This topic describes supported search syntax and content for process event searches on the Process Analysis page.

Process Analysis event search is value-based: enter the value you are searching for. For a key:value pair, this means you specify the value only, not the key. Search is not case-sensitive.

To clear your search criteria, delete the content in the search bar and press Enter.

The following sections provide an overview of the searchable values per event type.

Blocked

  • Time value (without GMT)
  • Values provided in the Description field from the API (not the pre-populated text that is presented in the console)
  • Values provided in the following fields in the Process Metadata section:
    • Activity
    • Username
    • MD5
    • SHA-256
    • Command line
    Note: Values contained in the Binary Info section are not searchable.

Child Process (childproc)

  • Time value (without GMT)
  • Values provided in the Description field from the API (not the pre-populated text that is presented in the console)
  • Values provided in the following fields in the Process Metadata section:
    • Activity
    • Username
    • MD5
    • SHA-256
    • Command line
    • Suppressed
    Note: Values contained in the Binary Info section are not searchable.

Cross Process (crossproc)

  • Time value (without GMT)
  • Values provided in the Description field from the API (not the pre-populated text that is presented in the console)
  • Values provided in the following fields in the Process Metadata section:
    • Activity
    • Username
    • MD5
    • SHA-256
    • Command line
    Note: Values contained in the Binary Info section are not searchable.

File Modification (filemod)

  • Time value (without GMT)
  • Values provided in the Description field from the API (not the pre-populated text that is presented in the console)

Fileless Scriptload

  • Time value (without GMT)
  • Values provided in the Description field from the API (not the pre-populated text that is presented in the console)
  • Values provided in the following fields in the Fileless Script Load Metadata section:
    • SHA-256
    • Command length
    • Command line

Fork

  • Time value (without GMT)
  • Values provided in the Description field from the API (not the pre-populated text that is presented in the console)

Module Load (modload)

  • Time value (without GMT)
  • Values provided in the Description field from the API (not the pre-populated text that is presented in the console)
    Note: Values contained in the Binary Info section are not searchable.

Network Connection (netconn)

  • Time value (without GMT)
  • Values provided in the Description field from the API (not the pre-populated text that is presented in the console)
  • Values provided in the following fields in the Connection Info section:
    • Local IP
    • Local port
    • Remote IP
    • Remote port
    • Remote domain
    • JA3 fingerprint

Posix_exec Process on macOS and Linux (posix exec)

  • Time value (without GMT)
  • Values provided in the Description field from the API (not the pre-populated text that is presented in the console)
  • Values provided in the following fields in the Process Metadata section:
    • Activity
    • Username
    • MD5
    • SHA-256
    • Command line
    Note: Values contained in the Binary Info and Alliance Info sections are not searchable.
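To make the rules above concrete (value-only matching, case-insensitivity, the time value without GMT, and the per-event-type lists of searchable fields with Binary Info excluded), here is a small model of the search written for this page as an added illustration. It is not Carbon Black code and does not reproduce the product's implementation: the field key names (such as "cmdline" and "ja3") and every sample event value are constructed for the example, and substring matching is an assumption, since the page does not state whether the product matches whole values or substrings.

```python
"""Toy model of the value-based Process Analysis event search described on this page.
Added illustration only: not Carbon Black code; field key names are assumed."""
from dataclasses import dataclass

# Searchable fields per event type, following the per-event-type lists on this page.
# The key names used here (e.g. "cmdline", "ja3") are assumptions made for this model.
SEARCHABLE_FIELDS = {
    "blocked": {"time", "description", "activity", "username", "md5", "sha256", "cmdline"},
    "childproc": {"time", "description", "activity", "username", "md5", "sha256", "cmdline", "suppressed"},
    "crossproc": {"time", "description", "activity", "username", "md5", "sha256", "cmdline"},
    "filemod": {"time", "description"},
    "fileless_scriptload": {"time", "description", "sha256", "command_length", "cmdline"},
    "fork": {"time", "description"},
    "modload": {"time", "description"},
    "netconn": {"time", "description", "local_ip", "local_port", "remote_ip", "remote_port", "remote_domain", "ja3"},
    "posix_exec": {"time", "description", "activity", "username", "md5", "sha256", "cmdline"},
}


@dataclass
class ProcessEvent:
    event_type: str
    fields: dict  # every value the event carries, searchable or not


def search_events(events, query):
    """Return the events whose searchable VALUES contain the query, ignoring case.

    Only values are compared, never keys, so a query equal to a field name such as
    "username" matches nothing. Substring matching is an assumption of this model;
    the page does not state whether the product matches whole values or substrings.
    """
    needle = query.strip().lower()
    if not needle:
        return list(events)  # an empty search bar clears the criteria
    hits = []
    for ev in events:
        allowed = SEARCHABLE_FIELDS.get(ev.event_type, set())
        for key, value in ev.fields.items():
            if key not in allowed:
                continue  # e.g. Binary Info values are present but not searchable
            text = str(value)
            if key == "time":
                text = text.replace("GMT", "").strip()  # time is matched without the GMT suffix
            if needle in text.lower():
                hits.append(ev)
                break
    return hits


# Constructed sample events (all values invented for this illustration).
SAMPLE_EVENTS = [
    ProcessEvent("childproc", {
        "time": "2024-01-15 10:22:03 GMT",
        "description": "powershell.exe spawned a child process",
        "activity": "Created",
        "username": "CORP\\svc_backup",
        "md5": "0123456789abcdef0123456789abcdef",
        "sha256": "a1" * 32,
        "cmdline": "cmd.exe /c ipconfig /all",
        "suppressed": "false",
        "binary_info_publisher": "ExampleCorp Ltd",  # Binary Info section: not searchable
    }),
    ProcessEvent("netconn", {
        "time": "2024-01-15 10:22:09 GMT",
        "description": "Outbound TCP connection",
        "local_ip": "10.0.0.25",
        "local_port": 51234,
        "remote_ip": "203.0.113.7",
        "remote_port": 443,
        "remote_domain": "updates.example.net",
        "ja3": "feedface" * 4,  # placeholder fingerprint, not a real JA3 value
    }),
    ProcessEvent("modload", {
        "time": "2024-01-15 10:22:11 GMT",
        "description": "Loaded module wininet.dll",
        "binary_info_publisher": "Contoso",  # Binary Info section: not searchable
    }),
]


def event_types_matching(query, events=SAMPLE_EVENTS):
    """Demo helper: the event types hit by a query, in event order."""
    return [ev.event_type for ev in search_events(events, query)]


if __name__ == "__main__":
    for q in ["SVC_BACKUP", "username", "ExampleCorp", "10:22:03", "GMT", "443", ""]:
        print(f"{q!r:14} -> {event_types_matching(q)}")
```

Running the block shows the behaviour the page describes: "SVC_BACKUP" finds the child-process event despite the different case, "username" (a key, not a value) finds nothing, the Binary Info publisher "ExampleCorp" finds nothing even though the event carries it, and "GMT" finds nothing because the time value is matched without that suffix.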