Building and running queries for threat hunting

March 20, 2024

ID 221318

You can build queries to search the event database for threats. A simple query is a search condition that consists of an event field, a condition, and a value. A query can contain one or several search conditions.

Building queries

You can choose one of the following ways to build a query:

  • Enter the event search conditions in the query search box.
  • Click the event fields from the suggested list of event fields in the Help tab, and then add conditions and values. Selected event fields automatically appear in the query search box.

Search queries are built using a specific syntax. For example, you can combine several conditions by using the logical operators OR and AND, and use parentheses to group conditions.

Running queries

To run a query:

  1. Set the time range if you want to search for events that occurred during a specific period. By default, the table contains events that have occurred during the last hour.

    To change the time range, click the Last hour button, and then select one of the following time ranges:

    • Last hour, if you want to view events that were found during the last hour.
    • Last day, if you want to view events found during the last day.
    • All the time, if you want to view events found for any period of time.
    • Custom range, if you want to view events found during a specific time range.
  2. If you selected Custom range:
    1. In the calendars that open, specify the start and end date and time of the event display range.
    2. Click the Apply button.

    The calendars close.

  3. Click the Apply time range button to save the specified time range.

    The window for specifying the time range closes.

  4. Click the Run query button.

The list of events that satisfy the search criteria is displayed. You are automatically switched to the Events tab. You can modify the query or save the query as a custom IOA rule.
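As an added example (not code from this help page or from the product), the Python snippet below evaluates queries of the kind described above, search conditions made of a field, a condition and a value, joined with AND and OR and grouped with parentheses, over constructed sample events after a time range filter. The operator set (=, !=, CONTAINS), the double-quoted values, the field names and the rule that AND binds tighter than OR are assumptions of this example, not the product's syntax; it is meant to show how grouping changes which events match.

```python
import re
from datetime import datetime
# Constructed sample events for the demo (not real telemetry); field names are assumptions.
EVENTS = [
    {"Time": "2024-03-20T10:05:00", "EventType": "ProcessStart", "FileName": "powershell.exe"},
    {"Time": "2024-03-20T10:20:00", "EventType": "ProcessStart", "FileName": "cmd.exe"},
    {"Time": "2024-03-19T09:00:00", "EventType": "ProcessStart", "FileName": "powershell.exe"},
    {"Time": "2024-03-20T10:30:00", "EventType": "FileCreate", "FileName": "powershell.exe"},
]
# Assumed syntax: Field (= | != | CONTAINS) "value", joined with AND / OR, grouped by ( ).
TOKEN = re.compile(r'\(|\)|\bAND\b|\bOR\b|(\w+)\s*(=|!=|CONTAINS)\s*"([^"]*)"')
# How one search condition compares the event field (a) with the query value (b).
OPS = {"=": lambda a, b: a == b, "!=": lambda a, b: a != b, "CONTAINS": lambda a, b: b in str(a)}

def compile_query(query):
    """Parse a query into a predicate event -> bool. Convention: AND binds tighter than OR."""
    toks = [(m.group(0), m.groups()) for m in TOKEN.finditer(query)] + [("<end>", (None,) * 3)]
    pos = 0
    def take(expected=None):            # consume the next token, optionally checking it
        nonlocal pos
        text, groups = toks[pos]
        if expected is not None and text != expected:
            raise ValueError(f"expected {expected!r}, got {text!r}")
        pos = min(pos + 1, len(toks) - 1)   # never step past the <end> sentinel
        return text, groups
    def factor():                       # "(" expr ")" | one search condition
        text, (field, op, value) = take()
        if text == "(":
            inner = expr()
            take(")")                   # parentheses override the AND/OR precedence
            return inner
        if field is None:
            raise ValueError(f"unexpected token {text!r}")
        return lambda e: OPS[op](e.get(field, ""), value)
    def chain(sub, keyword, combine):   # sub (keyword sub)* -> one combined predicate
        parts = [sub()]
        while toks[pos][0] == keyword:
            take()
            parts.append(sub())
        return lambda e: combine(p(e) for p in parts)
    def term(): return chain(factor, "AND", all)
    def expr(): return chain(term, "OR", any)
    pred = expr()
    take("<end>")                       # anything left over is a syntax error
    return pred

def run_query(query, events=EVENTS, since=None):   # time range (ISO string) first, then the query
    pred, start = compile_query(query), since and datetime.fromisoformat(since)
    return [e for e in events
            if (start is None or datetime.fromisoformat(e["Time"]) >= start) and pred(e)]
```

Note that `A OR B AND C` and `(A OR B) AND C` return different result sets; when a query mixes both operators, group the conditions explicitly rather than relying on precedence.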
