Events database threat hunting

When managing the application web interface, you can generate search queries and use IOC and YAML files to search the events database for threats, for tenants to whose data you have access.

To form search queries through the events database, you can use builder mode or source code mode.

In builder mode, you can create and modify search queries using drop-down lists with options for the type of field value and operators.

In source code mode, you can create and modify search queries using text commands.

You can upload an IOC file or a YAML file with a Sigma rule and search for events in accordance with the conditions specified in this file.

Users with the Senior security officer, Security officer roles can also create TAA (IOA) rules based on event search conditions.

In this section Searching events in design mode Searching for events in source code mode Conversion to a query to search events in source code mode Event search criteria Operators Sorting events in the table Changing the event search conditions Searching for events by processing results in EPP applications Searching for events using conditions specified in an IOC or YAML file Creating a TAA (IOA) rule based on event search conditions

Page top