Filtering data in User view

Chronicle User view enables you to better understand how users within an enterprise might be impacted by security events. By focusing on the behavior of individual users, security administrators can search for activity indicating an account compromise or other security concern.

  1. To open User view, enter the username or email address of a user within your enterprise in the search field.

    Figure: Search for a user from the landing page

  2. Click SEARCH to pivot to User view.

  3. Select the user from the USERS dropdown menu.

    Figure: Autodetected user menu

  4. User view is displayed.

    Figure: User view

  5. Click the right arrow in the Detections column in the left navigation panel.

    Figure: Raw Log details pop-up window

  6. Click the Filter icon in the top-right corner of the Chronicle user interface. The Procedural Filtering menu opens as shown in the following figure.

    Figure: Filtering menu

    The following Procedural Filtering options are available in User view:

    • AUTH TYPE
    • EVENT TYPE
    • LOG SOURCE
    • OUTCOME
    • PRINCIPAL LOCATION
    • TARGET APPLICATION

Summary of visual elements in the view

Chronicle includes the following user interface elements to help you investigate any issues that might be present within your enterprise:

| Element | Description |
| --- | --- |
| Time slider | The time slider allows you to adjust the time period under examination. You can adjust the slider to view between one minute and one day of events. Available only in: Enterprise Insights, Asset view, IP Address view, Domain view, Hash view, User view, Rules Dashboard, Rules Editor. |
| Prevalence | Prevalence measures the number of assets within your enterprise that have connected to a specific domain over the past seven days. Available only in: Asset view, IP Address view, Domain view, Hash view. |
| Right Navigation Panel | |
| Expand all | Expands all the collapsed items. |
| Collapse all | Collapses all the expanded items. |
| Reset | Displays the default view and includes All (there are exceptions). |
| Show all | Includes all the items. |
| Hide all | Excludes all the items. |
| Include | Includes the excluded items. Hovering over the icon provides a preview in green. |
| Exclude | Filters out the selected item. Hovering over the icon provides a preview in orange. |
| Exclude others | Filters out the other items except the selected item. |
| Left Navigation Panel | |
| Expand all | Expands all the collapsed items. |
| Collapse all | Collapses all the expanded items. |
| Wrap text | Wraps text to the next line when it reaches the right margin; otherwise the text is displayed on one line only. |
| Unwrap text | Displays the text on one line only. |
| Actions | Download as CSV - Download the information in CSV format. View first 50 results in VirusTotal Graph - provides the option to view 50 results on one page. |
| Search rows | Provides an option to enter a keyword to search each row. |