Search Watson™ to view information and find evidence on a single indicator type.
Before you begin
You must have QRadar® administrator privileges to search in all domains and to create other user roles and assign domains.
Click Search Watson to start a search.
Tip: The Search Watson icon is located next to the QRadar Assistant icon.
Tip: In the dark theme UI (2.6.0), the Search Watson button is on the Watson Investigations page.
About this task
In addition to running a single indicator quick search, you can initiate a multiple indicator search by adding multiple indicators and selecting reference sets. For more information, see Searching Watson for multiple indicator types.
Procedure
- Click Search Watson to open the Search Watson pane.
- To initiate a quick search, enter one of the following indicator types in the Single Indicator Quick Search field:
  - URL
  - Domain
  - IP address. IP addresses in the private IP range, Google DNS, and OpenDNS IP addresses are not supported.
  - Hash. Supported hash types include MD5, SHA1, SHA256, and ssdeep.
  Tip: To restrict your search to a URL, type url: followed by the URL that you want to search, as in the following example: url:ibm.com. To restrict your search to a domain, type domain: followed by the domain that you want to search, as in the following example: domain:ibm.com.
  Your search returns the information that was found about the indicator.
- To continue with an in-depth search in your local QRadar instance and Watson, click Create Investigation.
- Set the local context time frame date and time to investigate observables in your local QRadar that were discovered during the selected time frame.
- Select one or more domains. If you select more than one domain, the investigation is limited to the events that are coming from the selected domains. Each domain that you select creates a separate investigation on the Incident Overview page. Each domain that you select for investigation counts against your daily quota.
  Tip: To use the multitenant aspect of search, you must create different domains with user roles and tenants to occupy that domain in QRadar. For more information, see Multitenant Management. After you create domains, you can assign other users access to QRadar Advisor with Watson in User Roles in QRadar. The assigned users can then run searches by logging in to a different domain.
- Click Start to run the investigation. The investigation can take several minutes to return results.
- Click the completed investigation on the Watson Investigations page to view the results of the analysis.
- Click Graph Relationships to see the results on the relationship graph.
- If something changed, click Reinvestigate to start another investigation. Reinvestigating counts against your daily quota.
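As an added example (not from the IBM documentation or the product), the following Python pre-check classifies a quick-search input into the indicator types listed in step 2 of the procedure and flags the address ranges the page says are not supported before an analyst spends quota on it. The concrete Google DNS and OpenDNS resolver addresses, the hex-length rule for MD5/SHA1/SHA256 and the ssdeep format are assumptions drawn from public knowledge, not values from the page.

```python
import ipaddress
import re

# Indicator types the Single Indicator Quick Search field accepts, per the page:
# URL, domain, IP address, hash (MD5, SHA1, SHA256, ssdeep).
HEX_HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
# ssdeep digests look like blocksize:hash1:hash2 (assumed format, not from the page).
SSDEEP_RE = re.compile(r"^\d+:[A-Za-z0-9+/]+:[A-Za-z0-9+/]*$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)

# The page says private-range, Google DNS and OpenDNS addresses are not supported.
# The resolver addresses below are an assumption from public knowledge; the page
# does not list them.
PUBLIC_RESOLVERS = {
    ipaddress.ip_address("8.8.8.8"), ipaddress.ip_address("8.8.4.4"),
    ipaddress.ip_address("208.67.222.222"), ipaddress.ip_address("208.67.220.220"),
}


def classify_indicator(value):
    """Return (type, normalized_value, reason) for one quick-search input.

    type is url, domain, ip, md5, sha1, sha256 or ssdeep, or None when the
    input is not an indicator the search supports."""
    text = value.strip()
    # Explicit url: / domain: prefixes restrict the search, as the page's tip describes.
    for prefix in ("url:", "domain:"):
        if text.lower().startswith(prefix):
            return prefix[:-1], text[len(prefix):], "explicit prefix"
    # IP address: reject the ranges the page says are not supported.
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        addr = None
    if addr is not None:
        if addr.is_private:
            return None, text, "private IP range is not supported"
        if addr in PUBLIC_RESOLVERS:
            return None, text, "Google DNS / OpenDNS address is not supported"
        return "ip", text, "public IP address"
    # Hashes: fixed-length hex for MD5/SHA1/SHA256, blocksize:h1:h2 for ssdeep.
    if re.fullmatch(r"[0-9a-fA-F]+", text) and len(text) in HEX_HASH_LENGTHS:
        return HEX_HASH_LENGTHS[len(text)], text.lower(), "hex digest length"
    if SSDEEP_RE.match(text):
        return "ssdeep", text, "ssdeep blocksize:hash:hash format"
    # A scheme or path makes it a URL; a bare hostname is a domain.
    if "://" in text or "/" in text:
        return "url", text, "scheme or path present"
    if DOMAIN_RE.match(text):
        return "domain", text.lower(), "bare hostname"
    return None, text, "not a supported indicator type"
```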