If you have obtained new threat intelligence, for example from external sources, you can search for it using simple combined conditions such as IP address, domain name, and behavior. This lets you initiate threat hunting across all endpoints in your network and identify endpoints and processes with potential threats, helping you detect new threats or possible risks in the network.
4.2.3.1 Searches Through a Single Condition
Searches through a single condition include searches by domain name, network connection, executable file hash value, or file name.
- Search by domain name:
Enter one or more domain names separated by commas (,) to search for devices and activities communicating with the specified domain names. Fuzzy search using the wildcard (*) is supported.
Example: Use the domain names related to the Emotet virus to query potentially infected endpoints and the processes communicating with the Emotet domain names.
Search statement: vidriodecoracion.com,varivoda.com,wakan-tanka.com,white-on-rice.com
The query result is shown below.

- Search by network connection:
Enter one or more IP addresses separated by commas (,) to search for endpoints with network connections to/from the specified IP addresses and the corresponding processes.
Example: Use the IP addresses related to the Emotet virus to query potentially infected endpoints and the processes communicating with the IP addresses.
Search statement: 216.10.40.16,91.121.54.71,209.236.123.42,77.55.211.77
The query result is shown below.

- Search by executable file hash value:
Enter one or more MD5 or SHA256 values of suspicious files separated by commas (,) to search process operation and module loading activities for the specified hash values; the result lists the matching endpoints and the corresponding processes.
Example: Use the SHA256 value of the file related to the Emotet virus to query potentially infected endpoints.
Search statement: a7f38b8959c668d02ced78306917fe8f7740cb199129db5f9408fb728a66cc5f
The query result is shown below.

- Search by file name:
Enter one or more suspicious file names separated by commas (,) to search for related endpoints and events. Fuzzy search using the wildcard (*) is supported.
Example: Use malicious Emotet file names to query potentially infected endpoints.
Search statement: setupcln*,4256cd.dll
The query result is shown below.
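The four single-condition searches above all follow the same pattern: split the comma-separated statement into terms, match each term (exactly, or as a glob when it contains *) against one telemetry field, and return the endpoints and processes that hit. The following Python is added here as an illustration and is not code from the product or its documentation. It runs over a small set of constructed events; the field names (domain, dst_ip, src_ip, md5, sha256, file_name), the placeholder MD5 value, and the rejection of non-hex hash terms are assumptions of the example, while the Emotet indicators are the ones quoted in the examples above.

```python
"""Single-condition IOC hunt over endpoint telemetry (added example, not product code)."""
import fnmatch
import re

# Constructed sample telemetry (not real data): one dict per observed event.
# The MD5 value is a placeholder; the SHA256 is the Emotet hash quoted in this section.
SAMPLE_EVENTS = [
    {"endpoint": "PC-001", "process": "outlook.exe", "domain": "vidriodecoracion.com"},
    {"endpoint": "PC-001", "process": "setupcln_82.exe", "file_name": "setupcln_82.exe",
     "sha256": "a7f38b8959c668d02ced78306917fe8f7740cb199129db5f9408fb728a66cc5f"},
    {"endpoint": "PC-002", "process": "rundll32.exe", "file_name": "4256cd.dll",
     "md5": "0123456789abcdef0123456789abcdef"},
    {"endpoint": "PC-003", "process": "svchost.exe", "dst_ip": "216.10.40.16"},
    {"endpoint": "PC-004", "process": "chrome.exe", "domain": "white-on-rice.com.example"},
    {"endpoint": "PC-005", "process": "chrome.exe", "domain": "example.org", "dst_ip": "203.0.113.10"},
]

# Which event fields each single-condition search type looks at (assumed field names).
SEARCH_FIELDS = {
    "domain": ("domain",),
    "ip": ("dst_ip", "src_ip"),
    "hash": ("md5", "sha256"),
    "file_name": ("file_name",),
}

# MD5 is 32 hex characters, SHA256 is 64; anything else is not a usable hash IOC.
HEX_HASH = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{64})$")


def parse_terms(statement):
    """Split a comma-separated search statement into normalised (lower-case) terms."""
    return [t.strip().lower() for t in statement.split(",") if t.strip()]


def term_matches(term, value):
    """Exact match, or glob match when the term contains the * wildcard."""
    value = str(value).lower()
    if "*" in term:
        return fnmatch.fnmatchcase(value, term)
    return value == term


def hunt_ioc(statement, search_type, events=SAMPLE_EVENTS):
    """Run one single-condition search and return sorted (endpoint, process, field, value) hits.

    Hash searches are validated first: a wildcard or non-hex term would silently
    match nothing, so it is rejected instead of producing an empty result.
    """
    fields = SEARCH_FIELDS[search_type]
    terms = parse_terms(statement)
    if search_type == "hash":
        bad = [t for t in terms if not HEX_HASH.match(t)]
        if bad:
            raise ValueError(f"not an MD5/SHA256 hex digest: {bad}")
    hits = set()
    for ev in events:
        for f in fields:
            if f in ev and any(term_matches(t, ev[f]) for t in terms):
                hits.add((ev["endpoint"], ev["process"], f, str(ev[f]).lower()))
    return sorted(hits)


if __name__ == "__main__":
    for kind, stmt in [
        ("domain", "vidriodecoracion.com,varivoda.com,wakan-tanka.com,white-on-rice.com"),
        ("ip", "216.10.40.16,91.121.54.71,209.236.123.42,77.55.211.77"),
        ("hash", "a7f38b8959c668d02ced78306917fe8f7740cb199129db5f9408fb728a66cc5f"),
        ("file_name", "setupcln*,4256cd.dll"),
    ]:
        print(kind, hunt_ioc(stmt, kind))
```

Two details worth noticing: the exact-match domain search does not hit the look-alike `white-on-rice.com.example` on PC-004, whereas a wildcard term such as `*white-on-rice*` does, and hash terms are lower-cased before matching so an upper-case SHA256 pasted from a report still matches.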

4.2.3.2 Searches Through Group Conditions
Multiple search conditions:
A search statement consists of the following elements: search object, field name, value, comparison operator, and logical operator, as shown in the following figure.

Example: Mining virus detection
Search statement: (DNSEvents.domain = "*xmr*" AND DNSEvents.domain = "*pool*") OR (NetworkEvents.dst_port = "4444" OR NetworkEvents.dst_port = "5555" OR NetworkEvents.dst_port = "6666") OR (ProcessEvents.process_commandline = "stratum://" OR ProcessEvents.process_commandline = "cpu-priority")
The search query is not case-sensitive.
The query result is shown below.

Objects and fields
You can include the following objects in a set of conditions: Domain Name Access, Connection, Process Operation, File Operation, Loaded Module, and Device Information. For details, see the following description:
Domain name access fields:

Connection fields:

File operation fields:

Process operation fields:

Loaded Module fields:

Device information fields:

Values
The value of a field must be enclosed in a pair of double quotation marks (" "). Wildcards are supported: an asterisk (*) in a value stands for zero, one, or multiple characters. The wildcard * can only be used together with the comparison operators "=" (equal) and "!=" (not equal).
Example: You can use mon* to represent the word "mongodb" or "mondodb".
Comparison operators:

Logical operators:
The log lookup system supports three logical operators: AND, OR, and NOT.
1. AND: AND means that both fields must be matched.
2. OR: OR means that at least one field must be matched.
3. NOT: NOT excludes the records containing a single item or phrase following the NOT operator.
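To make the grammar of this section concrete, here is a small tokenizer, parser and evaluator for the search statement syntax it describes: object.field names, quoted values, the * wildcard restricted to = and !=, AND/OR/NOT with parentheses, and case-insensitive matching. It is an added example, not the product's query engine. It assumes the comparison operators = != > < >= <= (the page's operator table is not reproduced above), that = is an exact match unless a wildcard is used, that ordering operators compare numbers, and that each event belongs to exactly one object so a condition on another object is false for it. It runs over constructed sample events and includes the mining virus statement from 4.2.3.2.

```python
"""Evaluator for the group-condition search grammar (added example, not product code)."""
import fnmatch
import re

# Constructed sample telemetry (not real data): each event names its object and carries its fields.
SAMPLE_EVENTS = [
    {"object": "DNSEvents", "endpoint": "PC-001", "process": "miner.exe", "domain": "xmr.pool.example"},
    {"object": "NetworkEvents", "endpoint": "PC-002", "process": "svc.exe", "dst_port": 5555},
    {"object": "ProcessEvents", "endpoint": "PC-003", "process": "xmrig.exe",
     "process_commandline": "xmrig.exe -o stratum://pool.example:3333 --cpu-priority 5"},
    {"object": "DNSEvents", "endpoint": "PC-004", "process": "chrome.exe", "domain": "pool.example"},
    {"object": "NetworkEvents", "endpoint": "PC-006", "process": "update.exe", "dst_port": 8080},
]

# Comparison operators assumed here: = != > < >= <= (the page's operator table is not reproduced).
TOKEN_RE = re.compile(r'\s*(?:(?P<lparen>\()|(?P<rparen>\))|(?P<op>!=|>=|<=|=|>|<)'
                      r'|"(?P<value>[^"]*)"|(?P<word>[A-Za-z_][A-Za-z0-9_.]*))')

def tokenize(statement):
    """Turn a statement into (kind, text) tokens; AND/OR/NOT are case-insensitive keywords."""
    statement, pos, tokens = statement.strip(), 0, []
    while pos < len(statement):
        m = TOKEN_RE.match(statement, pos)
        if not m:
            raise SyntaxError(f"unexpected input at offset {pos}: {statement[pos:pos + 10]!r}")
        pos, kind, text = m.end(), m.lastgroup, m.group(m.lastgroup)
        is_kw = kind == "word" and text.upper() in ("AND", "OR", "NOT")
        tokens.append(("kw", text.upper()) if is_kw else (kind, text))
    return tokens

def parse(tokens):
    """Recursive descent: OR binds weakest, then AND, then NOT; parentheses group."""
    pos = [0]
    def peek():
        return tokens[pos[0]] if pos[0] < len(tokens) else (None, None)
    def take(kind=None):
        tok = peek()
        if kind and tok[0] != kind:
            raise SyntaxError(f"expected {kind}, got {tok}")
        pos[0] += 1
        return tok
    def binary(kw, sub):  # left-associative chain joined by AND or OR
        node = sub()
        while peek() == ("kw", kw):
            take()
            node = (kw.lower(), node, sub())
        return node
    def expr():
        return binary("OR", lambda: binary("AND", unary))
    def unary():
        if peek() == ("kw", "NOT"):
            take()
            return ("not", unary())
        if peek()[0] == "lparen":
            take()
            node = expr()
            take("rparen")
            return node
        name = take("word")[1]
        if "." not in name:
            raise SyntaxError(f"condition needs object.field, got {name!r}")
        obj, field = name.split(".", 1)
        op, value = take("op")[1], take("value")[1]
        if "*" in value and op not in ("=", "!="):  # rule from the Values section
            raise SyntaxError(f"the * wildcard is only allowed with = and !=, not {op}")
        return ("cond", obj, field, op, value)
    node = expr()
    if peek() != (None, None):
        raise SyntaxError(f"trailing tokens: {tokens[pos[0]:]}")
    return node

def evaluate(node, event):
    """Evaluate an AST against one event; a condition on another object never matches it."""
    if node[0] == "not":
        return not evaluate(node[1], event)
    if node[0] in ("and", "or"):
        results = [evaluate(child, event) for child in node[1:]]
        return all(results) if node[0] == "and" else any(results)
    _, obj, field, op, value = node
    actual = next((str(v).lower() for k, v in event.items() if k.lower() == field.lower()), None)
    if actual is None or event.get("object", "").lower() != obj.lower():
        return False
    value = value.lower()  # matching is case-insensitive, as the section states
    if "*" in value:  # glob match; the parser already limited this to = and !=
        return fnmatch.fnmatchcase(actual, value) == (op == "=")
    if op in ("=", "!="):
        return (actual == value) == (op == "=")
    actual, value = float(actual), float(value)  # ordering operators are numeric in this example
    return {">": actual > value, "<": actual < value, ">=": actual >= value, "<=": actual <= value}[op]

def hunt_query(statement, events=SAMPLE_EVENTS):
    """Parse once, evaluate against every event, return sorted (endpoint, process) hits."""
    ast = parse(tokenize(statement))
    return sorted({(e["endpoint"], e["process"]) for e in events if evaluate(ast, e)})

MINING_QUERY = (  # the mining virus detection statement from 4.2.3.2, verbatim
    '(DNSEvents.domain = "*xmr*" AND DNSEvents.domain = "*pool*") '
    'OR (NetworkEvents.dst_port = "4444" OR NetworkEvents.dst_port = "5555" OR NetworkEvents.dst_port = "6666") '
    'OR (ProcessEvents.process_commandline = "stratum://" OR ProcessEvents.process_commandline = "cpu-priority")')
```

Running `hunt_query(MINING_QUERY)` over the constructed events returns PC-001 (a DNS name containing both xmr and pool) and PC-002 (port 5555). Because = is an exact match in this example, the two ProcessEvents conditions do not hit the constructed command line on PC-003, while `ProcessEvents.process_commandline = "*stratum://*"` does; whether the product itself treats command-line equality as substring matching is not stated on this page. Note also that NOT applied to a DNSEvents condition is true for every non-DNS event, so in practice NOT is combined with AND on a condition of the same object to narrow rather than widen a hunt.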