Articles in this section

See more

Polygraph Diff Selector and Search

Diff Selector

You can use the Lacework Polygraph Diff filter mceclip0.png to compare events from two different hours.

  • The Diff filter is located in the upper right-hand corner of the Polygraph.
  • When the filter is in the default state, select the initial hour in the timeline at the bottom of the Polygraph by clicking the area above the hour. This highlights the area with a blue bar.
  • Mouse-over the Diff filter and select one of the following view types to display.
    • Show Graph Union—This option displays three things for the events. Blue lines represent the initial hour selected, purple lines represent the hour being compared, and gray shows the events the hours being compared had in common.
    • Show Graph Intersection—This option displays only the events the hours being compared had in common.
    • Show Graph Difference—This option only displays the events respective to the hours being compared. The blue lines represent the initial hour selected and purple lines represent the hour being compared.

When viewing one of these filters, you can click another hour in the timeline at the bottom of the Polygraph to change the hour being compared. This highlights the area with a purple bar.

Search

The event names highlighted in purple are those that match your search criteria.

The Polygraph search function supports the following types of queries:

Always capitalize operators such as AND and OR.

  • alice Must contain "alice"
  • -alice Must not contain "alice"
  • (alice) Must contain "alice"
  • (-alice) Must not contain "alice"
  • alice bob Must contain both "alice" and "bob"
  • ((alice bob) OR (charlie david)) Must contain both "alice" and "bob" or must contain both "charlie" and "david"
  • ((alice AND bob) OR (charlie AND david)) Must contain both "alice" and "bob" or must contain both "charlie" and "david"
  • (alice AND bob) OR (-charlie) Must contain both "alice" and "bob" or must not contain "charlie"

A not expression may hide nodes, but a not expression with another expression shows the node, but not highlight it if it is connected to a highlighted node. See the following examples:

-api hides the "api" nodes

-api AND python highlights a "python" node and the "api" nodes that are connected to it remain visible