You can use search tokens to search for information on the Incidents tab.
Example
Show file-created events for a certain date and asset name
asset.agentId:"d9440962-f4ff-4d53-b518-060d0f3137fc"
and asset.score: 8
Example
Show events that are not on a certain asset name
not asset.hostName: `WIN-BU2-5555`
Example
Show events on files created by jsmith or kwang
file.creator: jsmith or file.creator: kwang
Examples
Show incidents for the malware family Trickbot
incident.malware.family: Trickbot
Show incidents for the malware family bscope
incident.malware.family: "bscope"
Examples
Show incidents with this malware category
incident.malware.category: trojan
Show any incident whose malware category contains this text (partial match)
incident.malware.category: "trojan"
Show incidents whose malware category matches this exact name
incident.malware.category: `adware`
Example
Show incidents with this unique id
incident.id: 59835863-7587-4dad-b61a-c35ed98959c0
Example
Show incidents with this agent id
incident.asset.agentid: 81b16451-f33f-4a13-88be-f2fa99faef1e
Examples
Show incidents with more than 2 file events
incident.files > 2
Show incidents with 5 file events
incident.files: 5
Examples
Show incidents with registry events greater than 3
incident.registry > 3
Show incidents with 5 registry events
incident.registry: 5
Examples
Show incidents with process events greater than 3
incident.process > 3
Show incidents with 5 process events
incident.process: 5
Examples
Show incidents with mutex events greater than 3
incident.mutex > 3
Show incidents with 5 mutex events
incident.mutex: 5
Examples
Show incidents with network events greater than 3
incident.network > 3
Show incidents with 5 network events
incident.network: 5
Examples
Show incidents with a risk score greater than 3
incident.riskscore > 3
Show incidents with a risk score of 5
incident.riskscore: 5
Example
Show incidents detected in this time range
incident.detectedon: ['2017-04-05T05:33:34' ... '2017-04-05T05:33:34']
Examples
Show incidents of the event type File
incident.eventtype: FILE
Show incidents of the event types File and Network
incident.eventtype: ["FILE", "NETWORK"]
Example
Show incidents with the host name WIN-189
incident.asset.hostname: "WIN-189"
Example
Show incidents that matched the YARA rule HttpBrowser_RAT_Gen
incident.yara.rulename: `HttpBrowser_RAT_Gen`
Example
Show incidents that matched this MITRE ATT&CK rule name
incident.mite.attack.rule.name: `T1033_5`
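To make the token rules above concrete, here is an added example of a toy evaluator for this search syntax, run over constructed sample incidents. It is not the product's own query engine: the matching rules (`:` versus `>`, `and`/`or`/`not`, backticks for an exact match, double quotes for a partial match, `[...]` lists and `[lo ... hi]` ranges) are inferred from the examples on this page, and the operator precedence (`not` binds tighter than `and`, which binds tighter than `or`), case-insensitive field names, the treatment of a bare unquoted word as an exact case-insensitive match, and the flat `incident.*` record layout are assumptions made for the example only. The `search` function, `Parser` class, `SAMPLE_INCIDENTS` data and all record values are constructed here and appear nowhere on the page.

```python
"""Toy evaluator for the Incidents-tab search token syntax (added example, not product code).
Matching rules are inferred from the page's examples; precedence (not > and > or), case
handling and the flat lowercase record layout are assumptions, not documented behaviour."""
import re

# One token per match: a boolean keyword, or a field / operator / value term.
TOKEN_RE = re.compile(r"""\s*(?:
    (?P<kw>(?:and|or|not)(?![\w.]))
  | (?P<field>[A-Za-z][\w.]*)\s*(?P<op>[:>])\s*
    (?P<value>\[[^\]]*\]|`[^`]*`|"[^"]*"|\S+)
)""", re.VERBOSE | re.IGNORECASE)

def tokenize(query: str) -> list:
    """Split a query into ('kw', word) and ('term', (field, op, raw_value)) tokens."""
    tokens, pos, query = [], 0, query.rstrip()
    while pos < len(query):
        m = TOKEN_RE.match(query, pos)
        if not m:
            raise ValueError(f"cannot parse query at offset {pos}: {query[pos:]!r}")
        pos = m.end()
        if m.group("kw"):
            tokens.append(("kw", m.group("kw").lower()))
        else:  # field names are compared case-insensitively (assumption)
            tokens.append(("term", (m.group("field").lower(), m.group("op"), m.group("value"))))
    return tokens

def _num(value):
    try:
        return float(value)
    except (TypeError, ValueError):
        return None

def make_term(field: str, op: str, raw: str):
    unquote = lambda s: s.strip().strip("`\"'‘’")
    if op == ">":                          # numeric comparison, e.g. incident.files > 2
        bound = float(raw)
        return lambda r: (v := _num(r.get(field))) is not None and v > bound
    if raw.startswith("["):                # ["A", "B"] list, or ['lo' ... 'hi'] range
        body = raw[1:-1]
        if "..." in body or "…" in body:   # bounds compared as strings (fine for ISO timestamps)
            lo, hi = (unquote(p) for p in re.split(r"\.\.\.|…", body, maxsplit=1))
            return lambda r: field in r and lo <= str(r[field]) <= hi
        wanted = {unquote(p).lower() for p in body.split(",")}
        return lambda r: str(r.get(field, "")).lower() in wanted
    if raw.startswith("`"):                # `exact`: case-sensitive whole-value match
        return lambda r: str(r.get(field)) == raw[1:-1]
    if raw.startswith('"'):                # "partial": case-insensitive substring match
        needle = raw[1:-1].lower()
        return lambda r: needle in str(r.get(field, "")).lower()
    n = _num(raw)
    if n is not None:                      # bare number: numeric equality
        return lambda r: _num(r.get(field)) == n
    return lambda r: str(r.get(field, "")).lower() == raw.lower()  # bare word: assumed exact match

class Parser:
    """Recursive descent over the token list; precedence is not > and > or (assumption)."""
    def __init__(self, tokens: list):
        self.toks, self.i = tokens, 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self):
        if self.peek() is None:
            raise ValueError("unexpected end of query")
        self.i += 1
        return self.toks[self.i - 1]
    def binary(self, word, combine, operand):
        left = operand()
        while self.peek() == ("kw", word):
            self.take()
            left = combine(left, operand())
        return left
    def parse_or(self):
        return self.binary("or", lambda a, b: (lambda r: a(r) or b(r)), self.parse_and)
    def parse_and(self):
        return self.binary("and", lambda a, b: (lambda r: a(r) and b(r)), self.parse_not)
    def parse_not(self):
        if self.peek() == ("kw", "not"):
            self.take()
            inner = self.parse_not()
            return lambda r: not inner(r)
        kind, val = self.take()
        if kind != "term":
            raise ValueError(f"expected a field:value term, got {val!r}")
        return make_term(*val)

def search(query: str, records: list) -> list:
    """Return the incident.id of every record the query matches, in input order."""
    parser = Parser(tokenize(query))
    pred = parser.parse_or()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r}")
    return [r["incident.id"] for r in records if pred(r)]

# Constructed sample incidents (not real data), flattened to lowercase dotted keys.
SAMPLE_INCIDENTS = [
    {"incident.id": "inc-1", "incident.malware.family": "Trickbot", "incident.malware.category": "trojan",
     "incident.files": 5, "incident.riskscore": 7, "incident.eventtype": "FILE", "incident.detectedon": "2017-04-05T05:33:34"},
    {"incident.id": "inc-2", "incident.malware.family": "bscope", "incident.malware.category": "Trojan.Dropper",
     "incident.files": 1, "incident.riskscore": 3, "incident.eventtype": "NETWORK", "incident.detectedon": "2017-04-06T09:00:00"},
    {"incident.id": "inc-3", "incident.malware.family": "GenericAdware", "incident.malware.category": "adware",
     "incident.files": 0, "incident.riskscore": 2, "incident.eventtype": "REGISTRY", "incident.detectedon": "2017-04-01T00:00:00"},
]
```

Calling `search('incident.malware.category: "trojan"', SAMPLE_INCIDENTS)` returns both `inc-1` and `inc-2`, because the double-quoted form is a substring match, while the bare form `incident.malware.category: trojan` returns only `inc-1` and the backtick form `` incident.malware.category: `adware` `` only `inc-3`. The point worth noticing is that the quoting style changes which incidents a hunt or exclusion filter covers: a partial match on a broad word such as "trojan" pulls in every sub-category, so a `not ...` exclusion built on it hides more than intended.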