Constructing Queries:
IPS queries are constructed in the Events Query Pane and the results are displayed in the Display Pane. To access the Inspection Events Query Pane, click the Events button on the Toolbar and then click Inspection Events in the Navigation pane. To display the Events screen, click the Events button on the Toolbar.
Filter Criteria:
The Query Pane includes a general Filter option that enables you to search filters based on filter name, number, category, or profile. You can also add search criteria by selecting filter severity and action type options.
Filter Criteria Query Pane Fields

| Section | Description |
|---|---|
| Filter Details | Enables you to enter the name and/or number of the filter. |
| Filter Category | Enables you to select one or more filter categories: |
| Profile | Enables you to select a profile. |
| Suspicious URL Metadata | Enables you to filter events with suspicious URL metadata. |
| Filter Severity | Enables you to select the severity of the event. |
| Filter Type | Enables you to filter the events by Security or Application type. |
| Reputation Type | Enables you to filter the events by Reputation or Geographic filter. By default, both filters are selected. For Geographic filters, the Events table displays the name of the filter, any included or excluded countries (Filter Criteria), the country flag icon (if available), and the matching IP address for the filter. If the Geographic filter events display as Reputation events, or if you have other issues with the search criteria, redistribute all the profiles to all the segments for the distribution to start working again. |
| Action Type | Enables you to select the action: Permit, Block, Trust, Rate Limit, or Quarantine. |
| Event Comment | Enables you to select All Events, Events with Comments, or Events without Comments. |
Procedure:
- Log in to the SMS from a client.
- On the top Navigation menu, click Events.
- Select Inspection Events from the left navigational tree. The Events - Inspection Events screen displays.
- On the Query pane, select the triangle symbol (▶) next to Filter Criteria to expand this option. In the Filter Details fields, enter the appropriate information.
- In the Filter Severity area, deselect any option you do not want in your query.
- In the Filter Category area, select one or more categories in the Category list you want to include in your query. You can expand a listing to select individual entries or select a top-level list item to include every item listed under it.
- In the Profile area, select a profile from the drop-down list to include in your query.
- In the Action Type area, deselect any option you do not want in your query.
- Enter the number of matching rows (1 - 10,000) to list in the Display Pane. Limiting the number of rows may decrease the query processing time.
- Click Refresh. The returned attack events display in the List pane.
- To save this query, click Save As. Enter a name for the query when prompted. The query displays in the Saved Queries section of the Events Navigation pane. To create a new query, click Clear. The query pane resets and clears the criteria fields.
Note: You are not required to complete all query fields. Complete only as many as you need to successfully execute your query.
Reference: SMS User Guide