
Threat Center Guide


Build a Search in Threat Center

Threat Center offers three ways to search for cases or alerts. Use the point-and-click Basic interface to quickly define complex searches that Threat Center expresses in Exabeam Query Language. To construct a search from scratch, type it directly in Exabeam Query Language syntax. To search without knowing the query syntax or attribute names, type a search in natural language.

Build a Search for Cases

To build a search for cases, navigate to the Cases tab, then click the search bar to specify your criteria. You only need to specify the criteria relevant to your search; there are no mandatory search criteria.

  1. Navigate to the Cases tab, then in the Search mode menu, select Basic.

  2. Click the search bar, then specify your search criteria:

    • Under VENDORS & PRODUCTS, select the vendors or products associated with the case and their related detections.

    • Under TOP USE CASES, select the use cases associated with the case and their related detections.

    • Under TOP TAGS, select the tags with which the related detections are tagged.

    • Under QUICK SEARCH, specify whether the cases are assigned to you or other users or contain any attachments:

      • To search for cases assigned to you, select Assigned to me. To search for cases not assigned to you, select Not assigned to me.

      • To search for cases assigned to your queue, select Assigned to my queue.

      • To search for cases that have any attachments, select With attachment.

    • Under CASE FIELDS, specify any attribute values the cases or their related detections contain or exclude:

      1. Select a case or detection attribute.

      2. Select whether the cases or their related detections contain or exclude the attribute value:

        • To search for cases or related detections containing a specific attribute value, select IS.

        • To search for cases or related detections without a specific attribute value, select IS NOT.

      3. In the text box, enter a value.

      4. Click Add to Query.

    • By default, the operator is AND. To change the operator, click the operator, then select another operator.

    • To specify when the cases were created, click the time range menu, then select a time range:

      The time range menu with the Quick tab selected.

      • To select a range in the last few hours, days, months, or years, click the Quick tab, then select a predefined range.

      • To specify a custom range, click the Absolute tab, enter specific dates and times, then click Apply.

  3. Click Search.

Build a Search for Alerts

To build a search for alerts, navigate to the Alerts tab, then click the search bar to specify your search criteria. You only need to specify the criteria relevant to your search; there are no mandatory search criteria.

  1. Navigate to the Alerts tab, then in the Search mode menu, select Basic.

  2. Click the search bar, then specify your search criteria:

    • Under VENDORS & PRODUCTS, select the vendors or products associated with the alert and their related detections.

    • Under TOP USE CASES, select the use cases associated with the alert and their related detections.

    • Under TOP TAGS, select the tags with which related detections are tagged.

    • Under QUICK SEARCH, specify whether the alerts are associated with a case:

      • To search for alerts that have an associated case, select With case.

      • To search for alerts that don't have an associated case, select Without case.

    • Under ALERT FIELDS, specify any attribute values the alerts or their related detections contain or exclude:

      1. Select an alert or detection attribute.

      2. Select whether the alerts or their related detections contain or exclude the attribute value:

        • To search for alerts or related detections containing a specific attribute value, select IS.

        • To search for alerts or related detections without a specific attribute value, select IS NOT.

      3. In the text box, enter a value.

      4. Click Add to Query.

    • By default, the operator is AND. To change the operator, click the operator, then select another operator.

    • To specify when the alerts were created, click the time range menu, then select a time range:

      The time range menu with the Quick tab selected.

      • To select a range in the last few hours, days, months, or years, click the Quick tab, then select a predefined range.

      • To specify a custom range, click the Absolute tab, enter specific dates and times, then click Apply.

  3. Click Search.
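As an added illustration (not Exabeam's code, and not a description of how Threat Center evaluates a query internally), the following Python models the Basic-mode case search from "Build a Search for Cases" as a filter over constructed case records; the alert search in "Build a Search for Alerts" composes the same way, with With case / Without case in place of the assignment and attachment flags. The record fields, the sample data, and the assumption that the AND/OR operator joins only the CASE FIELDS rows while every other populated section always narrows the result set are assumptions made here.

```python
from dataclasses import dataclass, field
from datetime import datetime

@dataclass
class Case:  # constructed sample record; field names are assumptions, not Exabeam's schema
    case_id: str
    vendor: str
    use_cases: set
    tags: set
    assignee: str
    attachments: int
    created: datetime
    attrs: dict  # case or detection attribute -> value

@dataclass
class CaseSearch:  # one Basic-mode search; each attribute models one section of the search bar
    vendors: set = field(default_factory=set)     # VENDORS & PRODUCTS
    use_cases: set = field(default_factory=set)   # TOP USE CASES
    tags: set = field(default_factory=set)        # TOP TAGS
    assigned_to_me: "bool | None" = None          # QUICK SEARCH: Assigned to me (True) / Not assigned to me (False)
    with_attachment: bool = False                 # QUICK SEARCH: With attachment
    criteria: list = field(default_factory=list)  # CASE FIELDS rows as (attribute, value, is_not)
    operator: str = "AND"                         # AND (default) or OR between CASE FIELDS rows (assumed scope)
    start: "datetime | None" = None               # created-time range (Absolute tab)
    end: "datetime | None" = None

SAMPLE_CASES = [  # constructed data
    Case("C-1", "CrowdStrike", {"Malware"}, {"ransomware"}, "alice", 2, datetime(2024, 5, 1, 9), {"severity": "critical", "src_host": "wks-17"}),
    Case("C-2", "Okta", {"Compromised Credentials"}, {"mfa"}, "bob", 0, datetime(2024, 5, 3, 14), {"severity": "high", "user": "bob"}),
    Case("C-3", "CrowdStrike", {"Malware", "Lateral Movement"}, set(), "alice", 0, datetime(2024, 4, 20, 8), {"severity": "high", "src_host": "wks-17"}),
]

def matches(case: Case, s: CaseSearch, me: str) -> bool:
    """Every populated section must hold; an unset section imposes no constraint."""
    if s.vendors and case.vendor not in s.vendors: return False
    if s.use_cases and not (case.use_cases & s.use_cases): return False
    if s.tags and not (case.tags & s.tags): return False
    if s.assigned_to_me is not None and (case.assignee == me) != s.assigned_to_me: return False
    if s.with_attachment and case.attachments == 0: return False
    if (s.start and case.created < s.start) or (s.end and case.created > s.end): return False
    if s.criteria:  # IS / IS NOT rows joined by the selected operator; a missing attribute never equals the value
        hits = [(case.attrs.get(attr) == val) != is_not for attr, val, is_not in s.criteria]
        return all(hits) if s.operator == "AND" else any(hits)
    return True

def search_cases(s: CaseSearch, me: str, cases=SAMPLE_CASES) -> list:
    """Return the IDs of the cases a search would list, in stored order."""
    return [c.case_id for c in cases if matches(c, s, me)]
```

Note that an IS NOT row matches records that lack the attribute entirely, which is why C-2 (no src_host) satisfies `("src_host", "wks-17", True)`.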