During your investigation, you can save relevant fragments from logs and IP addresses as evidence for later use in the Evidence lists section. With the evidence lists, you can build filters for your query. For details, see Filter by evidence.
You can add
A field value or a selected part of the value from the results table to the built-in IoC evidence list or to a custom evidence list created by you.
IP addresses (IPv4 and IPv6, also in CIDR notation) to the built-in IP evidence lists (Suspicious or Safe) or to custom IP evidence lists created by you.
There are two ways to add evidence, from the Evidence lists section and from the query results table.
There is no limitation on the number of items (strings or IPs) you can add to a list in your evidence list.
For example, to add an IP address to an IP evidence list, right-click on an ip_address
field or select the IP address from a string
-type field with your mouse.
You can also add multiple items at once to an evidence list or create a new list from the selection.
You can create custom evidence lists from the Evidence lists section and from the query results table.
There is no limitation on the number of lists you can create.
Select .
Select the evidence type, enter the details, then select Confirm.
Right-click on a field.
In the Add to evidence list section, select New evidence list.
Select the evidence type, enter the details, then select Confirm.
You can delete items in your evidence list individually or in bulk.
In the Evidence lists section, select next to the evidence list where you want to delete evidence.
Select Manage.
Select the items you want to delete.
Select Delete.
In Evidence lists you can
Rename preset and custom evidence lists
Delete custom lists