Skip to main content
Version: 2.17.X

Viewing Event Data

The Events Explorer Widget

Once data has been ingested into Workstation, there are generally two main methods for locating events:

  1. Use the Events Explorer widget to find ingested events.
  2. If Event Notifications have been configured, utilize the Notifications or Notifications Explorer widgets to view the event notifications.

Regardless of which widget the event comes from, drag the event or notification into another widget to view its data.

The Object Details Viewer is the primary widget used to view the latest information on an event, or see our list of Cogynt Workstation Widgets.

Finding Ingested Events

The Events Explorer widget presents a table of recently ingested events with the following columns visible by default:

IconEvent NameRisk ScoreOccurred
The icon, including color, used for the event set from the Data Ingestion Settings page.The title of the eventAn associated risk score as processed by Authoring/HCEP, if applicableThe timestamp of when the event occurred, if applicable.

Results are paginated. At the bottom right side of the Events Explorer widget, click the refresh button to reload events in the Events Explorer widget.

Viewing Events

Analysts can use the Events Explorer table to view some event details at a glance. Once events are identified for further review, they can be dragged into other widgets.

Each event in the table also includes the More menu (), and a clickable eye icon to send the event to either a new or already opened Object Details Viewer widget.

If multiple Object Details Viewer widgets are open, clicking the eye icon will reveal a sub-menu to select a specific Object Details Viewer to send the event to. Additionally, users can use CTRL + left click (for Mac, COMMAND + left click) to open events in a new tab, or SHIFT + left click to open events in a new window.

In the More menu (), users can also select from these options:

  • Open in New Browser Tab - Opens the selected event (or collection) in a new browser tab.
  • Copy Link - Copies a permalink URL of the event to your clipboard.
  • Open in New Viewer Widget - Opens a new Object Details Viewer widget that contains the select event's details.
  • Send to Viewer Widget - Select from any already opened Object Details Viewer widget.
  • Send to Another Workspace - Send to any Object Details Viewer inside of a workspace that the user has access to.
  • Manual Actions - Access the manual actions menu to perform a manual action, such as marking an event as "dismissed" or "in progress".
  • Add to Collection - Adds the selected event to any selected Collection, or a newly created Collection.
note

When a collection or event (referred below generally as object) is opened in a new tab, the following is true:

  • The object that has been opened has its own link that can be shared. This link is not permanent. For a permalink to the object, click the More menu () and select Copy Link.
  • All functionality typically available in either Collections Details Viewer or Event Details Viewer is available when opened in a new tab. This includes opening additional objects in a new tab.
  • The original object opened within a tab can open related objects within the same tab.
  • With a second object open, when a new object is opened from that second object, the tab will open the new object as though the page has been refreshed.
  • No more than two objects can be opened within the same tab.
  • Clicking the X button will result in different behavior depending on the situation. Clicking the X button of the originally opened object will close the tab. Clicking the X button on a newly opened object will close it.

Editing Events Explorer Columns

At the top right side of the widget, find the Fields icon. Click this icon to add or remove system and other fields by ticking or unticking the box next to each field.

The following system fields are possible to show or hide:

  • Core ID
  • Created
  • Event Name
  • Icon/Color
  • Occurred
  • Risk Score
  • Updated

Additionally, toggle all currently visible system fields on or off by ticking the System Fields box. Use Unselect All to unselect all other fields.

Pinning Columns

Pinning a column keeps it in place while scrolling through other system field columns.

To pin columns:

  1. In the Events Explorer widget, locate the column to pin.
  2. At the top of the column, hover to reveal the pin icon and click it to pin the column.
  3. Click the pin again to unpin the column.

Hiding Columns

Columns can be hidden to focus on other priority data fields, or simply to arrange and personalize a workspace.

To hide columns:

  1. In the Events Explorer widget, locate the column to hide.
  2. At the top of the column, hover to reveal the more menu icon and click it to open the more menu.
  3. Select Hide Column to hide the selected column.
  4. To unhide a column, use the system fields icon to add the unticked/hidden column.

Sorting Columns

Column values can be sorted in either ascending or descending order, affecting the display of columns.

To sort columns:

  1. In the Events Explorer widget, locate the column to sort.
  2. Click the column to sort by ascending order.
  3. Click the column a second time to sort by descending order.
  4. Click the column a third time to return to default sorting.

Or, use the More menu:

  1. At the top of the column, hover to reveal the More menu icon. Click it to open the More menu.
  2. Select your sort method.
note

Sorting will work on alphanumeric strings, floats, integers, and timestamps.

Searching For Events

At the top of the Events Explorer widget, find the search bar. Entering text in the search bar returns Events Explorer results that match the entry. Some useful searches include:

  • Searching by subject name.
  • Searching for events by event title.
  • Searching for keywords contained within the event's data.

To search by text string:

  1. From an open workspace, at the top of an Events Explorer widget, click the magnifying glass icon (🔍).
  2. Type a keyword into the search field.
  3. Wait a moment for Workstation to return results. Any data fields that matched your search term are displayed.
note

Workstation datasets are usually extremely large. Broad keyword matching can take a moment to compile a full list of events.

More detailed search facets applied to the events stream can help hone results faster.