Uploading an IOC file and searching for events based on conditions defined in the IOC file

To upload an IOC file and search for events based on conditions defined in the IOC file:

  1. Select the Threat Hunting section in the program web interface window.

    The event search form opens.

  2. Click the Upload button.

    The file selection window opens.

  3. Select the IOC file that you want to upload and click the Open button.

    The IOC file will be uploaded.

    On the Source code tab, the form containing event search conditions will display the conditions defined in the uploaded IOC file.

    You can search for events that match these conditions. You can also change the conditions defined in an uploaded IOC file, or add event search conditions in source code mode.

  4. If you want to search for events that occurred during a specific period, click the Any time button and select one of the following event search periods:
    • Any time, if you want the table to display events found for any period of time.
    • Last hour, if you want the table to display events that were found during the last hour.
    • Last day, if you want the table to display events found during the last day.
    • Custom range, if you want the table to display events found during the period you specify.
  5. If you have selected the Custom range display period for found events:
    1. In the calendar that opens, specify the start and end dates of the event display range.
    2. Click the Apply button.

    The calendar closes.

  6. Click the Search button.

    Grouping levels of found events are displayed: All hosts – Organization names – Server names.

  7. Click the name of the server for which you want to view events.

    The host table of the selected server opens. Event grouping levels are displayed above the table. The host table contains the following information:

    • Host is the name of the host on which the event was detected.
    • Number of events is the number of events that were detected on the host.
    • First event is the detection date and time of the first event on this host.
    • All hosts is the detection date and time of the latest event on this host.
  8. Select the host for which you want to view events.

    This opens a table of events matching the search conditions you specified. Event grouping levels are displayed above the table.

    You can return to the host selection window by clicking the link with the organization name and the server name, or return to organization and server selection by clicking the All hosts link.
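As an added illustration that is not part of the original help page, the following Python sketch models how the search period filter from steps 4 and 5 and the host table columns from step 7 can be derived from a set of events that matched the uploaded IOC conditions; the event records and the organization, server and host names are constructed, and the field names are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample: events that matched the conditions of the uploaded IOC file.
# "time" is the detection time; NOW stands in for the moment the search is run.
NOW = datetime(2024, 5, 10, 12, 0, 0)
EVENTS = [
    {"org": "Org A", "server": "srv-1", "host": "ws-01", "time": NOW - timedelta(minutes=5)},
    {"org": "Org A", "server": "srv-1", "host": "ws-01", "time": NOW - timedelta(hours=3)},
    {"org": "Org A", "server": "srv-1", "host": "ws-02", "time": NOW - timedelta(minutes=30)},
    {"org": "Org B", "server": "srv-2", "host": "db-01", "time": NOW - timedelta(days=2)},
]


def in_period(event, period, now=NOW, start=None, end=None):
    """Apply one of the search periods: Any time, Last hour, Last day, Custom range."""
    t = event["time"]
    if period == "Any time":
        return True
    if period == "Last hour":
        return now - timedelta(hours=1) <= t <= now
    if period == "Last day":
        return now - timedelta(days=1) <= t <= now
    if period == "Custom range":
        if start is None or end is None:
            raise ValueError("Custom range requires start and end dates")
        return start <= t <= end
    raise ValueError(f"unknown period: {period}")


def host_table(events, period, **range_kw):
    """Group the filtered events by (organization, server) and then by host,
    producing the host table columns: number of events, first event, latest event."""
    table = {}
    for ev in events:
        if not in_period(ev, period, **range_kw):
            continue
        hosts = table.setdefault((ev["org"], ev["server"]), {})
        row = hosts.get(ev["host"])
        if row is None:
            hosts[ev["host"]] = {"count": 1, "first": ev["time"], "last": ev["time"]}
        else:
            row["count"] += 1
            row["first"] = min(row["first"], ev["time"])
            row["last"] = max(row["last"], ev["time"])
    return table
```

Hosts with no matching events in the selected period do not appear, which is why narrowing the period can make a server disappear from the grouping levels entirely.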

See also

Events database threat hunting

Searching events using design mode

Searching events using source code mode

Changing the event search conditions

Creating an IOA rule based on event search conditions
