Devo Foundations - Exercise 3.1 - Using the Finder

Userlevel 2

We know that in Devo we access our data by using the finder tool, which can be found in the Data search area.

Let’s recall what we’ve learned by using the finder to look at the events that have been ingested by Devo up to now.

How many hierarchical tag levels does the finder contain?
How many brands of firewalls have sent events to this domain at least once?
How many brands of proxy have sent events to the domain in the last month?
Use the filter to double check that the domain does have tables containing the “offlinesales2020” tag. Does it?
Use the finder to get to the siem.logtrust level. These SIEM tables log system data from the domain. You can think of it as a SIEM logging itself. For example, open the siem.logtrust.collector.counter data table. Then check the “object” field. This information is very valuable to Arcadia’s recently created team, as they can check which data sources are already up and running.

💡 Hints:

The Finder has a time filter to show the tags/technologies that have sent events to the domain.

Userlevel 3

How many hierarchical tag levels does the finder contain? 4
How many brands of firewalls have sent events to this domain at least once? 7

Use the filter to double check that the domain does have tables containing the “offlinesales2020” tag. Does it? It does

Use the finder to get to the siem.logtrust level. These SIEM tables log system data from the domain. You can think of it as a SIEM logging itself. For example, open the siem.logtrust.collector.counter data table. Then check the “object” field. This information is very valuable to Arcadia’s recently created team, as they can check which data sources are already up and running.

Ok, thanks!

5 (Cisco, Fortinet, Juniper, Palo Alto, Sophos)

3 (Bluecoat, Mcafee, zscaler)

Use the filter to double check that the domain does have tables containing the “offlinesales2020” tag. Does it?

yes, it takes around 7-8 minutes for it to show

Use the finder to get to the siem.logtrust level. These SIEM tables log system data from the domain. You can think of it as a SIEM logging itself. For example, open the siem.logtrust.collector.counter data table. Then check the “object” field. This information is very valuable to Arcadia’s recently created team, as they can check which data sources are already up and running.

Userlevel 1

How many hierarchical tag levels does the finder contain? -------- 4
How many brands of firewalls have sent events to this domain at least once?------- 6 (Cisco, Fortinet, Juniper, Palo Alto, Sophos, watchguard)
How many brands of proxy have sent events to the domain in the last month?------- 3 (

bluecoat, mcafee, zscaler )
Use the filter to double check that the domain does have tables containing the “offlinesales2020” tag. Does it?

Use the finder to get to the siem.logtrust level. These SIEM tables log system data from the domain. You can think of it as a SIEM logging itself. For example, open the siem.logtrust.collector.counter data table. Then check the “object” field. This information is very valuable to Arcadia’s recently created team, as they can check which data sources are already up and running.

How many brands of firewalls have sent events to this domain at least once?
- 6
  - Cisco, Fortinet, Juniper, Palo alto, sophos, watchguard

How many brands of proxy have sent events to the domain in the last month?
- 3
Use the filter to double check that the domain does have tables containing the “offlinesales2020” tag. Does it?
- YES!
Use the finder to get to the siem.logtrust level. These SIEM tables log system data from the domain. You can think of it as a SIEM logging itself. For example, open the siem.logtrust.collector.counter data table. Then check the “object” field. This information is very valuable to Arcadia’s recently created team, as they can check which data sources are already up and running.

Sign up