This topic provides example Process Search query strings and their results.
| Example Query Strings |
Result |
|---|---|
| domain:www.carbonblack.com |
Returns all processes with network connections to or from domains matching the given FQDN. |
| domain:.com |
Returns all processes with network connections to or from domains matching *.com |
| domain:.com. |
Returns all processes with network connections to or from domains matching the form *.com.* |
| domain:www. |
Returns all processes with network connections to or from domains matching the form www.* |
| domain:microsoft |
Returns all processes with network connections to or from domains matching *.microsoft OR *.microsoft.* OR microsoft.* |
| ipaddr:127.0.0.1 |
Returns all processes with network connections to or from IP address 127.0.0.1 |
| ipaddr:192.168.1.0/24 |
Returns all processes with network connections to or from IP addresses in the network subnet 192.168.1.0/24 |
| ipv6addr:fe00:b9:266:2011:28dc:43d4:3298:12e2 |
Returns all processes with network connections to or from IPv6 address |
| ipv6addr:fe00:b9:266:2011::0/50 |
Returns all processes with network connections to or from IPv6 addresses in the range of network subnet |
| modload:kernel32.dll |
Returns all processes that loaded a module kernel32.dll (accepts path hierarchies). |
| modload:c:\windows\system32\sxs.dll |
Returns all processes that loaded a module matching path and file sxs.dll (accepts path hierarchies). |
| path:c:\windows\system32\notepad. exe |
Also returns all processes with the matching path (accepts path hierarchies). |
| regmod:\registry\machine\system\ currentcontrolset\control\deviceclasses* Notes: Substitute “controlset001” or “controlset002” with “currentcontrolset”, as shown in this example query string. The regmod event in the process document still uses the original string, but searches must always use "currentcontrolset". regmod searches must include the complete path string or use wildcards. Searches for partial regmod paths without wildcards never yield results. |
Returns all processes that modified a registry entry with the matching path (accepts path hierarchies). |
| path:excel.exe |
Returns all processes with the matching path (accepts path hierarchies). |
| cmdline:backup |
Returns all processes with matching command line arguments. |
| hostname:win-5ikqdnf9go1 |
Returns all processes executed on the host with matching hostname. |
| group:"default group" |
Returns all processes executed on hosts with matching group name (use of quotes are required when submitting two-word group names). |
| host_type:workstation |
Returns all processes executed on hosts with matching type (use of quotes are required when submitting two-word host types). |
| username:system |
Returns all processes executed with the matching user context. |
| process_name:java.exe |
Returns all processes with matching names. |
| parent_name:explorer.exe |
Returns all processes executed by a parent process with matching names. |
| childproc_name:cmd.exe |
Returns all processes that executed a child process with matching names. |
| md5:5a18f00ab9330ac7539675f3f326cf11 |
Returns all processes, modified files, or loaded modules with matching MD5 hash values. |
| process_md5:5a18f00ab9330ac7539675f3f326cf11 |
Returns all processes with matching MD5 hash values. |
| parent_md5:5a18f00ab9330ac7539675f3f326cf11 |
Returns all processes that have a parent process with the given MD5 hash value. |
| filewrite_md5:5a18f00ab9330ac7539675f3f326cf11 |
Returns all processes that modified a file or module with matching MD5 hash values. |
| childproc_md5:5a18f00ab9330ac7539675f3f326cf11 |
Returns all processes that executed a child process with matching MD5 hash values. |
| <type>_count:* |
Returns all processes that have xxx_count field > 0, where type is one of modload, filemod, regmod, netconn, or childproc. |
| <type>_count:10 |
Returns all processes that have xxx_count field = 10, where type is one of modload, filemod, regmod, netconn, or childproc. |
| <type>_count:[10 TO 20] |
Returns all processes that have xxx_count field >= 10 and <= 20, where type is one of modload, filemod, regmod, netconn, or childproc. |
| <type>_count:[10 TO *] |
Returns all processes that have xxx_count field >= 10, where type is one of modload, filemod, regmod, netconn, or childproc. |
| <type>_count:[* TO 10] |
Returns all processes that have xxx_count field < 10, where type is one of modload, filemod, regmod, netconn, or childproc. |
| start:2011-12-31 |
Returns all processes with a start date of 2011-12-31 (as observed on the host). |
| start:[* TO 2011-12-31] |
Returns all processes with a start date earlier than or equal to 2011-12-31 (as observed on the host). |
| start:[* TO 2011-12-31T22:15:00] |
Returns all processes with a start date earlier than or equal to 2011-12-31 at 22:15:00 (as observed on the host). |
| start:[2011-12-31 TO *] |
Returns all processes with a start date later than or equal to 2011-12-31 (as observed on the host). |
| start:[2011-12-31T09:45:00 TO *] |
Returns all processes with a start date later than or equal to 2011-12-31 at 09:45:00 (as observed on the host). |
| start:* |
Returns processes with any start date (as observed on the host). |
| start:[* TO *] |
Returns processes with any start date (as observed on the host). |
| start:-10h |
Returns all processes with a start time between NOW-10h and NOW. Units supported are, h: hours, m: minutes, s: seconds (as observed on the host). |
| last_update:2011-12-31 |
Returns all processes last updated on date 2011-12-31 (as observed on the host). |
| last_update:[* TO 2011-12-31] |
Returns all processes last updated on a date earlier than or equal to 2011-12-31 (as observed on the host). |
| last_update:[* TO 2011-12-31T22:15:00] |
Returns all processes last updated on a date earlier than or equal to 2011-12-31 at 22:15:00 (as observed on the host). |
| last_update:[2011-12-31 TO *] |
Returns all processes last updated on a date later than or equal to 2011-12-31 (as observed on the host). |
| last_server_update:[2011-12-31T09:45:00 TO *] |
Returns all processes last updated on a date later than or equal to 2011-12-31 at 09:45:00 (as observed at the server). |
| last_server_update:* |
Returns processes with any update date (as observed on the server). |
| last_server_update:[* TO *] |
Returns processes with any update date (as observed on the server) within the range provided. |
| last_server_update:-10h |
Returns all processes last updated between NOW-10h and NOW. Units supported are h: hours, m: minutes, s: seconds (as observed on the server). |
| process_id:<guid> |
Returns the process with the given process id, where |
| parent_id:<guid> |
Returns the process with the given parent process id, where |
| sensor_id:<guid> |
Returns processes executed on host with given sensor id, where |
