Searching collected events

About this task

Tips:
  • Start with a broad search query and refine it by adding more filters to remove unwanted events from the results.
  • File Operations and Registry Operations events are collected only if they belong to an alert.
  • It is not possible to create nested queries.

Procedure

  1. Click Threat Hunt > Proactive Hunt.
  2. Create a query by adding query parameters to the OR, AND, or NOT fields.
    Tips:
    • Use the * wildcard operator in the OR field to retrieve all events. You can't use * in query parameters.
    • Enter parameters manually, or click Plus to select from the list of available parameters.
    • Executable file names, hashes, and IP addresses are automatically associated with the corresponding parameter when you paste them into the OR, AND, or NOT fields.
    1. If you want to filter your query by date, enter values in the From or To fields.
      Tip: Choose a preset date filter instead of specifying values manually. Click Presets, then Last 24 Hours, Last 7 days, or Last 30 days.
    2. If you want to filter your query by event, choose events from the list. To exclude events, click + Exclude Events and then choose events from the list.
    3. If you want to filter your query by endpoint, choose endpoints from the list. To exclude endpoints, click + Exclude Endpoints and then choose endpoints from the list.
    4. If you want to filter your query by group, choose groups from the list. To exclude groups, click + Exclude Groups and then choose groups from the list.
  3. Click Search.
  4. To export a .json file of the search results, click Export Results.

Creating an alert from a query result

Procedure

  1. Click Threat Hunt > Proactive Hunt.
  2. Search your collected events.
  3. Click an event in the search results, and then click Create Alert.
  4. Enter a title for the alert, any notes or tags, and set the severity.

Results

The QRadar® EDR Brain correlates events and displays the alert for further analysis.

For more information about alerts, see Reviewing alerts.