
The Search app allows you to query your data and detections.

Tip
  • To search both the Endpoint Activity Data and Detections, select the General search method. Select either Endpoint Activity Data or Detections to search a specific set of data.
  • Make sure the spaces in the search string exactly match the data that you want. A double space in the search string excludes results that have only a single space at that position.
  • Some search fields display substituted text for ID values, and you cannot search for the displayed text. For example, "eventID" stores the numerical value "1" in the database but displays "TELEMETRY_PROCESS" in the search results. You cannot search for "TELEMETRY_PROCESS".
The following tables outline different search syntax and provide example strings:

Field-based Search Syntax

Partial match
  Description: Provides all results for the specified field that contain the search string.
  Supported field types: String, Dynamic, Int, Long
    Note: The int and long field types always use full match.
  Search syntax:
    • <field_name>: <search_string>
    • <field_name>: "*<search_string>*"
    Note: To search for or escape a special character, type "*<search_string>*".
  Examples:
    • endpointName: windows
      Returns all results that contain "windows" in the endpoint name.
    • endpointName: *windows\/app*
      Returns all results that contain "windows/app" in the endpoint name.

Full match
  Description: Provides all results for the specified field that contain exactly the specified search string.
  Supported field types: String, Dynamic, Int, Long, Bool
    Note: The dynamic field type partially matches every element.
  Search syntax: <field_name>: "<search_string>"
  Example:
    • endpointName: "john_doe"
      Only returns results in which the endpoint name is "john_doe".

Wildcard search
  Description: Provides results that match the field values after substituting the following wildcard character:
    • *: substitutes for one or more characters in the specified location
    Important: Wildcard search is not supported for Network Activity Data IP addresses.
  Supported field types: String, Dynamic
    Note: The dynamic field type converts the whole object to a string before performing the wildcard search. Wildcard search on the dynamic type yields fewer results and decreases query performance.
  Search syntax: <field_name>: <search_string>*
  Example:
    • endpointName: "john*"
      Returns all results that have "john" as the first four characters of the endpoint name (example results: "john", "john_doe", "johndoe", "johnd").

Range operator
  Description: Provides all results that match the requirements specified for multiple fields using the following operators: >, <, >=, <=
  Supported field types: Int, Long
  Search syntax: <field_name> <range_operator> <number>
  Example:
    • "dpt >= 80" AND "dpt <= 443"
      Only returns results in which the log data contains an integer greater than or equal to 80 and less than or equal to 443.

Regex
  Description: Provides all results that match the regular expression; the value is matched anywhere in the field. For more information, go to Using regex in Search queries.
  Supported field types: String
  Search syntax: <field_name>: /<search_string>/
  Example:
    • endpointHostName: /\\w*(trend|trendmicro)\.com/

Free Search Syntax

Partial match
  Description: Provides all results that contain the search string in any data field.
    Note: Free Search does not support Network Activity Data.
  Search syntax:
    • "search_string"
    • search_string
    Note: Use Field-based Search to search numeric and bool field types.
  Example:
    • "john"
      Returns all results that contain the string "john" in any data field.

Full match
  Not available.

Logical Operators and Special Characters

Multiple fields
  Description: Provides all results that match the requirements specified for multiple fields using the following operators: AND, OR, NOT
    Note: Search performance decreases when multiple logical operators are used.
  Supported search types: Field-based Search, Free Search
  Search syntax: <field_name>: <search_string1> OPERATOR <field_name>:<search_string2>
    Note: Special characters must be escaped with a backslash (\) for partial match, full match, and wildcard search:
      • Without double quotation marks: \():<>"{}
      • Within double quotation marks: "\", "\\"
      • "*" is not supported and is escaped
  Examples:
    • endpointName: "john_doe" AND fileName: "credit"
      Only returns results in which the log data contains both "john_doe" and "credit" in any field (example: objectUser=john_doe2; fileName=creditcard.txt).
    • "john_doe" AND NOT "home"
      Only returns results in which the log data contains "john_doe" but does not contain "home" in any field.

Multiple values
  Description: Provides all results that match the requirements specified for multiple values using the following operators: AND, OR, NOT
  Supported search types: Field-based Search, Free Search
  Search syntax: <field_name>: <search_string1> OPERATOR <search_string2>
  Example:
    • endpointName:"john_doe" OR "jane_doe"
      Returns results in which the endpoint name is "john_doe" or "jane_doe".

Nested value match
  Description: Provides all results that match a JSON object that contains another JSON object as a nested structure.
    Important: Nested values must be a string, number, or object to return search results.
  Supported search types: Dynamic field (new Search)
  Search syntax: <outer_field>.<nested_field_1>.<nested_field_2>....<nested_field_n>: <search_value>
  Examples:
    • vendorParsed.act: *
    • vendorParsed.foo: "bar"
      Returns results in which third-party logs are flattened to one layer in the vendorParsed field.

Nested array value search
  Description: Provides all results that match a nested array value.
  Supported search types: Dynamic field (new Search)
  Search syntax: <search_field>[<number>]
  Example:
    • vendorParsed.act[0]: foo
      Returns results with third-party logs that match a nested array value.

Token-based Search Syntax (Partial Match)

Example value: "Trend_Micro-Vision-One: fa73ad07-ef36-48e6-8bb3-e91fedaf4a04 john_doe@trendmicro.com john\trend\project\abc.txt"

Note: Token-based search uses partial match. By default, each string value is broken into sequences of alphanumeric characters called tokens, each consisting of three or more alphanumeric characters. Partial match can be used in both field-based search and free search. The search compares only complete tokens; when a token in the query criteria contains fewer than three characters, query performance is reduced.

| Search criteria | Returns search results |
|---|---|
| <field_name>: Trend | Yes |
| <field_name>: TREND | Yes |
| <field_name>: "*Trend*" | Yes |
| <field_name>: Tre | No |
| <field_name>: Trend_Mic | No |
| <field_name>: Micro | Yes |
| <field_name>: Trend_Micro | Yes |
| <field_name>: TREND_MICRO | Yes |
| <field_name>: Trend_ | Yes |
| <field_name>: e91fe | No |
| <field_name>: fa73ad07 | Yes |
| <field_name>: fa73ad07-ef36-48e6-8bb3-e91fedaf4a04 | Yes |
| <field_name>: john_doe@trendmicro.com | Yes |
| <field_name>: Trend_Micro-Vision-One\: fa73ad07-ef36-48e6-8bb3-e91fedaf4a04 john_doe@trendmicro.com john\\trend\\project\\abc.txt | Yes |
| <field_name>: Trend_Micro-Vision-One: fa73ad07-ef36-48e6-8bb3-e91fedaf4a04 john_doe@trendmicro.com john\trend\project\abc.txt | No |
| <field_name>: "*Trend_Micro-Vision-One\: fa73ad07-ef36-48e6-8bb3-e91fedaf4a04 john_doe@trendmicro.com john\\trend\\project\\abc.txt*" | No |
| <field_name>: "*Trend_Micro-Vision-One: fa73ad07-ef36-48e6-8bb3-e91fedaf4a04 john_doe@trendmicro.com john\\trend\\project\\abc.txt*" | Yes |
| <field_name>: "*john\\trend\\project\\abc.txt*" | Yes |

Wildcard Search

WARNING: Wildcard search (for the categories "Start with", "End with" and "MISC.") in dynamic fields decreases query performance.

| Category | Description | Example | Token-based search | Case-sensitive |
|---|---|---|---|---|
| Start with | An asterisk (*) is at the end of the string. | Trend* | No | No |
| End with | An asterisk (*) is at the beginning of the string. | *Micro | No | No |
| Contain | An asterisk (*) is at the beginning and the end of the string. Note: "Contain" category wildcard search uses partial match. | *Vision* | Yes | No |
| MISC. | There are one or several asterisks (*) in the middle of the string. Note: The match pattern can be in the middle of the string value: "Tre*d" matches the value "HelloTrendMicro". | Tr*nd, **Micro, *Vis*ion*, One** | No | Yes |
Example value: "Trend_Micro-Vision-One: fa73ad07-ef36-48e6-8bb3-e91fedaf4a04 john_doe@trendmicro.com"

| Query criteria | Category | Description | Returns search results |
|---|---|---|---|
| <field_name>: "Trend*" | Start with | Finds the values that start with "Trend". | Yes |
| <field_name>: "trend*" | Start with | Finds the values that start with "trend". | Yes |
| <field_name>: "*trendmicro.com" | End with | Finds the values that end with "trendmicro.com". | Yes |
| <field_name>: "*TRENDMICRO.COM" | End with | Finds the values that end with "TRENDMICRO.COM". | Yes |
| <field_name>: "*Trend_Micro*" | Contain | Finds the values that contain "Trend_Micro". | Yes |
| <field_name>: "*trend_micro*" | Contain | Finds the values that contain "trend_micro". | Yes |
| <field_name>: "Trend*com" | MISC. | Finds the values that have "Trend" at the beginning and "com" at the end of the string. | Yes |
| <field_name>: "Tre*" | Start with | Finds the values that start with "Tre". | Yes |
| <field_name>: "*micro.com" | End with | Finds the values that end with "micro.com". | Yes |
| <field_name>: "*fa73ad07*e91fedaf4a04*" | MISC. | Finds the values that match "*fa73ad07*e91fedaf4a04*". | Yes |
| <field_name>: "fa73ad07*e91fedaf4a04" | MISC. | Finds the values that match "fa73ad07*e91fedaf4a04". | Yes |
| <field_name>: "fa73ad07*" | Start with | Finds the values that start with "fa73ad07". "fa73ad07" is the start of a token but not the start of the whole string, so the result does not match. | No |
| <field_name>: "fa73ad07**" | MISC. | Finds the values that match "fa73ad07**". Because there is a "*" in the middle of the string, this is a MISC. wildcard search, which matches even in the middle of the string. | Yes |
| <field_name>: "*Vision-One" | End with | Finds the values that end with "Vision-One". "Vision-One" is the end of a token but not the end of the whole string, so the result does not match. | No |
| <field_name>: "**Vision-One" | MISC. | Finds the values that match "**Vision-One". Because there is a "*" in the middle of the string, this is a MISC. wildcard search, which matches even in the middle of the string. | Yes |
| <field_name>: "**vision-one" | MISC. | Finds the values that match "**vision-one". MISC. wildcard search is case-sensitive, so "vision-one" does not match "Vision-One". | No |
| <field_name>: "*Visio*" | Contain | Finds the values that contain "Visio". "Visio" is not a token in the string, so the result does not match. | No |
| <field_name>: "VISION*COM" | MISC. | Finds the values that have "VISION" at the beginning and "COM" at the end of the string. MISC. wildcard search is case-sensitive, so "VISION" does not match "Vision". | No |
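To check a query against a field value before running it, the token-based table and the wildcard table above can be modelled in a few lines. This is an added example, not code from the Search app or its documentation: it assumes tokens are runs of ASCII alphanumerics, that partial match requires the query's tokens to appear contiguously and in order, and it does not model the three-character minimum or the escaping rules for ":" and "\".

```python
import re

# Constructed sample values taken from the page's example strings.
VALUE = ("Trend_Micro-Vision-One: fa73ad07-ef36-48e6-8bb3-e91fedaf4a04 "
         "john_doe@trendmicro.com")
PATH = r"john\trend\project\abc.txt"

TOKEN_RE = re.compile(r"[A-Za-z0-9]+")


def tokens(text):
    """Break a value or query into lower-cased runs of alphanumeric characters."""
    return [t.lower() for t in TOKEN_RE.findall(text)]


def token_match(value, query):
    """Partial match (assumed model): every token of the query must appear as a
    complete token of the value, contiguously and in order, ignoring case."""
    v, q = tokens(value), tokens(query)
    return bool(q) and any(v[i:i + len(q)] == q
                           for i in range(len(v) - len(q) + 1))


def classify(pattern):
    """Assign the page's wildcard category from where the asterisks sit."""
    stars = pattern.count("*")
    if stars == 0:
        return "Partial match"
    if stars == 1 and pattern.endswith("*"):
        return "Start with"
    if stars == 1 and pattern.startswith("*"):
        return "End with"
    if stars == 2 and pattern.startswith("*") and pattern.endswith("*"):
        return "Contain"
    return "MISC."  # asterisks in the middle, or doubled at an edge


def wildcard_match(value, pattern):
    """Start with / End with compare the whole string, case-insensitively;
    Contain is token-based; MISC. is a case-sensitive glob matched anywhere."""
    category = classify(pattern)
    if category in ("Partial match", "Contain"):
        return token_match(value, pattern.strip("*"))
    if category == "Start with":
        return value.lower().startswith(pattern[:-1].lower())
    if category == "End with":
        return value.lower().endswith(pattern[1:].lower())
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.search(regex, value, re.DOTALL) is not None
```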

Search Filters

Add Filter: field IS value
  Description: Adds the selected value as search criteria to the existing search query.
  Supported field types: String, Dynamic, Int, Long
    Note: The dynamic type partially matches every element.

Add Filter: field IS NOT value
  Description: Adds the selected value as an exception to the existing search query.
  Supported field types: String, Dynamic, Int, Long
    Note: The dynamic type removes all results that have only partial-match results.

Add Filter: field IS EMPTY
  Description: Adds the selected field with no value as search criteria to the existing search query.
  Supported field types: String, Dynamic, Int, Long

Add Filter: field EXISTS
  Description: Adds the selected field with any value as search criteria to the existing search query.
  Supported field types: String, Dynamic, Int, Long

Add Filter: field DOES NOT EXIST
  Description: Adds the selected field with no value as search criteria to the existing search query.
  Supported field types: String, Dynamic, Int, Long

Logical Operator Precedence

| Precedence | Operator | Description | Example |
|---|---|---|---|
| 1 | ( ) | Group logical expressions | Return events that include port 80, 81, or 82: port: (80 OR 81 OR 82) |
| 2 | NOT | Logical NOT | Return events that don't include port 80: NOT port: 80 |
| 3 | AND | Logical AND | |
| 4 | OR | Logical OR | |

Note: The AND operator has a higher precedence than OR, but the precedence can be overridden by grouping the operators in parentheses. The following two queries are equivalent:
  • port: 80 OR port: 81 AND endpointHostname: "john"
  • port: 80 OR (port: 81 AND endpointHostname: "john")

Escape Operators and Characters

Keyword
  Operator or character: AND, OR, NOT
  Match type and example: Partial match
    • ruleName: Engine \AND analyzed

Special character
  Operator or character: \ ( ) : < > " * { }
  Match type and example: Partial match
    • processCmd: C\:

Full match keyword
  Operator or character: " \
  Match type and example: Full match
    • objectCmd: "*hang\""

Regex keyword
  Operator or character: \ /
  Match type and example: Regex match
    • filePath: /\/etc\/pwd\/config\/aaa/

White space
  Operator or character: \t \r \n
  Match type and examples:
    Partial match
    • objectRegistryData: *\\t**
    Regex match
    • filePath: /\windows\system\\temp/