Searching events in source code mode

To define event search conditions in source code mode:

1. Select the Threat Hunting section, Source code tab in the program web interface window.

   This opens a form containing the field for entering event search conditions in source code mode.

2. Enter the event search conditions using commands, the logical operators OR and AND, and parentheses for creating groups of conditions.

   Commands must match the following syntax: <field type> <comparison operator> <field value>.

   Example: EventType = "filechange" AND ( FileName CONTAINS "example" OR UserName = "example" )

3. If you want to search events that occurred during a specific period, click the Any time button and select one of the following event search periods:
   • Any time, if you want the table to display events found for any period of time.
   • Last hour, if you want the table to display events that were found during the last hour.
   • Last day, if you want the table to display events found during the last day.
   • Custom range, if you want the table to display events found during the period you specify.
4. If you have selected the Custom range display period for found events:
   1. In the calendar that opens, specify the start and end dates of the event display range.
   2. Click Apply.

   The calendar closes.

5. Click Search.

The table of events that satisfy the search criteria is displayed.

See also Events database threat hunting Searching events in design mode Changing the event search conditions Searching events by processing results in EPP programs Uploading an IOC file and searching for events based on conditions defined in the IOC file Creating a user-defined TAA (IOA) rule based on event search conditions

Page top