
Quick Search

Quickly search for single-term items using Quick Search at the top of the Taegis Menu. By default, the search is performed against All Data Types, which is equivalent to running a search against the @raw logical type in the query language. Searches can also be performed against other logical types, using a custom time range of up to 31 days.

Performing a Quick Search

Tip

Quick Search supports the following keyboard shortcuts:

  • Ctrl + / opens the search menu.
  • Shift + Enter submits a search query.

To perform a quick search:

  1. Select Quick Search from the Taegis Menu or use Ctrl + /. Quick Search displays.
  2. Enter the data you want to search for.
  3. Choose a data type from the drop-down menu:

    | Data Type | Equivalent Logical Type | Description |
    |---|---|---|
    | All Data Types | @raw | Search all event types and alerts |
    | Asset Name | @host | Search for a hostname as captured from ingested raw data and normalized into alert and event fields |
    | Command Line | @command | Events and alerts that contain the specified command line |
    | Domain Name | @domain | Events and alerts that contain the specified web address |
    | Host Name | @host | Events and alerts from the endpoint agent with the specified hostname. The hostname is translated to a host_id, and the search runs using the host_id found in the XDR endpoint database. |
    | IP Address (v4/6) | @ip | Events and alerts that contain traffic involving the specified IP address |
    | Mac | @mac | Search for a MAC address in any field |
    | Path | @path | Events and alerts that contain a path to a program or a file |
    | Port | @port | Search for a port in any field |
    | Program Hash | @hash | Events and alerts that contain the specified SHA1, SHA256, SHA512, or MD5 hash |
    | Sensor ID | Not applicable | Events and alerts for the specified sensor ID |
    | URL | @url | Search for a URL in any field |
    | User | @user | Search for a user in any field |
  4. Modify the time range if necessary.
  5. Click Search or press Shift + Enter. The search results are displayed.

Note

Alerts may be searched for any time period.

However, event data is treated differently: it can be searched for any period of 31 days or less in duration. Event data can be queried either from Advanced Search, by choosing any non-Alert type, or from Quick Search. In both cases a custom date picker lets you specify the search time range. You can select any start date for which the account may have retained data, but when selecting the end date, the number of days in the range (the difference between the start and end date) must be less than or equal to 31.
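The following added example (not Taegis code) ties together the data-type table above and the time-range rule in this note. It maps each drop-down entry to its logical type, checks the 31-day limit that applies to every Quick Search and to non-Alert types in Advanced Search, and lets Alert searches in Advanced Search span any period. The function names, the dictionary returned, and the sample hostname are assumptions made for the example; it does not construct query-language syntax, since that syntax is not shown on this page.

```python
"""Resolve a Quick Search selection and validate its time range.

Added example, not part of the Taegis product or its documentation.
The data-type table and the 31-day event window come from the page;
everything else (function names, return shape) is hypothetical.
"""
from datetime import date

# Drop-down data type -> logical type, from the Quick Search table.
# Sensor ID has no logical type; the search runs on the sensor ID itself.
LOGICAL_TYPES = {
    "All Data Types": "@raw",
    "Asset Name": "@host",
    "Command Line": "@command",
    "Domain Name": "@domain",
    "Host Name": "@host",      # translated to host_id by the endpoint database
    "IP Address (v4/6)": "@ip",
    "Mac": "@mac",
    "Path": "@path",
    "Port": "@port",
    "Program Hash": "@hash",   # SHA1, SHA256, SHA512 or MD5
    "Sensor ID": None,
    "URL": "@url",
    "User": "@user",
}

MAX_EVENT_RANGE_DAYS = 31  # event-data window stated on the page


def _as_date(value):
    """Accept a date or an ISO-8601 string (YYYY-MM-DD)."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def logical_type_for(data_type):
    """Logical type for a drop-down entry; None for Sensor ID.

    Raises KeyError for a name that is not in the drop-down.
    """
    return LOGICAL_TYPES[data_type]


def range_days(start, end):
    """Difference in days between start and end (the number the page limits)."""
    return (_as_date(end) - _as_date(start)).days


def event_range_ok(start, end):
    """True when a range may be used to query event data.

    Applies to every Quick Search and to any non-Alert type in Advanced Search:
    end must not precede start, and the span must be at most 31 days.
    """
    days = range_days(start, end)
    return 0 <= days <= MAX_EVENT_RANGE_DAYS


def advanced_search_range_ok(start, end, advanced_type):
    """Alert searches accept any period; other types follow the event rule."""
    if range_days(start, end) < 0:
        return False
    if advanced_type == "Alert":
        return True
    return event_range_ok(start, end)


def resolve_quick_search(data_type, term, start, end):
    """Describe what a Quick Search submission resolves to, or raise ValueError."""
    if not term or not term.strip():
        raise ValueError("enter a term to search for")
    logical_type = logical_type_for(data_type)  # KeyError on an unknown entry
    if not event_range_ok(start, end):
        raise ValueError(
            f"Quick Search time range must be {MAX_EVENT_RANGE_DAYS} days or less"
        )
    return {
        "data_type": data_type,
        "logical_type": logical_type,
        "term": term.strip(),
        "start": _as_date(start),
        "end": _as_date(end),
        "days": range_days(start, end),
    }


if __name__ == "__main__":
    # Constructed sample: a hostname search over a 30-day window.
    print(resolve_quick_search("Host Name", "ws-0042", "2024-03-01", "2024-03-31"))
```

The boundary case matters in practice: a range of exactly 31 days is accepted, 32 is not, and the check is applied to the default All Data Types search as well, because that search touches event data.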