You can use the following methodologies when using the search field:

Value Search

Use complete values when searching (for example, powershell) or a trailing wildcard (for example, power*).

Search Fields

Form queries like this when including search fields: field:term

For example:
parent_name:powershell.exe

Wildcards

Expand queries using wildcards.

  • ? matches a single character. For example, te?t will return results for "test" and "text".
  • * matches zero or more sequential characters. For example, tes* will return results for "test," "testing," and "tester".

Leading wildcards are assumed in file extension searches.

For example: process_name:.exe

Wildcards can be used in a path if you leave the value unquoted and escape the following special characters with a backslash: + - && || ! ( ) { } [ ] ^ " ~ * ? : /

For example: to search for (1+1):2, type: \(1\+1\)\:2

Operators

Refine queries using operators. Operators must be uppercase.

  • AND returns results when both terms are present
  • OR returns results when either term is present
  • NOT returns results when a term is not present

Escaping

Slashes, colons, and spaces must be manually escaped except when using suggestions and filters.

Date/Time Ranges

Refine queries using date/time ranges, when applicable.

For example: device_timestamp: [2018-10-25T14:00:00Z TO 2018-10-26T15:00:00Z]

Count Searches

Refine queries that include counts with ranges and wildcards.

  • [3 TO *] returns count results starting with a value of 3.
  • [* TO 10] returns count results up to a value of 10.
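As an added example that is not part of this help page, the following Python helpers apply the escaping, field:term, wildcard, operator and range rules described above. The page does not say how a literal backslash is written or whether && and || are escaped per character; both are assumptions marked in the code, and the hunt query in the main block uses constructed values.

```python
# Single characters the page says need a backslash in an unquoted value, plus the
# space called out under "Escaping"; the operators && and || are handled below.
SPECIAL_CHARS = set('+-!(){}[]^"~*?:/ ')

def escape_value(value: str, keep_wildcards: bool = False) -> str:
    """Backslash-escape value so it matches literally; with keep_wildcards=True
    the * and ? characters stay unescaped for use as wildcards (e.g. power*)."""
    out, i = [], 0
    while i < len(value):
        pair = value[i:i + 2]
        if pair in ("&&", "||"):
            # Assumption: each character of the pair gets its own backslash;
            # the page only says the operator must be escaped.
            out.append(f"\\{pair[0]}\\{pair[1]}")
            i += 2
            continue
        ch = value[i]
        if ch == "\\":  # assumption: a literal backslash is written as \\
            out.append("\\\\")
        elif ch in SPECIAL_CHARS and not (keep_wildcards and ch in "*?"):
            out.append("\\" + ch)
        else:
            out.append(ch)
        i += 1
    return "".join(out)

def field_term(field: str, value: str, keep_wildcards: bool = False) -> str:
    """Form a field:term clause such as parent_name:powershell.exe."""
    return f"{field}:{escape_value(value, keep_wildcards)}"

def value_range(field: str, low: str = "*", high: str = "*") -> str:
    """Form an inclusive field:[low TO high] range for counts or timestamps;
    bounds are written as the page shows them, without escaping."""
    return f"{field}:[{low} TO {high}]"

def combine(clauses, operator: str = "AND") -> str:
    """Join clauses with an uppercase AND or OR; lowercase operators are rejected."""
    if operator not in ("AND", "OR"):
        raise ValueError("operators must be uppercase AND or OR")
    return f" {operator} ".join(clauses)

if __name__ == "__main__":
    # Constructed hunt query: PowerShell spawned by Word in a time window, minus one path.
    print(combine([
        field_term("parent_name", "winword.exe"),
        field_term("process_name", "power*", keep_wildcards=True),
        value_range("device_timestamp", "2018-10-25T14:00:00Z", "2018-10-26T15:00:00Z"),
        "NOT " + field_term("process_cmdline", "C:/Program Files/Vendor/run.ps1"),
    ]))
```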

Observed Alert data are no longer available on the Alerts page and are now classified as Observations.

You can find the Observed Alerts data in the Observations page by filtering on CB Analytics.

  1. On the left navigation pane, click Investigate > Observations.
  2. Under Filters, select Type > CB Analytics.

Old Observed Alerts are not marked as alerts on the Observations page.

Note:

For help creating complex queries, see Advanced Search Techniques in the user guide.