How can an event search be performed from a detection?

Prepare for the CrowdStrike Certified Falcon Responder Exam. Utilize flashcards and multiple-choice questions, complete with hints and solutions, to ensure your success.

Performing an event search from a detection in the Falcon platform is accomplished by utilizing the spyglass icon after clicking on the detection itself. This functionality is designed to provide direct access to relevant events associated with a specific detection, streamlining the investigation process.

When a user clicks on the detection, they are brought to a more detailed view that highlights the context surrounding the alert. The spyglass icon acts as an intuitive tool for initiating an event search that allows responders to analyze related activities directly linked to the detection. This integration is essential for effectively tying together alerts with corresponding events, making it easier to assess the impact and potential remediation steps.

While there are other avenues to filter or analyze events, such as manually filtering events on the dashboard or executing predefined queries, these methods do not provide the contextual link that the spyglass icon does when starting from a detection. Exporting event data, while useful for in-depth analysis in external tools, moves away from the immediate need to inspect the events directly related to an ongoing incident. Thus, the spyglass icon is the most direct and efficient means of searching for events linked to a specific detection.
