The event list contains details about the events. You can also open an event details window. The event details window provides all the information about the event.
To open event details:
1. In the main menu, go to MONITORING & REPORTING → THREAT HUNTING, and then run a query.
2. Click the table row with the event.
A window with details about the event opens.
Clicking a value in the event details or in the event table opens a context menu with a list of actions. For each value, the following actions are available:
- Copy the value to the clipboard.
- Add the column to the event list, or remove it from the event list.
- Add the value to the query. The event list will be filtered by this value.
- Delete the value from the query. Events will no longer be filtered by this field.
- Create a new query with the value.
In addition, for the SID, UserName, IP, MD5, URL, and Domain object types, the Go to related incidents action is available. Clicking this link opens a list of incidents that are related to the value of the selected event field. The list of incidents opens in the Incidents section.
To view a list of related incidents:
1. Go to MONITORING & REPORTING → THREAT HUNTING and run a query.
2. Open the event details and click the value to open the context menu. You can also open the context menu by clicking the value in the event table.
3. In the context menu of the selected value, click the Go to related incidents button.
A list of related incidents is displayed.
Viewing related incidents is available only for objects of the SID, UserName, IP, MD5, URL, and Domain data types.
The enrich.hunts.names field contains the names of the IOA rules that were triggered by the event. Clicking a link in this field opens a window with details about the triggered custom rule.
IOA rule: a rule containing the description of a suspicious activity in the system that could be a sign of a targeted attack.
From the event details, you can view a tree of events by clicking the corresponding button.
The tree of events is a graph that presents information about events that are connected with this event.