Searching events in source code mode
Searching events in source code mode
8 November 2023
ID 247637
To define event search conditions in source code mode:
- Select the Threat Hunting section, Source code tab in the application web interface window.
This opens a form containing the field for entering event search conditions in source code mode.
- Enter the event search conditions using commands, the logical operators
ORandAND, and parentheses for creating groups of conditions.Commands must match the following syntax:
<field type> <comparison operator> <field value>.Example:
EventType = "filechange"AND (FileName CONTAINS "example"OR UserName = "example") - If you want to search events that occurred during a specific period, click the Any time button and select one of the following event search periods:
- Any time if you want the table to display events found as far back as the records go.
- Last hour if you want the table to display events that were found during the last hour.
- Last day if you want the table to display events found during the last day.
- Custom range if you want the table to display events found during the period you specify.
- If you selected Custom range:
- In the calendar that opens, specify the start and end dates of the event display range.
- Click Apply.
The calendar closes.
- Click Search.
The table of events that satisfy the search criteria is displayed.
If you are using the distributed solution and multitenancy mode, found events are grouped in tiers: Server – Tenant names – Server names.
- Click the name of the server for which you want to view events.
The host table of the selected server is displayed. Event grouping levels are displayed above the table.
Did you find this article helpful?
What can we do better?
Thank you for your feedback! You're helping us improve.
Thank you for your feedback! You're helping us improve.
