Search syntax | Trend Micro Service Central

Views:

The Search app allows you to query your data and detections.

Tip

To search both the Endpoint Activity Data and Detections, select the General search method. Select either Endpoint Activity Data or Detections to search a specific set of data.
Ensure that the use of the space character exactly matches the results that you want. One double space within the search string omits any results that only include one space character in the same location.
Some search fields display substituted text for ID values and you cannot search for the text value. For example, "eventID" stores the numerical value "1" in the database but displays "TELEMETRY_PROCESS" in the search results. You cannot search for "TELEMETRY_PROCESS".

The following tables outline different search syntax and provide example strings:

Field-based Search Syntax
Free Search Syntax
Logical Operators and Special Characters
Token-based Search Syntax (Partial Match)
Wildcard Search
Search Filters
Logical Operator Precedence
Escape Operators and Characters

Field-based Search Syntax

Search Target

Description

Supported Field Type

Search Syntax

Example

Partial match

Provides all results for the specified field that contain the search string

String
Dynamic
Int
Long

Note

The int and long field types always use full match.

<field_name>: <search_string>
<field_name>: "*<search_string>*"

Note

To search or escape a special character, type


                                                   "*<search_string>*"

endpointName: windows

Returns all results that contain "windows" in the endpoint name

endpointName: *windows\/app*

Returns all results that contain "windows/app" in the endpoint name

Full match

Provides all results for the specified field that contain the exact search string specified

String
Dynamic
Int
Long
Bool

Note

The dynamic field type partially matches to every element.

<field_name>: "<search_string>"

endpointName: "john_doe"

Only returns results in which the endpoint name is "john_doe"

Wildcard search

Provides results that match the field values substituting for the following wildcard characters:

*: Used as a substitute for one or more characters in the specified location

Important

Wildcard Search is not supported for Network Activity Data IP addresses.

String
Dynamic

Note

The dynamic field type transforms the whole object to string before doing wildcard search. Using wildcard search in dynamic type yields fewer results and decreases the query performance.

<field_name>: <search_string>*

endpointName: "john*"

Returns all results that contain "john" as the first 4 characters in the endpoint name

Example results: "john", "john_doe", "johndoe", "johnd"

Range operator

Provides all results that match the requirements specified for multiple fields using the following operators:

Int
Long

<field_name> <range_operator> <number>

"dpt >= 80" AND "dpt <= 443"

Only returns results in which the log data contains integers in a range from greater than or equal to 80 to less than or equal to 443

Regex

Provides all results that match the regular expression, such that the value is matched anywhere in the field.

For more information, go to Using regex in Search queries.

String

<field_name>: /<search_string>/

endpointHostName: /\\w*(trend|trendmicro)\.com/

Free Search Syntax

Search Target

Description

Search Syntax

Example

Partial match

Provides all results that contain the search string in any data field.

Note

Free Search does not support Network Activity Data.

"search_string"
search_string

Note

Use Field-based Search to search for numbers and bool field type.

"john"

Returns all results that contain the string john in any data field

Full match

Not available

Logical Operators and Special Characters

Operator Type

Description

Supported Search Types

Search Syntax

Example

Multiple fields

Provides all results that match the requirements specified for multiple fields using the following operators:

Note

The search performance decreases when using multiple logical operators.

Field-based Search
Free Search

<field_name>: <search_string1> OPERATOR
                                    <field_name>:<search_string2>

Note

Special characters must be escaped by a slash (\) for partial match, full match, and wildcard search:

Without double quotation marks: \():<>"{}
Within double quotation marks: "\", "\\"
"*" is not supported and is escaped

endpointName: "john_doe" AND fileName: "credit"

Only returns results in which the log data contains both "john_doe" and "credit" in any field (example: objectUser=john_doe2; fileName=creditcard.txt)

"john_doe" AND NOT "home"

Only returns results in which the log data contains "john_doe" but does not contain "home" in any field

Multiple values

Provides all results that match the requirements specified for multiple values using the following operators:

Field-based Search
Free Search

<field_name>: <search_string1> OPERATOR
                                    <search_string2>

endpointName:"john_doe" OR "jane_doe"

Returns results in which the endpoint name is "john_doe" or "jane_doe"

Token-based Search Syntax (Partial Match)

Search Criteria

(Example: "Trend_Micro-Vision-One: fa73ad07-ef36-48e6-8bb3-e91fedaf4a04 john_doe@trendmicro.com john\trend\project\abc.txt")

Returns Search Results

<field_name>: Trend

Note

Token-based search uses partial match. By default, each string value is broken into sequences of alphanumeric characters called tokens, which comprise of three or more alphanumeric characters. Partial matches can be used in both field-based search and free search.

Yes

<field_name>: TREND

Yes

<field_name>: "*Trend*"

Yes

<field_name>: Tre

Note

The search result only compares the complete token. When the token in query criteria contains less than three characters, the query performance is reduced.

<field_name>: Trend_Mic

<field_name>: Micro

Yes

<field_name>: Trend_Micro

Yes

<field_name>: TREND_MICRO

Yes

<field_name>: Trend_

Yes

<field_name>: e91fe

<field_name>: fa73ad07

Yes

<field_name>: fa73ad07-ef36-48e6-8bb3-e91fedaf4a04

Yes

<field_name>: john_doe@trendmicro.com

Yes

<field_name>: Trend_Micro-Vision-One\:
                                    fa73ad07-ef36-48e6-8bb3-e91fedaf4a04 john_doe@trendmicro.com
                                    john\\trend\\project\\abc.txt

Yes

<field_name>: Trend_Micro-Vision-One:
                                    fa73ad07-ef36-48e6-8bb3-e91fedaf4a04 john_doe@trendmicro.com
                                    john\trend\project\abc.txt

<field_name>: "*Trend_Micro-Vision-One\:
                                    fa73ad07-ef36-48e6-8bb3-e91fedaf4a04 john_doe@trendmicro.com
                                    john\\trend\\project\\abc.txt*"

<field_name>: "*Trend_Micro-Vision-One:
                                    fa73ad07-ef36-48e6-8bb3-e91fedaf4a04 john_doe@trendmicro.com
                                    john\\trend\\project\\abc.txt*"

Yes

<field_name>: "*john\\trend\\project\\abc.txt*"

Yes

Wildcard Search

WARNING

Wildcard search (for the categories "Start with", "End with" and "MISC.") in dynamic fields decreases query performance.

An asterisk (*) is at the end of the string.

Trend*

End with

An asterisk (*) is at the beginning of the string.

*Micro

Contain

An asterisk (*) is at the beginning and the end of the string.

Note

"Contain" category wildcard search uses partial match.

*Vision*

Yes

MISC.

There are one or several asterisks (*) in the middle of the string.

Note

The match pattern can be in the middle of the string value: "Tre*d" matches the value "HelloTrendMicro".

Tr*nd
**Micro
*Vis*ion*
One**

Yes

Query Criteria (Example: "Trend_Micro-Vision-One: fa73ad07-ef36-48e6-8bb3-e91fedaf4a04 john_doe@trendmicro.com")	Category	Description	Returns Search Results
`<field_name>: "Trend*"`	`Start with`	Finds the values that start with "Trend".	Yes
`<field_name>: "trend*"`	`Start with`	Finds the values that start with "trend".	Yes
`<field_name>: "*trendmicro.com"`	`End with`	Finds the values that end with "trendmicro.com".	Yes
`<field_name>: "*TRENDMICRO.COM"`	`End with`	Finds the values that end with "TRENDMICRO.COM".	Yes
`<field_name>: "Trend_Micro"`	`Contain`	Finds the values that contain "Trend_Micro".	Yes
`<field_name>: "trend_micro"`	`Contain`	Finds the values that contain "trend_micro".	Yes
`<field_name>: "Trend*com"`	`MISC.`	Finds the values that have "Trend" as the beginning and "com" as the end of the string.	Yes
`<field_name>: "Tre*"`	`Start with`	Finds the values that start with "Tre".	Yes
`<field_name>: "*micro.com"`	`End with`	Finds the values that end with "micro.com".	Yes
`<field_name>: "fa73ad07e91fedaf4a04*"`	`MISC.`	Finds the values that match "fa73ad07e91fedaf4a04*".	Yes
`<field_name>: "fa73ad07*e91fedaf4a04"`	`MISC.`	Finds the values that match "fa73ad07*e91fedaf4a04".	Yes
`<field_name>: "fa73ad07*"`	`Start with`	Finds the values that start with "fa73ad07". "fa73ad07" is the start of a token but not the start of the whole string, so the result does not match.	No
`<field_name>: "fa73ad07**"`	`MISC.`	Finds the values that match "fa73ad07*". Since there is a "" in the middle of the string, this is a MISC. wildcard search. The MISC. wildcard searches for results even in the middle of the string.	Yes
`<field_name>: "*Vision-One"`	`End with`	Finds the values that end with "Vision-One". "Vision-One" is the end of a token but not the end of the whole string, so the result does not match.	No
`<field_name>: "**Vision-One"`	`MISC.`	Finds the values that match "*Vision-One". Since there is a "" in the middle of the string, this is a MISC. wildcard search. The MISC. wildcard searches for results even in the middle of the string.	Yes
`<field_name>: "**vision-one"`	`MISC.`	Finds the values that match "**vision-one". MISC. wildcard search is case-sensitive, so "vision-one" does not match "Vision-One".	No
`<field_name>: "Visio"`	`Contain`	Finds the values that contain "Visio". "Visio" is not a token in the string, so the result does not match.	No
`<field_name>: "VISION*COM"`	`MISC.`	Finds the values that have "VISION" in the beginning and "COM" in the end of the string. MISC. wildcard search is case-sensitive, so "vision" does not match "Vision".	No

Search Filters

Action

Description

Supported Field Types

Add Filter: field IS value

Adds the selected value as search criteria to the existing search query.

String
Dynamic
Int
Long

Note

The dynamic type partially matches to every element.

Add Filter: field IS NOT value

Adds the selected value as an exception to the existing search query.

String
Dynamic
Int
Long

Note

The dynamic type removes all results that only have partial match results.

Add Filter: field IS EMPTY

Adds the selected field with no value as search criteria to the existing search query.

String
Dynamic
Int
Long

Add Filter: field EXISTS

Adds the selected field with any value as search criteria to the existing search query.

String
Dynamic
Int
Long

Add Filter: field DOES NOT EXIST

Adds the selected field with no value as search criteria to the existing search query.

String
Dynamic
Int
Long

Logical Operator Precedence

Precedence

Operator

Description

Example

( )

Group logical expressions

Return events that include port 80, 81, or 82

port: (80 OR 81 OR 82)

NOT

Logical NOT

Return events that don't include port 80

NOT port: 80

AND

Logical AND

Note

The AND operator has a higher precedence than OR, but the precedence can be overridden by grouping the operators in parentheses. The following two queries are equal:

port: 80 OR port: 81 AND endpointHostname: "john"
port: 80 OR (port: 81 AND endpointHostname: "john")

Logical OR

Escape Operators and Characters

Category	Operator or Character	Match Type and Example
Keyword	AND OR NOT	Partial match `ruleName: Engine \AND analyzed`
Special character	\ ( ) : < > " * { }	Partial match `processCmd: C\:`
Full match keyword	" \	Full match `objectCmd: "*hang\""`
Regex keyword	\ /	Regex match `filePath: /\/etc\/pwd\/config\/aaa/`
White space	\t \r \n	Partial match `objectRegistryData: \\t*` Regex match `filePath: /\windows\system\\temp/`