
Browser

Introduction to the Browser Module

The Browser module is designed to provide a detailed, real-time view of events collected by CYBERQUEST. It offers operators and analysts a flexible interface to examine logs, investigate anomalies, and validate filtering rules across a wide range of data sources.

Browser can be accessed at any time by clicking its button in the left-side navigation panel of the Web Interface.

Working with Browser module

The Browser module interface is organized into three main sections, each supporting a specific aspect of event analysis:

  • Search and Filter: Enables granular control over the displayed information. This section allows the use of advanced search queries and filters to narrow down or expand the event data shown in the results.
  • Results: Displays the list of events matching the defined criteria. This section presents the actionable data in tabular form, allowing sorting, detailed inspection, and redirection to other modules.
  • Geolocation: Provides a graphical representation of events on a world map, based on originating or destination IP addresses. This visual aid supports the identification of geographic patterns or anomalies in the data.

Browser Search and Filter section

This section provides control over the information displayed in the Browser module. It allows the definition of additional filters and logical combinations for event data within a specified date and time range.

To access the Search and Filter section, expand the filters panel by pressing the panel's expand button. The panel will then be displayed:

1) The Search field allows filtering of displayed data using free text queries. If left empty, all available events are shown.

A similar search capability is available in the Dashboards module. For detailed usage instructions, refer to the guide: Using Searches.

Unlike the Dashboards module, an additional drop-down list is available next to the Search field in the Browser module.

By clicking the corresponding button, the number of displayed items per page can be adjusted. The default is 10, with options to increase to 50 or 100 items.

2) Additional filters can be applied using the Filtering options section. By default, no filters are selected. Opening the Additional filters drop-down list reveals a wide range of predefined filters organized by technology. One or multiple filters can be selected as needed.

The Combining method drop-down list is used to define how the selected filters are applied together. Available options include the AND and OR logical operators. The selected operator applies globally to all chosen filters.


After completing the selections, navigate to Query Actions > Filter to apply the chosen filters.


Additional options available in the Search and Filter section:

To view this section, expand the filter panel by pressing the panel's expand button. The filter options will then be displayed:


  • Send to Dashboards: Opens the Dashboards module in a new browser tab, displaying the filtered results based on the current selection.

  • Send to Alerts: Opens the Alerts module in a new browser tab, listing the filtered results accordingly.

  • Export All Events: Generates a CSV file containing all events displayed in the Results section. Due to the potential volume of data, this may take time. A status window will display the export progress percentage. Once the process reaches 100%, the file can be saved by clicking the Download report CSV link.


The current filter selection can be saved at any time. Pressing the corresponding button opens three options for saving the filter configuration permanently:


  • Save as New Dashboard opens the Save as New Dashboard window, allowing the creation of a new dashboard. The following parameters must be configured:

    • A convention-based name for the dashboard, which will appear in dashboard lists

    • A descriptive, user-friendly name, displayed in the Dashboards interface

    • A description outlining the type of information presented in the dashboard

    • The field used for graph generation

    • How many records to display in the chart

    • A Data Filter that defines the search conditions to be applied for generating the dashboard content

    • Graphic type (barchart, pie, gauge etc.)


  • The Save as New Report option opens the Save as New Report window, allowing the creation of a new report. A report name and description must be provided before the configuration can be saved.

  • The Save as New Filter option opens the Save as New Filter window, enabling the creation of a new filter. A filter name and description must be specified before saving the configuration.

The Search and Filter section includes options for setting the date and time interval to define the time range of the displayed information. This feature provides a quick overview of compliance data over a specified period.

The interface provides options to define a specific start and end date, along with predefined date ranges (e.g., last hour, last day, last three days, last ten days, last 30 days, last 90 days). By default, the Dashboards interface displays data from the last hour. Additional controls beneath the Start Date and End Date fields allow for quick adjustment of the time interval and selection of the time reference to be used, including GMT, Local Time, ReceivedTime, Now, AutoRefresh, TimeInterval, and Not in this time interval.


  • GMT - the time reference that converts the search time into GMT (Greenwich Mean Time zone).

  • LocalTime - the time reference for when an event occurred.

  • ReceivedTime - the time reference for when the events arrived at the CYBERQUEST machine.

  • Now - automatically updates the end date with the current time.

  • AutoRefresh - refreshes the page every 10 seconds.

  • Time Interval - the search is made over the interval from Start Time to End Time.

  • Not in this time interval - the search outputs the events that are NOT between Start Time and End Time.

Events overview graphic

This chart from the Browser module displays the total number of events in samples within the selected time interval.

To filter events within a specific time interval, click and drag across the graph to highlight the desired time range. The displayed events will adjust to match the selected interval.

After selecting the time range, click the Filter interval button. The Browser module will then display all events corresponding to the selected time interval.

Results section

This is the main display area for browsing activities. All events are listed in chronological order, and the number of items per page is the one set in the Search and Filter options.


Not all event fields are shown by default. Fields can be customized by clicking the button in the field selection bar, which opens a drop-down list of available fields. Fields can be added by selecting them from the list and removed at any time by clicking the x next to a selected field. The following fields are available to add:

To see more information about the Log Record Fields, please follow the link: Log Records structure.

The Browser interface allows users to interact with the listed events. For each event, clicking the icon on the left opens a drop-down menu with the following options:


  • View Event - Opens a detailed information window displaying all data fields associated with the selected event.

  • Export Event as JSON - Exports the full event data in JSON format for external analysis or archival purposes.

  • Export Event as anonymised JSON - Exports the event in JSON format with sensitive or identifying information anonymized.

  • Create Investigation case - Opens the Add Evidence to New Case window, allowing users to initiate a new investigation based on the selected event. See CQ 2.30 User Guide - Case Management Module for more.

  • Add to Existing investigation - Opens a selection window to attach the event to an already existing investigation case.

  • Add to Event Actions (Map) - If the event contains a public IP with a known geolocation, it will be plotted on the world map in the Geolocation section for visual context.

  • Add to Compare List - Adds the event to a comparison list, enabling side-by-side review with up to five events simultaneously.


After adding the events, click the button located on the right side of the web interface to open the Event View Comparison window.

  • Add Deduplicate Item - Marks the event as a potential duplicate to be used as a reference when identifying duplicate events.

  • Set Deduplicate Of - Links the current event as a duplicate of a previously identified reference event.

  • Change User Classification - Allows manual adjustment of the user classification assigned to the event (e.g., internal, external, trusted).

  • Run PlayBook - Executes a predefined PlayBook (automated response workflow) associated with the event’s characteristics.

All fields, except Description, support contextual interactions within the Browser and other modules. Clicking on any field value of a specific event opens a drop-down menu with the following quick action options:


  • Remove globally: Excludes all events containing the selected field value from the event list. The exclusion filter is automatically written in the Search box.
  • Show only this item globally: Filters the event list to display only events containing the selected field value. The filter is automatically applied in the Search box.
  • Send to Dashboards as <Value>: Redirects to the Dashboards module and applies the selected field value as a search query. Opens in a new browser tab.
  • Send to Dashboards as <Field>:"<Value>": Redirects to the Dashboards module using a structured field-value filter (e.g., EventID:"<Value>"). Opens in a new browser tab showing only the matching results.
  • Send to Browser as <Value>: Opens a new Browser tab and filters events using the selected raw value as a free-text search query, without specifying a field.
  • Send to Browser as <Field>:"<Value>": Opens a new Browser tab and filters events using a structured field-value query (e.g., EventID:"<Value>"), displaying only the matching results.
  • Send to Alerts: Redirects to the Alerts module, showing events that match the selected value. Opens in a new browser tab.
  • Create UEBA EventID: Triggers the creation of a UEBA (User and Entity Behavior Analytics) event using the selected field. This integrates the event into behavioral analysis workflows for anomaly detection and user/entity profiling. Available only for fields like EventID, Computer, and UserName.
  • Create Entity View: Opens a contextual entity view based on the selected field, consolidating related activity and behavioral patterns to enhance investigation insights. Available only for fields like EventID, Computer, and UserName.

All the quick actions mentioned above work by generating search queries, which are automatically entered into the Search box. When multiple actions are applied consecutively without clearing previous ones, the Browser inserts an AND operator between the search terms to combine them. For example, applying two Remove globally actions results in a search query like:

NOT DestIP:"IP_Address_1" AND NOT Computer:"IP_Address_2"

For further details, refer to CQ 2.30 User's Guide, Using Searches.
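
The query composition described above, modelled in Python as an added example (not CYBERQUEST code or its API): each quick action appends one term, terms are joined with AND, and the same terms are evaluated against constructed events. The Term class, helper names, sample events and exact-match semantics are assumptions for illustration; values containing double quotes are not handled.

```python
# Added illustration, not CYBERQUEST code: models how quick actions
# accumulate in the Search box and which events the result keeps.
from dataclasses import dataclass

@dataclass(frozen=True)
class Term:
    field: str
    value: str
    negate: bool  # True = "Remove globally", False = "Show only this item globally"

    def render(self) -> str:
        text = f'{self.field}:"{self.value}"'  # Field:"Value" syntax from the page
        return f"NOT {text}" if self.negate else text

    def matches(self, event: dict) -> bool:
        hit = event.get(self.field) == self.value  # assumed exact-match semantics
        return not hit if self.negate else hit

def search_box(terms) -> str:
    # Consecutive actions are joined with AND, as the page describes.
    return " AND ".join(t.render() for t in terms)

def filter_events(terms, events):
    # AND semantics: an event is listed only if every term holds.
    return [e for e in events if all(t.matches(e) for t in terms)]

def hidden_by_exclusions(terms, events):
    # Per NOT term, how many events it suppresses: a quick check for stale
    # exclusions left in the Search box from an earlier investigation step.
    return {t.render(): sum(not t.matches(e) for e in events)
            for t in terms if t.negate}

# Constructed sample events (documentation-range IPs, hypothetical hosts).
EVENTS = [
    {"EventID": "4625", "Computer": "ws-01", "DestIP": "192.0.2.10"},
    {"EventID": "4625", "Computer": "ws-02", "DestIP": "198.51.100.7"},
    {"EventID": "4624", "Computer": "ws-01", "DestIP": "198.51.100.7"},
    {"EventID": "4625", "Computer": "srv-09", "DestIP": "203.0.113.5"},
]
TERMS = [
    Term("DestIP", "192.0.2.10", negate=True),   # Remove globally
    Term("Computer", "srv-09", negate=True),     # Remove globally
    Term("EventID", "4625", negate=False),       # Show only this item globally
]

if __name__ == "__main__":
    print(search_box(TERMS))
    print(filter_events(TERMS, EVENTS))
    print(hidden_by_exclusions(TERMS, EVENTS))
```

Because terms accumulate until the Search box is cleared, the per-term count makes a leftover NOT exclusion visible before it hides events from a later search.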

Events Manual Deduplication

To manually deduplicate events, click the button and choose either "Add Deduplicate Item" or "Set Deduplicate Of":

  • Add Deduplicate Item — Adds the selected event to the deduplication list.

  • Set Deduplicate Of — Marks the selected event as a duplicate of one or more items previously added to the deduplication list via Add Deduplicate Item.


Geolocation section

When an event containing a public IP address with geolocation data is added to the map via the Browser, it will be pinpointed on the world map. This feature enables users to visualize the precise origin or destination of the event.
