CB ThreatHunter: How to search based on event_timestamp


Article ID: 289661



Carbon Black Cloud Enterprise EDR (formerly CB ThreatHunter)


Filter events on the Process Analysis page using the event_timestamp search field


  • CB ThreatHunter Web Console: All Versions
  • CB PSC Sensor: 3.4.x.x and higher
  • Microsoft Windows: All Supported Versions


  1. Navigate to the Investigate page
  2. Select the desired process name hyperlink or select the Process Analysis icon
  3. Within the Process Analysis page scroll down to the search bar
  4. Enter the event_timestamp search field in the search bar using the following syntax:
    • event_timestamp:[YYYY-MM-DDTHH:MM:SS TO YYYY-MM-DDTHH:MM:SS]

Additional Information

  • Specifying a timezone for the event_timestamp search field is currently not possible
  • Times entered in the event_timestamp search field must be given in UTC. For example:
    • A user based in the EDT timezone filtering for events that happened at 6:00 a.m. will need to enter 10:00 a.m. for the time range in the above event_timestamp syntax example
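
The following is an added example, not part of the original article or of any vendor tooling: it converts an analyst's local time window to UTC and emits the filter in the syntax from step 4. The function names and sample dates are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo  # Python 3.9+; relies on the system time zone database

# The YYYY-MM-DDTHH:MM:SS layout shown in step 4 of the article.
FMT = "%Y-%m-%dT%H:%M:%S"


def to_utc(local: str, tz) -> datetime:
    """Parse a local timestamp (no offset) and convert it to UTC.

    tz is an IANA zone name such as "America/New_York", or a tzinfo object.
    A zone name lets the DST offset follow the date (EDT in summer, EST in winter).
    """
    zone = ZoneInfo(tz) if isinstance(tz, str) else tz
    return datetime.strptime(local, FMT).replace(tzinfo=zone).astimezone(timezone.utc)


def event_timestamp_query(start_local: str, end_local: str, tz) -> str:
    """Build the event_timestamp range filter from analyst-local times.

    Hypothetical helper name; only the output string is pasted into the
    Process Analysis search bar.
    """
    start, end = to_utc(start_local, tz), to_utc(end_local, tz)
    if start >= end:
        raise ValueError("range start must be earlier than range end")
    return f"event_timestamp:[{start.strftime(FMT)} TO {end.strftime(FMT)}]"


if __name__ == "__main__":
    # Constructed sample windows. The first matches the article's EDT case
    # (6:00 a.m. local becomes 10:00 UTC); the second is the same wall-clock
    # time in winter, when the offset to UTC is one hour larger.
    print(event_timestamp_query("2023-07-14T06:00:00", "2023-07-14T07:00:00",
                                "America/New_York"))
    print(event_timestamp_query("2023-01-14T06:00:00", "2023-01-14T07:00:00",
                                "America/New_York"))
    # An evening window rolls over to the next UTC date.
    print(event_timestamp_query("2023-07-14T21:30:00", "2023-07-14T23:00:00",
                                timezone(timedelta(hours=-4))))
```
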