You can use the following query syntax in the search field:
Value Search
Use complete values when searching (for example, powershell) or a trailing wildcard (for example, power*).
Search Fields
Form queries like this when including search fields: field:term
parent_name:powershell.exe
Wildcards
Expand queries using wildcards.
- ? Matches a single character. For example, te?t will return results for "test" and "text".
- * Matches zero or more sequential characters. For example, tes* will return results for "test", "testing", and "tester".
Leading wildcards are assumed in file extension searches.
For example: process_name:.exe
Wildcards can be used in a path only if the value is not quoted. In an unquoted value, escape the following special characters with a backslash: + - && || ! ( ) { } [ ] ^ " ~ * ? : /
For example, to search for (1+1):2, type: \(1\+1\)\:2
Operators
Refine queries using operators. Operators must be uppercase.
- AND returns results when both terms are present
- OR returns results when either term is present
- NOT returns results when a term is not present
Escaping
Slashes, colons, and spaces must be manually escaped except when using suggestions and filters.
Date/Time Ranges
Refine queries using date/time ranges, when applicable.
For example: device_timestamp:[2018-10-25T14:00:00Z TO 2018-10-26T15:00:00Z]
Count Searches
Refine queries that include counts with ranges and wildcards.
- [3 TO *] Returns count results with a value of 3 or higher.
- [* TO 10] Returns count results with a value up to 10.
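The following Python helpers apply the rules above (backslash escaping of special characters and spaces, ? and * wildcards, uppercase AND/OR/NOT operators, and [lo TO hi] date/time and count ranges) so that a query can be built from untrusted values without hand-escaping. This is an added example, not code from the Carbon Black Cloud product or its documentation; the function names and the sample values are assumptions for illustration.

```python
"""Build and check search queries using the rules on this page: backslash
escaping of special characters, ? and * wildcards, uppercase AND/OR/NOT
operators and [lo TO hi] ranges.

Added example; not code from the Carbon Black product or its documentation.
Function names and the sample values are assumptions for illustration.
"""
import re

# Characters the page lists as needing a backslash in unquoted values
# (&& and || are covered by escaping each & and |), plus the space that the
# Escaping section says must be escaped manually.
SPECIAL_CHARS = set('+-&|!(){}[]^"~*?:/ ')


def escape_value(value: str, keep_wildcards: bool = False) -> str:
    """Backslash-escape a literal value. With keep_wildcards=True, ? and *
    are left alone so they act as wildcards (the value must stay unquoted)."""
    out = []
    for ch in value:
        if ch in SPECIAL_CHARS and not (keep_wildcards and ch in "*?"):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def term(field: str, value: str, wildcard: bool = False) -> str:
    """field:term clause, e.g. parent_name:powershell.exe."""
    return f"{field}:{escape_value(value, keep_wildcards=wildcard)}"


def range_clause(field: str, low=None, high=None) -> str:
    """Date/time or count range; an open end becomes *, e.g. [3 TO *].
    Bounds are emitted as given (timestamps contain - and : but are not
    escaped inside a range)."""
    lo = "*" if low is None else str(low)
    hi = "*" if high is None else str(high)
    return f"{field}:[{lo} TO {hi}]"


def combine(operator: str, *clauses: str) -> str:
    """Join clauses with AND or OR. The operator is emitted uppercase because
    a lowercase 'and' is read as a search value, not an operator."""
    op = operator.upper()
    if op not in ("AND", "OR"):
        raise ValueError(f"unsupported operator: {operator}")
    return "(" + f" {op} ".join(clauses) + ")"


def negate(clause: str) -> str:
    return f"NOT {clause}"


def lowercase_operators(query: str) -> list:
    """Return whitespace-separated and/or/not tokens that are not uppercase;
    these would be searched for as values instead of acting as operators."""
    return [tok for tok in query.split()
            if tok.lower() in ("and", "or", "not") and tok != tok.upper()]


def wildcard_to_regex(pattern: str) -> str:
    """Translate ? (one character) and * (zero or more) to a regex; every
    other character is matched literally."""
    parts = []
    for ch in pattern:
        if ch == "?":
            parts.append(".")
        elif ch == "*":
            parts.append(".*")
        else:
            parts.append(re.escape(ch))
    return "".join(parts)


def wildcard_match(pattern: str, value: str) -> bool:
    """True if value matches the wildcard pattern as a whole. Case handling
    is not covered by the page, so the match is case-sensitive here."""
    return re.fullmatch(wildcard_to_regex(pattern), value) is not None


if __name__ == "__main__":
    # Constructed sample values, not data from any real environment.
    print(escape_value("(1+1):2"))  # the page's own example: \(1\+1\)\:2
    print(term("process_name", "power*", wildcard=True))
    query = combine("AND",
                    term("process_name", "powershell.exe"),
                    negate(term("parent_name", "explorer.exe")),
                    range_clause("device_timestamp",
                                 "2018-10-25T14:00:00Z",
                                 "2018-10-26T15:00:00Z"))
    print(query)
    for candidate in ("test", "text", "tests"):
        print(candidate, wildcard_match("te?t", candidate))
    bad = "process_name:powershell.exe and parent_name:cmd.exe"
    print("lowercase operators:", lowercase_operators(bad))
```

Run `lowercase_operators` on any query assembled by hand before sending it; a lowercase `and` does not raise an error, it just becomes a third term in the search and silently changes the result set.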
Observed Alert data are no longer available on the Alerts page; they are now classified as Observations.
You can find the former Observed Alerts data on the Observations page by filtering on CB Analytics.
- On the left navigation pane, click .
- Under Filters, select .
Old Observed Alerts are not marked as alerts on the Observations page.
For help creating complex queries, see Advanced Search Techniques in the user guide.