Searching events in source code mode

To define event search conditions in source code mode:

Select the Threat Hunting section, Source code tab in the program web interface window.
This opens a form containing the field for entering event search conditions in source code mode.
Enter the event search conditions using commands, the logical operators OR and AND, and parentheses for creating groups of conditions.
Commands must match the following syntax: <field type> <comparison operator> <field value>.

Example:

EventType = "filechange"

AND (

FileName CONTAINS "example"

OR UserName = "example"

)
If you want to search events that occurred during a specific period, click the Any time button and select one of the following event search periods:
- Any time, if you want the table to display events found for any period of time.
- Last hour, if you want the table to display events that were found during the last hour.
- Last day, if you want the table to display events found during the last day.
- Custom range, if you want the table to display events found during the period you specify.
If you selected Custom range:
1. In the calendar that opens, specify the start and end dates of the event display range.
2. Click Apply.
The calendar closes.
Click Search.
The table of events that satisfy the search criteria is displayed.

If you are using the distributed solution mode, grouping tiers of found events are displayed: Server – Organization names – Server names.
Click the name of the server for which you want to view events.

The host table of the selected server is displayed. Event grouping levels are displayed above the table.