In the program web interface window, select the Threat Hunting section, then the Builder tab.
The event search form opens.
In the drop-down list, select the search criterion (the event field to compare) from one of the following groups:
General details.
TAA properties.
File properties.
Process started.
Remote connection.
Registry modified.
Windows Log event.
Host name changed.
Detect and processing result.
Console interactive input.
In the drop-down list, select one of the following comparison operators:
=
!=
CONTAINS
!CONTAINS
STARTS
!STARTS
ENDS
!ENDS
>
<
Each field value type has its own set of applicable comparison operators. For example, if a field of the EventType value type is selected, only the = and != operators are available.
Depending on the selected field value type, do one of the following:
In the text field, enter one or more characters to search for. The = and != operators compare the whole value; CONTAINS, STARTS and ENDS compare a substring, prefix or suffix, and the ! prefix negates the operator.
In the drop-down list, select the field value to search for.
For example, to search for an exact match on a user name, select the user name field, the = operator, and enter the user name.
To add another condition, select the AND or OR logical operator and repeat the steps for adding a condition.
To add a group of conditions (conditions combined with their own logical operator and evaluated together), click the Group button and repeat the steps for adding conditions inside the group.
To delete a group of conditions, click the Remove group button.
If you want to search events that occurred during a specific period, in the Any time drop-down list select one of the following event search periods:
Any time, if you want the table to display events found for any period of time.
Last hour, if you want the table to display events that were found during the last hour.
Last day, if you want the table to display events found during the last day.
Custom range, if you want the table to display events found during the period you specify.
If you selected Custom range:
In the calendar that opens, specify the start and end dates of the range.
Click Apply.
The calendar closes.
Click Search.
The table of events that satisfy the search criteria is displayed.
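The procedure above only describes clicking the form together, so it is easy to misjudge how a nested group or a negated operator actually filters events. The following Python script is an added example, not code from the program or its vendor: it implements the Builder semantics described on this page (the ten comparison operators, per-field-type operator availability, AND/OR groups that can be nested, and the four search periods) as a small evaluator and runs it over a handful of constructed events. The event field names (EventType, UserName, FileName, RemotePort, Timestamp), the mapping of fields to value types, and the case-sensitive string comparison are assumptions for the example; the real product's field schema and matching rules may differ.

```python
"""Reference evaluator for Builder-style event search conditions (added example)."""
from datetime import datetime, timedelta, timezone

# Fixed "now" so the Last hour / Last day periods give deterministic results.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)

# Constructed sample events; the field names are hypothetical, not the product's schema.
SAMPLE_EVENTS = [
    {"EventType": "Process started", "UserName": "alice", "FileName": "cmd.exe",
     "RemotePort": 0, "Timestamp": NOW - timedelta(minutes=30)},
    {"EventType": "Remote connection", "UserName": "alice", "FileName": "powershell.exe",
     "RemotePort": 4444, "Timestamp": NOW - timedelta(hours=5)},
    {"EventType": "Remote connection", "UserName": "svc_backup", "FileName": "backup.exe",
     "RemotePort": 443, "Timestamp": NOW - timedelta(days=3)},
    {"EventType": "Registry modified", "UserName": "bob", "FileName": "reg.exe",
     "RemotePort": 0, "Timestamp": NOW - timedelta(minutes=5)},
]

# Assumed field -> value type mapping. The value type decides which operators the form offers.
FIELD_TYPES = {"EventType": "enum", "UserName": "string", "FileName": "string", "RemotePort": "number"}
ALLOWED_OPERATORS = {
    "enum": {"=", "!="},                                   # e.g. EventType: only = and !=
    "string": {"=", "!=", "CONTAINS", "!CONTAINS", "STARTS", "!STARTS", "ENDS", "!ENDS"},
    "number": {"=", "!=", ">", "<"},
}
# Operator semantics: = / != compare the whole value, the others a substring, prefix or suffix
# (case-sensitive here, an assumption), and "!" negates. > and < are numeric comparisons.
OPERATORS = {
    "=": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    "CONTAINS": lambda a, b: b in a,
    "!CONTAINS": lambda a, b: b not in a,
    "STARTS": lambda a, b: a.startswith(b),
    "!STARTS": lambda a, b: not a.startswith(b),
    "ENDS": lambda a, b: a.endswith(b),
    "!ENDS": lambda a, b: not a.endswith(b),
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}


def operator_available(field, op):
    """True if the form would offer this operator for the field's value type."""
    return op in ALLOWED_OPERATORS[FIELD_TYPES[field]]


class Condition:
    """One row of the form: field, comparison operator, value."""
    def __init__(self, field, op, value):
        if not operator_available(field, op):
            raise ValueError(f"operator {op} is not available for field {field}")
        self.field, self.op, self.value = field, op, value

    def matches(self, event):
        return OPERATORS[self.op](event[self.field], self.value)


class Group:
    """A group of conditions (or nested groups) joined by a single AND or OR."""
    def __init__(self, logic, *items):
        if logic not in ("AND", "OR"):
            raise ValueError("logic must be AND or OR")
        self.logic, self.items = logic, items

    def matches(self, event):
        results = [item.matches(event) for item in self.items]
        return all(results) if self.logic == "AND" else any(results)


def in_period(event, period, start=None, end=None, now=NOW):
    """Apply the period selected in the Any time drop-down list."""
    ts = event["Timestamp"]
    if period == "Any time":
        return True
    if period == "Last hour":
        return ts >= now - timedelta(hours=1)
    if period == "Last day":
        return ts >= now - timedelta(days=1)
    if period == "Custom range":
        return start <= ts <= end
    raise ValueError(f"unknown period {period}")


def search(events, query, period="Any time", start=None, end=None):
    """Return the events that fall in the period and satisfy the condition tree."""
    return [e for e in events if in_period(e, period, start, end) and query.matches(e)]


def example_query():
    # UserName = alice AND (FileName ENDS powershell.exe OR RemotePort > 1024)
    return Group("AND",
                 Condition("UserName", "=", "alice"),
                 Group("OR",
                       Condition("FileName", "ENDS", "powershell.exe"),
                       Condition("RemotePort", ">", 1024)))


if __name__ == "__main__":
    for period in ("Any time", "Last hour", "Last day"):
        hits = search(SAMPLE_EVENTS, example_query(), period)
        print(period, [h["FileName"] for h in hits])
```

Note how the inner Group changes the result: without it, AND would require both the file name and the port condition to hold, whereas the grouped OR accepts an event that satisfies either one. The period filter is applied before the conditions, so the same query returns no rows under Last hour even though it matches one event under Last day.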