Now that you have a dashboard with several security panels you can enhance the functionality for deeper investigation. One approach is to apply search parameters which allow you to filter down the amount of information displayed.
In this lab we are going to add lookup tables to one of our previously created search parameters for easy investigation. You will create a lookup table and then change one of the previously created search parameters to use the lookup for a list of values.
Add a lookup table to the Parameter
- To add a lookup table, you will first need to create the table by using this query. On the last line, replace <your_initials###> with your initials, then run the query for the Last 24 hours.
| json field=_raw "userIdentity.sessionContext.sessionIssuer.userName" as actor
| count by actor
| fields - _count /* this removes the count leaving only the actors */
| save shared/<your_initials###>_aws_actor_list /* puts the actors into a lookup table */
- A confirmation popup will appear asking you to confirm that you are not overwriting existing data you may want to keep.
Next you will want to verify the contents of your lookup table. Open a new Log Search query and display the contents using the following code. Again, you will need to replace <your_initials###> with your initials in the query.
The lookup table will look like this.
Note that your lookup table may not look exactly the same, but it will be similar.
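As an added example that is not part of the lab, the saved actor list can also serve as a baseline for detection, not only as a parameter source: the query below lists CloudTrail actors seen in the selected time range that are absent from the lookup table. It assumes the lab's CloudTrail search scope (placeholder <your_source_scope>) and the lookup path and initials placeholder used above; `lookup ... as` and `isNull` are standard Sumo Logic operators.

```sumo
// Added example, not the lab's own query. Replace <your_source_scope> with the
// scope the lab's CloudTrail search uses and <your_initials###> as in the lab.
<your_source_scope>
| json field=_raw "userIdentity.sessionContext.sessionIssuer.userName" as actor
| where !isNull(actor)
// Join against the table created with "save"; rows with no match get a null known_actor
| lookup actor as known_actor from shared/<your_initials###>_aws_actor_list on actor=actor
| where isNull(known_actor)   // keep only actors missing from the baseline list
| count by actor
| sort by _count
```

Any actor returned here was active but not in the list when it was saved, so it is a candidate for review and, once verified, for re-running the save query to refresh the baseline.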
Manage parameters for using lookups
Now you will modify the actor parameter to use the lookup table. This will allow easy pivots to different actors for further investigation. In the SOC_<your_initials###> dashboard open any of the five queries. In the upper right of the panel, click Show in Search.
- In the Parameters window, go to actor and click the details icon. Click Manage Parameter Settings.
- A popup called Manage Parameter Settings will appear. The upper part will already be filled out correctly. Verify that your Default Value equals *. Using the wildcard allows you to see everything with no filters applied. Click Set Values for Parameter to expand it, and then in the Select a format dropdown click Lookup.
Under Lookup file point to the lookup table you just created, /shared/<your_initials###>_aws_actor_list, and under Select a field for Values select actor.
Click Save. To see the lookup table in action with this query, return to your query's Parameters window. In actor, delete the wildcard asterisk. A list of actors from the lookup table will appear. Select one of the actors and watch the results pivot to the data for the actor you chose. You now have a lookup filter that makes it very easy to investigate any actor.
Ideally you would repeat this lab for all 5 panels in the SOC_<your_initials###> dashboard you started. For now pick one more dashboard panel query of your choice and repeat. This will help in the next lab, where you will learn how to filter at the dashboard level.
Using Filters for panels or dashboards
If you add a filter to a specific panel by clicking the Filter icon for the panel and then clicking Add Filter, the filter you select is added to the dashboard and linked to that specific panel. If you change the value, it will affect only the panel that's linked to it. See Create a filter in this topic. To see which panels are linked to a filter, hover over the blue filter icon in the filter box.
Quiz (True or False?)
- To display a lookup table I used the command cp.
- Search parameters allow me to pivot quickly to any metadata values.
- I use the save operator to create a lookup table.
Congratulations! You’ve completed these tasks:
- Created a lookup table.
- Verified your lookup table.
- Created a lookup parameter.
- Displayed the parameter's lookup table options to pivot on.