This article gives an overview of the event browser and the procedures for writing SQL queries to fetch event logs from it, and for saving those queries for later use in the Resolution Intelligence Cloud.
Event browser
Event logs record every event that happens in your IT systems. The security team can use this information to identify suspicious activity on the network and detect vulnerabilities. To fetch the event logs stored on the Google Cloud platform, use the Event browser. It is available only to users who have Google Chronicle enabled. It provides an intuitive interface for querying the events table with SQL, so you do not have to navigate the Google Cloud platform to fetch events.
There are also sample SQL snippets available to retrieve the columns you want from the events table seamlessly.
Fetching event logs from the event browser
Use this procedure to fetch event logs from the event browser.
To fetch event logs from the event browser:
1. Navigate to SECURITY > Event browser from the hamburger menu. The Event browser page appears. The filter fields shown depend on the level at which you are working:
- Domain level: the Organizations and Tenants fields are shown, and you can filter the event logs by organization and tenant.
- Organization level: only the Tenants field is shown; select the tenant whose event logs you want to fetch.
- Tenant level: none of these fields is shown.
[Screenshots: Event browser page at Domain level, Organisation level, and Tenant level]
2. Enter the SQL query in the event search box to fetch the columns you need from the events table. As you type, the column names available in the events table are suggested for selection.
3. Click Format Query to fix the indentation before you execute the query.
4. Click Run to execute the query and fetch the event log records. You can export the results to a CSV file using the Export CSV option.
5. Click Save to save the query for future use after you have executed it. All saved queries are stored in the Query library, where you can view them.
To start a fresh search, clear the previous query using the Clear option.
If you need help constructing the SQL query, click the Help icon to see sample syntax, commonly used keywords, common use cases for queries, best practices for writing queries, and additional documentation. Click the expand or collapse button to expand or collapse the tabs in the help section of the event browser.
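The following query is an added example of the kind of statement you would enter in the event search box; it is not taken from the page or from the product's own sample queries. The table name events comes from the page, but every column name (event_time, event_type, principal_ip, target_user, result) and every literal value in it is an assumption: replace them with the names the search box suggests as you type. The date arithmetic assumes BigQuery's TIMESTAMP_SUB function, since the events are stored on Google Cloud; adjust it to the dialect the event browser accepts. The query summarises repeated failed logins per source address and target account over the last 24 hours, which is a more useful starting point for triage than listing raw rows.

```sql
-- Added example, not from the original page or product.
-- Assumed column names: event_time, event_type, principal_ip, target_user, result.
-- Assumed literal values: 'USER_LOGIN', 'FAILURE'.
SELECT
  principal_ip,
  target_user,
  COUNT(*)        AS failed_attempts,
  MIN(event_time) AS first_seen,
  MAX(event_time) AS last_seen
FROM events
WHERE event_type = 'USER_LOGIN'   -- assumed event type value
  AND result = 'FAILURE'          -- assumed outcome value
  -- assumed BigQuery date arithmetic: only the last 24 hours of events
  AND event_time >= TIMESTAMP_SUB(CURRENT_TIMESTAMP(), INTERVAL 24 HOUR)
GROUP BY principal_ip, target_user
HAVING COUNT(*) >= 10             -- threshold is an assumption; tune to your baseline
ORDER BY failed_attempts DESC
LIMIT 100;
```

Paste the query into the event search box, click Format Query to tidy the indentation, then Run. If the result set is worth keeping, use Export CSV to take a copy, and Save to add the query to the Query library so the same check can be repeated without retyping it.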
Saving the query
Use this procedure to save the SQL query.
To save an SQL query:
1. On the event browser screen, click Save. The Save query window opens.
2. Provide the query name and description in the respective fields.
3. Click Save to save this query.
Viewing and deleting saved queries
Use this procedure to view the saved SQL queries so you can reuse them later, or to delete queries you no longer need. If there are many queries, use the search to locate the one you want.
To view and delete saved queries:
1. On the event browser screen, click Query library to view all the saved SQL queries. A side panel opens, listing the saved searches.
2. Review the SQL query information in the following table:
Field name | Field description |
---|---|
Name | The name of the event query. |
Description | The description of the event query. |
Saved Query | The SQL query that was saved. |
Created By | The email address of the user who saved the query. |
3. Click the delete button next to the saved query you want to delete. A confirmation dialog opens.
4. Click Yes to delete the query, or No to cancel.
Using the Sample queries
Use this procedure to run the sample queries provided in the event browser and fetch the required information.
1. On the event browser screen, click Query library to view all the saved SQL queries. A side panel opens, listing the saved searches.
2. Click the Sample Queries tab and review this information:
Field name | Field description |
---|---|
Name | The name of the SQL query. |
Description | The description of the SQL query. |
Sample query | The example SQL query that you can use in the event browser to fetch event logs. |
3. Click the sample query name link. The selected query is loaded into the event search box on the event browser page, where you can execute it.
4. In the sample query editor of the Query library, click the copy icon to copy the sample query so you can paste it wherever required.