Search syntax | Trend Micro Service Central

Views:

The Search app allows you to query data and detections.

To search both the endpoint activity data and detections, select the General search method.
Select either Endpoint activity data or Detections to search a specific set of data.
Ensure that the characters you type exactly match the results that you want.
Some search fields display substituted text for ID values and you cannot search for the text value. For example, eventID stores the numerical value 1 in the database but displays TELEMETRY_PROCESS in the search results. You cannot search for TELEMETRY_PROCESS.

The following tables describe the search syntax and provide example strings:

Field-based Search Syntax
Free Search Syntax
Logical Operators and Special Characters
Token-based Search Syntax (Partial Match)
Wildcard Search
Search Filters
Logical Operator Precedence
Escape Operators and Characters

Field-based search syntax

Search Target

Description

Supported Field Type

Search Syntax

Example

Partial match

Provides all results for the specified field that contain the search string

String
Dynamic
Int
Long

Note

The int and long field types always use full match.

<field_name>: <search_string>
<field_name>: "*<search_string>*"

Note

To search or escape a special character, type


                                                   "*<search_string>*"

endpointName: windows

Returns all results that contain "windows" in the endpoint name

endpointName: *windows\/app*

Returns all results that contain "windows/app" in the endpoint name

Full match

Provides all results for the specified field that contain the exact search string specified

String
Dynamic
Int
Long
Bool

Note

The dynamic field type partially matches to every element.

<field_name>: "<search_string>"

endpointName: "john_doe"

Only returns results in which the endpoint name is "john_doe"

Wildcard search

Provides results that match the field values substituting for the following wildcard characters:

*: Used as a substitute for one or more characters in the specified location

Important

Wildcard Search is not supported for Network Activity Data IP addresses.

String
Dynamic

Note

The dynamic field type transforms the whole object to string before doing wildcard search. Using wildcard search in dynamic type yields fewer results and decreases the query performance.

<field_name>: <search_string>*

endpointName: "john*"

Returns all results that contain "john" as the first 4 characters in the endpoint name

Example results: "john", "john_doe", "johndoe", "johnd"

Range operator

Provides all results that match the requirements specified for multiple fields using the following operators:

Int
Long

<field_name> <range_operator> <number>

"dpt >= 80" AND "dpt <= 443"

Only returns results in which the log data contains integers in a range from greater than or equal to 80 to less than or equal to 443

Regex

Returns all entries where the regular expression matches any part (beginning, middle, or end) of the field's content.

For more information, go to Use regex in Search queries.

String

<field_name>: /<search_string>/

endpointHostName: /\\w*(trend|trendmicro)\.com/

Free Search Syntax

Search Target

Description

Search Syntax

Example

Partial match

Provides all results that contain the search string in any data field.

Note

Free Search does not support Network Activity Data.

"search_string"
search_string

Note

Use Field-based Search to search for numbers and bool field type.

"john"

Returns all results that contain the string john in any data field

Full match

Not available

Logical Operators and Special Characters

Operator Type

Description

Supported Search Types

Search Syntax

Example

Multiple fields

Provides all results that match the requirements specified for multiple fields using the following operators:

Note

The search performance decreases when using multiple logical operators.

Field-based Search
Free Search

<field_name>: <search_string1> OPERATOR
                                    <field_name>:<search_string2>

Note

Escape special characters using a backslash (\) for partial match, full match, and wildcard search:

Without double quotation marks: \():<>"{}
Within double quotation marks: "\", "\\"
"*" is not supported and is escaped

endpointName: "john_doe" AND fileName: "credit"

Only returns results in which the log data contains both "john_doe" and "credit" in any field (example: objectUser=john_doe2; fileName=creditcard.txt)

"john_doe" AND NOT "home"

Only returns results in which the log data contains "john_doe" but does not contain "home" in any field

Multiple values

Provides all results that match the requirements specified for multiple values using the following operators:

Field-based Search
Free Search

<field_name>: <search_string1> OPERATOR
                                    <search_string2>

endpointName:"john_doe" OR "jane_doe"

Returns results in which the endpoint name is "john_doe" or "jane_doe"

Nested value match

Provides all results that match a JSON object containing another JSON object as a nested structure.

Important

Nested values must be a string, number, or object to return search results.

Dynamic field (new Search)

<outer_field>.<nested_field_1>.<nested_field_2>....<nested_field_n>: <search_value>

vendorParsed.act: *

vendorParsed.foo: "bar"

Returns results in which third-party logs are flattened to one layer in the vendorParsed field

Nested array value search

Provides all results that match a nested array value.

Dynamic field (new Search)

<search_field>[<number>]

vendorParsed.act[0]: foo

Returns results with third-party logs that match a nested array value

Token-based search syntax (partial match)

Search Criteria

(Example: "Trend_Micro-Vision-One: fa73ad07-ef36-48e6-8bb3-e91fedaf4a04 john_doe@trendmicro.com john\trend\project\abc.txt")

Returns Search Results

<field_name>: Trend

Note

Token-based search uses partial match. By default, Search breaks each string value into sequences of alphanumeric characters called tokens. Tokens comprise three or more alphanumeric characters. You can use partial matches in both field-based search and free search.

Yes

<field_name>: TREND

Yes

<field_name>: "*Trend*"

Yes

<field_name>: Tre

Note

The search result only compares the complete token. A token in query criteria with less than three characters reduces performance.

<field_name>: Trend_Mic

<field_name>: Micro

Yes

<field_name>: Trend_Micro

Yes

<field_name>: TREND_MICRO

Yes

<field_name>: Trend_

Yes

<field_name>: e91fe

<field_name>: fa73ad07

Yes

<field_name>: fa73ad07-ef36-48e6-8bb3-e91fedaf4a04

Yes

<field_name>: john_doe@trendmicro.com

Yes

<field_name>: Trend_Micro-Vision-One\:
                                    fa73ad07-ef36-48e6-8bb3-e91fedaf4a04 john_doe@trendmicro.com
                                    john\\trend\\project\\abc.txt

Yes

<field_name>: Trend_Micro-Vision-One:
                                    fa73ad07-ef36-48e6-8bb3-e91fedaf4a04 john_doe@trendmicro.com
                                    john\trend\project\abc.txt

<field_name>: "*Trend_Micro-Vision-One\:
                                    fa73ad07-ef36-48e6-8bb3-e91fedaf4a04 john_doe@trendmicro.com
                                    john\\trend\\project\\abc.txt*"

<field_name>: "*Trend_Micro-Vision-One:
                                    fa73ad07-ef36-48e6-8bb3-e91fedaf4a04 john_doe@trendmicro.com
                                    john\\trend\\project\\abc.txt*"

Yes

<field_name>: "*john\\trend\\project\\abc.txt*"

Yes

Wildcard search

Note

Wildcard search for the categories Start with, End with and MISC in dynamic fields decreases query performance.

An asterisk (*) is at the end of the string.

Trend*

End with

An asterisk (*) is at the beginning of the string.

*Micro

Contain

An asterisk (*) is at the beginning and the end of the string.

Note

Contain category wildcard search uses partial match.

*Vision*

Yes

MISC.

There are one or several asterisks (*) in the middle of the string.

Note

The match pattern can be in the middle of the string value: "Tre*d" matches the value "HelloTrendMicro".

Tr*nd
**Micro
*Vis*ion*
One**

Yes

Query Criteria (Example: "Trend_Micro-Vision-One: fa73ad07-ef36-48e6-8bb3-e91fedaf4a04 john_doe@trendmicro.com")	Category	Description	Returns Search Results
`<field_name>: "Trend*"`	`Start with`	Finds the values that start with "Trend".	Yes
`<field_name>: "trend*"`	`Start with`	Finds the values that start with "trend".	Yes
`<field_name>: "*trendmicro.com"`	`End with`	Finds the values that end with "trendmicro.com".	Yes
`<field_name>: "*TRENDMICRO.COM"`	`End with`	Finds the values that end with "TRENDMICRO.COM".	Yes
`<field_name>: "Trend_Micro"`	`Contain`	Finds the values that contain "Trend_Micro".	Yes
`<field_name>: "trend_micro"`	`Contain`	Finds the values that contain "trend_micro".	Yes
`<field_name>: "Trend*com"`	`MISC.`	Finds the values that have "Trend" as the beginning and "com" as the end of the string.	Yes
`<field_name>: "Tre*"`	`Start with`	Finds the values that start with "Tre".	Yes
`<field_name>: "*micro.com"`	`End with`	Finds the values that end with "micro.com".	Yes
`<field_name>: "fa73ad07e91fedaf4a04*"`	`MISC.`	Finds the values that match "fa73ad07e91fedaf4a04*".	Yes
`<field_name>: "fa73ad07*e91fedaf4a04"`	`MISC.`	Finds the values that match "fa73ad07*e91fedaf4a04".	Yes
`<field_name>: "fa73ad07*"`	`Start with`	Finds the values that start with "fa73ad07". "fa73ad07" is the start of a token but not the start of the whole string, so the result does not match.	No
`<field_name>: "fa73ad07**"`	`MISC.`	Finds the values that match "fa73ad07*". Since there is a "" in the middle of the string, this is a MISC. wildcard search. The MISC. wildcard searches for results even in the middle of the string.	Yes
`<field_name>: "*Vision-One"`	`End with`	Finds the values that end with "Vision-One". "Vision-One" is the end of a token but not the end of the whole string, so the result does not match.	No
`<field_name>: "**Vision-One"`	`MISC.`	Finds the values that match "*Vision-One". Since there is a "" in the middle of the string, this is a MISC. wildcard search. The MISC. wildcard searches for results even in the middle of the string.	Yes
`<field_name>: "**vision-one"`	`MISC.`	Finds the values that match "**vision-one". MISC. wildcard search is case-sensitive, so "vision-one" does not match "Vision-One".	No
`<field_name>: "Visio"`	`Contain`	Finds the values that contain "Visio". "Visio" is not a token in the string, so the result does not match.	No
`<field_name>: "VISION*COM"`	`MISC.`	Finds the values that have "VISION" in the beginning and "COM" in the end of the string. MISC. wildcard search is case-sensitive, so "vision" does not match "Vision".	No

Search Filters

Action

Description

Supported Field Types

Add Filter: field IS value

Adds the selected value as search criteria to the existing search query.

String
Dynamic
Int
Long

Note

The dynamic type partially matches to every element.

Add Filter: field IS NOT value

Adds the selected value as an exception to the existing search query.

String
Dynamic
Int
Long

Note

The dynamic type removes all results that only have partial match results.

Add Filter: field IS EMPTY

Adds the selected field with no value as search criteria to the existing search query.

String
Dynamic
Int
Long

Add Filter: field EXISTS

Adds the selected field with any value as search criteria to the existing search query.

String
Dynamic
Int
Long

Add Filter: field DOES NOT EXIST

Adds the selected field with no value as search criteria to the existing search query.

String
Dynamic
Int
Long

Logical Operator Precedence

Precedence

Operator

Description

Example

( )

Group logical expressions

Return events that include port 80, 81, or 82

port: (80 OR 81 OR 82)

NOT

Logical NOT

Return events that do not include port 80

NOT port: 80

AND

Logical AND

Note

The AND operator has a higher precedence than OR, but the precedence can be overridden by grouping the operators in parentheses. The following two queries are equal:

port: 80 OR port: 81 AND endpointHostname: "john"
port: 80 OR (port: 81 AND endpointHostname: "john")

Logical OR

Escape Operators and Characters

Category	Operator or Character	Match Type and Example
Keyword	AND OR NOT	Partial match `ruleName: Engine \AND analyzed`
Special character	\ ( ) : < > " * { }	Partial match `processCmd: C\:`
Full match keyword	" \	Full match `objectCmd: "*hang\""`
Regex keyword	\ /	Regex match `filePath: /\/etc\/pwd\/config\/aaa/`
White space	\t \r \n	Partial match `objectRegistryData: \\t*` Regex match `filePath: /\windows\system\\temp/`