All events detected by the UpGuard platform, from user logins to policy failures, can be accessed via the Events page. More importantly, you can set up specific views of these events and attach actions to those views to build processes around the events.
To view events logged with the system, navigate to Control > Events.
Viewing Details of an Event
There are many different types of events. When viewing the list, the type can be seen at the left of each row, followed by a description of the event and a timeframe indicating when the event was created.
In addition to a type, each event has a set of associated properties (called variables). To view the variables of an event, click the event row to expand it.
When first accessing Events you will be placed in the default All events view. This view shows you a reverse chronological list of every event detected by UpGuard in your platform.
To get the most use out of events, though, you will want to focus on specific views of the events. There are 3 main categories of event views:
- Global Views - these views are set up for all UpGuard accounts. They cannot be deleted or modified.
- Organization Views - these views are custom to the organization you are currently in, and can be seen by all users in that organization.
- My Views - these views can only be seen by the user who set them up.
Filtering Events & Creating Views
Events can be filtered using the search box at the top of the event list. For more information, please refer to Event Filter Syntax.
To filter events, start by specifying the event type you want from the dropdown options.
Once a type is specified, you can add filters for both common attributes and event-specific variables. These are the common attributes available through filters:
- Group (Node Group)
- Start (Start Date/Time)
- End (End Date/Time)
For example, a query for all policies run between two days in a default environment would look like this:
type=Policy Ran AND environment=Default AND start=2017-08-15 AND end=2017-08-16
It will return the following results:
To add filters based on event variables, you must add the prefix variables. before the variable name, e.g.:
type=Node Scanned AND group=Active Directory AND variables.status=success
This will return any results that match the query including the named event variable.
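The two queries above, parsed and evaluated locally, as an added example that is not UpGuard code. The event field names, the exact-match and inclusive start/end semantics, and the sample events are assumptions constructed for illustration; the parser rejects a filter that does not start with type= or that names an event variable without the variables. prefix.

```python
from datetime import date

COMMON = {"type", "environment", "group", "start", "end"}  # attributes seen in the page's queries

def parse_filter(query):
    """Split 'k=v AND k=v' into (attrs, variables); values may contain spaces."""
    attrs, variables = {}, {}
    clauses = [c.strip() for c in query.split(" AND ")]
    if not clauses[0].startswith("type="):
        raise ValueError("filter must start with type=<event type>")
    for clause in clauses:
        key, sep, value = clause.partition("=")
        key, value = key.strip(), value.strip()
        if not sep or not value:
            raise ValueError(f"malformed clause: {clause!r}")
        if key.startswith("variables."):
            variables[key[len("variables."):]] = value
        elif key in COMMON:
            attrs[key] = value
        else:
            raise ValueError(f"{key!r} is not a common attribute; did you mean variables.{key}?")
    return attrs, variables

def matches(event, attrs, variables):
    """Assumed semantics: exact string match, start/end inclusive on the event's date."""
    day = date.fromisoformat(event["created"])
    if "start" in attrs and day < date.fromisoformat(attrs["start"]):
        return False
    if "end" in attrs and day > date.fromisoformat(attrs["end"]):
        return False
    for key in ("type", "environment", "group"):
        if key in attrs and event.get(key) != attrs[key]:
            return False
    return all(event.get("variables", {}).get(k) == v for k, v in variables.items())

# Constructed sample events (not real UpGuard output; field names are assumptions).
EVENTS = [
    {"type": "Node Scanned", "group": "Active Directory", "created": "2017-08-15",
     "variables": {"status": "success"}},
    {"type": "Node Scanned", "group": "Active Directory", "created": "2017-08-15",
     "variables": {"status": "failure"}},
    {"type": "Policy Ran", "environment": "Default", "created": "2017-08-16", "variables": {}},
    {"type": "Policy Ran", "environment": "Default", "created": "2017-08-20", "variables": {}},
]

def run(query):
    """Return the constructed events that satisfy the filter string."""
    attrs, variables = parse_filter(query)
    return [e for e in EVENTS if matches(e, attrs, variables)]
```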
Saving a Filter as a View
When viewing a filtered list of events, the star icon to the left of the filter indicates whether the current filter already exists as a view. If it is empty, no view exists for the filter. To add a view for the filter, click the star icon. A dropdown will appear asking whether you wish to create an Organization or Personal view.
Choose the scope of your view by clicking one of the options to bring up the save view dialogue:
Give the view a name and click Add to save it. It will now be available in the left navigation bar under the relevant section.
It is also possible to add views from the left nav by clicking the Add View button for the relevant type.
The real power of Events comes from the ability to create actions based on specific views. This enables you to tie events that UpGuard detects into your own processes. For example:
- Create a ticket in JIRA when a policy fails
- Send an email to security if a non-company user logs in
To find out more about creating and using Event actions please refer to Event Actions.