This topic describes how to search for dotted tokens.

A dot (.) followed by anything in the following fields gets special tokenization, because the dotted part may be a file extension, a domain, or a double file extension:

  • crossproc_name
  • fileless_scriptload_cmdline
  • filemod_name
  • modload_name
  • parent_cmdline
  • parent_name
  • process_cmdline
  • process_name
  • regmod_name
  • scriptload_name

For any string w.x.y, you can search for three things:

  • w.x.y
  • .x.y
  • .y

Anything else requires wildcards or regex.

For example, if an endpoint has reported filemod_name:file.7z.tmp and you want to search for all filemod_name values that include file.7z, you must search for file.7z*, .7z.tmp, or .tmp. Searching for file.7z alone does not match, because file.7z is not one of the three tokens generated for file.7z.tmp.
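The following is an added example, not code from the product documentation: it emulates the tokenization rule described above (for w.x.y the indexed tokens are w.x.y, .x.y and .y) and runs sample queries over a few constructed filemod_name values, so you can see which search terms hit and which ones silently miss. The wildcard behaviour is approximated with Python's fnmatch against the whole field value, and fields outside the dotted list are assumed to match only on the exact value; both are assumptions of this example, not statements about the real search engine.

```python
import fnmatch

# Fields that receive the special dot tokenization (from the list above).
DOTTED_FIELDS = {
    "crossproc_name", "fileless_scriptload_cmdline", "filemod_name",
    "modload_name", "parent_cmdline", "parent_name", "process_cmdline",
    "process_name", "regmod_name", "scriptload_name",
}


def dotted_tokens(value):
    """Return the searchable tokens for a dotted value.

    For "w.x.y" the tokens are "w.x.y", ".x.y" and ".y": the full value plus
    every dot-prefixed suffix. A value without a dot yields only itself.
    """
    parts = value.split(".")
    tokens = [value]
    for i in range(1, len(parts)):
        tokens.append("." + ".".join(parts[i:]))
    # dict.fromkeys preserves order while dropping duplicates (e.g. ".hidden")
    return list(dict.fromkeys(tokens))


def matches(field, value, query):
    """Decide whether a query term hits a single field value.

    Assumption of this example: a term containing * or ? is treated as a
    wildcard over the entire value; any other term must equal one of the
    indexed tokens exactly. Fields not in DOTTED_FIELDS only match the
    whole value.
    """
    if "*" in query or "?" in query:
        return fnmatch.fnmatchcase(value, query)
    if field in DOTTED_FIELDS:
        return query in dotted_tokens(value)
    return query == value


def search(records, field, query):
    """Return the field values from `records` that the query term matches."""
    return [rec[field] for rec in records if matches(field, rec[field], query)]


# Constructed sample events, not real endpoint data.
SAMPLE_EVENTS = [
    {"filemod_name": "file.7z.tmp"},
    {"filemod_name": "file.7z"},
    {"filemod_name": "report.tmp"},
    {"filemod_name": "notes.txt"},
]


if __name__ == "__main__":
    print("tokens for file.7z.tmp:", dotted_tokens("file.7z.tmp"))
    for term in ["file.7z", "file.7z*", ".7z.tmp", ".tmp", "7z"]:
        print(f"filemod_name:{term:<10} -> {search(SAMPLE_EVENTS, 'filemod_name', term)}")
```

Running the block shows that the plain term file.7z returns only the event whose full value is file.7z, while file.7z* also returns file.7z.tmp; .tmp returns every value ending in that extension, and the bare fragment 7z (no leading dot, no wildcard) returns nothing, which is the miss the tokenization rule warns about.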