Searching for events using conditions specified in an IOC or YAML file
When creating an IOC file, review the list of IOC terms that you can use to search for events in the Threat Hunting section. You can view the list of supported IOC terms by downloading the file from the link below.
IOC terms for searching events in the Threat Hunting section
To search for events using conditions specified in an IOC or YAML file:
- Select the Threat Hunting section in the application web interface window.
This opens the event search form.
- Click Import.
This opens the file selection window.
- Select the file that you want to upload and click Open.
The file is uploaded.
On the Source code tab, the form containing event search conditions will display the conditions defined in the uploaded file.
You can search for events that match these conditions. You can also change the conditions defined in an uploaded file, or add event search conditions in source code mode.
- If you want to search events that occurred during a specific period, click the Any time button and select one of the following event search periods:
- Any time if you want the table to display events found as far back as the records go.
- Last hour if you want the table to display events that were found during the last hour.
- Last day if you want the table to display events found during the last day.
- Custom range if you want the table to display events found during the period you specify.
- If you have selected the Custom range display period for found events:
- In the calendar that opens, specify the start and end dates of the event display range.
- Click Apply.
The calendar closes.
- Click Search.
An event table is displayed that corresponds to criteria specified in the uploaded file.