Home

Events

With FIM, you receive real-time updates about anomalous activities that are detected. These updates (events) are sent with complete granular details such as who-what-when-where, about the changes occurring within the scope of your monitored area. Events can be expected and authorized or unexpected and malicious.

FIM provides one central location for viewing all of the events detected across all of your assets. The Events tab contains capabilities to search for events, group by options, and download the results.

Use tabs in the Events section to quickly identify:

(1) Event Insights: View the rules, profiles, processes, and users that have generated the highest number of events.

(2) All Events: View events detected across all of your assets are listed under this tab.

(3) Event Review: You can take actions such as ignore events or create incidents on the registered events from this tab. Only those events, which are not mapped to an incident are listed on the Event Review tab.

(4) Ignored: Events ignored from the Event Review tab are moved to this tab.

Note: All the date-related events on the cloud agent happen in the UTC zone with respect to the Asset time zone. The actual results in the UI show you the date as per your time zone. In addition, the Generated Report will have Date Time in UTC with respect to the Asset time zone.

All Events, Event Review and Ignored tabs.

Note: To add a folder path for file.fullPath and actor.imagePath QQL, user should avoid using “ \” at the end of the path as it results in invalid QQL while searching.

Searching for events using QQL

You can search events based on some criteria using the Qualys Query Language (QQL). For more information on QQL, see Search Tutorial and How to search.  These searches can then be saved using the "Save this Search Query" option. For more information, refer to the Search Action topic.

Save and manage searches

Note: The file.hash QQL token is supported only for PE files on Windows. On Linux, all types of files are supported. 

Note: The Actor column in Event Review is not available for OS AIX.

Viewing event details

Clicking Event Details in the Quick Actions for an event brings up the Event Details page. This page provides complete information about the FIM event.

Event Details option in Quick Actions menu.

Note: The QQLs actor.process, actor.UserID, actor.UserName, actor.imagePath are not supported for FIM assets on AIX, hence no data is fetched for AIX assets if you use these QQLs and the Actor column does not display any data.

Image of the Event Details page

Image of the Event Details page

Grouping Events by Assets in the All Events tab, brings up maximum of 1000 grouped assets.

group by assets

 You can view the event details with asset name and count of total events for the selected asset.

columns

You can see the file size of the FIM event on the Event Details page. 

Note: With Windows agent, you can see the File size of FIM events for Create, Content, and Attribute Action.
However, with Linux agents, you can see the File size of FIM events for Create, Content, and Security Action

On the Event Details page, you can view the success status of the event. The success status is shown as yes when the event is successfully executed and no when the event execution is unsuccessful.

Ignoring events

You can group together false-positive events that are of similar nature and add them to the 'Ignored' list.

Go to Events > Event Review and select specific events and choose Ignore Events from the Actions menu. Optionally, choose Ignore All Matching Events to ignore all events that are currently matching your query for the time frame that you've selected. Ignored events are moved to the Ignored list. Note - You may get similar events in the future that will appear in your Events list and you'll want to ignore those too.

Actions Menu with Ignore Events and Ignore All Matching Events options on Event Review tab.

Alternatively, click an event to go to the Event Details page. Select Ignore option from the Actions menu.

 Ignore option in Quick Actions menu on the Event Details page.

You can easily restore any ignored event from the Ignored list.

Ignoring events and applying exclusion filters

Ignore an event and at the same time modify the monitoring profile rule or rules that triggered the event. Identify the event and then click the event to go to the Event details page. From the Actions menu, choose Ignore and Whitelist. This option is unavailable 1) for events for which incidents are created and 2) events that are created for the rules of the profile that are imported from the profile library and profile rules for which you have set Rule Type as File.

Ignore and Whitelist option in Quick Actions menu in the Event Details page.

You'll see a list of profiles and rules associated with the event and a new exclude filter for the target directory or file. Feel free to make changes to the exclude filter before saving it. Once you hit Save, we'll add the exclude filter to the selected profile rules. The event will be moved to the Ignored list and new events will not be generated for the excluded directory/file.

Finding similar events

Search for events that are generated by the same process, user, filename, path and rule. Drill-down an event and on the Event Details page, click the Actions menu on the top. Select Find similar events and then choose a filter to view events that matches the value of the filter for the selected event.

For example, choose the Process filter to view all the events that are generated by the same process as the current event.

Find Similar Events options in the Actions menu on Events Details page.

Creating incidents

Go to Events > Event Review to see the events that are waiting to be reviewed.

Enter your search query to find related changes that are part of the same incident, and click Create Incident. All events matching your query will be included in the incident. You'll have the opportunity to review the incident and decide if it's valid.

Learn more >>

Create Incident in Event Review.

 

Related Topics

Qualys Query Library

Event Insights

Incidents

Configuration of correlation rules to auto create incidents

Configuration of rule-based alerts for events and incidents