Comodo Help
Find the desired product help
Xcitium EDR

Xcitium EDR

Comodo EDR Quick Start Guide

English

Print Help Download Help
Comodo EDR - Quick Start > Step 6 - Analyze Events
  • Comodo EDR - Quick Start
    • Step 1 - Login To EDR
    • Step 2 - Add Endpoints To EDR
    • Step 3 - Manage EDR Policies
    • Step 4 - View Events Details On Endpoints
    • Step 5 - View Alerts
    • Step 6 - Analyze Events
    • Step 7 - Investigate Events On Computers
    • Step 8 - Analyze Files By Their Hash Values
    • Step 9 - View Process Timeline Of Events

Step 6 - Analyze Events

 

  • The 'Event Search' interface lets you find specific events using built-in queries.
  • cWatch ships with some useful sample queries, and you can construct your own queries.
  • You have to create conditions for a search and configure the results table accordingly.
  • You can also use the search results to construct another query.
  • Click 'Investigation' on the left then 'Event Search' to open the interface:




  • By default, no custom queries are defined, allowing you search for all events that occurred during the last 3 days.
  • Use the 'Query Fields' and 'Operator' links on the upper-left to build a custom event query.
  • The first query field you add will automatically have the '=' operator appended to it (you can change this if required). You will need to enter the criteria after the operator.
  • Any subsequent fields you add will automatically be prefixed with the 'AND' operator.
  • All queries that you save will be listed under 'My Queries'
  • 'Sample Queries' are pre-defined, example queries. These can be used as standalones, or adapted to produce a more complex search.
  • 'Select Fields' on the right lets you configure the columns of the results table.
  • You can change the date range using the link 2nd from the right.

The interface allows you to:

  • Run a general event search
  • Configure and run a custom query search
  • Use sample queries
  • View query results
  • Configure results table column headers for a query


Run General Event Search


 

A general search returns all events recorded from all enrolled endpoints.


To run a general event search:

  • Make sure the 'Search Box' field is blank.
  • Use the time-range drop-down to pick a specific date or date range.




  • Click 'Custom range' to choose specific dates:
  • Click 'Apply' then 'Search'.




The results for the selected period will be displayed. See 'View Query Results' for more information.


Configure and Run a Custom Query Search


You can search for particular events by building custom queries.

  • Click 'Query Fields' then select an event type to begin constructing a custom event query:



  • Alternatively, click in the search box and use short cut keys 'Ctrl + space'. Select an event field from the list.
  • Repeat the process to add more event fields for the query. The 'AND' operator will be automatically added to any subsequent fields you add.
  • Click 'Operators' link and select the operator from the drop-down. You can also enter the operator manually.




  • Enter the relevant details of the event fields.

 

The following example shows a search for 'Adaptive Event Name' = 'Run Untrusted Executable' AND 'Device Name' = 'DESKTOP-7J8UVDU':




  • Next, select the time period for the custom query and click 'Search'

The search results for the custom query will be displayed:




Please note the results for the query will also display details for other fields also. See 'View Query Results' for more information.


You can also build custom queries using the search results. See the topic 'Event Search' for more information.


Use Sample Queries


EDR ships with built-in sample queries that are often used. This also serves as examples for you to create more complex queries.

  • Click 'Sample Queries' link below the search box




The sample query will be automatically updated in the 'Search Box'.




  • Select the time-period and click 'Search'

Events matching the sample query will be displayed. See 'View Query Results' for more information.


View Query Results


EDR stores the generated events on the cloud and these can be fetched anytime from anywhere using an internet browser. You can use these events for data analysis and take remedial actions on endpoints. The query results will be displayed depending on the type of query search.


 

A summary of the search results is shown on separate tiles at the top. Results for each event are displayed below.




Summary Search Results



 

  • The number beside each event detail indicates the total number of events recorded for that item.
  • Clicking an event detail under an event field will display only the results pertaining to those items.

Event List


 

The lower section below the tiles displays the results for each event.




  • Clicking an event row will display all the event fields for that event type. The number of event fields displayed depends on the event type.
  • Clicking an event detail beside an event field will display only the results pertaining to those items.
  • Clicking the  icon in the 'Show' column for an event will display its timeline.

Configure Results Table Column Headers for a Query


You can configure the results table to show columns which are important to your custom query. You can also view all the event fields pertaining to your search by clicking the '+' sign beside a query result.

  • Click 'Select Fields' on the right to configure the result table columns:




A check-mark is shown next to currently enabled fields. A 'field' in this sense is a column in the results table.

  • Click the checkbox beside an individual field to enable or disable it.
  • To display all fields, click  at the top
  • To hide all fields, click  at the top.
  • All enabled fields are shown on the right, with field # 1 being the first column on the left. Click and drag a particular field to re-position it in the table.
  • Click 'Ok' when done.

Your selected fields will be shown as columns in the query search results. The same fields will also be shown for the results summary tiles above the 'Event List' results table. The results summary will not display the 'Event Time' field since this available beside 'Search Results' by default.




Tip. You can still view all event fields for a result by clicking the number beside a event result row:




The number of event fields displayed in the detailed results depends on the event type.


See 'Event Search' topic if you need more help with this.

Our Products
  • Free Antivirus
  • Free Internet Security
  • Website Malware Removal
  • Free Anti-Malware
  • Anti-Spam (Free Trial)
  • Windows Antivirus
  • Antivirus for Windows 7
  • Antivirus for Windows 8
  • Antivirus for Windows 10
  • Antivirus for MAC
  • Antivirus for Linux
  • Free Endpoint Security
  • Free ModSecurity
  • Free RMM
  • Free Website Malware Scanner
  • Free Device Manager for Android
  • Free Demo
  • Network Security
  • Endpoint Protection
  • Antivirus for Android
  • Comodo Antivirus
  • Wordpress Security
Cheap CDN
  • Bootstrap CDN
  • Semantic UI CDN
  • Jquery CDN
  • CDN Plans
  • CDN
  • Free CDN
Enterprise
  • Patch Management Software
  • Patch Manager
  • Service Desk
  • Website Down
  • Endpoint Protection Solutions
  • Website Security Check
  • Remote Monitoring and Management
  • Website Security
  • Device Manager
  • ITSM
  • CRM
  • MSP
  • Android Device Manager
  • MDR Services
  • Ransomware Prevention
  • Managed IT Support Services
  • Free EDR
Free SSL Certificate
Support Partners Terms and Conditions Privacy Policy

© Comodo Group, Inc. 2024. All rights reserved.