Using Searches
Running Searches
To begin a search, enter what you are looking for in the search box. For example, start with an user name, a network share path, a computer name or a phrase to look for in event fields.
A search involves all available item types (events, users, files, computers and so on) at once, no matter which item type is currently highlighted.
To display events from only a specific time period, use the time range filter options in Search and Filter section of Dashboards, Browser or Investigations modules.
Simple searches produce results where the term you specify is contained anywhere in the discovered data. To make your searches less broad and more relevant, you can use hints --- for example, by prefixing the field names to look in. For details, see Search Term Sintax below.
Automating Complex Search Scenarios
To begin searching, enter what you are looking for in the search box. For example, start with a user name, a network share path, a computer name or a phrase to look for in event fields.
Some search workflow ideas are best expressed as multi-stage search queries where data produced by a search is automatically streamed into the next search in a chain. The pipe operator (|) helps you achieve this, and field names in curly braces specify which fields to analyze in that data.
Example 1:
Find the managers of all users who have created or deleted files on the \\FILESRV1\Software network share
"\\FILESRV1\Software" OR Description:{SharePath} AND (What="File
Created" OR What="File Deleted") OR Who={Who} OR
DisplayName="{ManagedByDisplayName}"
Example 2:
Find events by users from the Milwaukee office on computer FILESRV1
Office="Milwaukee" OR Who:{SAMAccountName} AND Where:filesrv1
Example 3:
Find computers where members of the Accounting group have logged in
"Accounting" OR Who:{SAMAccountName} AND What:logon OR Where={Where}
Example 4:
Find all users from the same office as user dshaw
Who="dshaw" OR Office="{Office}"
Search Term Syntax
Use the following syntax for search terms in the search box. Searches are case-insensitive.
Single-Word Terms
This is known as full-text search. The search involves all available fields and uses the Contains operator.
| Meaning | Syntax | Details |
|---|---|---|
| Look for a single-word term in any attribute | Word without spaces Example: john |
john matches John or john in any attribute, but does not match stjohn in any attribute |
| Look for a single-word term with the specified beginning in any attribute | Word ending in an asterisk () without spaces Example: john* |
john matches John or Johnson* in any attribute |
| Find attributes where a specific single word term is not contained in any attributes | Word without spaces with a leading hyphen Example: -john | -john may match entries that contain stjohn, but does not match entries that contain john in any attribute |
| Find entries where a specific single word term with the specified beginning is not contained in any attributes | Word ending in an asterisk () without spaces with a leading hyphen Example: -john* * |
-john may match entries that contain stjohn, but does not match entries that contain john or johnson* in any attribute |
| Term Combinations | ||
| Meaning | Syntax | Details |
| Look for entries with specific single-word terms in any attributes | Word separated by spaces Example: john glen* |
john glen matches john and glen, or john and glenda, or john and glen and glenda*, wherever they are found |
| Look for entries that do not contain specific single-word terms in any attribute | Word without spaces Examples: • -john -glen • John -glen* |
• -john -glen matches entries that do not contain johnor glen anywhere • john -glen matches entries that contain john in any attribute and at the same time do not contain glen or glenda* anywhere |
| Look for entries with a specific multiple-word phrase in any attribute | Phrase in quotation marks Example: “Account Logon” |
“Account Logon” matches entries that contain the exact phrase Account Logon in any attribute |
| Look for entries that do not contain a specific multiple-word phrase in any attribute | Phrase in quotation marks Example: logon server01 -“Account Logon” |
logon server01 –“Account logon” matches entries that contain the words Logon and server01 anywhere but do not contain the exact phrase Account Logon in any attribute |
| Meet one of the specified terms (or sets of terms) | Terms (single words or phrases) separated by the OR operator; this operator has the following specifics: • it is case-sensitive: it must always be specified as OR • it denotes a choice between everything to the left of it and everything to the right of it • you can use multiple OR operators in a query; the boundary of an OR clause is the beginning of the query, the end of the query, or another OR Examples: • - paul john OR Thomas • -“logon/logoff” server01 OR stjohn |
• paul john OR Thomas matches entries that contain either both John and Paul, or Thomas anywhere • -“logon/logoff” server01 OR stjohn matches either entries without the phrase Logon/Logoff that contains server01, or entries with stjohn (no matter whether they contain the phrase Logon/Logoff) |
| Explicitly mark an AND operation for visual clarity | Terms (single words or phrases) separated by the AND operator; this operator has the following specifics: • It is case-sensitive: it must always be specified as AND • It can be omitted wherever it occurs Examples: • Paul AND john • Paul john |
paul AND john and paul john are identical in meaning: look for entries where both paul and john occur |
| Group and nest terms for logical operations on them | Parentheses enclosing the terms you want to group Example: (homer marge) OR (peter lois) |
(homer marge OR (peter lois) matches either entries with both homer and marge, or entries with both peter and lois. It does not match entries with both peter and homer that do not contain lois or marge |
Searching in Specific Attributes
To apply your search term only to a particular attribute, prepend the name of the attribute with a colon (:) or equals sign (=) to your search term, as shown in the table below. If the attribute name is made up of multiple words, enclose it in brackets (as in [log name]:security). All the syntax conventions described above also apply.
The following distinction is important:
-
Labels unambiguously mapped to entry attributes; for example, Path:\"Documents and Settings\" in file access entries. In this case, the search involves the specified field and uses the
Containsoperator. -
Labels mapped to different attributes in different contexts (known as normalized attributes); for example, Where:primrose would mean the primrose domain for users or groups, the primrose computer for files or shares, and so on. In this case, the search involves the associated fields as necessary and may even modify the search terms.
Specifying Quotation Marks
If your search term must include double quotes, then for each double quote you need supply an additional double quote as an escape character. See the following examples:
| To find this string | Specify this term |
|---|---|
| the "Cancel" button | "the " "Cancel" " button" |
| computer "kltest16" | "computer " "kltest16" |
This requirement does not apply to apostrophes, which are frequently used as quotes. Single quotes of this kind do not need escaping and should be specified in a plain string, as in "local 'Administrator' user".
Filter Syntax
Select one of the operators (explained in the following table) and enter your filter terms.
| Operator | Syntax | Example | Meaning |
|---|---|---|---|
| Contains | [FieldName]: |
Name:Paul | The attribute contains all of the specified terms at once in any combination |
| Does not contain | NOT [FieldName]: |
NOT Name:John | The attribute contains none of the specified terms anywhere |
| Equals | [FieldName]: |
Name:"John Paul" | The attribute contents are identical to the specified phrase; do not enclose the phrase in quotation marks for this operator |
| Does not equal | NOT [FieldName]: |
NOT SamAccountName:paul | The attribute contents are not identical to the specified phrase; |
Do not enclose the phrase in quotation marks for this operator.
The following search syntax rules described above also apply to filter terms:
-
Terms are case-insensitive
-
The term can be a single word, multiple words, or a phrase in quotation marks.
-
In single-word terms, a trailing asterisk is treated as a wildcard character
-
In exact phrases, an asterisk is treated as a regular character.
Making Multi-Stage Searches
You have the option to run a search on the results of another search. It is a way to automate your established search practices, and it may provide a clearer and more convenient representation of your intentions.
This is similar to how the output of a command is redirected into another command as its input in PowerShell and Unix shell languages. Accordingly, search result redirection is provided by the familiar pipe (|) operator.
To indicate a field whose value should be carried over from the left query to the right through the pipe, enclose the field name in curly braces, as in {Where} or {EventID}. Example:
Example:
"rd.itsearch" | What:Logon AND Who:"{SAMAccountName}" |
Name="{Where}"
In this three-stage search, the initial results are refined twice. First, it finds all users that are members of the rd.itsearch group. For these users, it finds such events that the users SAM account names are in the Who field, and the What field contains Logon. From the resulting events, pick only those that have any of the discovered computer names in the Where field.