenants or for a specific tenant. This allows content developers to create a single policy for all tenants, eliminating the need to duplicate and customize policies per tenant.

Limitations: You can only add one column (key) to the meta lookup table.

a. Enter Lookup(Key): Allows you to add multiple records to a lookup table using comma-separated values.

Example: -.zip,.tar,.7z

b. Select Tenant: Select the tenant that should have access to this lookup data.


c. Choose lookup key attribute: Select a lookup attribute from the drop-down list.

d. Encryption enabled?: Set to YES to enable encryption.

To delete a lookup table, check the box next to the lookup table(s) you want to delete,
then click the Delete Lookup Records button.
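The vector lookup described at the start of this section and the tenant scoping of lookup data described just above are shown together in the added Python illustration below. It is example code, not SNYPR's implementation: the table names, keys, values and tenant names are constructed, and the rule that a tenant's own records take precedence over global ones when both contain a key is an assumption made for the example.

```python
"""Added illustration: tenant-scoped lookup tables and vector lookup.

Example code, not SNYPR's implementation. Records are entered as
comma-separated keys (as in the Enter Lookup(Key) field); each record is
scoped to all tenants or to one tenant; a tenant sees its own records plus
the global ones, its own taking precedence (assumption); a value lookup finds
the key in the key vector and returns the entry at the same position in the
value vector, as the section describes.
"""
from typing import List, Optional, Tuple

GLOBAL = "*"   # scope marker for records visible to every tenant


def parse_keys(text: str) -> List[str]:
    """Split the comma-separated key entry, dropping blanks and surrounding spaces."""
    return [k.strip() for k in text.split(",") if k.strip()]


class LookupTable:
    def __init__(self, name: str, key_attribute: str):
        self.name = name
        self.key_attribute = key_attribute          # the "Choose lookup key attribute" setting
        self._rows: List[Tuple[str, str, Optional[str]]] = []   # (scope, key, value)

    def add_records(self, csv_keys: str, scope: str = GLOBAL,
                    values: Optional[List[str]] = None) -> int:
        """Add key-only records (a single column, which is all a Meta table
        allows) or key/value pairs when a values vector of equal length is given.
        Returns the number of records added."""
        keys = parse_keys(csv_keys)
        if values is not None and len(values) != len(keys):
            raise ValueError("values vector must align with the key vector")
        for i, key in enumerate(keys):
            self._rows.append((scope, key, None if values is None else values[i]))
        return len(keys)

    def visible_to(self, tenant: str) -> List[Tuple[str, str, Optional[str]]]:
        """Records a tenant can see: its own first, then the global ones."""
        own = [r for r in self._rows if r[0] == tenant]
        shared = [r for r in self._rows if r[0] == GLOBAL]
        return own + shared

    def contains(self, tenant: str, key: str) -> bool:
        """Membership test, e.g. 'is this file extension in the list for this tenant?'"""
        return any(r[1] == key for r in self.visible_to(tenant))

    def lookup(self, tenant: str, key: str) -> Optional[str]:
        """Vector lookup: position of key in the key vector, value at the same position."""
        rows = self.visible_to(tenant)
        key_vector = [r[1] for r in rows]
        value_vector = [r[2] for r in rows]
        if key not in key_vector:
            return None
        return value_vector[key_vector.index(key)]


def archive_extensions() -> LookupTable:
    """Constructed sample: a key-only list of archive extensions."""
    table = LookupTable("ArchiveExtensions", "filename_extension")
    table.add_records(".zip,.tar,.7z")             # available to all tenants
    table.add_records(".rar", scope="tenantB")     # only visible to tenantB
    return table


def resource_business_units() -> LookupTable:
    """Constructed sample: resource name to business unit mapping."""
    table = LookupTable("ResourceBusinessUnit", "resourcename")
    table.add_records("WIN-DC01,FILESRV01", values=["IT", "Finance"])
    table.add_records("FILESRV01", scope="tenantB", values=["Legal"])   # tenant override
    return table


if __name__ == "__main__":
    ext, bu = archive_extensions(), resource_business_units()
    print(ext.contains("tenantA", ".rar"), ext.contains("tenantB", ".rar"))   # False True
    print(bu.lookup("tenantA", "FILESRV01"), bu.lookup("tenantB", "FILESRV01"))  # Finance Legal
```

The first table is the pattern the Enter Lookup(Key) field supports directly (one key column); the second carries a value column and is the resource-to-business-unit mapping the section uses as its example. Looking up FILESRV01 returns Finance for tenantA and Legal for tenantB, which is what tenant-specific lookup data is for.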
