Understand search results

Overview

After running your search, results appear below the query section in a dedicated Results section. This section lists every event that matched your query in table form, grouped by OCSF Event Class and sorted by time (ascending).

The Results section contains the following components, among others:

  • Event class tabs - One tab per OCSF Event Class identified in your results. View all events, regardless of class, under the All Events tab, or only the events of one class by selecting that class's tab.

  • Event class filter - On the All Events tab, you can filter the list of events by OCSF Event Class as the first filtering layer.

  • Attributes - Below the OCSF Event Class filter, you can narrow results further by attributes and their values.


Explore results

You can investigate search results further, and bring the information you are interested in into view, by performing one or more of the following actions. These actions are available on every tab in the Results section.

Organize tabs

Click more… next to the tabs to display a list of all available tabs. To reorder them, click the :: icon next to a tab, then drag it up or down the list. Tabs above the line are shown in the tab bar; tabs below it stay reachable only through the more… list.

Filter results

Use the Filters panel, on the left side of the table, to include or exclude specific attributes and their values. Each tab shows the set of filters relevant to its event class. To exclude every value except one, hover over the value you want to keep and click Only.

Shift to another event class

To investigate across event classes, use the Shift to option. While investigating events of one class, you can pivot to a different event class to view the events of that class that happened at the same time, or close to it. Shift to opens the selected tab positioned at the event whose time is nearest to the event you are pivoting from.

For instance, if you are inspecting Authentication events and want to learn which Network Activity events happened at the same time, click Shift to another event type and then select the event class you wish to view.

Once you select the event class, its tab opens and a marker is placed on the event nearest in time to the one you pivoted from.
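The behaviour of the Filters panel's Only action and of the Shift to pivot, as an added example that is not the product's own code: a constructed table of OCSF-style events (only the OCSF `class_uid` and `time` fields are real OCSF names; the other attribute names and all values are made up), a per-class tab, an Only filter, and a pivot that locates the target-class event nearest in time, handling the case where the target tab is empty.

```python
"""Added example: per-class tabs, the "Only" filter and the "Shift to"
nearest-time pivot over a constructed table of OCSF-style events.
Not the product's own code; the data below is made up."""
import bisect
from typing import Any, Dict, List, Optional, Tuple

Event = Dict[str, Any]

# OCSF class_uid values for the two classes named on the page.
AUTHENTICATION = 3002
NETWORK_ACTIVITY = 4001

# Constructed sample results in the page's table form: one row per event.
# `class_uid` and `time` (epoch milliseconds) are OCSF field names; the
# remaining attribute names and every value are invented for the example.
RESULTS: List[Event] = [
    {"class_uid": AUTHENTICATION,   "time": 1_700_000_000_000, "user": "alice", "status": "Success"},
    {"class_uid": NETWORK_ACTIVITY, "time": 1_700_000_000_250, "src_ip": "10.0.0.5", "dst_port": 443},
    {"class_uid": AUTHENTICATION,   "time": 1_700_000_005_000, "user": "bob",   "status": "Failure"},
    {"class_uid": NETWORK_ACTIVITY, "time": 1_700_000_004_100, "src_ip": "10.0.0.9", "dst_port": 22},
    {"class_uid": AUTHENTICATION,   "time": 1_700_000_009_000, "user": "bob",   "status": "Failure"},
    {"class_uid": NETWORK_ACTIVITY, "time": 1_700_000_012_000, "src_ip": "10.0.0.9", "dst_port": 22},
]


def tab(events: List[Event], class_uid: int) -> List[Event]:
    """One event-class tab: the events of that class, sorted by time ascending."""
    return sorted((e for e in events if e["class_uid"] == class_uid), key=lambda e: e["time"])


def only(events: List[Event], attr: str, value: Any) -> List[Event]:
    """The Filters panel's "Only": keep rows whose attribute equals the chosen value."""
    return [e for e in events if e.get(attr) == value]


def shift_to(events: List[Event], from_event: Event, to_class_uid: int) -> Optional[Tuple[int, Event]]:
    """"Shift to": return (row index in the target tab, event) for the event of
    to_class_uid nearest in time to from_event, or None if that tab is empty.
    Ties between an earlier and a later candidate go to the earlier one."""
    target = tab(events, to_class_uid)
    if not target:
        return None
    times = [e["time"] for e in target]
    t = from_event["time"]
    i = bisect.bisect_left(times, t)          # first target event at or after t
    candidates = [j for j in (i - 1, i) if 0 <= j < len(target)]
    best = min(candidates, key=lambda j: (abs(times[j] - t), times[j]))
    return best, target[best]


def nearby(events: List[Event], from_event: Event, to_class_uid: int, window_ms: int) -> List[Event]:
    """Events of to_class_uid within +/- window_ms of from_event, in time order."""
    t = from_event["time"]
    return [e for e in tab(events, to_class_uid) if abs(e["time"] - t) <= window_ms]


if __name__ == "__main__":
    # Open the Authentication tab, keep only failures, then pivot from the first
    # failure to the nearest Network Activity event.
    failures = only(tab(RESULTS, AUTHENTICATION), "status", "Failure")
    idx, evt = shift_to(RESULTS, failures[0], NETWORK_ACTIVITY)
    print(f"pivot lands on Network Activity row {idx}: {evt}")
    print("within 1s:", nearby(RESULTS, failures[0], NETWORK_ACTIVITY, 1_000))
```

The pivot mirrors what the page describes: the target tab is the time-sorted list of that class, and the marker goes on whichever neighbour of the insertion point is closest in absolute time, so an event that happened just before the pivot source can win over one that happened after it. `nearby` is the manual version of "at the same time, or close to it" when you want the surrounding events rather than only the nearest one.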

Open event details

Click the Event details icon to open a side panel with more details about the event.

Share results

📘Note

This function shares search results, not the query itself. Sharing queries is described separately.

Click the link icon next to the RESULTS title to copy a shareable link to your search results.

Group results by column

Drag a column title to the row above the grid to group your results by column.