The Flight Recorder page lets you search the stored endpoint data using any combination of parameters and operators to build a compound search query. Once a search has run, click Reset to clear all selected search parameters, or click Copy Search to copy the query so the results can be shared.
NOTICE - By default, Flight Recorder data retention is disabled, so nothing is stored for searching until it is turned on. Enable it by selecting the Flight Recorder Search checkbox for each supported OS in the Endpoint Detection and Response policy settings. Events that occurred before retention was enabled are not available to search.
Search parameters
Select all sites, or specific sites, at the top right to set the scope of a Flight Recorder search. To add or remove search parameters, click the add or delete icons.
The available parameters are:
- PC Hostname
- User Account
- Process Name
- Process Path
- Process ID
- Command Line
- Contacted IP Address
- Contacted Domains
- Contacted Remote Port
- Written Files
- Process MD5
- Process SHA1
- Process SHA256
- Process SHA512
Note: to search on Contacted IP Address or Contacted Domains, the Network Events toggle must be enabled under Policy Settings; otherwise no network data is recorded for these parameters to match. To enable this setting, see Configure Scan Settings options in OneView.
Flight Recorder Search operators include:
- Equals To
- Not Equals To
- Contains
- Not Contains
- Starts With
- Ends With
Flight Recorder Search can also limit how far back in time the query applies. The following time ranges are available:
- Last 24 hours
- Last 12 hours
- Last 6 hours
- Last hour
- Last 30 minutes
- Custom (up to a maximum of 30-days per query)
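The parameters, operators and time ranges above are combined in the OneView UI; the following is an added example (not Malwarebytes or OneView code) that models the same compound search locally over constructed sample events, so you can see how a multi-condition query with a bounded time range behaves before running it against live telemetry. It also computes the four digest formats (MD5, SHA1, SHA256, SHA512) that the Process hash parameters accept, since the usual workflow is to hash a binary you already hold and paste the value into the matching field. The AND semantics between conditions, case-insensitive string matching and the 30-day cap on the custom range are assumptions made for this example; confirm them in your own tenant.

```python
# Added example (not OneView/Malwarebytes code): a local model of a Flight Recorder
# compound search over constructed events, plus the hash formats the search accepts.
# Assumptions not stated on the page: conditions are ANDed, string matching is
# case-insensitive, and a custom range may not exceed 30 days.
import hashlib
from datetime import datetime, timedelta, timezone

MAX_CUSTOM_RANGE = timedelta(days=30)  # "Custom (up to a maximum of 30-days per query)"

# The six operators from the page as predicates over (field value, search term).
OPERATORS = {
    "Equals To":     lambda value, term: value == term,
    "Not Equals To": lambda value, term: value != term,
    "Contains":      lambda value, term: term in value,
    "Not Contains":  lambda value, term: term not in value,
    "Starts With":   lambda value, term: value.startswith(term),
    "Ends With":     lambda value, term: value.endswith(term),
}


def process_hashes(image: bytes) -> dict:
    """Digests of a process image in the four formats the search accepts.
    Hash the binary you already hold (e.g. from a quarantined host) and paste
    the value into the matching Process MD5/SHA1/SHA256/SHA512 field."""
    return {
        "Process MD5":    hashlib.md5(image).hexdigest(),
        "Process SHA1":   hashlib.sha1(image).hexdigest(),
        "Process SHA256": hashlib.sha256(image).hexdigest(),
        "Process SHA512": hashlib.sha512(image).hexdigest(),
    }


def matches(record: dict, conditions: list) -> bool:
    """True when every (parameter, operator, term) condition holds (AND: assumption)."""
    for parameter, operator, term in conditions:
        value = str(record.get(parameter, "")).lower()
        if not OPERATORS[operator](value, str(term).lower()):
            return False
    return True


def search(records: list, conditions: list, start: datetime, end: datetime) -> list:
    """Apply a compound query to events whose Timestamp lies within [start, end]."""
    if end < start:
        raise ValueError("range end precedes its start")
    if end - start > MAX_CUSTOM_RANGE:
        raise ValueError("custom range exceeds the 30-day maximum per query")
    return [r for r in records
            if start <= r["Timestamp"] <= end and matches(r, conditions)]


# Constructed sample telemetry (not real data); NOW stands in for "time of search".
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
SYSTEM32_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"PC Hostname": "FIN-WS01", "User Account": "finance\\jdoe",
     "Process Name": "powershell.exe", "Process Path": SYSTEM32_PS,
     "Command Line": "powershell.exe -nop -w hidden -enc AAAA",
     "Contacted IP Address": "203.0.113.10", "Contacted Remote Port": 443,
     "Timestamp": NOW - timedelta(hours=3)},
    {"PC Hostname": "FIN-WS01", "User Account": "finance\\jdoe",
     "Process Name": "chrome.exe",
     "Process Path": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Command Line": "chrome.exe", "Contacted IP Address": "203.0.113.10",
     "Contacted Remote Port": 443, "Timestamp": NOW - timedelta(hours=2)},
    {"PC Hostname": "HR-WS07", "User Account": "hr\\asmith",
     "Process Name": "powershell.exe", "Process Path": r"C:\Users\Public\powershell.exe",
     "Command Line": "powershell.exe -c whoami", "Contacted IP Address": "",
     "Contacted Remote Port": "", "Timestamp": NOW - timedelta(days=10)},
    {"PC Hostname": "HR-WS07", "User Account": "hr\\asmith",
     "Process Name": "powershell.exe", "Process Path": SYSTEM32_PS,
     "Command Line": "powershell.exe -File C:\\Scripts\\inventory.ps1",
     "Contacted IP Address": "", "Contacted Remote Port": "",
     "Timestamp": NOW - timedelta(days=1)},
]


def last(*, hours: int = 0, days: int = 0) -> tuple:
    """(start, end) for one of the page's preset ranges, e.g. last(hours=24)."""
    return NOW - timedelta(hours=hours, days=days), NOW


# Query 1: which processes on any host contacted 203.0.113.10 in the last 6 hours?
BEACON_QUERY = [("Contacted IP Address", "Equals To", "203.0.113.10")]

# Query 2: powershell.exe not running from its System32 location in the last 30 days.
MASQUERADE_QUERY = [("Process Name", "Equals To", "powershell.exe"),
                    ("Process Path", "Not Contains", r"\Windows\System32")]

if __name__ == "__main__":
    for label, query, window in (("beacon", BEACON_QUERY, last(hours=6)),
                                 ("masquerade", MASQUERADE_QUERY, last(days=30))):
        hits = search(SAMPLE_EVENTS, query, *window)
        print(label, [(h["PC Hostname"], h["Process Path"]) for h in hits])
    print(process_hashes(b"MZ"))
```

The masquerade query is the kind of compound search the operator list enables: an Equals To on Process Name narrowed by a Not Contains on Process Path. Note that it only finds the HR-WS07 event when the range is wide enough (last 30 days); the same query over the last 24 hours returns nothing, which is why the time range deserves as much thought as the conditions themselves.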