1
00:00:01,800 --> 00:00:10,980
In this lecture I will explain how to categorize events in Sguil. So, as we have noticed, the

2
00:00:11,460 --> 00:00:18,360
first two groups of events are likely virus infections.

3
00:00:18,780 --> 00:00:26,210
So it would be useful if we can categorize events and view events for each category.

4
00:00:26,220 --> 00:00:37,980
So for example I clicked on the Query menu and then Query by Category and then selected the Virus Infection

5
00:00:38,550 --> 00:00:39,990
category or Category 7

6
00:00:43,290 --> 00:00:49,560
and then I have to change the date to include the

7
00:00:52,490 --> 00:00:59,790
events that the alerts were generated, and then I will click on Submit.

8
00:00:59,930 --> 00:01:06,070
We see that we do not have any results, and this is because we...

9
00:01:06,180 --> 00:01:11,800
Well, we have not categorized events yet, so we have to do that beforehand,

10
00:01:14,800 --> 00:01:25,080
so I will close the Query Builder and I will right click on the event

11
00:01:30,090 --> 00:01:36,120
and then I will choose Update Event Status and then I will

12
00:01:39,030 --> 00:01:44,040
choose Category 7 or the Virus Infection category

13
00:01:46,750 --> 00:02:00,460
and we see that the event disappeared from the queue here because it is moved to Category 7.

14
00:02:00,610 --> 00:02:12,140
Now if we repeat the query again, so Query by Category and then Virus Infection or Category 7, and

15
00:02:12,250 --> 00:02:17,770
then I have to change the date and then click on Submit.

16
00:02:17,770 --> 00:02:32,760
Now we see that we have those 24 rows that we have categorized to be in Category 7, and we can execute

17
00:02:32,760 --> 00:02:41,270
the query also by right clicking on the alert and then selecting Advanced Query

18
00:02:41,340 --> 00:02:51,420
and then the category that we are searching for, and we see that the same window for the Query Builder

19
00:02:51,420 --> 00:02:52,130
was opened.

20
00:02:52,170 --> 00:02:59,960
So then we can change the date and then click on Submit to get the same results.

21
00:02:59,970 --> 00:03:11,920
Another way is by right clicking on the alert and then choosing Quick Query and then Virus Infection.

22
00:03:12,510 --> 00:03:20,970
And here we see that we have gotten zero rows because of the date.

23
00:03:20,970 --> 00:03:29,910
So we have to click on it, and then we see also that we have gotten the same Query Builder window,

24
00:03:30,240 --> 00:03:35,040
so we will change the date and then get the same results,

25
00:03:43,020 --> 00:03:49,350
and you can categorize events quickly by using the F keys, so you might notice that the Virus Infection

26
00:03:49,350 --> 00:03:52,800
category has an F7 key here.

27
00:03:52,830 --> 00:04:05,380
Therefore if I click on an event, for example this one, then I can assign it to the Virus Infection

28
00:04:05,380 --> 00:04:10,020
category by pressing the F7 key.

29
00:04:10,270 --> 00:04:19,390
So we see that the event disappeared now from the queue because it has been assigned to its new

30
00:04:19,480 --> 00:04:22,060
category of Virus Infection,

31
00:04:27,710 --> 00:04:36,050
and here below we see other EXE or DLL Windows file download events

32
00:04:41,540 --> 00:04:49,090
which are ones that I can categorize, but I will rather do that in Squert.

33
00:04:52,270 --> 00:05:00,700
Also, in addition to the event category, we can escalate the event, so events will appear under the Escalated

34
00:05:00,850 --> 00:05:08,200
Events tab to be reviewed and analyzed by a higher level security analyst, who can assign them to a specific

35
00:05:08,200 --> 00:05:09,370
category if needed.

36
00:05:09,370 --> 00:05:15,700
Or it might be determined that it was a false positive, for example.

37
00:05:15,700 --> 00:05:27,050
So for example I will escalate those two events, so I will right click them and then select

38
00:05:32,010 --> 00:05:43,440
Escalate, and then I can type for example "EXE download" as a comment,

39
00:05:50,540 --> 00:05:58,380
and we see that the events disappeared from the queue, and you can find them under the Escalated Events

40
00:05:58,380 --> 00:06:00,900
tab.

41
00:06:01,060 --> 00:06:12,760
And also we can add a comment for an event by right clicking on the event and then Update Event Status

42
00:06:12,820 --> 00:06:15,340
and maybe add a comment

43
00:06:19,180 --> 00:06:22,260
that belongs to a specific category.

44
00:06:26,660 --> 00:06:32,740
And sometimes you might find it useful to do this categorization automatically for repeated events,

45
00:06:33,130 --> 00:06:39,640
especially those you think are false positives, which will save your time and allow you to focus

46
00:06:39,670 --> 00:06:41,920
on the more suspicious events.

47
00:06:44,620 --> 00:06:54,550
So for example if I right click on this event and then select Create AutoCat From Event, then

48
00:06:55,300 --> 00:07:02,160
I can set a period for that auto categorization.

49
00:07:02,200 --> 00:07:16,000
So let us set it as three hours, and then I have to set the category, which is by default Category 1 or

50
00:07:16,000 --> 00:07:32,490
the NA category, and the other seven categories have the numbers from 11 to 17, so I will click

51
00:07:32,490 --> 00:07:34,440
on Submit.

52
00:07:40,300 --> 00:07:47,350
So in this lecture I have explained how to categorize events in Sguil, and in the next lecture

53
00:07:47,590 --> 00:07:48,740
we will explore

54
00:07:48,760 --> 00:07:49,270
Squert.