Searching for Events
The event search feature lets you find and investigate events that match criteria you specify, so that you can detect anomalies that may indicate a security threat. You can view the results in tabular and timeline formats, or view the raw event data. Each search consists of a query input, the fields to show in the search results, and the criteria that matching events must meet.
Queries are case sensitive: for example, a search for "Admin" does not match events that contain "admin". The query input determines the search type (full text, natural language, or contextual). As you enter the criteria for a search query, Search suggests items and operators based on a schema data dictionary. You can also choose from predefined search queries. When you run a search, you can either specify a fixed time range or have the search results update in real time.