Self-service search

The self-service search feature enables you to find and filter user events received from your data sources. You can explore the underlying user events and their attributes, which helps you identify data issues and troubleshoot them. The search page displays various facets (dimensions) and metrics for a data source. You can define a search query and apply filters to view only the events that match your criteria. By default, the self-service search page displays user events for the last month.

Currently, the self-service search feature is available for the following data sources:

You can access the self-service search by using the following options:

  • Top bar: Click Search from the top bar to view all user events for the selected data source.

  • Risk timeline on a user profile page: Click Event Search to view the events for the respective user.

Self-service search from the top bar

Use this option to go to the self-service search page from any place in the user interface.

  1. Click Search to view the self-service page.

    Top bar search

  2. Select the data source and the time period to view the corresponding events.

    Top bar search page

Self-service search from user’s risk timeline

Use this option if you want to view the user events associated with a risk indicator.

When you select a risk indicator from a user’s timeline, the risk indicator information section is displayed on the right pane. Click Event Search to open the self-service search page and explore the events associated with the user and the data source for which the risk indicator was triggered.

Risk timeline search

For more information on the user risk timeline, see Risk timeline.

Use the following features on the self-service search page:

Search explore

Use facets to filter events

Facets are a summary of the data points that constitute an event. Facets vary depending on the data source. For example, the facets for the Access Control data source include reputation, actions, location, and category group, whereas the facets for Virtual Apps and Desktops include event type, domain, and platform.

Use the facets to filter and focus on the required user events. For more information on the facets corresponding to each data source, see the self-service search article for the data source mentioned earlier in this article.

Use search query in the search box to filter events

When you place your cursor in the search box, the search box displays a list of dimensions based on the events received from the data source. Use the dimensions to define your search criteria and search for the events.

For example, in self-service search for access, you get the following dimensions for the access events. Enter your query by using these dimensions, select the time period, and then click Search.

Search query

You can also use the following operators in your search queries.

| Operator | Description | Example | Output |
| --- | --- | --- | --- |
| : | Assign a value to the search query | User-Name : John | Displays events for the user John |
| = | Assign a value to the search query | User-Name = John | Displays events for the user John |
| ~ | Search similar values | User-Name ~ test | Displays events having similar user names |
| "" | Enclose values separated by spaces | User-Name = "John Smith" | Displays events for the user John Smith |
| <, > | Search for relational value | Data Volume > 100 | Displays events where data volume is greater than 100 GB |
| AND | Search values where both conditions are true | User-Name : John AND Data Volume > 100 | Displays events of user John where data volume is greater than 100 GB |
| * | Search values that match the character zero or more times | User-Name = John* | Displays events for all user names that begin with John |
|  |  | User-Name = *John* | Displays events for all user names that contain John |
|  |  | User-Name = *Smith | Displays events for all user names that end with Smith |

For more information on how to specify your search query for the data source, see the self-service search article for the data source mentioned earlier in this article.
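The operator semantics from the table, applied offline to a list of events such as rows loaded from a CSV export. This is an added example, not the product's implementation. The function names, the sample events, case-insensitive comparison, and treating `~` as a substring match are assumptions made here.

```python
import re

# One condition: <dimension> <operator> <value>; a value with spaces must be quoted.
COND = re.compile(r'^\s*(?P<dim>[^:=<>~"]+?)\s*(?P<op>[:=<>~])\s*(?P<val>"[^"]*"|\S+)\s*$')
# Split on AND only when it sits outside double quotes.
AND_SPLIT = re.compile(r'\s+AND\s+(?=(?:[^"]*"[^"]*")*[^"]*$)')
CURLY = {0x201C: '"', 0x201D: '"'}  # curly quotes pasted from rendered docs

def parse_query(query):
    """Return [(dimension, operator, value), ...] for an AND-joined query."""
    conditions = []
    for part in AND_SPLIT.split(query.translate(CURLY).strip()):
        m = COND.match(part)
        if not m:
            raise ValueError(f"cannot parse condition: {part!r}")
        conditions.append((m["dim"], m["op"], m["val"].strip('"')))
    return conditions

def _matches(event, dim, op, val):
    if dim not in event:
        return False
    field = event[dim]
    if op in "<>":  # relational operators compare numerically
        try:
            left, right = float(field), float(val)
        except (TypeError, ValueError):
            return False
        return left > right if op == ">" else left < right
    text, val = str(field).lower(), val.lower()  # assumption: case-insensitive
    if op == "~":  # assumption: "similar" approximated as a substring match
        return val in text
    # ':' and '=' are equality; '*' matches zero or more characters
    pattern = ".*".join(re.escape(piece) for piece in val.split("*"))
    return re.fullmatch(pattern, text) is not None

def search(events, query):
    """Return the events that satisfy every condition in the query."""
    conds = parse_query(query)
    return [e for e in events if all(_matches(e, *c) for c in conds)]

# Constructed sample events; dimension names follow the table's examples.
EVENTS = [
    {"User-Name": "John", "Data Volume": 250},
    {"User-Name": "John Smith", "Data Volume": 40},
    {"User-Name": "Johnny", "Data Volume": 120},
    {"User-Name": "Anna Smith", "Data Volume": 300},
]
```

Queries copied from rendered documentation often carry curly quotes; `parse_query` normalizes them so `User-Name = “John Smith”` parses the same as the straight-quoted form.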

Select time to view event

Select a preset time or enter a custom time range and click Search to view the events.

Time selection

View the timeline details

The timeline provides a graphical representation of user events for the selected time period. Move the selector bars to choose the time range and view the events corresponding to the selected time range.

The figure shows timeline details for access data.

Timeline details

For example, suppose you want to view the events that occurred between July 08, 2019 and July 10, 2019. Use the selector bars to select the required timeline area and view the events corresponding to the selected area.

Selector bar

View the event

You can view the detailed information about the user event. Click a user to get insight into their data.

The figure shows the details about the user’s access data.

Events

Add columns in the event table

You can add columns and select the data points that you want to display in the event table. Do the following:

  1. Click + to add columns for the data points.

    Add more events

  2. In the Add Columns window, select the data points and then click Add Columns.

    Add columns

If you deselect a data point from the Add Columns list, the corresponding column is removed from the event table. However, you can view the data point after expanding the event row for a user. For example, if you deselect the TIME data point from the Add Columns list, the TIME column is removed from the event table. To view the time record, expand the event row for a user.

Hidden attributes

Export the events to a CSV file

You can export the searched events to a CSV file and save the report for future reference. Click Export to CSV format to export the events and download the CSV file that is generated.

CSV export