Search normalized data using nDepth search in SEM

This section describes how to use nDepth to search for normalized event data that passes through a particular SEM Manager.

Create an nDepth query

  1. Open the SEM console. See Log in to the SEM web console for steps.

    Log in as an administrator or an auditor.

  2. On the SEM toolbar, navigate to Explore > nDepth.

  3. To clear all existing parameters, click x in the search bar.

  4. Drag search items to the search box, and then enter a search expression.

  5. Modify the default time frame as required.

  6. To begin your search, click Search (the play button).

Choose an event in Monitor view to send to nDepth for historical search

  1. Open the SEM console. See Log in to the SEM web console for steps.

    Log in as an administrator or an auditor.

  2. On the SEM toolbar, navigate to Explore > nDepth.

  3. In the nDepth filter sidebar, select a filter.

  4. Locate an event in the event grid that you want to research.

  5. To stop the event feed, click Pause.

  6. Select the event in the grid.

  7. From the Explore drop-down list, select nDepth.

    The nDepth screen appears, displaying your results.

In the nDepth screen, you can narrow or widen your search timeline using the nDepth histogram. After you establish your search timeline, click a tool in the nDepth toolbar to review your results.

Choose a filter in Monitor view to send to nDepth for historical search

You can select a real-time filter in Monitor mode to open in nDepth search. This task requires either the Administrator or Auditor role.

  1. Open the SEM console. See Log in to the SEM web console for steps.

    Log in as an administrator or an auditor.

  2. On the SEM toolbar, click Monitor.

  3. In the filter sidebar, select the filter you want to send to nDepth.

  4. In the Filters pane, click , and then select Send to nDepth.

    The filter opens in the nDepth search engine.

  5. (Optional) Modify the nDepth search conditions or time frame to fine-tune your search.

    Always click Search, denoted by a play button, after altering an nDepth search to get your new results.

Create an nDepth query for all activities by a single user

Use nDepth to create queries for all activity related to a single user or group of users on your network. This is currently the only method to perform this level of reporting and monitoring in SEM.

  1. Open the SEM console. See Log in to the SEM web console for steps.

    Log in as an administrator or an auditor.

  2. On the SEM toolbar, navigate to Explore > nDepth.

  3. To clear all existing parameters, click x in the search box.

  4. In the Refine Fields list, locate the User Name drop-down list.

  5. Drag User Name into the search box at the top. To choose a different user, change the user name next to the pencil icon in the search bar.

  6. Use this selection or change the user name in the Constant text box.

    When you change the user name:

    • Use trailing wildcard characters (such as *) to search for part of a user name.

    • Avoid using leading wildcard characters whenever possible.

    • Use user-defined groups or directory service groups to search for groups of users.

  7. Modify the default time frame as required.

  8. To begin your search, click Search (the play button).

Delete items from search strings

To delete a search string, click next to a condition in the search bar. You can delete individual conditions, groups of conditions, or the entire string.

Adjust the time frame for your nDepth query

  1. In the search bar, click the time selector drop-down list, and then select Custom range.

  2. Select the From and To dates and times in the calendars.

    By default, the custom time frame shows the time frame of your last search.

  3. Click outside the calendars to close.

    Searches that take several minutes to complete, or that span a very large number of events, can time out or return no results.