Start a new search

The Search tool is designed to help you investigate and analyze your raw data effectively. It provides a user-friendly interface for running queries, exploring datasets, and uncovering valuable insights. With built-in filters and intuitive guidance, the tool simplifies the process of building both basic and advanced searches, enabling you to quickly narrow down results and focus on the data that matters most. Whether you're investigating specific events or analyzing patterns across multiple data sources, the Search tool is your gateway to actionable information.

📘 About the query builder

The search query builder includes the following elements:

  1. Filters

  2. Query

  3. Scope



Filters


The Filters section includes three filters:

  • Time range - select the timeframe on which to run your query. You can select from a list of relative time frames, like Last 24 hours, Last 3 days, etc, or specify a custom range of dates and times.

  • Data source - a list of logs you can run your search on. This list shows only data sources connected to your environment that include information within the supported event classes.

  • Event class - a list of OCSF event classes you want to include in your search. This list shows currently supported OCSF event classes.

    Supported event classes

    Hunters currently supports the event classes below:

    | Event class | What is it? | Why is it important? |
    |---|---|---|
    | 1001 - File Activity | Creation, modification, deletion, or access of files on a system. | Tracks potential malicious activity, such as unauthorized file access, malware installation, or data exfiltration. |
    | 1004 - Memory Activity | Reads, writes, or executions within system memory. | Helps identify suspicious in-memory operations, like code injection or exploitation attempts. |
    | 1006 - Scheduled Job Activity | Creation, modification, or execution of scheduled tasks or cron jobs. | Detects persistence mechanisms often used by attackers to execute malware periodically. |
    | 1007 - Process Activity | Creation, modification, termination, or other operations on system processes. | Monitors for rogue or suspicious processes, such as those started by malware or unauthorized scripts. |
    | 2002 - Vulnerability Finding | Discovery of system vulnerabilities or weaknesses. | Identifies and prioritizes risks that could be exploited by attackers, enabling timely remediation. |
    | 201001 - Win Registry Key Activity | Creation, deletion, or modification of Windows registry keys. | Detects potential persistence mechanisms or configuration changes made by malware. |
    | 201002 - Win Registry Value Activity | Changes to specific values within Windows registry keys. | Tracks detailed registry changes often tied to malware behaviors or system misconfigurations. |
    | 3001 - Account Change | Creation, deletion, or modification of user accounts. | Identifies unauthorized account creation or privilege escalation, crucial for detecting insider threats or compromised accounts. |
    | 3002 - Authentication | Login attempts, successful authentications, or failures. | Detects brute-force attacks, credential theft, or unauthorized access. |
    | 3005 - User Access | Access attempts to systems or applications by users. | Tracks user behavior for anomalies, helping identify potential insider threats or compromised accounts. |
    | 3006 - Group Management | Creation, modification, or deletion of user groups. | Monitors privilege escalation or unauthorized group changes, which can weaken security policies. |
    | 4001 - Network Activity | Network connections, data transfers, or communications between systems. | Identifies anomalous traffic, such as data exfiltration, lateral movement, or communication with malicious servers. |
    | 4002 - HTTP Activity | HTTP requests and responses. | Tracks web-based threats, including phishing, command-and-control (C2) communication, or data leakage. |
    | 4003 - DNS Activity | DNS queries and responses. | Detects domain abuse, including lookups of known malicious domains or DNS tunneling. |
    | 4009 - Email Activity | Sending, receiving, or interacting with emails. | Monitors phishing attempts, unauthorized email access, or malicious attachments. |
    | 4011 - Email File Activity | File attachments in email communications. | Detects potentially harmful files, such as malware-laden attachments. |
    | 4012 - Email URL Activity | URLs embedded in email content. | Identifies phishing links or malicious websites targeting users. |
    | 5001 - Inventory Info | Information about hardware or software inventory. | Assists in asset tracking, ensuring all devices and software are accounted for and secured. |
    | 5003 - User Inventory | Details about user accounts and related information. | Provides visibility into user accounts, helping detect unauthorized or orphaned accounts. |
    | 6003 - API Activity | Interaction with APIs, including calls, responses, and errors. | Tracks misuse of APIs, such as unauthorized access or data theft through poorly secured endpoints. |
    | 6005 - Datastore Activity | Operations on databases or data storage systems. | Identifies unauthorized data access, modifications, or exfiltration attempts. |
    | 6006 - File Hosting | Activity on file hosting services or platforms. | Detects potential data leaks or unauthorized use of cloud storage for malicious purposes. |

💡About data sources and event classes

Each data source has a unique set of event classes available to it and not all event classes exist in every data source. For instance, when selecting okta-users logs, you will not be able to search for API activity.


Hover over an event class in the list to display the data sources it can be found in.


Query


The Search tool features a flexible query builder designed to adapt to both straightforward and advanced investigative needs. It allows you to construct queries ranging from simple filters to highly complex, layered conditions for more granular data exploration.

Key capabilities include:

  • OCSF Attributes: Select from a list of OCSF attributes (or Observables) to find the specific information you need.

  • Advanced Operators: Use a variety of operators, such as equals (=), not equals (!=), like, not like, and more, to define precise search parameters.

  • AND/OR Logic: Combine search clauses using AND or OR relationships to refine your results.

Available operators

Values are entered without quotes. LIKE and NOT LIKE are case-insensitive; use the CS variants when the case of the value matters. IN and NOTIN take a comma-separated list of values.

| Operator | Function | Example |
|---|---|---|
| EQUALS | Return only results that are equal to the specified value. Equivalent to the SQL = operator. | To find events in which Notepad++ was run, use: `process.name EQUALS Notepad++` |
| NOT EQUALS | Return only results that differ from the specified value. Equivalent to the SQL <> or != operators. | To find events for all processes other than Notepad++, use: `process.name NOT EQUALS Notepad++` |
| LIKE | Return only results that match a pattern rather than an exact value. The % symbol matches any sequence of characters; a pattern without % must match the whole value. Case-insensitive. Equivalent to the SQL LIKE operator. | To find events where the file path includes the term 'audit' in any letter case, use: `file.path LIKE %audit%` |
| NOT LIKE | Return only results that do not match the pattern. Opposite of LIKE, and likewise case-insensitive. | To find events where the file path does not include the term 'audit' in any letter case, use: `file.path NOT LIKE %audit%` |
| CS LIKE | Case-sensitive LIKE. | To find events where the file path includes the term 'Audit' with exactly that capitalization, use: `file.path CS LIKE %Audit%`. This returns paths containing 'Audit' but not paths containing only 'audit'. |
| CS NOT LIKE | Case-sensitive NOT LIKE. | To find events where the file path does not include the term 'Audit' with exactly that capitalization, use: `file.path CS NOT LIKE %Audit%`. This excludes paths containing 'Audit' but still returns paths containing only 'audit'. |
| IN | Return only results that are equal to one of the values in a list. Equivalent to several EQUALS statements combined with OR. | To find events where the file owner's email address is one of the specified addresses, use: `file.owner.email_addr IN john@acme.com,stan@acme.com,lee@acme.com` |
| NOTIN | Return only results that are not equal to any value in a list. Equivalent to several NOT EQUALS statements combined with AND. | To find events where the file owner's email address is NOT one of the specified addresses, use: `file.owner.email_addr NOTIN john@acme.com,stan@acme.com,lee@acme.com` |
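The following is an added example, not code from the Hunters platform, that models how the operators above and the AND/OR clause logic of the query builder behave. It implements each operator in Python and runs the table's own queries over three constructed OCSF-style events, so the case-sensitivity difference between LIKE and CS LIKE and the "AND extends a clause, OR starts a new one" model can be checked concretely. The event contents, the assumption that EQUALS compares exactly, the assumption that an absent attribute matches no operator (including the negated ones, mirroring SQL NULL semantics), and the treatment of % as the only wildcard are the example's own assumptions, not documented behavior of the product.

```python
import re

# Constructed sample events in OCSF-style nested dicts (invented for this
# example, not real telemetry from the platform).
EVENTS = [
    {"class_uid": 1007, "process": {"name": "Notepad++"},
     "file": {"path": r"C:\Logs\Audit\app.log",
              "owner": {"email_addr": "john@acme.com"}}},
    {"class_uid": 1007, "process": {"name": "cmd.exe"},
     "file": {"path": "/var/log/audit/audit.log",
              "owner": {"email_addr": "lee@acme.com"}}},
    {"class_uid": 1001, "process": {"name": "explorer.exe"},
     "file": {"path": r"C:\Users\stan\notes.txt",
              "owner": {"email_addr": "eve@evil.example"}}},
]


def get_attr(event, path):
    """Resolve a dotted OCSF attribute path such as 'file.owner.email_addr'.
    Returns None when any segment of the path is missing."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def like_regex(pattern, case_sensitive):
    """Translate a LIKE pattern into an anchored regex. Only '%' is a
    wildcard (any run of characters); everything else is escaped so that
    '.', '+' or '\\' in a value cannot be misread as regex syntax. As with
    SQL LIKE, a pattern with no '%' must match the whole value."""
    pieces = [re.escape(p) for p in pattern.split("%")]
    flags = re.DOTALL if case_sensitive else re.DOTALL | re.IGNORECASE
    return re.compile("^" + ".*".join(pieces) + "$", flags)


def split_list(value):
    """Parse the comma-separated value list used by IN and NOTIN."""
    return [v.strip() for v in value.split(",") if v.strip()]


# Operator table. Assumptions made here: EQUALS is an exact, case-sensitive
# comparison; LIKE is case-insensitive (the CS LIKE variant implies that).
OPERATORS = {
    "EQUALS":      lambda a, v: a == v,
    "NOT EQUALS":  lambda a, v: a != v,
    "LIKE":        lambda a, v: like_regex(v, False).match(str(a)) is not None,
    "NOT LIKE":    lambda a, v: like_regex(v, False).match(str(a)) is None,
    "CS LIKE":     lambda a, v: like_regex(v, True).match(str(a)) is not None,
    "CS NOT LIKE": lambda a, v: like_regex(v, True).match(str(a)) is None,
    "IN":          lambda a, v: a in split_list(v),
    "NOTIN":       lambda a, v: a not in split_list(v),
}


def statement_matches(event, attribute, operator, value):
    """Evaluate one statement. Assumption: an absent attribute matches no
    operator, negated ones included, mirroring SQL's NULL <> 'x' being
    unknown rather than true."""
    actual = get_attr(event, attribute)
    if actual is None:
        return False
    return OPERATORS[operator](actual, value)


def run_query(events, clauses):
    """clauses is a list of clauses combined with OR; each clause is a list
    of (attribute, operator, value) statements combined with AND. This
    mirrors the builder, where AND extends the current clause and OR starts
    a new one."""
    return [e for e in events
            if any(all(statement_matches(e, *s) for s in clause)
                   for clause in clauses)]


def matched_process_names(clauses, events=EVENTS):
    """Return process.name of every event the query matches."""
    return [get_attr(e, "process.name") for e in run_query(events, clauses)]


if __name__ == "__main__":
    # Case-insensitive LIKE hits both the 'Audit' and the 'audit' paths...
    print(matched_process_names([[("file.path", "LIKE", "%audit%")]]))
    # ...while CS LIKE keeps only the exact-case match.
    print(matched_process_names([[("file.path", "CS LIKE", "%Audit%")]]))
    # Two clauses: (cmd.exe AND an audit path) OR (owner outside the list).
    print(matched_process_names([
        [("process.name", "EQUALS", "cmd.exe"), ("file.path", "LIKE", "%audit%")],
        [("file.owner.email_addr", "NOTIN",
          "john@acme.com,stan@acme.com,lee@acme.com")],
    ]))
```

Two details worth noting when reading results back against the table: escaping everything except % in `like_regex` is what keeps a value like `Notepad++` from being interpreted as regex repetition, and treating a missing attribute as a non-match for NOT EQUALS and NOTIN avoids negated statements silently matching every event that lacks the field.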


Scope

As you are building your search query, the scope panel displays which data sources and events will be queried based on your selected parameters. The scope panel updates live based on the changes you make to the search filters and query sections, showing a summary of the expected search. This will provide you with a general overview of the origins of the expected search results, even before running the search itself.

If more than one clause exists in the search query, the panel will show a separate scope for each clause upon hovering over the clause, or an aggregated scope of the entire query when hovering over an empty space in the Query field.

In the video below, notice how the scope panel changes based on the cursor location.

💡Build a search query

To build and run a search query:

  1. Navigate to Investigation > Search.

  2. From the Filters section, select a time range, data sources and event classes (see Filters above for details).

  3. In the Query field, search for and select the required attribute. Then select the operator and then enter the required value.

  4. To add another statement, click the + sign and select AND to add a statement to the existing clause, or OR to start a new clause.


    💡Tip

    You can duplicate or remove a clause using the shortcuts next to it.

  5. Review the scope of the search on the right-side scope panel.

  6. Click Run query.