Chris is right; essentially that search is looking at threat lists that you subscribe to (in this case one from Mandiant) and looking for cases where identified threat indicators exist in your data, thus potentially indicating that there is a threat in your environment. Next step would be to investigate whether or not it is a false positive—is there really a threat to your network / is there actually malicious behavior occurring. And as Chris points out, you can test whether or not the search is functioning by creating the data.
In this case it sounds like you did a bit of investigation and identified a user downloading something that could be malicious, but could also be useful for them to do their job. Then it's up to you/the security team at your organization to decide if that's "bad".
... View more