Searching Watson for single indicator types

Search Watson™ to view information and find evidence on a single indicator type.

Before you begin

You must have QRadar® administrator privileges to search in all domains and to create other user roles and assign domains.

Click Search Watson to start a search.
Tip: The Search Watson icon is located next to the QRadar Assistant icon Global search icon on menu bar.
Tip: In the dark theme UI (2.6.0), the Search Watson button is on the Watson Investigations page.
Search button in dark theme UI 2.6.0

About this task

In addition to running a single indicator quick search, you can initiate a multiple indicator search by adding multiple indicators and selecting reference sets. For more information, see Searching Watson for multiple indicator types.


  1. Click Search Watson to open the Search Watson pane.
  2. To initiate a quick search, you can enter one of the following indicator types in the Single Indicator Quick Search field:
    • URL
    • Domain
    • IP address - IP addresses in the private IP range, Google DNS, and openDNS IP addresses are not supported.
    • Hash - Supported hash types include MD5, SHA1, SHA256, and ssdeep.
    Tip: To restrict your search to a URL, type url: and the URL you want to search as in the following example: To restrict your search to a domain, type domain: and the domain you want to search as in the following example,
    Your search returns information that was found about the indicator type.
  3. To continue with an in-depth search in your local QRadar instance and Watson, click Create Investigation.
    Watson Search results
  4. Set the local context time frame date and time to investigate observables in your local QRadar that were discovered during the selected time frame.
  5. Select one or more domains. If you select more than one domain, the investigation is limited to the events that are coming from the selected domains. Each domain that you select creates a separate investigation on the Incident Overview page. Each domain that you select for investigation counts against your daily quota.

    To use the multitenant aspect of search, you must create different domains with user roles and tenants to occupy that domain in QRadar. For more information, see Multitenant Management.

    After you create domains, you can assign other users access to QRadar Advisor with Watson in User Roles in QRadar. The assigned users can then run searches by logging in to a different domain.

  6. Click Start to run the investigation. The investigation can take several minutes to return results.
    Investigate screen
  7. Click the completed investigation on the Watson Investigations page to view the results of the analysis.
  8. Click Graph Relationships to see the results on the relationship graph.
  9. If something changed, click Reinvestigate to start another investigation.
    Reinvestigating counts against your daily quota.