Viewing Event Data
Once data has been ingested into Workstation, there are generally two main methods for locating events:
- Use the Events Explorer widget to find ingested events.
- If Event Notifications have been configured, utilize the Notifications or Notifications Explorer widgets to view the event notifications.
Regardless of which widget the event comes from, drag the event or notification into another widget to view its data.
The Object Details Viewer is the primary widget used to view the latest information on an event. For other widgets, see our list of Cogynt Workstation Widgets.
Finding Ingested Events
The Events Explorer widget presents a table of recently ingested events with the following columns visible by default:
Event Name | Risk Score | Occurred |
---|---|---|
The title of the event | An associated risk score as processed by Authoring/HCEP, if applicable | The timestamp of when the event occurred, if applicable. |
The table allows analysts to view event details at a glance, quickly identifying critical events and dragging them into Object Details Viewer for further review.
Editing Events Explorer Columns
At the top right side of the widget, find the Fields icon. Click this icon to add or remove system and other fields by ticking or unticking the box next to each field.
The following system fields can be shown or hidden:
- Core ID
- Event Name
- Risk Score
- Created
- Occurred
- Updated At
Additionally, toggle all currently visible system fields on or off by ticking the System Fields box. Use Unselect All to unselect all other fields.
Pinning Columns
Pinning a column keeps it in place while scrolling through other system field columns.
To pin columns:
- In the Events Explorer widget, locate the column to pin.
- At the top of the column, hover to reveal the pin icon and click it to pin the column.
- Click the pin again to unpin the column.
Hiding Columns
Columns can be hidden to focus on other priority data fields, or simply to arrange and personalize a workspace.
To hide columns:
- In the Events Explorer widget, locate the column to hide.
- At the top of the column, hover to reveal the more menu icon and click it to open the more menu.
- Select Hide Column to hide the selected column.
- To unhide a column, use the system fields icon to add the unticked/hidden column.
Sorting Columns
Column values can be sorted in either ascending or descending order, affecting the display of columns.
To sort columns:
- In the Events Explorer widget, locate the column to sort.
- Click the column to sort in ascending order.
- Click the column a second time to sort in descending order.
- Click the column a third time to return to default sorting.
Or, use the More menu:
- At the top of the column, hover to reveal the More menu icon. Click it to open the More menu.
- Select your sort method.
Sorting works on alphanumeric strings, floats, integers, and timestamps.
Searching For Events
At the top of the Events Explorer widget, find the search bar. Entering text in the search bar returns Events Explorer results that match the entry. Some useful searches include:
- Searching by subject name.
- Searching for events by event title.
- Searching for keywords contained within the event's data.
To search by text string:
- From an open workspace, at the top of an Events Explorer widget, click the magnifying glass icon (🔍).
- Type a keyword into the search field.
- Press the ENTER key, or wait a moment for Workstation to return results. Any data fields that matched your search term are displayed as a column on the Events Explorer widget.
Workstation datasets are usually extremely large. Broad keyword matching can take a moment to compile a full list of events.
More detailed search facets applied to the events stream can help hone results faster.