Performing Field Actions

In Stellar Cyber table views, many fields, such as URLs, hosts, user names, and IP addresses, allow actions. You can access these options by clicking the field itself, or the more button to the right of the field. Examples below illustrate the options that may appear. If an option is not applicable to the selected data, it is not displayed (such as a Whois lookup on a private rather than a public IP address).

In certain parts of Stellar Cyber, IP addresses and hostname fields may not have a more button. Click the field value itself to display the field actions menu.

Following are the possible actions:

User Detail View

To see the user details:

  1. Click the more button next to the Username. The Actions list appears.
  2. Click User Detail View. You are immediately taken to the User Details page.

This action only appears if the user information is in the event record.

Asset Detail View

To see the asset details:

  1. Click the more button next to an asset. The Actions list appears.
  2. Click Asset Detail View. You are immediately taken to the Asset Details page.

This action only appears if the asset information is in the event record.

Whois Lookup

This menu option is displayed when the selected field is srcip, dstip, srcip_host, or dstip_host and the IP address is in the public range. When the option applies and you select it, a dialog is displayed with the available lookup information.
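The same applicability rule can be reproduced in your own triage scripts. This is an added example, not Stellar Cyber code: it treats "public range" as Python's `ipaddress.is_global`, and the mapping of the `*_host` fields to a companion IP field, the helper names, and the sample records are assumptions made for the illustration.

```python
import ipaddress

# Field names come from the page. Mapping each *_host field to its companion
# IP field is an assumption made for this example.
WHOIS_FIELDS = {"srcip": "srcip", "dstip": "dstip",
                "srcip_host": "srcip", "dstip_host": "dstip"}


def is_public_ip(value):
    """Return True only for globally routable IPv4/IPv6 addresses."""
    try:
        ip = ipaddress.ip_address(str(value).strip())
    except ValueError:
        return False  # hostnames, empty strings, garbage
    # Judge IPv4-mapped IPv6 (::ffff:a.b.c.d) by the embedded IPv4 address.
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    # is_global excludes RFC 1918, loopback, link-local, CGNAT (100.64/10),
    # IPv6 unique-local (fc00::/7) and other reserved ranges.
    return ip.is_global


def whois_applicable(field, record):
    """Would a Whois lookup make sense for this field of this event record?"""
    ip_field = WHOIS_FIELDS.get(field)
    return ip_field is not None and is_public_ip(record.get(ip_field, ""))


# Constructed sample event records (not real data).
SAMPLE_EVENTS = [
    {"srcip": "10.1.2.3", "dstip": "8.8.8.8", "dstip_host": "dns.google"},
    {"srcip": "100.64.0.7", "dstip": "2001:4860:4860::8888"},
    {"srcip": "::ffff:192.168.1.5", "dstip": "fd00::1"},
]


def whois_candidates(events):
    """Return the sorted, de-duplicated public IPs worth looking up."""
    found = set()
    for event in events:
        for field in ("srcip", "dstip"):
            if whois_applicable(field, event):
                found.add(event[field])
    return sorted(found)


if __name__ == "__main__":
    print(whois_candidates(SAMPLE_EVENTS))
```

Note that carrier-grade NAT space (100.64.0.0/10) and IPv4-mapped private addresses are rejected here even though a plain RFC 1918 check would let them through.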

Add as Including Filter

This action creates a filter to display only those events containing the value in the field. For example, to see only those events with the same source IP address as the event you're looking at:

  1. Click the more button next to the Src IP field. The Actions list appears.
  2. Click Add as Including Filter. The filter is immediately applied and the page is updated.

Add as Excluding Filter

This action filters out those events containing the value in the field. For example, to remove events with the same source IP address as the event you're looking at:

  1. Click the more button next to the Src IP field. The Actions list appears.
  2. Click Add as Excluding Filter. The filter is immediately applied and the page is updated.

ZOOM Lateral View

To open the ZOOM lateral view with the field and value already populated:

  1. Click the more button next to the field. The Actions list appears.
  2. Click ZOOM Lateral View.

The ZOOM feature is deprecated in 4.3.7 and will be removed in a future release.

ZOOM Chronicle View

To open the ZOOM chronicle view with the field and value already populated:

  1. Click the more button next to the field. The Actions list appears.
  2. Click ZOOM Chronicle View.

The ZOOM feature is deprecated in 4.3.7 and will be removed in a future release.

360 View Panoramic

To open the panoramic view with the URL or IP address as the filter:

  1. Click the more button next to the URL or IP address. The Actions list appears.
  2. Click 360 View Panoramic.

See About the Panoramic View for more information.

VT VirusTotal Lookup

To open a new tab looking up the URL or IP address on VirusTotal:

  1. Click the more button next to the URL or IP address. The Actions list appears.
  2. Click VT VirusTotal Lookup.

Copy to Clipboard

To copy the field value to your clipboard:

  1. Click the more button next to the field. The Actions list appears.
  2. Click Copy to Clipboard.