Event Relation

Event relation provides a mechanism by which a single controlled event can be manually related to other audited events to provide an audit trail for security analysts and administrators.

EXAMPLE: A Security Administrator log-in outside of business hours on the IBM i used for core banking is detected as a threat. The security analyst can relate every action performed by that user from the log-in until they logged off the system, and attach those events as evidence during the analysis before closing the event.

Using Event Relation

From the Event Manager display, click on the eye symbol next to the event that you want to investigate further by relating additional events. The Overview screen is displayed. Click the Investigate tab.

By default, all of the events that occurred within a minute either side of the selected event are displayed.

Selecting column information

For most columns in the Investigate display, you can select additional information to include in the related event.

Search

If the Investigate display for the selected event returns a large number of related events, use the Search facility to pinpoint the ones that you want to link.

Type the full alphanumeric text of the entry that you want to search for into the Search box and press Enter. Alternatively, enter partial text together with the wildcard '*' to find all entries that match the text-and-wildcard pattern. For example, typing LocalHost and pressing Enter finds all entries containing LocalHost. Typing Loc* finds any entry that begins with 'Loc', and typing *loc* finds any entry that contains the letters 'loc' anywhere in the text, including the middle.

TIP: The Search facility is active across all fields.

Time range

By default, all events that occurred within one minute either side (prior to and following) of the selected event are shown on this display.

You can increase the time range to include more events if required. The minimum time period is one minute.

To change the time range, either type a new value over the existing entry or use the up and down arrows to increase or decrease the value in one-minute steps. The display refreshes automatically whenever the time range is changed.

Search for other events matching

In addition to the free-text Search facility, there are four pre-defined fields that let you search on the attributes most likely to relate other events to the selected one.

  • Operator Name: Retrieves all events in the time range that have the same operator name as the selected event.
  • Source Machine Name: Retrieves all events in the time range that have the same source machine name as the selected event.
  • Destination Machine Name: Retrieves all events in the time range that have the same destination machine name as the selected event.
  • Object Name: Retrieves all events in the selected time range that have the same object name as the selected event.

Click next to an attribute to select it. Multiple selections are permitted. The display automatically refreshes when a selection is made.
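The three filters described above (the time range, the free-text wildcard Search across all fields, and the four attribute matches) can be modelled as a single pipeline. The following is an added example written for this page, not the product's own code; the event field names (operator, source, destination, object), the sample events, and three behaviours the page leaves unstated (case-insensitive matching, AND semantics when several attributes are selected, and omitting the selected event from its own results) are assumptions.

```python
"""Model of the Investigate display filters: time window, wildcard search, attribute match."""
import re
from datetime import datetime, timedelta

# Constructed sample events for illustration only; the field names are assumed.
EVENTS = [
    {"id": 101, "time": "2024-03-02T02:14:05", "operator": "QSECOFR",
     "source": "WS-ADMIN07", "destination": "IBMI-CORE01", "object": "SIGNON",
     "text": "Security administrator sign-on outside business hours"},
    {"id": 102, "time": "2024-03-02T02:13:50", "operator": "QSECOFR",
     "source": "WS-ADMIN07", "destination": "IBMI-CORE01", "object": "SIGNON",
     "text": "Password validated"},
    {"id": 103, "time": "2024-03-02T02:14:20", "operator": "BATCHUSR",
     "source": "LocalHost", "destination": "IBMI-CORE01", "object": "BANKLIB/POSTJOB",
     "text": "Scheduled job started"},
    {"id": 104, "time": "2024-03-02T02:14:40", "operator": "QSECOFR",
     "source": "WS-ADMIN07", "destination": "IBMI-CORE01", "object": "BANKLIB/CUSTMAST",
     "text": "Record lock obtained for update"},
    {"id": 105, "time": "2024-03-02T02:15:30", "operator": "QSECOFR",
     "source": "WS-ADMIN07", "destination": "IBMI-CORE01", "object": "QSYS/QAUDJRN",
     "text": "Audit journal receiver changed"},
    {"id": 106, "time": "2024-03-02T02:40:00", "operator": "QSECOFR",
     "source": "WS-ADMIN07", "destination": "IBMI-CORE01", "object": "SIGNOFF",
     "text": "Sign-off"},
]

SELECTED = EVENTS[0]  # the event under investigation (the out-of-hours sign-on)

ATTRIBUTES = ("operator", "source", "destination", "object")


def in_time_range(event, selected, minutes):
    """True when event lies within +/- minutes of the selected event.
    The display's minimum range is one minute, so smaller values are clamped."""
    minutes = max(1, int(minutes))
    gap = abs(datetime.fromisoformat(event["time"]) - datetime.fromisoformat(selected["time"]))
    return gap <= timedelta(minutes=minutes)


def field_matches(value, pattern):
    """Search semantics from the page: plain text matches anywhere in a value;
    a pattern containing '*' is anchored, with each '*' matching any run of text.
    Case-insensitive comparison is an assumption, not stated on the page."""
    value, pattern = str(value).lower(), pattern.lower()
    if "*" not in pattern:
        return pattern in value
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def matches_search(event, pattern):
    """The Search box is active across all fields, so any field may match."""
    if not pattern:
        return True
    return any(field_matches(v, pattern) for v in event.values())


def matches_attributes(event, selected, match_on):
    """'Search for other events matching': each chosen attribute must equal the
    selected event's value. Requiring all of them (AND) is an assumption."""
    unknown = set(match_on) - set(ATTRIBUTES)
    if unknown:
        raise ValueError(f"unknown attribute(s): {sorted(unknown)}")
    return all(event[a] == selected[a] for a in match_on)


def investigate(events, selected, minutes=1, search="", match_on=()):
    """Return the ids of candidate related events, oldest first.
    The selected event itself is left out of its own candidate list (assumption)."""
    hits = [e for e in events
            if e is not selected
            and in_time_range(e, selected, minutes)
            and matches_search(e, search)
            and matches_attributes(e, selected, match_on)]
    return [e["id"] for e in sorted(hits, key=lambda e: e["time"])]


if __name__ == "__main__":
    print(investigate(EVENTS, SELECTED))                                   # default one-minute window
    print(investigate(EVENTS, SELECTED, minutes=2, match_on=("operator",)))  # widen, same operator
    print(investigate(EVENTS, SELECTED, search="*loc*"))                    # wildcard across all fields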

Linking events

To build an audit trail of events that are linked to the original selected event, click the corresponding link symbol in the first column of the event that you want to link. Continue to link events as required.

Linked events are displayed in the Related Events section of the Event Summary display so they can be reviewed by the appropriate personnel.

Unlink events

To unlink an event from the audit trail, click the link symbol next to it again in the Related Events section and confirm the removal. The event is then also removed from the Related Events section of the Event Summary page.
