To create a query, follow these steps:
- On the Seqrite EDR portal, click the Threat Hunting page in the left navigation pane. The Threat Hunting tab is highlighted with a yellow square. You can directly search using appropriate search parameters or create a new query using the query builder.
- Click the Add + button to add the filter values. The Filters dialog box is displayed.
- In the Search textbox, click and select from the filters that are displayed.
- Enter the value of the filter that you want to use in the search query. For example, Name. The filter is selected and displayed in the Search box, enter a value for the indicator. For example, we shall add Name: Powershell.exe
- Click Add+ to add the selected IOC and the search value. The value is selected and displayed under Selected Filters.
- Click in the Search box and repeat above steps to add other IOC values for the search query. For example, and IP address IP:”202.145.202.114”.
- Add more IOC as required. To remove a particular filter, click the corresponding x mark for that value.
- Click Apply to apply the search criteria.
- Once you are done with adding the filters and their values, click Save Query. The query is saved with time stamp and moved to the Saved Queries tab.
- Enter a name for the query in the Query Name column (highlighted in the yellow box). For example, Powershell+IP, and click Save. A confirmation message is displayed and the query is saved.