Searching events in source code mode
8 November 2023
ID 247637
To define event search conditions in source code mode:
- Select the Threat Hunting section, Source code tab in the application web interface window.
This opens a form containing the field for entering event search conditions in source code mode.
- Enter the event search conditions using commands, the logical operators OR and AND, and parentheses for creating groups of conditions. Commands must match the following syntax:
  <field type> <comparison operator> <field value>
  Example:
  EventType = "filechange"
  AND (
  FileName CONTAINS "example"
  OR UserName = "example"
  )
- If you want to search events that occurred during a specific period, click the Any time button and select one of the following event search periods:
  - Any time if you want the table to display events found as far back as the records go.
  - Last hour if you want the table to display events that were found during the last hour.
  - Last day if you want the table to display events found during the last day.
  - Custom range if you want the table to display events found during the period you specify.
- If you selected Custom range:
  - In the calendar that opens, specify the start and end dates of the event display range.
  - Click Apply.
  The calendar closes.
- Click Search.
The table of events that satisfy the search criteria is displayed.
If you are using the distributed solution and multitenancy mode, found events are grouped in tiers: Server – Tenant names – Server names.
- Click the name of the server for which you want to view events.
The host table of the selected server is displayed. Event grouping levels are displayed above the table.
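As an added illustration of the condition syntax described above (field, comparison operator, quoted value, combined with AND, OR and parentheses), the following Python program parses such a condition and evaluates it against a handful of constructed events. This is example code written for this page, not Kaspersky's own query engine, and it makes several assumptions that the page does not state: the operator set is limited to = and CONTAINS, matching is exact and case-sensitive, AND binds tighter than OR, and the event records and their field values are made up.

```python
import re

# Constructed sample events (not from the original page). Field names follow
# the page's example: EventType, FileName, UserName.
SAMPLE_EVENTS = [
    {"EventType": "filechange", "FileName": "C:\\temp\\example.txt", "UserName": "alice"},
    {"EventType": "filechange", "FileName": "C:\\temp\\report.docx", "UserName": "example"},
    {"EventType": "filechange", "FileName": "C:\\temp\\report.docx", "UserName": "bob"},
    {"EventType": "process", "FileName": "example.exe", "UserName": "alice"},
]

# The page's own example condition, written exactly as shown there.
PAGE_QUERY = '''
EventType = "filechange"
AND (
FileName CONTAINS "example"
OR UserName = "example"
)
'''

# Assumed keyword set; the page only shows AND, OR and CONTAINS.
KEYWORDS = {"AND", "OR", "CONTAINS"}

# One regex, one alternative per token kind: ( ) "string" = word
TOKEN_RE = re.compile(r'(\()|(\))|"([^"]*)"|(=)|([A-Za-z_][A-Za-z0-9_]*)')
TOKEN_KINDS = ("LPAREN", "RPAREN", "STRING", "OP", "WORD")


def tokenize(query):
    """Split a condition into (kind, value) tokens; reject anything unknown."""
    tokens, pos = [], 0
    while pos < len(query):
        if query[pos].isspace():
            pos += 1
            continue
        m = TOKEN_RE.match(query, pos)
        if not m:
            raise ValueError(f"unexpected character {query[pos]!r} at offset {pos}")
        kind, value = TOKEN_KINDS[m.lastindex - 1], m.group(m.lastindex)
        if kind == "WORD" and value.upper() in KEYWORDS:
            kind, value = "KW", value.upper()
        tokens.append((kind, value))
        pos = m.end()
    return tokens


class Parser:
    """Recursive descent: or_expr := and_expr (OR and_expr)*;
    and_expr := atom (AND atom)*; atom := '(' or_expr ')' | field op "value"."""

    def __init__(self, tokens):
        self.tokens, self.i = tokens, 0

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else (None, None)

    def take(self, kind=None):
        got_kind, value = self.peek()
        if got_kind is None or (kind is not None and got_kind != kind):
            raise ValueError(f"expected {kind or 'a token'}, got {got_kind} {value!r}")
        self.i += 1
        return value

    def parse(self):
        tree = self.parse_or()
        if self.peek()[0] is not None:  # trailing garbage, e.g. an extra ')'
            raise ValueError(f"unexpected token {self.peek()[1]!r}")
        return tree

    def parse_or(self):
        left = self.parse_and()
        while self.peek() == ("KW", "OR"):
            self.take()
            left = ("OR", left, self.parse_and())
        return left

    def parse_and(self):
        left = self.parse_atom()
        while self.peek() == ("KW", "AND"):
            self.take()
            left = ("AND", left, self.parse_atom())
        return left

    def parse_atom(self):
        if self.peek()[0] == "LPAREN":
            self.take()
            inner = self.parse_or()
            self.take("RPAREN")
            return inner
        field = self.take("WORD")
        kind, op = self.peek()
        if kind == "OP" or (kind, op) == ("KW", "CONTAINS"):
            self.take()
        else:
            raise ValueError(f"expected a comparison operator after {field!r}")
        return ("CMP", field, op, self.take("STRING"))


def evaluate(node, event):
    """Evaluate a parsed condition tree against one event record."""
    if node[0] == "AND":
        return evaluate(node[1], event) and evaluate(node[2], event)
    if node[0] == "OR":
        return evaluate(node[1], event) or evaluate(node[2], event)
    _, field, op, value = node
    actual = str(event.get(field, ""))  # missing field compares as empty string (assumption)
    return actual == value if op == "=" else value in actual


def search(query, events=SAMPLE_EVENTS):
    """Return the events matching the condition, in their original order."""
    tree = Parser(tokenize(query)).parse()
    return [e for e in events if evaluate(tree, e)]


if __name__ == "__main__":
    for event in search(PAGE_QUERY):
        print(event)
```

Because parsing is separated from evaluation, a malformed condition (an unbalanced parenthesis, a missing operator, an unquoted value) is rejected with a ValueError before any event is examined, which is the behaviour you want from any query front end that accepts analyst input.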