Analyze Catalog Messages screen


The Analyze Catalog Messages screen is accessed by clicking the Analyze Messages hyperlink at the top of the Catalog Viewer Utility screen shown previously. This screen lets the operator quickly see how often each device, user, facility, and severity occurs within the catalog set. The screen is particularly useful for analyzing the contents of a Thread (which might contain diverse data sources and message types). A typical depiction of the Analyze Catalog Messages screen is shown as follows:

[Screenshot: Analyze Catalog Messages screen]

The preceding screen shows a typical depiction of the Analyze Messages screen, showing the distribution of facilities for the Common Threats thread during the last day. The operator can select the analysis item (Devices, Users, Facilities, or Severities) and change the time span from one hour to ten days. To view all the occurrences of a specific item, the operator can click the item's hyperlinked name.

Types of Analyze functions

The Analyze function depicts occurrence counts associated with raw message data. The following links appear at the top of the screen and permit you to switch between the various occurrence counting functions within the data. You can either select a link at the top of the screen, or select the function from the Item drop down menu. Functions are as follows:

  • Devices—This function tabulates the device counts within the selected data. If the operator drills down into a Device catalog, this function depicts just the device that was selected. Otherwise, the function lists all the unique devices in the recent messages of the selected catalog.
  • Users—This function tabulates the user counts within the selected data, using the Users > Catalogs screen as a reference for user names. If the operator drills down into a User catalog, this function depicts just the user that was selected. Otherwise, the function lists all the unique user names in the recent messages of the selected catalog.
  • Facilities—This function tabulates the facility counts within the selected data. If the operator drills down into a Facility catalog, this function depicts just the facility that was selected. Otherwise, the function lists all the unique facility names in the recent messages of the selected catalog.
  • Severities—This function tabulates the severity counts within the selected data. If the operator drills down into a Severity catalog, this function depicts just the severity that was selected. Otherwise, the function lists all the unique severity names in the recent messages of the selected catalog.
  • Freq—This function is slightly different from other functions above. Rather than processing occurrence counts of items, the program tabulates the time between messages, achieving a spectrum analysis similar to (but not the same as) a Discrete Fourier Transform. This gives a projection of the message rates and how often messages occur within a set of messages. (See additional notes.)
  • WinEvt—This function tabulates the Windows Event counts within the selected data. This link and function appear only if the selected data contains Windows event messages. The function lists the Windows Application, System, and Security event codes in the recent messages of the selected catalog.
  • Common Fields—This function is a drop-down menu that permits the operator to select common fields that have been parsed from the raw messages. The function scans the first several hundred messages in the raw message list and composes Parse Functions for the specific data. This is similar to the Parse Spec function below, but is more convenient because it detects the parse specifications automatically.
  • Parse Spec—This function displays an input window where the operator can enter any arbitrary Parse Specification, to parse any particular field within the data. Assistance on Parse Specifications is provided as a link when this function is selected.
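The following is an added example, not BMC code, showing what the occurrence-count functions above (Devices, Users, Facilities, Severities), the Parse Spec function, and the Freq function compute when run over a batch of raw syslog messages. It assumes RFC 3164 style messages with a numeric <PRI> header (facility = PRI >> 3, severity = PRI & 7), uses a plain regular expression as a stand-in for a BMC Parse Specification (the product's own parse syntax is not shown on this page), and the user-name patterns and sample log lines are constructed for the example.

```python
"""Added example (not BMC's code): tally devices, users, facilities and
severities in a set of syslog messages, count an arbitrary parsed field,
and histogram message inter-arrival times as a Freq-style rate view.

Assumptions (mine, not from the page): messages are RFC 3164 style with a
<PRI> header; facility/severity names follow the standard syslog tables;
a regex stands in for a BMC Parse Specification."""

import re
from collections import Counter
from datetime import datetime

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mon dd HH:MM:SS host message
HEADER = re.compile(r"^<(\d{1,3})>(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$")
# Patterns used to pull a user name out of the free text (assumed formats).
USER_PATTERNS = [re.compile(r"\bfor (\w+) from\b"), re.compile(r": (\w+) : TTY=")]
ITEM_FIELD = {"devices": "device", "facilities": "facility", "severities": "severity"}

# Constructed sample messages (not real log data).
SAMPLE = [
    "<38>Mar 22 16:28:01 fw01 sshd[1201]: Failed password for root from 10.0.0.5 port 5222 ssh2",
    "<38>Mar 22 16:28:02 fw01 sshd[1201]: Failed password for root from 10.0.0.5 port 5223 ssh2",
    "<86>Mar 22 16:28:02 web01 sudo: alice : TTY=pts/0 ; COMMAND=/bin/cat /etc/shadow",
    "<13>Mar 22 16:28:04 web01 app: request served",
    "<30>Mar 22 16:28:10 db01 cron[444]: job done",
    "<38>Mar 22 16:28:11 fw01 sshd[1201]: Accepted password for alice from 10.0.0.7 port 5300 ssh2",
]


def parse_syslog(line):
    """Split an RFC 3164 line into facility, severity, time, device and message."""
    m = HEADER.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:           # largest legal PRI is 23*8 + 7
        return None
    return {
        "facility": FACILITIES[pri >> 3],
        "severity": SEVERITIES[pri & 7],
        "time": datetime.strptime(m.group(2), "%b %d %H:%M:%S"),
        "device": m.group(3),
        "message": m.group(4),
    }


def analyze(lines, item):
    """Occurrence counts for item in {"devices", "users", "facilities", "severities"}."""
    counts = Counter()
    for rec in filter(None, map(parse_syslog, lines)):
        if item == "users":
            for pat in USER_PATTERNS:
                found = pat.search(rec["message"])
                if found:
                    counts[found.group(1)] += 1
                    break
        else:
            counts[rec[ITEM_FIELD[item]]] += 1
    return counts


def analyze_field(lines, pattern):
    """Parse-Spec style view: count the first capture group of an arbitrary regex."""
    rx = re.compile(pattern)
    counts = Counter()
    for rec in filter(None, map(parse_syslog, lines)):
        found = rx.search(rec["message"])
        if found:
            counts[found.group(1)] += 1
    return counts


def freq_spectrum(lines):
    """Freq-style view: histogram of whole-second gaps between consecutive messages."""
    times = sorted(r["time"] for r in filter(None, map(parse_syslog, lines)))
    gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
    return Counter(gaps)


if __name__ == "__main__":
    for item in ("devices", "users", "facilities", "severities"):
        print(item, dict(analyze(SAMPLE, item)))
    print("source IPs", dict(analyze_field(SAMPLE, r"from (\d+\.\d+\.\d+\.\d+)")))
    print("gap seconds", dict(freq_spectrum(SAMPLE)))
```

Each function returns a Counter keyed by the item name, which is what the screen renders as a ranked list; the Freq view is the histogram of gaps, so a spike at one bucket (here, one-second gaps) indicates a regular message cadence, which is the rate information the Freq function is described as projecting.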



BMC AMI Command Center for Security 5.9