A logical first step when looking for a suspected event In Security Analytics is using the Timespan filtering capability. The reason for this is that by reducing searches down to a specific window of time, you can focus on a smaller time frame. Narrower timespans result in smaller data sets, thereby producing quicker results than larger timespans. This is most effective if you have a good idea of when the traffic you are looking for was captured by Security Analytics. If you do not know when an event occurred, you can filter first using a primary filter to narrow down to specific criteria, such as a known IP address or responder. Once this initial filtering has been completed, then a timespan filter can be used to shrink the window of time until the specific event has been found.
More information on filtering can be found the Security Analytics Web Guide.