Searching Watson for single indicator types
Search Watson™ to view information and find evidence on a single indicator type.
Before you begin
You must have QRadar® administrator privileges to search in all domains and to create other user roles and assign domains.
Click Search Watson to start a search.
Tip: The Search Watson icon is located next to the QRadar Assistant icon.
Tip: In the dark theme UI (2.6.0), the Search Watson button is on the Watson Investigations page.
In addition to running a single indicator quick search, you can initiate a multiple indicator search by adding multiple indicators and selecting reference sets. For more information, see Searching Watson for multiple indicator types.
About this task
- Click Search Watson to open the Search Watson pane.
To initiate a quick search, you can enter one of the following indicator types in the Single Indicator Quick Search field:
- IP address - IP addresses in the private IP range, Google DNS, and OpenDNS IP addresses are not supported.
- Hash - Supported hash types include MD5, SHA1, SHA256, and ssdeep.
Tip: To restrict your search to a URL, type url: and the URL you want to search, as in the following example: url:ibm.com. To restrict your search to a domain, type domain: and the domain you want to search, as in the following example: domain:ibm.com.
Your search returns information that was found about the indicator type.
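Because each investigation counts against the daily quota, it helps to check an indicator against the rules above before submitting it. The following pre-check is an added example, not part of the product or this page: it classifies a quick-search value as an IP address, hash, url: or domain: search and reports why the quick search would not accept it (private IP range, Google DNS or OpenDNS resolver addresses, unsupported hash format). The resolver addresses and the ssdeep/domain patterns are assumptions; the page names the categories but not the values.

```python
import ipaddress
import re
from typing import Optional, Tuple

# Published addresses of the resolvers the page says are not supported
# (assumed values; the page names "Google DNS" and "OpenDNS" only).
UNSUPPORTED_RESOLVERS = {
    ipaddress.ip_address(a)
    for a in ("8.8.8.8", "8.8.4.4", "208.67.222.222", "208.67.220.220")
}
# Supported hash types from the page, recognised by hex digest length.
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
# ssdeep is blocksize:chunk:double_chunk (assumed shape of the format).
SSDEEP_RE = re.compile(r"^\d+:[A-Za-z0-9/+]+:[A-Za-z0-9/+]+$")
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$"
)


def classify_indicator(value: str) -> Tuple[str, Optional[str]]:
    """Return (indicator_type, problem). problem is None when the value
    fits the quick-search rules, otherwise a short reason (hypothetical
    helper; the product does not expose this check)."""
    value = value.strip()
    lowered = value.lower()
    # Explicit prefixes documented for the quick-search field.
    if lowered.startswith("url:"):
        return ("url", None if value[4:] else "empty url: prefix")
    if lowered.startswith("domain:"):
        ok = DOMAIN_RE.match(value[7:]) is not None
        return ("domain", None if ok else "not a valid domain name")
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        ip = None
    if ip is not None:
        if ip.is_private:
            return ("ip", "private IP range is not supported")
        if ip in UNSUPPORTED_RESOLVERS:
            return ("ip", "Google DNS / OpenDNS addresses are not supported")
        return ("ip", None)
    if re.fullmatch(r"[0-9a-fA-F]+", value) and len(value) in HASH_LENGTHS:
        return ("hash", None)
    if SSDEEP_RE.match(value):
        return ("hash", None)
    if DOMAIN_RE.match(value):
        return ("text", "unprefixed; use url: or domain: to restrict the search")
    return ("unknown", "not an IP address, supported hash, url: or domain: search")
```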
To continue with an in-depth search in your local QRadar instance and Watson, click Create
- Set the local context time frame date and time to investigate observables in your local QRadar that were discovered during the selected time frame.
Select one or more domains. If you select more than one domain, the investigation is limited to the events that are coming from the selected domains. Each domain that you select creates a separate investigation on the Incident Overview page. Each domain that you select for investigation counts against your daily quota.
To use the multitenant aspect of search, you must create different domains with user roles and tenants to occupy that domain in QRadar. For more information, see Multitenant Management.
After you create domains, you can assign other users access to QRadar Advisor with Watson in User Roles in QRadar. The assigned users can then run searches by logging in to a different domain.
Click Start to run the investigation. The investigation can take several minutes to return results.
- Click the completed investigation on the Watson Investigations page to view the results of the analysis.
- Click Graph Relationships to see the results on the relationship graph.
If something changed, click Reinvestigate to start another
Reinvestigating counts against your daily quota.