When managing the application web interface, you can generate search queries and use IOC and YAML files to search the events database for threats, for tenants to whose data you have access.
To form search queries through the events database, you can use builder mode or source code mode.
In builder mode, you can create and modify search queries using drop-down lists with options for the type of field value and operators.
In source code mode, you can create and modify search queries using text commands.
You can upload an IOC file or a YAML file with a Sigma rule and search for events in accordance with the conditions specified in this file.
Users with the Senior security officer, Security officer roles can also create TAA (IOA) rules based on event search conditions.