I talked with Support about this and their suggestions were as follows:
Start with Event Group/Any Alert
Use Tool Alias and Detection or Insertion IP
These will help you narrow your search; from here you can target in on more specific fields.
Yeah, effectively, it's just really helpful to have an example to start from, otherwise you kind of feel "chicken and egg" on what you're doing. As you learn the taxonomy you can begin to figure out how events get normalized in a pretty standard way, but there are still 300 of them to choose from, plus all of their fields.
We also have the "combined" fields in nDepth that might help - User Name and IP Address. These fields search across those values in any field they might appear in - for example, with IP Address, it will search source, destination, insertion IP, and detection IP, across any events where those might occur.
You can also do a basic text search (not with fields) but it'll generally be a slower operation since it has to search the entire index.