Documentation for Threat Monitor

Create search queries and views

On the Event Logs page, you can create, edit, and save full-text custom queries to monitor log messages for specific groups or event activity, such as Active Directory logins, file integrity monitoring, antivirus, etc.

Follow this example to construct your query:

  1. To remove existing query data from the search field, click Clear Form.
  2. Use one or more of the following search parameters:
    • Keywords (Administrator)
    • Wildcards (Admin*)
    • Specific data fields (username:administrator)
    • IP addresses and ranges in CIDR notation (src_net:192.168.0.0/2)
    • Any (for free-text search across all fields)
    • Prefix a term or field with a dash (-) for Does Not Contain
    • Spaces between terms are treated as implicit AND operators
    • Exists: and Missing: are valid prefixes for data fields (they match on whether the field is present in the event, not on its value)
  3. Select your time frame or enter a custom time range.
  4. To save the search and add it to your views, click Add Search Criteria to My Views.
  5. Enter a name for your query view.
  6. Select the time frame type.
  7. To make this your default Event Logs view, select the Is default check box.
  8. Select the facets and fields to display specific data points in your view.
  9. Click Add View. The new view tab is added to the Event Logs page.
  10. To view the high-level query facets and associated data, click Analyze Results.
  11. To turn on the facet graphs, click the associated image icon.
  12. To enable search within a facet, click the associated search icon.
  13. To modify your query, edit the parameters in the search field, and then click Update.
  14. To share the query view with another user in your network, click the gear icon.
  15. On the editable tab, click the Share tab icon.
  16. Select one or more available users, and then click Export.
  17. To move the tab, drag it to another position in the tab rows.
  18. To remove the query from your view and search history, click the delete icon.
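The search parameters in step 2 compose into one query, and it is easy to misread what a term will and will not match (a bare keyword is a token search, a field term compares the whole field, a CIDR term is an address-range test, and a dash negates the whole term). The following is an added example that evaluates queries written in that syntax against a few constructed log events; it is not Threat Monitor code, and the event field names (username, src_net, message), the sample events, and the `any:` spelling of the free-text prefix are assumptions made for illustration, not the product's schema.

```python
"""Toy evaluator for the Event Logs search syntax described above.

Added example for illustration only; not SolarWinds Threat Monitor code.
"""
import fnmatch
import ipaddress
import re

# Constructed sample events. Field names are assumptions, not the product's schema.
EVENTS = [
    {"id": 1, "username": "administrator", "src_net": "192.168.0.15",
     "message": "Active Directory logon success"},
    {"id": 2, "username": "admin_svc", "src_net": "10.0.0.7",
     "message": "Antivirus signature update"},
    {"id": 3, "username": "jdoe", "src_net": "192.168.1.22",
     "message": "File integrity monitoring: /etc/passwd changed"},
    {"id": 4, "src_net": "172.16.4.9",
     "message": "Administrator password reset"},   # no username field
]


def _tokens(value):
    """Split a field value into lowercase word tokens for free-text matching."""
    return re.findall(r"[a-z0-9_]+", str(value).lower())


def _match_value(pattern, value):
    """Case-insensitive comparison; '*' in the pattern is a wildcard (Admin*)."""
    pattern, value = pattern.lower(), str(value).lower()
    if "*" in pattern:
        return fnmatch.fnmatchcase(value, pattern)
    return pattern == value


def _term_matches(term, event):
    """Evaluate one search term (without any leading dash) against one event."""
    term = term.lower()
    if term.startswith("exists:"):            # field present, regardless of value
        return term[len("exists:"):] in event
    if term.startswith("missing:"):           # field absent
        return term[len("missing:"):] not in event
    if term.startswith("any:"):               # assumed spelling of the free-text prefix
        term = term[len("any:"):]
    elif ":" in term:                         # field:value
        field, _, pattern = term.partition(":")
        if field not in event:
            return False
        value = str(event[field])
        if "/" in pattern:                    # IP range in CIDR notation
            try:
                return ipaddress.ip_address(value) in ipaddress.ip_network(pattern, strict=False)
            except ValueError:                # field is not an address, or bad CIDR
                return False
        return _match_value(pattern, value)
    # Bare keyword or wildcard: match any token of any field
    return any(_match_value(term, tok) for v in event.values() for tok in _tokens(v))


def search(query, events=EVENTS):
    """Return the ids of events matching every term; spaces are implicit AND,
    and a leading dash on a term means Does Not Contain."""
    hits = []
    for event in events:
        for raw in query.split():
            negate = raw.startswith("-")
            if _term_matches(raw.lstrip("-"), event) == negate:
                break                         # term failed (or negated term matched)
        else:
            hits.append(event["id"])
    return hits


if __name__ == "__main__":
    for q in ("Administrator", "Admin*", "username:administrator",
              "src_net:192.168.0.0/16", "-username:administrator src_net:192.168.0.0/16",
              "missing:username", "exists:username Admin*", "any:antivirus"):
        print(f"{q!r:55} -> {search(q)}")
```

Note the difference between the first three queries: the keyword `Administrator` also hits event 4 because the word appears in its message, the wildcard `Admin*` additionally picks up the `admin_svc` account, while the field term `username:administrator` matches only the event whose username field is exactly that value. Combining a negated field term with a CIDR range is how a practitioner narrows a noisy subnet down to the logons that are not the expected account.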