CB ThreatHunter: How to search based on event_timestamp
Article ID: 289661
Updated On:
Products
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
Filter events on the Process Analysis page using the event_timestamp search field
Environment
- CB ThreatHunter Web Console: All Versions
- CB PSC Sensor: 3.4.x.x and higher
- Microsoft Windows: All Supported Versions
Resolution
- Navigate to the Investigate page
- Select the desired process name hyperlink or select the Process Analysis icon
- Within the Process Analysis page scroll down to the search bar
- Enter the event_timestamp search field in the search bar utilizing the following syntax
- event_timestamp:[YYYY-MM-DDTHH:MM:SS TO YYYY-MM-DDTHH:MM:SS]
Additional Information
- Specifying a timezone for the event_timestamp search field is currently not possible
- Times that are entered in the event_timestamp search field will need to account for the UTC timezone. For example:
- A user based in the EDT timezone filtering for events that happened at 6:00 a.m. will need to enter 10:00 a.m. for the time range in the above event_timestamp syntax example
Feedback
Yes
No
Powered by
