Network Detections Advanced Search Filter

Use the advanced search filter to create and apply customized searches.

For details, see the following:

To view specific data, select from the following optional attributes and operators, and type an associated value.

Table 1. Search Criteria: Network Detections

Attribute

Operator

Action

Host Name

Contains/Does not contain/Starts with/Equals

Type a value

Interested Host

Contains/Does not contain/Starts with/Equals

Type a value

Peer Host

Contains/Does not contain/Starts with/Equals

Type a value

IP Address

Contains/Does not contain/Equals

Type a value

In range/Not in range

Type a range

Interested IP Address

Contains/Does not contain/Equals

Type a value

In range/Not in range

Type a range

Peer IP Address

Contains/Does not contain/Equals

Type a value

In range/Not in range

Type a range

Peer IP Country

In/Not in

Select one or more peer IP countries

MAC Address

In/Not in

Type a value

Network Group

Contains/Does not contain/Equals

Type a value

User Account

Has user account/No user account

 

Contains/Does not contain

Type a value

Protocol

In/Not in

Select one or more protocols

Transport Layer Security (TLS)

Equals

Select one of the following:

  • Over SSL/TLS

  • Not over SSL/TLS

Direction

Equals

Select one of the following:

  • Internal

  • External

Threat/Detection/Reference

Contains/Does not contain/Equals

Type a value

Detection Rule ID

In/Not in

Type a range

Correlation Rule ID (ICID)

In/Not in

Type a value

Detection Type

In/Not in

Select one or more of the following:

  • Malicious Content

  • Malicious Behavior

  • Suspicious Behavior

  • Exploit

  • Grayware

  • Malicious URL

  • Disruptive Application

  • Correlated Incident

Attack Phase

In/Not in

Select one or more of the following:

  • Intelligence Gathering

  • Point of Entry

  • C&C Communication

  • Lateral Movement

  • Asset/Data Discovery

  • Data Exfiltration

  • Unknown Attack Phase

URL Category

In/Not in

Select one or more URL categories

C&C List Source

In/Not in

Select one or more of the following:

  • Global Intelligence

  • Virtual Analyzer

  • User-defined

  • Relevance Rule

C&C Callback Address

Contains/Does not contain

Type a value

C&C Risk Level

In/Not in

Select one or more of the following:

  • Low

  • Medium

  • High

  • Unknown

Virtual Analyzer Result

Has analysis results/No analysis results

 

PCAP File

Has PCAP file/No PCAP file

 

Is Targeted Attack Related

Equals

Select one of the following:

  • Yes

  • No

File Detection Type

In

Select one or more of the following:

  • Highly Suspicious File

  • Heuristic Detection

  • Known Malware

File Name

Has file name/No file name

 

Contains/Does not contain/Equals

Type a value

File SHA-1

Has file SHA-1/No file SHA-1/

 

Contains/Does not contain

Type a value

File SHA-256

Has file SHA-256/No file SHA-256

 

Contains/Does not contain

Type a value

Domain/URL

Contains/Does not contain/Equals

Type a value

Suspicious Object/Deny List Entity/User-Defined SO

Contains/Does not contain/Starts with/Equals

Type a value

Sender (Email)

Has sender/No sender

 

Equals/Contains/Does not contain

Type a value

Recipient (Email)

Has recipient/No recipient

 

Equals/Contains/Does not contain

Type a value

Message ID (Email)

Has message ID/No message ID

 

Contains/Does not contain

Type a value

Subject (Email)

Has subject/No subject

 

Contains/Does not contain

Type a value