The Search app allows you to perform powerful queries to access your data across endpoint, messaging, and network products, or to focus solely on security detections.
The following table outlines different search syntax and provides example strings.
| Search target | Description | Syntax | Example |
|---|---|---|---|
| Partial match | Returns all results in which the specified field contains the search string | `<field_name>: <search_string>` | `endpointName: windows`<br>Returns all results that contain "windows" in the endpoint name |
| Full match | Returns all results in which the specified field contains exactly the search string | `<field_name>: "<search_string>"` | `endpointName: "john_doe"`<br>Only returns results in which the endpoint name is "john_doe" |
| Logical operator: multiple fields | Returns all results that match the requirements specified for multiple fields, using the following operators: | `<field_name>: <search_string> OPERATOR <field_name>: <search_string>` | `endpointName: "john_doe" AND fileName: credit`<br>Only returns results in which the endpoint name is "john_doe" and the file name related to the detection contains the text "credit"<br>`endpointName: "john_doe" AND NOT fileName: home`<br>Only returns results in which the endpoint name is "john_doe" and the file name related to the detection does not contain the text "home" |
| Logical operator: multiple values | Returns all results that match the requirements specified for multiple values in the same field, using the following operators: | `<field_name>: (<search_string> OPERATOR <search_string>)` | `endpointName: ("john_doe" OR "jane_doe")`<br>Returns results in which the endpoint name is "john_doe" or "jane_doe" |
| Wildcard usage | Returns results whose field values match after substituting for the following wildcard characters:<br>**Important:** Wildcard usage is not supported with these data types: | `<field_name>: <search_string>*` | `endpointName: "john*"`<br>Returns all results in which the first four characters of the endpoint name are "john"<br>Example results: "john", "john_doe", "johndoe", "johnd" |
| Null values | Returns results in which the corresponding field value is NULL | `<field_name>: null` | `fileName: null`<br>Returns all results in which the fileName value does not exist |
| Special characters / escape character | When a search string includes a double quote (`"`) or backslash (`\`), you must use the backslash escape character (`\`) to indicate that the special character is part of the search criteria and not special markup.<br>**Important:** Partial matching is not supported. | `<field_name>: "<search_string>"`, where a literal `"` is written as `\"` and a literal `\` as `\\` | `fullFilePath: "C:\\notepad\\tmp.txt"`<br>Returns all results in which the fullFilePath value is exactly: `C:\notepad\tmp.txt` |
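To make the differences between the rows concrete (partial versus full match, `AND`/`AND NOT`/`OR`, the trailing `*` wildcard, `null`, and backslash escaping), the following is an added illustration that evaluates queries written in the table's syntax against constructed sample records. It is not the Search app's own implementation, and it assumes details the table leaves open: unquoted values match as a case-insensitive substring, quoted values match exactly, a trailing `*` is a case-insensitive prefix match, `null` matches a missing or empty field, and operators bind `NOT` > `AND` > `OR`.

```python
import re
from typing import Any, Callable, Dict, List, Optional, Tuple

# Illustrative evaluator for the search syntax in the table above; not the
# Search app's implementation. Assumed semantics: unquoted = case-insensitive
# substring, quoted = exact, trailing "*" = prefix, "null" = missing field,
# precedence NOT > AND > OR. Field values are assumed to be strings or None.

Record = Dict[str, Any]
Token = Tuple[str, str]
Matcher = Callable[[Optional[str]], bool]
Predicate = Callable[[Record], bool]

# One token per match: quoted string (with \" and \\ escapes), paren, colon, bare word.
_TOKEN_RE = re.compile(r'\s*(?:"((?:\\.|[^"\\])*)"|([()])|(:)|([^\s():"]+))')


def tokenize(query: str) -> List[Token]:
    tokens: List[Token] = []
    query, pos = query.strip(), 0
    while pos < len(query):
        m = _TOKEN_RE.match(query, pos)
        if not m:
            raise ValueError(f"unexpected input at offset {pos}: {query[pos:]!r}")
        pos = m.end()
        quoted, paren, colon, word = m.groups()
        if quoted is not None:
            # Escape handling from the table: \" becomes " and \\ becomes \
            tokens.append(("QUOTED", re.sub(r"\\(.)", r"\1", quoted)))
        elif paren:
            tokens.append((paren, paren))
        elif colon:
            tokens.append((":", ":"))
        else:
            tokens.append(("WORD", word))
    return tokens


def _value_matcher(tok: Token) -> Matcher:
    kind, text = tok
    if kind == "WORD" and text.lower() == "null":          # "Null values" row
        return lambda v: v is None
    if text.endswith("*"):                                  # "Wildcard usage" row
        prefix = text[:-1].lower()
        return lambda v: v is not None and v.lower().startswith(prefix)
    if kind == "QUOTED":                                    # "Full match" row
        return lambda v: v == text
    needle = text.lower()                                   # "Partial match" row
    return lambda v: v is not None and needle in v.lower()


class Parser:
    def __init__(self, tokens: List[Token]) -> None:
        self.toks, self.i = tokens, 0

    def peek(self) -> Token:
        return self.toks[self.i] if self.i < len(self.toks) else ("EOF", "")

    def take(self, kind: Optional[str] = None) -> Token:
        tok = self.peek()
        if kind and tok[0] != kind:
            raise ValueError(f"expected {kind}, got {tok}")
        self.i += 1
        return tok

    def _is_word(self, word: str) -> bool:
        tok = self.peek()
        return tok[0] == "WORD" and tok[1].upper() == word

    def _take_value(self) -> Token:
        tok = self.take()
        if tok[0] not in ("WORD", "QUOTED"):
            raise ValueError(f"expected a search string, got {tok}")
        return tok

    def parse(self) -> Predicate:
        pred = self.parse_or()
        if self.peek()[0] != "EOF":
            raise ValueError(f"trailing tokens: {self.toks[self.i:]}")
        return pred

    def parse_or(self) -> Predicate:          # term OR term ...
        left = self.parse_and()
        while self._is_word("OR"):
            self.take()
            right = self.parse_and()
            left = lambda rec, a=left, b=right: a(rec) or b(rec)
        return left

    def parse_and(self) -> Predicate:         # term AND [NOT] term ...
        left = self.parse_not()
        while self._is_word("AND"):
            self.take()
            right = self.parse_not()
            left = lambda rec, a=left, b=right: a(rec) and b(rec)
        return left

    def parse_not(self) -> Predicate:
        if self._is_word("NOT"):
            self.take()
            inner = self.parse_not()
            return lambda rec: not inner(rec)
        return self.parse_term()

    def parse_term(self) -> Predicate:
        # <field_name>: <value>  or  <field_name>: (<value> OPERATOR <value> ...)
        field = self.take("WORD")[1]
        self.take(":")
        if self.peek()[0] != "(":
            matcher = _value_matcher(self._take_value())
            return lambda rec: matcher(rec.get(field))
        self.take("(")
        matchers = [_value_matcher(self._take_value())]
        ops: List[str] = []
        while self.peek()[0] != ")":
            op = self.take("WORD")[1].upper()
            if op not in ("AND", "OR"):
                raise ValueError(f"unsupported operator inside parentheses: {op}")
            ops.append(op)
            matchers.append(_value_matcher(self._take_value()))
        self.take(")")

        def pred(rec: Record) -> bool:        # all values apply to the same field
            value = rec.get(field)
            result = matchers[0](value)
            for op, m in zip(ops, matchers[1:]):
                result = (result and m(value)) if op == "AND" else (result or m(value))
            return result
        return pred


# Constructed sample detections (not real data) shaped like the table's fields.
SAMPLE_RECORDS: List[Record] = [
    {"endpointName": "john_doe", "fileName": "credit_report.xlsx",
     "fullFilePath": "C:\\notepad\\tmp.txt"},
    {"endpointName": "john_doe", "fileName": "home_budget.xlsx"},
    {"endpointName": "jane_doe", "fileName": None},
    {"endpointName": "WINDOWS-SRV01", "fileName": "setup.exe"},
    {"endpointName": "johndoe"},
]


def search(query: str, records: List[Record] = SAMPLE_RECORDS) -> List[Record]:
    """Return the records matching a query written in the table's syntax."""
    predicate = Parser(tokenize(query)).parse()
    return [r for r in records if predicate(r)]


if __name__ == "__main__":
    for q in (r'endpointName: "john_doe" AND NOT fileName: home',
              r'endpointName: "john*"', r'fullFilePath: "C:\\notepad\\tmp.txt"'):
        print(q, "->", [r["endpointName"] for r in search(q)])
```

Note that the escaped-path query is written as a raw string so that the two backslashes reach the tokenizer as typed in the Search app; a regular Python string literal would collapse them before the escape handling in the table ever applies.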