...

  • In the Hunting area, click the Add to investigation button after performing a search. In this case, elements will also be added to the Investigation list. Learn more about this in the Threat Hunting article.

...

Filter investigations

You can use the filters at the top of the Investigations area to filter specific investigations.

First, choose the time range you want to apply to your search by clicking the time selector at the top of the area. You can either choose an absolute time range by selecting the start and end dates in the calendar, or select a preset interval. You can also select a start date and activate the Now toggle to set the end date to the current time. Click OK after choosing the time range.

You can click the arrow icon next to the OK button and click OK and filter to filter your data directly with the selected time range.

After applying a specific time range, you can click the play button next to the selector to activate real-time. This will allow new results to keep appearing as time passes.

Then, set the conditions you want to filter by. These are the available options:

Importance

Choose the importance of the filtered investigations (Low, Medium and/or High).

Investigation name

Filter investigations by name.

Assigned to

Select the user(s) assigned to the investigation(s).

Entity / Filter value

Choose the required type of entity from the drop-down list and enter the value you want to filter by. For example, if you want to get elements related to IP addresses that contain the value 10, choose ip from the Entity drop-down and enter the value 10 in the Filter value box. Click the + button to add the required entity/filter value pairs.

Status

Select the status of the investigations (Active state, Closed, False positive, Open and/or Under review).

You can also select the Advanced Filters button to filter by the following criteria:

Labels

Enter the labels you want to filter by.

Keywords

Enter the keywords you want to filter by.

ATT&CK Tactic

Filter by one or several ATT&CK Tactics.

Click Filter.

...

If you start defining a new filter, you can click Reset filters to set your favorite filter.

...