Self-service search
What is self-service search?
The self-service search feature enables you to find and filter user events received from your data sources. You can explore the underlying user events and its attributes. These events help you to identify any data issues and troubleshoot them. The search page displays various facets (dimensions) and metrics for a data source. You can define your search query and apply filters to view the events that match your defined criteria. By default, the self-service search page displays user events for the last one month.
Currently, the self-service search feature is available for the following data sources:
Also, you can perform self-service search on the events that met your defined policies. For more information, see Self-service search for Policies.
How to access self-service search
You can access the self-service search by using the following options:
-
Top bar: Click Search from the top bar to view all user events for the selected data source.
-
Risk timeline on a user profile page: Click Event Search to view the events for the respective user.
Self-service search from the top bar
Use this option to go to the self-service search page from any place in the user interface.
-
Click Search to view the self-service page.
-
Select the data source and the time period to view the corresponding events.
Self-service search from user’s risk timeline
Use this option if you want to view the user events associated with a risk indicator.
When you select a risk indicator from a user’s timeline, the risk indicator information section is displayed on the right pane. Click Event Search to explore the events associated to the user and the data source (for which the risk indicator is triggered) on the self-service search page.
For more information on the user risk timeline, see Risk timeline.
How to use self-service search
Use the following features on the self-service search page:
-
Facets to filter your events.
-
Search box to enter your query and filter events.
-
Time selector to select the time period.
-
Timeline details to view the event graphs.
-
Event data to view the events.
-
Export to CSV format to download your search events as a CSV file.
Use facets to filter events
Facets are the summary of data points that constitute an event. Facets vary depending on the data source. For example, the facets for the Access Control data source include reputation, actions, location, category group. Whereas facets for Virtual Apps and Desktops include event type, domain, platform.
Use the facets to filter and focus on the required user events. For more information on the facets corresponding to each data source, see the self-service search article for the data source mentioned earlier in this article.
Use search query in the search box to filter events
When you place your cursor in the search box, the search box displays a list of dimensions based on the events received from the data source. Use the dimensions to define your search criteria and search for the events.
For example, in self-service search for access, you get the following dimensions for the access events. Enter your query by using these dimensions, select the time period, and then click Search.
Select time to view event
Select a preset time or enter a custom time range and click Search to view the events.
View the timeline details
The timeline provides a graphical representation of user events for the selected time period. Move the selector bars to choose the time range and view the events corresponding to the selected time range.
The figure shows timeline details for access data.
For example, you want to view the events that have occurred between July 08, 2019 to July 10, 2019. Use the selector bars to select the required timeline area and view the events corresponding to the selected area.
View the event
You can view the detailed information about the user event. Click a user to get insight into their data.
The figure shows the details about the user’s access data.
Add columns in the event table
You can add columns and select the data points that you want to display in the event table. Do the following:
-
Click + to add columns for the data points.
-
In the Add Columns window, select the data points and then click Add Columns.
If you deselect a data point from the Add Columns list, the corresponding column is removed from the event table. However, you can view the data point after expanding the event row for a user. For example, if you deselect the TIME data point from the Add Columns list, the TIME column is removed from the event table. To view the time record, expand the event row for a user.
Export the events to a CSV file
You can export the searched events to a CSV file and save the report for future reference. Click Export to CSV format to export the events and download the CSV file that is generated.
Supported operators in search query
You can also use the following operators in your search queries.
| Operator | Description | Example | Output |
|---|---|---|---|
| : | Assign a value to the search query | User-Name : John | Displays events for the user John |
| = | Assign a value to the search query | User-Name = John | Displays events for the user John |
| ~ | Search similar values | User-Name ~ test | Displays events having similar user names |
| ”” | Enclose values separated by spaces | User-Name = “John Smith” | Displays events for the user John Smith |
| <, > | Search for relational value | Data Volume > 100 | Displays events where data volume is greater than 100 GB |
| AND | Search values where both conditions are true | User-Name : John AND Data Volume > 100 | Displays events of user John where data volume is greater than 100 GB |
| * | Search values that match the character zero or more times | User-Name = John* | Displays events for all user names that begin with John |
| User-Name = *John* | Displays events for all user names that contain John | ||
| User-Name = *Smith | Displays events for all user names that end with Smith | ||
| != | Search values where the condition is not true | Country != USA | Displays events for the countries except USA |
The NOT EQUAL (!=) operator can be used only in the following conditions:
| Data source | Dimensions |
|---|---|
| Access Control | Country, City, Action, URL, URL Category, Reputation, Browser, OS, Device |
| Content Collaboration | Country, City, Client OS |
| Gateway | Authentication Stage, Client IP |
| Virtual Apps and Desktops | Country, City, App Name, Clipboard Operation, Browser, OS |
Note
For the NOT EQUAL operator, while entering the values for the dimensions in your query, use the exact values available on the self-service search page for a data source. The dimension values are case-sensitive.
For more information on how to specify your search query for the data source, see the self-service search article for the data source mentioned earlier in this article.