Using Tables

Tables appear on many different screens in many different contexts, from tables of users to tables of events. This page describes how tables work in Stellar Cyber.

Common Controls

Several controls appear on most tables, allowing you to control the table itself:

• Use Search to use Lucene syntax to search within all pages of table (not just the currently displayed page).

• Click Export as CSV to download the table as a CSV file, suitable for import to a spreadsheet application. You can choose to export the table with the displayed columns only, or all columns, even if not displayed.

  

  You can export up to 100,000 rows of a table displaying Interflow data (for example, the table available in the Alerts page). For all other tables (for example, the System | Collection | Sensors table), there is no export limit.

• Click the column name to sort the table on that column. The and buttons tell you which column is being sorted on, as well as the direction of the sort.

• Tables listing alerts include an Add to Case button that lets you either create a new case based on the selected alerts or add them to an existing case.

• Hover over a column heading until the cursor changes to a pointed hand. Then, click and drag to rearrange columns in the table.

• Click a cell to see additional actions you can perform, from copying the contents of the cell to the clipboard to using the cell data as an include or exclude filter. The exact actions depend on the table and cell data type; see the example below:

  Not all cells provide this functionality. If the cursor changes to a pointing hand, you can click for additional actions.

  

  Depending on the type of data displayed, you may have access to more complex options for drilling elsewhere in Stellar Cyber, as described in Performing Field Actions and illustrated below.

  

• Click the refresh button to refresh the table.

Column Controls

Actions

Several controls allow you to perform actions on the items in the table:

• Click Create to add an item. The item added depends on the table; the Create button only appears on tables where you can add items. For example, it appears on the User, Tenant, and Automated Threat Hunting Playbooks tables, because you can add all of those items. It does not appear on any events tables, because you cannot add events.

• Click to edit an item.

• Click to delete an item.

• Click to see more information about an event in the events table.

Bulk Actions

Event tables allow you to perform bulk actions on multiple events at once. To modify multiple events, click the checkboxes next to the events you want to modify. The bulk actions become available, as illustrated below.

Depending on the table and data displayed, you can:

• Add to a case
• Add a comment
• Change event status
• Change event tags
• Change the assignee

Add a Comment

To add comments to the selected events:

1. Click Add a Comment. The ADD A COMMENT dialog box appears.
2. Enter your comment.
3. Click Submit. The comment is immediately added to the selected events.

To remove a comment, simply apply a blank comment.

Change Event Status

To change the status of the selected events:

1. Choose Event Status in the bulk actions drop-down.
2. Choose the new status.
3. Click Apply. The new status is immediately applied to the selected events.

The default event status filter is All Open. So if you change the status of events to Closed or Ignored, they disappear from the view.

Change Event Tags

To change the tags of the selected events:

1. Choose Event Tags in the bulk actions drop-down.
2. Choose the tag from the drop-down.
3. Click Apply. The tag is immediately applied to the selected events.

You can also Delete or Clear All tags.

Change the Assignee

To change the assignee on the selected events:

1. Choose Assignee in the bulk actions drop-down.
2. Choose the new assignee.
3. Click Apply. The new assignee immediately replaces the old assignee.

Table Navigation

Tables in Stellar Cyber include standard controls to move between multiple pages of data. As illustrated in the figure below, you can use the following tools to speed your way through multiple pages of data:

• See the total number of table entries across all pages.

• Change the number of entries per page.

• Scroll forward or backward a single page of data.

Using Table Filters and the Search Bar

You can also set filters directly from table cells. Once set, they appear in the Filters panel. This section provides some tips on using the global search bar, table filters, and the filters panel to find what you're looking for:

Searching for a Specific Interflow Key and Value

You can search for Interflow keys with specific values in a table in several ways:

• Find the key and value in a table and use the Filter For button to search for matching records. Once you add a term as a filter in this way, it automatically appears in the Filter Panel at the left of the display, too. For example, in the figure below, we're searching for Process Names matching the displayed value.

  

• Add the Interflow key directly in the Filter Panel. If the attribute you want to search for is not already listed in the panel, you can use the Add new filter functionality to add it. Then, supply the value in the field. For example:

  

Searching for a Value Without a Key

If you know the value you want to search for but aren't certain of the Interflow key (for example, a number), your best route is the global search bar at the top of all Stellar Cyber pages. Take advantage of the full Lucene syntax to search for partial matches, fuzzy matches, and so on.

Excluding Values from a Table

Sometimes, it can be useful to narrow a search by temporarily excluding all records with a certain Interflow key value. This is the perfect time to use the Filter Out button in a table cell. For example, in the figure below, we're excluding all records matching the selected Host Name:

Removing Some Filter Criteria

You can remove individual filter criteria from the current search by clicking their standard delete (X) icons in the filter panel. For example:

Removing All Filter Criteria

You can remove all filter criteria by clicking the handy Clear all button at the top of the filter panel. For example:

Searching for a Specific Alert Type

You can search the Alerts table for all alerts of a specific type using either the global search bar or a table filter in the Alert Type column:

• Use the global search bar to search the Alerts table for all alerts of a specific type by including the Interflow key of xdr_event.display_name followed by the name of the Alert Type you want to search for in quotation marks. For example, to search for the Recently Registered Domains alert type, you would enter the following in the search bar:

  

• Use a table filter in the Alert Type column as follows:

  1. Click the "hamburger" menu in the Alert Type column header.

  2. Navigate to the Filter tab in the context menu that appears.

  3. Start typing the name of the alert type for which you want to search in the text box.

  4. When the matching alert type appears, click its box to apply the filter.

     The filter appears at the top of the table, as in the figure below:

     

Search Tips

• When using table data as a filter, be aware of whether the data includes multiple values. For example, the figure below shows values of both modular_sensor and Linux_agent for the data_sources Interflow key. Rather than using the Filter For button to add this entire term as a search filter, try manually supplying one or the other in the Filters panel at the left of the display.

  

Other Filters that Affect Data Display (Tenant Selection & Indices)

As you navigate Stellar Cyber, notice these primary settings that affect data visibility in conjunction with the other settings you make in both the toolbar and the filters panel.

Tenant Filter

The Tenant selection menu is displayed at the top of the Stellar Cyber interface. While the tenant selection is not in the filter controls, selecting a tenant filters the results just as any other filter. You can also select All Tenants to essentially remove that filter. If your role is a tenant admin or user, your tenant is automatically selected and cannot be changed. This maintains privacy between tenants.

If you change a filter from All Tenants to a specific tenant, it is possible that the data displayed under All Tenants is not in scope for the tenant you selected. In that case, an error page displays to advise of the cause with a link to the Stellar Cyber home page. Navigate to your original location and perform the desired action with the desired tenant, which ensures the objects visible to that tenant are available for display.

Indices

The Data Lake stores data in indices. Each index is used for a different purpose depending on what the source of data is. For example, there is one index for Linux events and another for Syslog records. When building your filter, remember that:

• The search results always display data from a single index.
• The filter controls do not include a control for which index is used to produce the results. This parameter is usually supplied invisibly by the current page.
• On the XDR Kill Chain Home Page the Alerts index is used. Other pages might use a different index depending on their function.
• The Investigate | Threat Hunting page defaults to the Alerts index; a menu is available from this page for you to change the index to match the threat type you are investigating. Select one or more indices to complement the filter you set in the toolbar.

The indices are defined here.

Can't Use Table Buttons?

If you see buttons at the top of a table that are grayed out and unavailable, it's likely that you need to select one or more items in the table to enable them. Try checking the boxes of a few items in the table and see if the buttons become available.