Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Finding IOCs Quickly with Lazy Search

Lazy search returns the first 1000 events that are related to the search criterion. For example, if you need to search for a particular MD5 as part of a malware outbreak investigation, you do not need to review every related event. Do a lazy search to quickly return a limited result set.

To take advantage of the lazy search, you must have the Admin security profile, or a non-administrator security profile that is configured in the following way:

  • Permission precedence set to No Restrictions.

  • Access to all networks and log sources.

Lazy search cannot be used by users with non-administrator security profiles on networks where domains are configured.

You use the JSAlazy search to search for an indicator of compromise (IOC), such as unusual outbound network traffic or anomalies in privileged user account activity.

  1. To do a lazy search for quick filters, do these steps:

    1. On the Log Activity tab, in the Quick Filter field, enter a value.

    2. From the View list, select a time range.

  2. To do a lazy search for basic searches, do these steps:

    1. On the Log Activity tab, click Search >New Search.

    2. Select a Recent time range or set a Specific Interval.

    3. Ensure that Order by field value is set to Start Time and the Results Limit field value is 1000 or less. Aggregated columns must not be included in the search.

    4. Enter a value for the Quick Filter parameter and click Add Filter.

  3. To disable lazy search completely, do these steps:

    1. Click the System Settings on the Admin tab.

    2. In the System Settings window, remove any values from the Default Search Limit field.

Related Documentation