Documentation for Security Event Manager

About SEM nDepth search

The nDepth search engine can locate any event data that passes through a particular SEM Manager instance. You can use nDepth to conduct custom searches, investigate your search results with graphical tools, investigate event data in other explorers, and act on your findings.

nDepth visual tools

nDepth summarizes and displays search results with several different visual tools that can also be combined into a customizable dashboard. The tools are intuitive and interactive—you can point and click to refine your searches. Each graphical tool provides an alternative view of the same data, so you can examine your data from several perspectives. You can also view and explore a text-based view of the actual data.

nDepth employs drag-and-drop tools that let you configure simple or even complex search criteria. You can use these tools to dig deeper into your findings by adding search conditions, or by appending text to existing search strings. nDepth also includes a tool called Search Builder that lets you configure complex search criteria using the same sort of drag-and-drop interface found in Filter Creation.

nDepth primary uses

Use nDepth to do the following:

  • Search normalized event data.

    If the nDepth log retention option is enabled, nDepth search can also search raw (non-normalized) log messages that are stored separately. See Configure SEM to store original log messages to learn more about nDepth log retention.

  • View, explore, and search significant event activity. nDepth summarizes event activity with simple visual tools that you can use to easily select and investigate areas of interest.

  • Use existing filter criteria from the Monitor view to create similar searches.

  • Conduct custom searches, including complex searches built with the Search Builder, a tool that behaves just like the Filter Builder.

  • Save and reuse custom searches.

  • Schedule saved searches.

  • Create your own custom widgets for the nDepth Dashboard.

  • Export your findings to a printable report in PDF format, or your search results to a spreadsheet file in CSV format.

  • Use the Explore menu to investigate nDepth search results with other explorers.

  • Use the Respond menu to act on any of your findings.

Events and Log Messages

If the nDepth log retention option is enabled, SEM uses two data stores: one for normalized event data, and one for the original (raw) log data. Use the following nDepth modes if nDepth log retention is enabled:

  • Events mode. nDepth summarizes and explores your normalized event data. Normalized data appears in Monitor view and is stored in the SEM database.

  • Log Messages mode. nDepth summarizes and explores raw log messages received from the original event logs. Use this mode if you have specific data analysis needs and understand how to interpret raw log messages generated by network devices and tools.

Data storage is limited. If you have not configured a CMC option for archiving data, SEM will delete the oldest data to make room for new data.

Common data fields in nDepth search

See Common data field categories in SEM nDepth search