
Advanced Search Builder

Note

The terms Alerts and Investigations have recently been changed to Detections and Cases in Taegis XDR. You may still see references to the old terms while we continue to work towards platform convergence of Sophos and Taegis technologies. For more information, see Taegis Terminology Updates.

Secureworks® Taegis™ XDR's Advanced Search Builder enables you to search for detections and events according to queries that you define by choosing operators and defining fields to refine your search.

To access Builder:

  1. Navigate to Advanced Search from the Taegis Menu.

  2. Select Use Builder from the top right of the page.

  3. Builder is now your default search preference until you toggle back to Query Language.

Access Advanced Search Builder

Note

The advanced search interface you most recently chose is saved as your default search preference. Use the button at the top right of either Advanced Search option to toggle between them. For example, if you most recently used the Advanced Search Query Language, you may need to select Use Builder from the top right.

Build Search Queries

XDR's search grammar allows you to add criteria that filter your search query. For event queries, XDR allows you to select multiple event types. You can then add definitions to those criteria as needed to further refine and limit the scope of your search.

When you add new criteria and operators, a visual representation of the query is updated in the gray text below the query builder. Toggle the representation to view it in Builder or Query Language format. You can also add as many terms as you need.

Note

Text entered in search queries is case insensitive.

Advanced Search

Advanced Search currently allows you to search for one datatype at a time: either detections or events. When you create an Advanced search, you must select either Detections or one or more Event Types using the checkboxes in the Datasource drop-down menu. Available types are:

Data Types

  • Detections — Output from detectors based on events or event sets that trigger XDR detections.

  • Events — Security telemetry from a single point in time.

Event Types

  • Antivirus Events — Events related to malware activity on hosts and networks.

  • API Call Events — Instances in which a process attempted (successfully or not) to call an operating system API.

  • Auth Events — Activities including login successes and failures, logoffs, etc.

  • Cloud Audit Events — Audit events from cloud-based applications and cloud-hosted infrastructure.

  • Detection Finding Events — Detections generated by endpoint agents, or other sources external to XDR.

  • DHCP Events — Records of client and server DHCP activity, such as IP address assignments.

  • DNS Events — Records of domain name resolution requests by hosts.

  • Email Events — Events from email security services related to techniques such as phishing and spam.

  • Encrypt Events — Events related to SSL/TLS connection and X.509 certificate metadata.

  • File Modification Events — Instances in which a process attempted to create, modify, write, or delete a file.

  • Generic Events — Stores all raw log messages from syslog and some other ingestion sources. Note that generic events may also get normalized into other event types.

  • HTTP Events — Details on HTTP connections, for example from proxy server logs.

  • Management Events — Instances in which management information has been accessed from hosts in an enterprise environment, for example via WMI for Windows.

  • Netflow Events — Network traffic information from inbound and outbound communications, including source/destination IPs and ports.

  • NIDS Events — Events from network intrusion detection and/or prevention systems.

  • Persistence Events — Events related to techniques such as Run keys, Scheduled Tasks, or Services, commonly used by attackers to maintain persistence in a compromised system.

  • Process Events — Arbitrary code execution in other live processes. Process events may have information about program launches and their associated command lines, parent/child relationships, and other information about programs and commands executed on the host, including target programs launched by main parent executables, for example by PowerShell in Windows.

  • Process Module Events — Events generated when libraries have been loaded by different processes.

  • Registry Events — Properties of certain Windows registry entries, which may help to detect attacks.

  • Script Block Events — Executions of blocks of code (scripts) on a remote endpoint by an attacker or other entity.

  • Taegis Agent Events — Detections reported by the Taegis Agent.

  • Technique Finding Events — Indicators of potentially malicious behavior observed by endpoint agents, or other sources external to XDR.

  • Third Party Alert Events — The event record of alerts produced on sources external to XDR.

  • Thread Injection Events — Instances in which a thread has inserted and run code within the memory address space of a different target process.

Note

Detections may be searched for any time period.

However, event data is treated differently and can be searched for any period of 31 days or less in duration. Event data can be queried either from Advanced Search by choosing any non-detection Type or from Quick Search. When using either of these ways to query event data, a custom date picker allows you to specify a search time range. From this custom date picker, you can select any start date for which the account may have retained data. But when selecting the end date for the search time range, note that the number of days in the range (the difference between the start and end date) must be less than or equal to 31 days.

Search Rules

Each search rule is a query composed of one or more terms. If a search rule is composed of multiple terms, then AND logic is applied to them, i.e., all of the specified term matches must occur to return results.

Logical Types

Logical types are special fields that map to field names under the appropriate data schemas for that particular field category. The logical types are designed to alleviate the need to remember and specify each individual field name for each pertinent schema. Logical types are denoted with the @ prefix. A logical type, specified with @<logical type name>, automatically queries all relevant event fields.

Logical Type Mappings

The following are the latest logical type mappings:

@command - Command line
  • apicall: commandline
  • auth: commandline
  • filemod: commandline
  • process: commandline, commandline_decoded
  • threadinjection: commandline
@domain - Domain name
  • detection: entities prefix - ipDomain, targetAuthDomainName, sourceAuthDomainName, authDomainName
  • auth: target_domain_name, source_domain_name, extra_targetoutbounddomainname
  • dnsquery: query_name
@hash - Hash/digest
  • detection: entities prefix - fileMd5, fileSha1, fileSha256, programMd5, programSha1, programSha256, programSha512
  • auth: process_file_hash, process_file_hash.md5, process_file_hash.sha1, process_file_hash.sha256, process_file_hash.sha512
  • filemod: file_hash, parent_process_file_hash.md5, parent_process_file_hash.sha1, parent_process_file_hash.sha256, parent_process_file_hash.sha512, process_file_hash.md5, process_file_hash.sha1, process_file_hash.sha256, process_file_hash.sha512, file_hash.md5, file_hash.sha1, file_hash.sha256, file_hash.sha512
  • process: program_hash.md5, program_hash.sha1, program_hash.sha256, program_hash.sha512, target_program.sha1_hash, host_program.sha1_hash
@host - Host name
  • detection: entities prefix - hostName
  • auth: target_host_name, extra_targetservername, extra_workstationname
  • managementevent: client_hostname, client_hostname_fqdn, target_hostname, target_hostname_fqdn
  • process: process, computer_name
@ip - IP v4/6 address
  • detection: entities prefix - destIpAddress, destIpGeo, ipAddress, sourceIpAddress, sourceIpGeo
  • auth: target_address, source_address
  • cloudaudit: source_address
  • dnsquery: source_address, destination_address
  • http: source_address, destination_address, true_source_address
  • netflow: source_address, destination_address, source_nat_address, destination_nat_address
  • nids: source_address, destination_address
@mac - MAC address
  • http: source_mac, destination_mac
  • netflow: source_mac, destination_mac
@path - File path
  • detection: entities prefix - fileName
  • auth: process_filename
  • command: host_program.path, host_program.user_path, host_program.native_path, program.path, program.user_path, program.native_path
  • fileinfo: path, user_path, native_path
  • filemod: file_name
  • managementevent: script_file_path
  • memoryallocation: file.path, file.user_path, file.native_path
  • persistence: file.path, file.user_path, file.native_path, command.host_program.path, command.host_program.user_path, command.host_program.native_path, command.program.path, command.program.user_path, command.program.native_path, service.image_path, scheduled_task.action.path, shortcut.relative_path, shortcut.working_directory, shortcut.target_path, shortcut.file.path, shortcut.file.user_path, shortcut.file.native_path
  • process: image_path, parent_image_path, allocations.file.path, allocations.file.user_path, allocations.file.native_path, modules.file.path, modules.file.user_path, modules.file.native_path, host_program.path, target_program.path, host_module.file.path, host_module.file.user_path, host_module.file.native_path
  • processmodule: file.path, file.user_path, file.native_path
  • scheduledtask: action.path
  • scriptblock: interpreter_path
  • service: image_path
  • shortcut: relative_path, working_directory, target_path, file.path, file.user_path, file.native_path
  • threadinjection: source_process_name, target_process_name
@port - TCP/UDP port
  • auth: target_port, source_port
  • http: source_port, destination_port
  • netflow: source_port, destination_port, source_nat_port, destination_nat_port
  • nids: source_port, destination_port
@raw - Raw log/message data
  • Searches the original_data field for all available/applicable event types
@url - URL
  • cloudaudit: resources.resource_id
@user - User name
  • detection: entities prefix - userName
  • auth: target_user_name, source_user_name, extra_targetoutboundusername, extra_userprincipalname, extra_virtualaccount, extra_subject_domain_user_id, extra_target_domain_user_id
  • cloudaudit: user_name
  • managementevent: username
  • process: username

Nested Queries

Nested queries allow you to create more complex searches by grouping together multiple search rules. To construct one, select + Add Group and build your group of rules.

Nested Queries and Match (AND/OR)

Select OR if you want the search to match Any of your nested queries, or AND to match All of them.

Note

Be sure to apply the AND/OR selection to the intended nesting level of the query, as indicated by the colored lines in the rule builder.

Using a Nested Query

Filter Event Searches by Detections

Filter event searches by the presence of detections using the detection.resource_id field, which identifies events that have triggered detections. The detection.resource_id field supports the following operators:

  • is
  • is not null
  • in
  • contains

Searches using detection.resource_id with these operators will return only the events that have resulted in detections, facilitating the identification of security-relevant events.
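To make the evaluation rules described in Search Rules, Logical Types, Nested Queries and the section above concrete, the following Python script is an added illustration written for this page; it is not Taegis code and does not call the XDR API. It models a Builder query as terms and nested groups, applies AND between the terms of a rule and AND/OR between groups, expands a subset of the @logical type mappings listed above to the concrete fields of each event type, matches text case-insensitively, and supports the detection.resource_id operators, all against constructed sample events. The field names come from the mappings on this page; the event records, their IDs and the detection resource ID value are constructed placeholders.

```python
"""Model of how Advanced Search Builder rules are evaluated.

Added illustration, not Taegis code: it reproduces the semantics this page
describes (AND between the terms of a rule, AND/OR between nested groups,
case-insensitive text matching, @logical types expanding to per-event-type
fields) against constructed sample events.
"""
import operator
from dataclasses import dataclass
from typing import Any

# Subset of the logical-type mappings listed on this page, keyed by event type.
LOGICAL_TYPES = {
    "@ip": {"auth": ["target_address", "source_address"],
            "netflow": ["source_address", "destination_address",
                        "source_nat_address", "destination_nat_address"]},
    "@user": {"auth": ["target_user_name", "source_user_name"],
              "process": ["username"]},
    "@command": {"process": ["commandline", "commandline_decoded"],
                 "filemod": ["commandline"]},
}
COMPARE = {">": operator.gt, "<": operator.lt, ">=": operator.ge}

@dataclass
class Term:
    name: str           # concrete field name or a @logical type
    op: str             # is, is not null, in, contains, starts with, >, <, >=
    value: Any = None

@dataclass
class Group:
    match: str          # "AND" matches all rules, "OR" matches any
    rules: list         # Term or nested Group objects

def _fields_for(term, event_type):
    """Expand a @logical type to the fields it maps to for this event type."""
    if term.name.startswith("@"):
        return LOGICAL_TYPES.get(term.name, {}).get(event_type, [])
    return [term.name]

def _match_value(op, actual, wanted):
    if op == "is not null":
        return actual is not None
    if actual is None:
        return False
    if op in COMPARE:
        return COMPARE[op](actual, wanted)
    a = str(actual).lower()          # text matching is case insensitive
    if op == "is":
        return a == str(wanted).lower()
    if op == "in":
        return a in {str(v).lower() for v in wanted}
    if op == "contains":
        return str(wanted).lower() in a
    if op == "starts with":
        return a.startswith(str(wanted).lower())
    raise ValueError(f"unsupported operator {op!r}")

def matches(rule, event):
    """A term matches if any field it expands to satisfies the operator;
    a group applies AND (all) or OR (any) across its rules."""
    if isinstance(rule, Term):
        return any(_match_value(rule.op, event.get(f), rule.value)
                   for f in _fields_for(rule, event["type"]))
    results = [matches(r, event) for r in rule.rules]
    return all(results) if rule.match == "AND" else any(results)

def search(types, query, events):
    """Keep only the selected Datasource types, then apply the query."""
    return [e["id"] for e in events if e["type"] in types and matches(query, e)]

# Constructed sample events, not real telemetry; the resource ID is a placeholder.
EVENTS = [
    {"id": 1, "type": "auth", "target_user_name": "John.Brown", "action": "FAILURE",
     "source_address": "10.10.10.1", "detection.resource_id": None},
    {"id": 2, "type": "auth", "target_user_name": "john.brown", "action": "SUCCESS",
     "source_address": "192.0.2.5", "detection.resource_id": "detection://placeholder"},
    {"id": 3, "type": "netflow", "source_address": "192.0.2.7",
     "destination_address": "10.10.10.1", "detection.resource_id": None},
    {"id": 4, "type": "process", "username": "svc_backup",
     "commandline": "cmd.exe /c echo test", "detection.resource_id": None},
]

# Type: auth,netflow AND @ip: is: 10.10.10.1  (@ip expands per event type)
BY_IP = Group("AND", [Term("@ip", "is", "10.10.10.1")])
# Two terms in one rule: AND logic, case-insensitive comparison
FAILED_LOGON = Group("AND", [Term("target_user_name", "is", "john.brown"),
                             Term("action", "is", "FAILURE")])
# Nested group: @command contains echo AND (contains cmd OR contains test)
CMDLINE = Group("AND", [Term("@command", "contains", "echo"),
                        Group("OR", [Term("commandline", "contains", "cmd"),
                                     Term("commandline", "contains", "test")])])
# Events that resulted in a detection
WITH_DETECTION = Group("AND", [Term("detection.resource_id", "is not null")])

if __name__ == "__main__":
    print(search({"auth", "netflow"}, BY_IP, EVENTS))   # [1, 3]
    print(search({"process"}, CMDLINE, EVENTS))         # [4]
```

The point to notice is the @ip term: the same rule matches an auth event on source_address and a netflow event on destination_address, because the logical type is expanded separately for each selected event type. A concrete field name in a term only ever matches that one field.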

Filtering Event Searches by Detections

Use the example searches below to efficiently filter and identify events of security interest that have generated detections, enhancing your ability to monitor and respond to potential threats.

Share Search Results

You can share a link to the results of an advanced search with other users in your tenant. Select the share icon above the search results table, and the link to the results is copied to your clipboard.

Share Search Results

Note

Anyone you share the results link with must be an XDR user and have an account in the tenant the search is from.

Add a Saved Search to a Case

To add a saved search to a case:

  1. Select Advanced Search from the Taegis XDR menu. Advanced Search displays.
  2. Select Saved Searches and find the saved search you want to add to a case from My Queries or My Organization's.
  3. Select the overflow menu icon for the desired query and then choose Create New Case to add the search query to a new empty case or Add to Case to add the search query to an existing case.

    Add a Query to a Case

  4. Follow the prompts for the desired option and select Submit to add the search query.

Note

When you do this, the case will include a link to the original search query. This does not make a copy of the search results. It also does not make a copy of the original detection or event data and does not alter the retention policy for detections and events.

For more information on this feature, see Link a Saved Search to a Case.

Data Retention Policy

Secureworks retains event and detection data for 12 months from the date the data is received. All other data concerns are covered in the Secureworks Cloud Services Interface Privacy Statement.

Examples

The following search examples can be used in Advanced Search Builder in XDR. These are a few examples of how you can search and filter your data. They use sensor types along with their supported detectors.

Netflow Searches

To query network traffic events for a device type (known as sensor_type in XDR) of interest, use type netflow and the desired sensor_type.

Netflow

[Type: netflow AND sensor_type: is: PALOALTO_FIREWALL]

Netflow Logs for a Specific Cisco ASA

[Type: netflow AND sensor_type: is: CISCO_FIREWALL_ASA AND sensor_id: is: 10.207.32.7]

NIDS Searches

To query Network Intrusion Detection events for a device type (known as sensor_type in XDR) of interest, use type nids and the desired sensor_type.

NIDS

[Type: nids AND sensor_type: is: Watchguard Firewall]

Search for NIDS from Palo Alto Devices with Specific Threat ID

[Type: nids AND sensor_type: is: PALOALTO_FIREWALL] AND [signature_id: > 10000 AND signature_id: < 30000]

Authentication (Auth) Searches

To query authentication events for a device type (known as sensor_type in XDR) of interest, use type auth and the desired sensor_type.

Auth

[Type: auth AND sensor_type: is: CISCO_FIREWALL_ASA]

Search for Auth Logs from Specific Cisco ASA (WebVPN Activity)

[Type: auth AND sensor_type: is: CISCO_FIREWALL_ASA AND sensor_id: is: 192.168.2.98]

Search for Authentication Events from a Specific Windows Host (sensor_id)

[Type: auth AND sensor_id: is: CALSDC01]

Search for Azure Authentication Events

Add Sensor tenant to table details to see the Azure subscription ID.

[Type: auth AND auth_system: is: AzureActiveDirectory]
[Type: auth AND auth_system: is: AzureAD]

For both use:

[Type: auth AND auth_system: starts with: AzureA]

Search for Authentication for a Specific User

[Type: auth AND target_user_name: is: John.Brown]

Search for Authentication Failure for a Specific User

[Type: auth AND target_user_name: is: John.Brown AND action: is: FAILURE]

Search for Auth Events from Linux Hosts

Type: auth AND [sensor_type: is: sshd OR sensor_type: is: sudo]

Search for Authentication from MS Cloud Services

auth + normalizer contains microsoft

[Type: auth AND normalizer: contains: microsoft]
Last 7 Days
  • Looking for authentication data from MS Office 365 or Azure AD


HTTP Searches

To query web events for a device type (known as sensor_type in XDR) of interest, use type http and the desired sensor_type.

HTTP

[Type: http AND sensor_type: is: 'Watchguard Firewall']

DNSquery Searches

To query DNS events for a device type (known as sensor_type in XDR) of interest, use type dnsquery and the desired sensor_type.

DNSquery

[Type: dnsquery AND sensor_type: is: MSDNS]

Search for Named DNS Query/Response Events

[Type: dnsquery AND sensor_type: is: named]

Process Events Searches

The following are search examples using XDR's Advanced Search panel for process events.

process + host_id contains {specified ID} for [selected date range]

[Type: process AND host_id: contains: abc123]
Last 72 Hours

This search is looking for process events tied to a particular host ID that occurred in a very tight time window.

You can also increase the specificity of a process event search. This search additionally requires the parent image path to contain cmd.exe:

process + host_id contains {specified ID} + parent_image_path contains cmd.exe for [selected date range]

[Type: process AND host_id: contains: abc123] AND parent_image_path: contains: cmd.exe
Last 7 Days

process commandline contains echo + commandline contains cmd + commandline contains [string]

[Type: process AND commandline: contains: echo] AND [commandline: contains: cmd AND commandline: contains: test]
Last 7 Days
  • Looking for particular command line activity with a nested query.

Process Command Line Search

Multi-Event Searches

To search for multiple event types at once, select the checkboxes at the left of the desired types from the Datasource drop-down menu.

Multi-Event Search

Search for Netflow and Auth Events for a Specific IP

[ Type: auth,netflow AND @ip: is: 10.10.10.1 ]

Filter Event Searches by Detections Examples

Use the following example searches to efficiently filter and identify events of security interest that have generated detections, enhancing your ability to monitor and respond to potential threats.

Note

You can locate detection resource IDs in the JSON view of detections.

Search for Auth Events that Resulted in Detections

[ Type: auth AND detection.resource_id: is not: NULL ]

Search for Auth Events that Are Part of a Specific Detection with Complete Detection Resource ID

[ Type: auth AND detection.resource_id: is: detection://priv:event-filter:12345:1733425433662:cf996f9a-54a2-5cc8-95af-fc438fd911ea ]

Search for Auth Events with Partial Detection Resource ID

[ Type: auth AND detection.resource_id: contains: cf996f9a-54a2-5cc8-95af-fc438fd911ea ]

Search for Auth Events that Are Part of Multiple Specific Detections with Complete Detection Resource IDs

[ Type: auth AND detection.resource_id: in: detection://priv:event-filter:12345:1733418217531:056862f0-c471-552a-8a5c-731433fbb78a,detection://priv:event-filter:12345:1733425433662:cf996f9a-54a2-5cc8-95af-fc438fd911ea ]

Detections Searches

detection + [selected date range]

Type: detection
Last 72 Hours
  • Quite often you'll be searching for a detection in a time range.

Search For Detections In Time Range

Search Detections by Severity

You can search by detection severity by selecting the severity term and entering a value between zero and one that aligns to the desired severity percentage. This search looks for detections that are high or critical severity:

detection + severity >= .6 for [selected date range]

[Type: detection AND severity: >=: .6]
Last 72 Hours

Search For Detections by Severity

Search Detections by Integration

To query detections for an integration of interest, use type detection and the desired app, detectionType, etc.

Search for Kerberoasting Detections

[Type: detection AND creator: is: app:detect:kerberoasting-detector]

Search for Detections from Amazon GuardDuty

[Type: detection AND detectionType: is: aws_guard_duty]
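The examples in this section are written in a bracket shorthand: square brackets mark a group, AND/OR joins the rules of a group, and each rule is written as field, operator and value. As an added illustration for this page (not Taegis code, and not the Query Language the platform itself uses), the following Python parser turns that shorthand into a nested structure, which makes the grouping of the longer examples explicit and lets a script generate or check such queries before they are entered in Builder. The dictionary layout it produces is this example's own choice; it assumes, as every example on this page does, that a single nesting level uses either AND or OR throughout.

```python
"""Parser for the bracket shorthand used in the examples on this page.

Added illustration, not Taegis code. Each level of brackets becomes a
group with a match connective (AND/OR); "field: op: value" becomes a term.
"""
import re

# field, operator, value; the colon after the operator is optional, so both
# "severity: >=: .6" and "signature_id: > 10000" parse.
TERM_RE = re.compile(
    r"^(?P<field>\S+):\s*"
    r"(?P<op>is not null|is not|starts with|contains|is|in|>=|<=|>|<):?\s*"
    r"(?P<value>.*)$"
)

def _enclosed(s):
    """True when one outermost [ ... ] pair wraps the whole string."""
    if not (s.startswith("[") and s.endswith("]")):
        return False
    depth = 0
    for i, ch in enumerate(s):
        depth += (ch == "[") - (ch == "]")
        if depth == 0 and i < len(s) - 1:
            return False
    return True

def _split_top(s):
    """Split on AND / OR outside any brackets; returns (connective, parts)."""
    parts, cur, depth, conn, i = [], "", 0, None, 0
    while i < len(s):
        ch = s[i]
        depth += (ch == "[") - (ch == "]")
        if depth == 0:
            for word in (" AND ", " OR "):
                if s.startswith(word, i):
                    parts.append(cur)
                    cur, conn, i = "", word.strip(), i + len(word)
                    break
            else:
                cur, i = cur + ch, i + 1
        else:
            cur, i = cur + ch, i + 1
    parts.append(cur)
    return conn, [p.strip() for p in parts]

def _term(s):
    """Parse one rule; "Type: a,b" is the Datasource selection."""
    if s.lower().startswith("type:"):
        return {"type": [t.strip() for t in s[5:].split(",")]}
    m = TERM_RE.match(s)
    if not m:
        raise ValueError(f"cannot parse term: {s!r}")
    op, value = m["op"], m["value"].strip().strip("'\"")
    if op == "is not null" or (op == "is not" and value.upper() == "NULL"):
        return {"field": m["field"], "op": "is not null", "value": None}
    if op == "in":                     # comma-separated list of values
        value = [v.strip() for v in value.split(",")]
    return {"field": m["field"], "op": op, "value": value}

def parse(s):
    """Parse a whole query string into nested term/group dictionaries."""
    s = s.strip()
    if _enclosed(s):
        return parse(s[1:-1])
    conn, parts = _split_top(s)
    if conn is None:
        return _term(parts[0])
    return {"match": conn, "rules": [parse(p) for p in parts]}

def render(node, depth=0):
    """Indented text view of the parsed tree, for inspection."""
    pad = "  " * depth
    if "match" in node:
        return "\n".join([pad + node["match"]] + [render(r, depth + 1) for r in node["rules"]])
    if "type" in node:
        return pad + "Type: " + ",".join(node["type"])
    return f'{pad}{node["field"]} {node["op"]} {node["value"]}'

if __name__ == "__main__":
    # Query strings taken from the examples on this page.
    print(render(parse("[Type: nids AND sensor_type: is: PALOALTO_FIREWALL] "
                       "AND [signature_id: > 10000 AND signature_id: < 30000]")))
    print(render(parse("Type: auth AND [sensor_type: is: sshd OR sensor_type: is: sudo]")))
```

Values are kept as strings (quotes stripped), since the builder decides how to type each field; the `in` operator becomes a list, and both spellings of the null check ("is not null" and "is not: NULL") normalise to the same operator. Detection resource IDs contain colons, so only the first two colons of a rule are treated as separators.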