Searching events in source code mode
To define event search conditions in source code mode:
- In the application web interface window, select the Threat Hunting section, Source code tab.
This opens a form containing the field for entering event search conditions in source code mode.
- Enter the event search conditions using criteria, operators, the logical operators OR and AND, and parentheses to group conditions. A search condition must conform to the following syntax:
<criterion> <operator> <criterion value>
Example:
EventType == 'filechange' AND
(
(
FileName == '*example*' OR
DllName == '*example*' OR
DroppedName == '*example*' OR
BlockedName == '*example*' OR
InterpretedFileName == '*example*' OR
InterpretedFiles.FileName == '*example*' OR
TargetName == '*example*' OR
HandleSourceName == '*example*' OR
HandleTargetName == '*example*'
) OR
UserName == '*example*'
)
You can use the autocomplete feature. To do so, place the cursor in the query line and press Ctrl+Space.
- If you want to search events that occurred during a specific period, click the Any time button and select one of the following event search periods:
- Any time if you want the table to display events found as far back as the records go.
- Last hour if you want the table to display events that were found during the last hour.
- Last day if you want the table to display events found during the last day.
- Custom range if you want the table to display events found during the period you specify.
- If you selected Custom range:
- In the calendar that opens, specify the start and end dates of the event display range.
- Click Apply.
The calendar closes.
- Click Search.
The table of events that satisfy the search criteria is displayed.
If you are using the distributed solution and multitenancy mode, found events are grouped in tiers: Server – Tenant names – Server names.
- Click the name of the server for which you want to view events.
The table of events of the selected server is displayed. Event grouping levels are displayed above the table.
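To make the syntax above concrete, here is an added Python example that parses queries of the form <criterion> <operator> <criterion value> joined with AND, OR and parentheses, and runs the page's own example query against a few constructed events. It is not the product's query engine, whose matching rules this page does not document. It assumes that '*' is a wildcard, that matching ignores case, that AND binds tighter than OR when no parentheses are written, that a '!=' operator exists alongside the '==' the page shows, and that a missing field matches neither operator; the function names (tokenize, Parser, lookup, evaluate, search) and the sample events are this example's own.

```python
import fnmatch
import re

# Added example, not the product's own engine. Assumptions: '*' is a wildcard, matching
# ignores case, AND binds tighter than OR, and '!=' exists alongside the '==' the page shows.
TOKEN_RE = re.compile(r"\s*(?:(?P<lparen>\()|(?P<rparen>\))|(?P<op>==|!=)|(?P<logic>AND|OR)\b"
                      r"|(?P<string>'[^']*')|(?P<ident>[A-Za-z_][A-Za-z0-9_.]*))")

def tokenize(query):
    """Turn a query into (kind, text) tokens; anything unknown is a syntax error."""
    tokens, pos = [], 0
    while pos < len(query) and not query[pos:].isspace():
        m = TOKEN_RE.match(query, pos)
        if not m:
            raise ValueError(f"unexpected input at offset {pos}: {query[pos:pos + 10]!r}")
        tokens.append((m.lastgroup, m.group(m.lastgroup)))
        pos = m.end()
    return tokens

class Parser:
    """expr := term (OR term)* ; term := factor (AND factor)* ; factor := '(' expr ')' | ident op string"""
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self, kind):
        k, t = self.peek()
        if k != kind:
            raise ValueError(f"expected {kind or 'end of query'}, got {t!r}")
        self.i += 1
        return t

    def parse(self):
        node, _ = self.expr(), self.take(None)  # take(None) insists on end of input
        return node

    def expr(self):
        node = self.term()
        while self.peek() == ("logic", "OR"):
            self.i += 1
            node = ("OR", node, self.term())
        return node

    def term(self):
        node = self.factor()
        while self.peek() == ("logic", "AND"):
            self.i += 1
            node = ("AND", node, self.factor())
        return node

    def factor(self):
        if self.peek()[0] == "lparen":
            self.i += 1
            node = self.expr()
            self.take("rparen")
            return node
        field, op = self.take("ident"), self.take("op")
        return (op, field, self.take("string")[1:-1])  # strip the quotes

def lookup(event, dotted):
    """Resolve 'InterpretedFiles.FileName'-style paths; lists along the way yield every element."""
    values = [event]
    for part in dotted.split("."):
        values = [item[part] for v in values for item in (v if isinstance(v, list) else [v])
                  if isinstance(item, dict) and part in item]
    return [str(x) for v in values for x in (v if isinstance(v, list) else [v])]

def evaluate(node, event):
    if node[0] == "AND":
        return evaluate(node[1], event) and evaluate(node[2], event)
    if node[0] == "OR":
        return evaluate(node[1], event) or evaluate(node[2], event)
    op, field, pattern = node
    actual = lookup(event, field)
    hit = any(fnmatch.fnmatchcase(v.lower(), pattern.lower()) for v in actual)
    return hit if op == "==" else (bool(actual) and not hit)  # a missing field matches neither

def search(query, events):
    """Return the ids of the events the query selects, in input order."""
    tree = Parser(tokenize(query)).parse()
    return [e["id"] for e in events if evaluate(tree, e)]

# The page's example query, and constructed sample events (not real telemetry).
PAGE_QUERY = """EventType == 'filechange' AND
((FileName == '*example*' OR DllName == '*example*' OR DroppedName == '*example*' OR
  BlockedName == '*example*' OR InterpretedFileName == '*example*' OR
  InterpretedFiles.FileName == '*example*' OR TargetName == '*example*' OR
  HandleSourceName == '*example*' OR HandleTargetName == '*example*') OR
 UserName == '*example*')"""

SAMPLE_EVENTS = [
    {"id": 1, "EventType": "filechange", "FileName": r"C:\Temp\example.exe", "UserName": "alice"},
    {"id": 2, "EventType": "filechange", "FileName": "notes.txt", "UserName": "example_user"},
    {"id": 3, "EventType": "filechange", "InterpretedFiles": [{"FileName": "a.ps1"}, {"FileName": "Example.vbs"}]},
    {"id": 4, "EventType": "process", "FileName": "example.exe", "UserName": "example_user"},
    {"id": 5, "EventType": "filechange", "FileName": "report.docx", "UserName": "bob"},
]
```

Running search(PAGE_QUERY, SAMPLE_EVENTS) selects events 1, 2 and 3: the first through FileName, the second through UserName, the third through the nested InterpretedFiles.FileName list. Event 4 is excluded by EventType even though its names match, which is the point of the outer AND. Dropping the parentheses from the page's query would change its meaning under the assumed precedence, so grouping with parentheses, as the page's example does, is the safe habit.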