Introduction

Quick Start

To get started, you can run this simple example search for process events from the last 24 hours:

FROM process EARLIEST=-24h

Next, you could substitute process with any of the other event types (see the Build With Me section below). You can even query multiple event types, as in this example:

FROM process, auth EARLIEST=-12h

Query Language Fundamentals

To specify strings in the query language, use single quotes (and note that the WHERE is always optional):

FROM process WHERE image_path CONTAINS 'powershell.exe'

To search for string values that themselves include single quotes, put an e before the opening single quote and a backslash before each single quote inside the string:

from process where commandline contains e'echo \'mimikatz\''

Operators and any values specified are case-insensitive. In the examples, we've capitalized the operators only for emphasis.

A single search cannot query alerts and events simultaneously; two independent queries must be run.

When running a multi-event search using field names that are specific to individual event types, a separate query is run per event type and the results returned are the union of those queries.

To see more complex query options and examples, including boolean logic, regex matching, and more, see the Operators section.

Querying Common Fields and Logical Types

It is also possible to make queries without specifying any schema(s) and query all relevant schemas automatically.

Common Fields exist in the schemas for multiple event types. For example, sensor_type = 'ENDPOINT_REDCLOAK' would return all events that come from the Red Cloak™ Endpoint Agent, for all relevant schemas.

Logical Types can be used if you don’t know which schema(s) or specific field(s) to query. Logical types are preceded by the @ symbol. These automatically query the relevant schemas. For example, you could query:

@ip='8.8.8.8'
@user CONTAINS 'system'

For more information and examples on logical types, see the Logical Types section.

Querying Alerts

Alerts can be queried by fields that are specific to the alert schema as well as by fields from the event schemas. Querying by event schemas provides greater flexibility, using a much larger set of fields instead of being constrained to the more limited fields within the alert. It also allows querying fields that have a certain relationship but have been generalized within the alert. An example of this use case is searching for the fields process.image_path and process.parent_image_path, both of which are normalized as the fileName entity within the alert schema.

To query for alerts, the 'alert' data type must be specified by using the from alert clause at the beginning of the query. Specifying just event fields without explicitly asking for the alert data type will run an events search. When running an alert search using event fields, the event type must be prepended to the field name. For example, to search alerts using the process image path, you must specify the field as process.image_path.

Alert queries can also use logical types as outlined above.

Query for an alert using the title field within the alert schema:

from alert where title contains 'Powershell'

Query for an alert using the commandline field within the event schema:

from alert where process.commandline contains 'powershell.exe'

Query for an alert using logical field types:

from alert where @ip = '10.1.1.10'
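When queries are assembled programmatically, for example from an indicator list, the single-quote rule from the Query Language Fundamentals section and the event-type prefix rule for alert searches above are the two places a value can silently change the meaning of the query. The following is an added example, not code from the product's documentation; it assumes AND is the boolean connective (the Operators section is referenced but not shown here) and escapes backslashes as well as single quotes inside e'...' literals, which the page does not state.

```python
from typing import Iterable, Sequence, Tuple

Condition = Tuple[str, str, str]  # (field, operator, value)


def quote_value(value: str) -> str:
    """Render a value as a query-language string literal.

    Plain values use '...'. Values containing a single quote use the e'...'
    form with each embedded quote backslash-escaped, as the text describes.
    Escaping a literal backslash too is an assumption, so that a trailing
    backslash in a value cannot neutralise the closing quote.
    """
    if "'" not in value and "\\" not in value:
        return f"'{value}'"
    escaped = value.replace("\\", "\\\\").replace("'", "\\'")
    return f"e'{escaped}'"


def event_field(event_type: str, field: str, alerts: bool = False) -> str:
    """Qualify an event field with its event type for an alert search.

    An alert search over event fields needs process.image_path; an event
    search uses the bare field name image_path.
    """
    return f"{event_type}.{field}" if alerts else field


def build_query(event_types: Sequence[str], conditions: Iterable[Condition],
                earliest: str = "-24h", alerts: bool = False) -> str:
    """Assemble FROM ... [WHERE ...] EARLIEST=... from structured parts.

    Conditions are joined with AND (assumed boolean connective). With
    alerts=True the source is the alert data type rather than event types.
    """
    source = "alert" if alerts else ", ".join(event_types)
    parts = [f"FROM {source}"]
    clauses = [f"{field} {op} {quote_value(value)}"
               for field, op, value in conditions]
    if clauses:
        parts.append("WHERE " + " AND ".join(clauses))
    parts.append(f"EARLIEST={earliest}")
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed sample: a command line containing single quotes, which
    # unescaped would terminate the string literal early.
    print(build_query(["process"],
                      [("commandline", "CONTAINS", "echo 'mimikatz'")]))
    print(build_query([], [(event_field("process", "image_path", True),
                            "CONTAINS", "powershell.exe"),
                           ("@ip", "=", "10.1.1.10")],
                      earliest="-7d", alerts=True))
```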