Searching Watson for multiple indicator types

Search Watson™ to view information and find evidence on multiple indicator types and reference sets.

Before you begin

You must have QRadar® administrator privileges to search in all domains and to create other user roles and assign domains.

Click Search Watson to start a search.
Tip: The Search Watson icon is located next to the QRadar Assistant icon on the menu bar.
Tip: In the dark theme UI (QRadar Advisor with Watson 2.6.0 and QRadar Analyst Workflow 1.2.0), the Search Watson button is on the Watson Investigations page.
(Figure: Search button in dark theme UI 2.6.0)

About this task

You can initiate a multiple indicator search by adding multiple indicators and selecting reference sets. To initiate a single indicator quick search, see Searching Watson for single indicator types.

Procedure

  1. Click Search Watson to open the Search Watson pane.
  2. To initiate a multiple indicator search with specific indicators or by using reference sets, click Specify Indicators.
    (Figure: Specify Indicators)
  3. In the Search title field, enter a name for the search so that you can identify the search on the Watson Investigations page.
  4. Set the local context time frame date and time to investigate observables in your local QRadar that were discovered during the selected time frame.
  5. Select one or more domains. If you select more than one domain, the investigation is limited to the events that are coming from the selected domains. Each domain that you select creates a separate investigation on the Incident Overview page. Each domain that you select for investigation counts against your daily quota.
    Tip:

    To use the multitenant aspect of search, you must create different domains with user roles and tenants to occupy that domain in QRadar. For more information, see Multitenant Management.

    After you create domains, you can assign other users access to QRadar Advisor with Watson in User Roles in QRadar. The assigned users can then run searches by logging in to a different domain.

  6. In the Select Search Type section, you can select from the following search types:
    • Click Reference Set, select reference sets from the list, and then click Add. You can add as many reference sets as you want.
    • Click Multiple Indicators, enter an indicator type, and then click Add. You can enter multiple indicators as comma-separated or space-separated values, or you can copy and paste multiple lines of text from a text editor. You can add as many indicators as you want.
  7. Click Start to run the investigation. The investigation can take several minutes to return results.
    (Figure: Reference Set multiple indicator search)
  8. Click the completed investigation on the Watson Investigations page to view the results of the analysis.
  9. Click Graph Relationships to see the results on the knowledge graph.
  10. If something changed, click Reinvestigate to start another investigation.
    Reinvestigating counts against your daily quota.
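The Multiple Indicators box in step 6 accepts comma-separated, space-separated, or pasted multi-line text. The following Python helper is an added example, not code from IBM or from the QRadar Advisor with Watson product: it normalizes such pasted text into a unique, ordered list before you add it to a search, and groups the values by a simple indicator-type heuristic (IPv4 address, MD5/SHA-1/SHA-256 hash by hex length, domain name) so that stray or malformed entries are visible before they consume quota. The sample input and the classification rules are assumptions made for this example.

```python
import re

# Constructed sample of text as a user might paste it from a text editor.
# Addresses are RFC 5737 documentation ranges, the domain is reserved, and
# the hash is a made-up 32-character hex string (not a real indicator).
SAMPLE_INPUT = """192.0.2.10, 192.0.2.11 example.com
198.51.100.5
192.0.2.10
00112233445566778899aabbccddeeff
"""

# Any run of commas and/or whitespace (spaces, tabs, newlines) separates indicators.
_SPLIT_RE = re.compile(r"[,\s]+")

# Heuristic patterns assumed for this example; the product's own validation may differ.
_IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
_HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
_DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)
_HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def split_indicators(text):
    """Split pasted text into unique indicators, keeping first-seen order."""
    seen = {}
    for token in _SPLIT_RE.split(text):
        token = token.strip()
        if token:
            seen.setdefault(token, None)  # dict preserves insertion order
    return list(seen)


def classify(indicator):
    """Return a coarse indicator type: ipv4, md5, sha1, sha256, domain or unknown."""
    if _IPV4_RE.match(indicator) and all(0 <= int(o) <= 255 for o in indicator.split(".")):
        return "ipv4"
    if _HEX_RE.match(indicator) and len(indicator) in _HASH_LENGTHS:
        return _HASH_LENGTHS[len(indicator)]
    if _DOMAIN_RE.match(indicator):
        return "domain"
    return "unknown"


def prepare_search_list(text):
    """Group the unique indicators from pasted text by detected type."""
    grouped = {}
    for indicator in split_indicators(text):
        grouped.setdefault(classify(indicator), []).append(indicator)
    return grouped


if __name__ == "__main__":
    for kind, values in prepare_search_list(SAMPLE_INPUT).items():
        print(f"{kind}: {', '.join(values)}")
```

Review the "unknown" group before clicking Add; duplicates are dropped so that each value is investigated once.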