Documentation for Security Event Manager

The Utilities view

Utilities view on the SEM Console

The Utilities view (Explore > Utilities) provides several IT analysis utilities, including Whois, NSLookup, Traceroute, and Flow (sFlow and NetFlow). These utilities are also available from the Explore > nDepth view, and Monitor view.

This topic provides help for the Utilities view on the SEM Console. For more information, see Use the explorer utilities in SEM to search or analyze nDepth query results.

This screen capture shows the Utilities view on the SEM Console:

The following table describes the key features of the Explore > Utilities view.

Name Description

History pane

Displays a record of your explorer viewing history. Selecting an item in the history list displays the corresponding explorer event in the Explorer pane.

Utilities pane

Displays the explorers that are currently open. You can have multiple explorers open at the same time.

Cascade button

Arranges the open explorer windows so they appear in an organized cascade.

Respond menu
Responds to the event or event field that is the subject of the active explorer. You can also use the Respond menu to take action even when no explorer windows are open or active.

Explore menu
Contains options to open the other explorers. You can explore the event message or event field that is the subject of the active explorer or open a blank explorer to manually enter the item you want to explore.

Explorer windows

The active explorers within the Utilities pane. You can minimize, resize, and close each explorer window, as needed.

Minimized explorers

Any explorers that you have minimized appear at the bottom of the Utilities pane as a title bar. Click a title bar to reopen that explorer.

The Event explorer utility

The Event explorer displays all events related to an event that you select in the Monitor view events grid.

You can view events that occurred before, during, and after a selected event to identify the root cause of the event. This approach can help you visualize how an event occurred, as well as the system’s response to that event.

When you explore an event, the console sends a request to the SEM Manager to determine which events are related to the event. In response, the Event explorer displays the events that triggered the event, as well as the events that resulted from it (such as a response or notification).

The Event explorer includes three sections: Event Details, Event Map, and Event Grid. This example shows an event explorer that provides information about the TCPPortScan event selected in the Monitor events grid.

Event Details

The Event Details pane provides detailed information about the event you select in the Monitor grid. Information about the event data fields may vary depending on the selected event type. For example, network-oriented events display fields for IP addresses and ports, while account-oriented events display account names and domains.

Click Event Details to open the Event Details window. Click to read the event description and to return to the event details. If you need to research this event further, click to create a filter that displays this event type in the Monitor view event grid. The filter will display in the Filters pane under the last selected grid. When you complete your event review, click to move to the previous or next event in the grid.

Event Map

The Event Map displays a graphical view of the event you are exploring, as well as the events that triggered it and the events that followed it. This allows you to move through the entire chain of events to analyze the relationships between each event.

Event explorer always places your selected event in the center of the map. Related prior events that triggered your selected event display to the left. If no prior events exist, a box labeled None displays in the map. Related events that follow the central event appear to the right. These events were caused by the central event (such as system responses). If no events follow, a box labeled None displays. If the same event occurs multiple times, they appear together in a box.

Events that appear in the event map can be events, rules, or commands (system responses to an event). Each event type includes an icon that categorizes the event, as shown below.

Icon Description

Audit Event tree event.
Security Event tree event.
Asset Event tree event.
Incident Event tree event.
Internal Event tree event that is not related to rules or active response activity.
An internal command indicating the system is responding to an event.
Rule activity from a rule in test mode or a rule that initiated an active response.

Event Grid

The event grid lists all events that appear in the event map in chronological order—from the earliest event (top) to the latest event (bottom). The grid is useful for comparing events and exploring event data.

The event grid’s Order column icons indicate when each event occurred, as shown below.

Icon Description
The event occurred before the central event.
The event occurred during (as part of) the central event.
The event occurred after the central event.
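To make the Event Map and Event Grid semantics described above concrete, the following is an added Python example, not SEM code: it builds the map (trigger chain on the left, caused events on the right, same-named events grouped, None for an empty side) and the chronological grid with its Order value from a constructed set of events. The Event class, its field names and the triggered_by relationship are assumptions, since SEM's internal event schema is not documented on this page.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Event:
    """Constructed SEM-style event; field names are assumptions, not SEM's schema."""
    event_id: int
    name: str                  # event type, e.g. TCPPortScan
    time: int                  # seconds; drives the grid order
    triggered_by: int = None   # id of the event that caused this one, if any

def build_event_map(events, central_id):
    """Event Map layout: trigger chain left, caused events right. Same-named events
    share one box (name -> ids); an empty side is None, the console's 'None' box."""
    by_id = {e.event_id: e for e in events}
    children = defaultdict(list)
    for e in events:
        if e.triggered_by is not None:
            children[e.triggered_by].append(e.event_id)
    prior, cur = [], by_id[central_id]
    while cur.triggered_by is not None:          # walk the trigger chain backwards
        cur = by_id[cur.triggered_by]
        prior.append(cur)
    following, stack = [], [central_id]
    while stack:                                 # everything caused, directly or not
        for cid in children[stack.pop()]:
            following.append(by_id[cid])
            stack.append(cid)
    def boxes(evs):
        grouped = defaultdict(list)
        for e in evs:
            grouped[e.name].append(e.event_id)
        return dict(grouped) or None
    return {"prior": boxes(prior), "central": by_id[central_id].name,
            "following": boxes(following)}

def event_grid(events, central_id):
    """Chronological rows (order, name); order mirrors the grid's Order column."""
    central = next(e for e in events if e.event_id == central_id)
    rows = []
    for e in sorted(events, key=lambda e: e.time):      # earliest first (stable sort)
        order = ("during" if e.event_id == central_id
                 else "before" if e.time < central.time else "after")
        rows.append((order, e.name))
    return rows

# Constructed sample: audit event -> port scan (central) -> rule -> two BlockIP commands + SendEmail.
SAMPLE = [Event(1, "TCPTrafficAudit", 100), Event(2, "TCPPortScan", 105, 1),
          Event(3, "PortScanRule", 106, 2), Event(4, "BlockIP", 107, 3),
          Event(5, "SendEmail", 107, 3), Event(6, "BlockIP", 108, 3)]
```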

The Whois explorer utility

Whois explorer is a network utility that identifies the source of an IP address or domain name based on how it is registered with domain and network authorities. This explorer contacts the central databases for IP addresses and domain names and returns the results of your searches. It can tell you the registered location of an address or domain and who its registered owner is. For example, you can use this explorer to identify who owns a domain that corresponds to the IP address that caused a rule to fire.

The example on the left shows the results for an IP address. The example on the right shows the results for the SolarWinds domain name. From these results, you can find out who owns the IP address and where the server is hosted.

Opening the Whois Explorer adds a Whois explorer icon in the History pane of the Explore view.

nDepth explorer

nDepth is a search engine that locates all event data or the original log messages that pass through a particular SEM Manager. The log data is stored in real time as it occurs from each host (network device) and source (application or tool) that is monitored by the SEM Manager. You can use nDepth to conduct custom searches, investigate your search results with graphical tools, investigate event data in other explorers, and take action on your findings.

For more information about nDepth search, see:

The NSLookup explorer utility

The NSLookup explorer is a network utility that resolves IP addresses to host names and host names to IP addresses. Use this explorer to locate a name that corresponds to the IP address that caused the rule to fire. For example, you can resolve to an IP address.

In this example, NSLookup explorer is searching for IP address of The explorer retrieved the corresponding host name, which is

Opening the NSLookup explorer adds an NSLookup explorer icon to the History pane in the Explore view.

The Traceroute explorer utility

Traceroute explorer is a network utility that traces network links (or hops) from your host computer to a specific destination. Use this explorer to determine the network connections between yourself and the IP address that caused a rule to fire.

In this example, Traceroute explorer is tracing IP address The interface displays the hops between your computer and the destination IP address. In this example, connecting to the IP address required two hops.

Opening the Traceroute Explorer adds a Traceroute explorer icon in the History pane of the Explore view.

The Flow explorer utility

Flow explorer performs flow analysis to determine which IP addresses or ports are generating or receiving the most network traffic. Use this explorer to analyze the volume of data (in bytes or packets) transferring to or from an IP address or port number on your network.

For example, if an unknown IP address displays at the top of the Flow explorer’s activity list, you can select a bar on the graph or a row in the table, and then choose the Whois explorer from the Explore menu to identify the IP address and why it is transmitting so much data.

For more information, see Collect and view NetFlow and sFlow data in SEM.

Execute a Whois, NSLookup, or Traceroute task from an event or search result

  1. Locate and select the event or search result you want to explore.

  2. From the Explore drop-down list, select an option.

Execute a blank Whois, NSLookup, or Traceroute task

  1. On the SEM menu bar, navigate to Explore > Utilities.

  2. From the Explore drop-down list, select a utility.

  3. Complete the form for the utility, and then click Search.

Display flow data

SEM supports flow exports from both NetFlow and sFlow devices. Use the Flow Explorer on the SEM Console to view graphs, charts, and grids.

See Collect and view NetFlow and sFlow data in SEM to enable flow collection and analysis on the SEM appliance.