Aanval's search mechanism is important to understand: beyond basic searching and reporting, it is also a powerful console management tool.
There are two primary ways to access it. One is the Advanced Search input box, usually found in the header portion of the console; the other is the Search display.
Full-text searching is supported, and text searches can be mixed freely with any combination of keywords.
Search keywords
| Time | Event | Object | Miscellaneous |
| --- | --- | --- | --- |
| recent:[#] | risk:[1-5] | sensor:[#] | limit:[#] |
| today: | sport:[#] | incident:[#] | unified2: |
| yesterday: | dport:[#] | tag:[#] | syslog: |
| lasthour: | sip:[IP] | | delete: |
| lastweek: | dip:[IP] | | |
| | ip:[IP] | | |
| | protocol:[#] | | |
| | signature:[#] | | |
| | class:[#] | | |
Types of search keywords
There are two primary types of search keyword format in Aanval. Both require a colon (:) to immediately follow the keyword, with no spaces.
a) keyword - a bare keyword performs a predetermined action in Aanval. For example, "unified2:" limits a search to unified2 events only, and "today:" limits it to events imported today.
b) keyword with parameter - keywords with parameters are the most common; they require a value to be passed immediately after the colon. For example, "recent:1000" returns the 1000 most recent events in the console.
Time
recent:[#]
The recent keyword returns the X most recent events imported into the console, where X is the number given after the keyword.
Example: "recent:1000"
today:
The today keyword limits search results to the events that have been imported during the current day.
Example: "today:"
yesterday:
The yesterday keyword limits search results to the events that have been imported since the previous day.
Example: "yesterday:"
lasthour:
The lasthour keyword limits search results to the events that have been imported within the last hour.
Example: "lasthour:"
lastweek:
The lastweek keyword limits search results to the events that have been imported within the last week.
Example: "lastweek:"
Event
risk:[1-5]
The risk keyword limits search results to events that match the risk value provided after the keyword. Risk levels are numbered 1 through 5. 1 is the highest, while 5 is the lowest risk level.
Example: "risk:1"
sport:[#]
The sport keyword limits search results to events that match the source port value provided after the keyword.
Example: "sport:8080"
dport:[#]
The dport keyword limits search results to events that match the destination port value provided after the keyword.
Example: "dport:8080"
sip:[IP]
The sip keyword limits search results to events that match the source IP address value provided after the keyword.
Example: "sip:10.1.20.101"
dip:[IP]
The dip keyword limits search results to events that match the destination IP address value provided after the keyword.
Example: "dip:10.1.20.101"
ip:[IP]
The ip keyword limits search results to events that match the source or destination IP address value provided after the keyword.
Example: "ip:10.1.20.101"
protocol:[#]
The protocol keyword limits search results to events that match the protocol value provided after the keyword.
Example: "protocol:6"
signature:[#]
The signature keyword limits search results to events that match the signature ID value provided after the keyword. Signature IDs are the associated signature numbers that the engine provides with every alert.
Example: "signature:2802"
class:[#]
The class keyword limits search results to events that match the class ID value provided after the keyword. Class IDs (or category IDs) are the associated class numbers that the engine provides with every alert.
Example: "class:22"
Object
sensor:[#]
The sensor keyword limits search results to events that match the sensor ID value provided after the keyword. The sensor ID value can be found in the sensor configuration display.
Example: "sensor:1"
incident:[#]
The incident keyword limits search results to events that match the incident ID value provided after the keyword. The incident ID value can be found in the incident summary / configuration display.
Example: "incident:1"
tag:[#]
The tag keyword limits search results to events that match the tag ID value provided after the keyword. The tag ID value can be found in the tag summary / configuration display.
Example: "tag:1"
Miscellaneous
limit:[#]
The limit keyword simply limits search results to the number of events provided by the value after the keyword.
Example: "limit:1000"
unified2:
The unified2 keyword simply limits search results to events from unified2 sensors.
Example: "unified2:"
syslog:
The syslog keyword simply limits search results to events from syslog sensors.
Example: "syslog:"
delete:
The delete keyword is an irreversible delete option that gives no warning: it immediately deletes all events that would otherwise be returned by the search.
WARNING - the use of this command provides no warnings or confirmations. It deletes instantly, and is not reversible.
Example: "spam delete:"
This example would instantly delete all events matching the word "spam".
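As an added example (not Aanval's own code), the following Python pre-flight checker tokenises a query string into the two keyword forms described above, validates each parameter against the keyword table, and refuses to hand over any query that contains delete: so the same query can first be run without it to see what would be removed. The value kinds (#, IP, 1-5) and the treatment of an unrecognised "word:" token as plain full-text are assumptions, not documented Aanval behaviour.

```python
import ipaddress
import re

# Keyword table transcribed from the page. Value kinds (an assumption about how
# the console validates them): None = bare keyword, "#" = integer, "IP" = IP
# address, "1-5" = risk level.
KEYWORDS = {
    "recent": "#", "today": None, "yesterday": None, "lasthour": None, "lastweek": None,
    "risk": "1-5", "sport": "#", "dport": "#", "sip": "IP", "dip": "IP", "ip": "IP",
    "protocol": "#", "signature": "#", "class": "#",
    "sensor": "#", "incident": "#", "tag": "#",
    "limit": "#", "unified2": None, "syslog": None, "delete": None,
}
DESTRUCTIVE = {"delete"}  # irreversible, no confirmation prompt

TOKEN = re.compile(r"^([a-z0-9]+):(.*)$")  # keyword, colon, optional parameter


def parse_query(query):
    """Split a search string into (keyword, value) pairs and free-text terms.
    Returns (keywords, terms, errors); errors describe malformed parameters."""
    keywords, terms, errors = [], [], []
    for tok in query.split():
        m = TOKEN.match(tok)
        if not m or m.group(1) not in KEYWORDS:
            terms.append(tok)  # assumed: anything else is a full-text term
            continue
        key, val = m.group(1), m.group(2)
        kind = KEYWORDS[key]
        if kind is None and val:
            errors.append(f"{key}: takes no parameter (got {val!r})")
        elif kind == "#" and not val.isdigit():
            errors.append(f"{key}: needs a number (got {val!r})")
        elif kind == "1-5" and val not in {"1", "2", "3", "4", "5"}:
            errors.append(f"{key}: risk level must be 1-5 (got {val!r})")
        elif kind == "IP":
            try:
                ipaddress.ip_address(val)
            except ValueError:
                errors.append(f"{key}: needs an IP address (got {val!r})")
        keywords.append((key, val))
    return keywords, terms, errors


def preflight(query):
    """Return (ok, messages). ok is False for syntax errors or a delete: query."""
    keywords, _terms, errors = parse_query(query)
    if any(k in DESTRUCTIVE for k, _ in keywords):
        errors.append("delete: removes every matching event irreversibly; "
                      "run the same query without delete: and review the hits first")
    return (not errors), errors
```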