The Events feature lets you view events that have occurred in your UpGuard application. You can monitor and track both user-triggered and time-triggered events.

All events detected by the UpGuard platform, from user logins to policy failures, can be accessed via the events page. More importantly, you can set up specific views of these events, and set up actions to create processes around them.

Accessing Events

Events can be found under the Control section of the website.

Viewing Details of an Event

There are many different types of events. When viewing the list, the type appears at the left of each row, followed by a description of the event and a timeframe indicating when the event was created.

In addition to a type, each event has a set of associated properties (called variables). To view the variables of an event, click the event row to expand it.

Event Views

When you first access Events, you are placed in the default All events view. This view shows a reverse chronological list of every event detected by UpGuard in your platform.

To get the most out of events, though, you will want to focus on specific views of them. There are 3 main categories of event views:

  1. Global Views - these views are set up for all UpGuard accounts. They cannot be deleted or modified.
  2. Organization Views - these views are custom to the organization you are currently in, and can be seen by all users in that organization.
  3. My Views - these views can only be seen by the user who set them up.

Filtering Events & Creating Views

Events can be filtered using the search box at the top of the event list. For more information, please refer to Event Filter Syntax.

To filter events, start by selecting the event type you would like from the dropdown options.

Once a type is specified, you can add filters for both common attributes and event-specific variables. These are the common attributes available through filters:

  • Environment
  • Group (Node Group)
  • Start (Start Date/Time)
  • End (End Date/Time)

For example, a query for all policies run between two days in a default environment would look like this:

  type=Policy Ran AND environment=Default AND start=2017-08-15 AND end=2017-08-16

It will return the following results:

To add filters based on event variables, you must add the prefix "variables." before the variable name, e.g.:

  type=Node Scanned AND group=Active Directory AND variables.status=success

This will return any results that match the query including the named event variable.
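
The filter rules described above, written as a small Python linter. This is an added example, not UpGuard code: it assumes only the AND-joined key=value form shown on this page (the full grammar is in Event Filter Syntax), and `parse_filter` and `lint_filter` are hypothetical names.

```python
import re
from datetime import datetime

# Common attributes listed on this page; any other key must be an event variable.
COMMON = {"environment", "group", "start", "end"}

def parse_filter(query):
    """Split an AND-joined filter into ordered (key, value) pairs."""
    pairs = []
    for clause in re.split(r"\s+AND\s+", query.strip()):
        key, sep, value = clause.partition("=")
        if not sep or not key.strip() or not value.strip():
            raise ValueError(f"clause is not key=value: {clause!r}")
        pairs.append((key.strip(), value.strip()))
    return pairs

def _day(value):
    """Parse the YYYY-MM-DD form used in the page's example; None otherwise."""
    try:
        return datetime.strptime(value, "%Y-%m-%d").date()
    except ValueError:
        return None

def lint_filter(query):
    """Return a list of problems found in a filter string (empty means OK)."""
    try:
        pairs = parse_filter(query)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    # Assumption: the event type is the first clause, as in the page's examples.
    if pairs[0][0] != "type":
        problems.append("filter must start with type=<event type>")
    for key, _ in pairs[1:]:
        if key == "type":
            problems.append("type given more than once")
        elif key not in COMMON and not key.startswith("variables."):
            # Typical slip: an event variable written without its prefix.
            problems.append(f"unknown attribute {key!r}; did you mean 'variables.{key}'?")
    bounds = dict(pairs)
    start, end = _day(bounds.get("start", "")), _day(bounds.get("end", ""))
    if start and end and start > end:
        problems.append("start is after end")
    return problems

if __name__ == "__main__":
    # Constructed input: the variable name is missing its prefix.
    print(lint_filter("type=Node Scanned AND status=success"))
```

Running a check like this before saving a filter as a view helps avoid views (and any actions built on them) that silently match nothing because of a mistyped attribute.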

Saving a Filter as a View

When viewing a filtered list of events, the star icon to the left of the filter indicates whether the current filter already exists as a view. If the star is empty, no view exists for the filter. To add a view for the filter, click the star icon. A dropdown will appear asking whether you wish to create an Organization or Personal view.

Choose the scope of your view by clicking one of the options to bring up the save view dialogue:

Give the view a name and click Add to save it. It will now be available in the left navigation bar under the relevant section.

It is also possible to add views from the left nav by clicking the Add View button for the relevant type.

Event Actions

The real power of Events comes from the ability to create actions based on specific views. This enables you to tie events that UpGuard detects into your own processes.

For example:

  Create a ticket in JIRA when a policy fails

or:

  Send an email to security if a non-company user logs in

To find out more about creating and using Event actions, please refer to Event Actions.
