Views:

XDR Data Explorer allows you to query telemetry data and detections.

  • Select data sources to search a specific set of data.
  • Ensure that the characters you type exactly match the results that you want.
  • Some fields display substituted text for ID values and you cannot search for the text value. For example, eventID stores the numerical value 1 in the database but displays TELEMETRY_PROCESS in results. You cannot query TELEMETRY_PROCESS.
The following tables describe query syntax and provide example strings:

Field-based syntax

Target
Description
Supported Field Type
Syntax
Example
Partial match
Provides all results for the specified field that contain the string
  • String
  • Dynamic
  • Int
  • Long
Note
Note
The int and long field types always use full match.
  • <field_name>: <search_string>
  • <field_name>: "*<search_string>*"
Note
Note
To search or escape a special character, type "*<search_string>*".
endpointName: windows
Returns all results that contain "windows" in the endpoint name
endpointName: *windows\/app*
Returns all results that contain "windows/app" in the endpoint name
Full match
Provides all results for the specified field that contain the exact string specified
  • String
  • Dynamic
  • Int
  • Long
  • Bool
Note
Note
The dynamic field type partially matches to every element.
<field_name>: "<search_string>"
endpointName: "john_doe"
Only returns results in which the endpoint name is "john_doe"
Wildcards
Provides results that match the field values substituting for the following wildcard characters:
  • *: Used as a substitute for one or more characters in the specified location
Important
Important
Wildcards are not supported for Network Activity Data IP addresses.
  • String
  • Dynamic
Note
Note
The dynamic field type transforms the whole object to string before doing wildcard search. Using wildcards in dynamic type yields fewer results and decreases the query performance.
<field_name>: <search_string>*
endpointName: "john*"
Returns all results that contain "john" as the first 4 characters in the endpoint name
Example results: "john", "john_doe", "johndoe", "johnd"
Range operator
Provides all results that match the requirements specified for multiple fields using the following operators:
  • >
  • <
  • >=
  • <=
  • Int
  • Long
<field_name> <range_operator> <number>
"dpt >= 80" AND "dpt <= 443"
Only returns results in which the log data contains integers in a range from greater than or equal to 80 to less than or equal to 443
Regex
Returns all entries where the regular expression matches any part (beginning, middle, or end) of the field's content.
For more information, go to Use regex in queries.
  • String
<field_name>: /<search_string>/
endpointHostName: /\\w*(trend|trendmicro)\.com/

Free query syntax

Target
Description
Syntax
Example
Partial match
Provides all results that contain the string in any data field.
Note
Note
Free queries are not supported for Network Activity Data.
  • "search_string"
  • search_string
Note
Note
Use field-based syntax to query numbers and bool field type.
"john"
Returns all results that contain the string john in any data field
Full match
Not available
-
-

Logical operators and special characters

Operator Type
Description
 Supported Types
Syntax
Example
Multiple fields
Provides all results that match the requirements specified for multiple fields using the following operators:
  • AND
  • OR
  • NOT
Note
Note
Query performance decreases when using multiple logical operators.
  • Field-based
  • Free query
<field_name>: <search_string1> OPERATOR <field_name>:<search_string2>
Note
Note
Escape special characters using a backslash (\) for partial match, full match, and wildcard search:
  • Without double quotation marks: \():<>"{}
  • Within double quotation marks: "\", "\\"
  • "*" is not supported and is escaped
endpointName: "john_doe" AND fileName: "credit"
Only returns results in which the log data contains both "john_doe" and "credit" in any field (example: objectUser=john_doe2; fileName=creditcard.txt)
"john_doe" AND NOT "home"
Only returns results in which the log data contains "john_doe" but does not contain "home" in any field
Multiple values
Provides all results that match the requirements specified for multiple values using the following operators:
  • AND
  • OR
  • NOT
  • Field-based
  • Free query
<field_name>: <search_string1> OPERATOR <search_string2>
endpointName:"john_doe" OR "jane_doe"
Returns results in which the endpoint name is "john_doe" or "jane_doe"
IN
Provides all results that contain certain values included in the query.
  • String
  • Number fields
<search_field> IN (<number1>, <number2>)
<search_field> IN ("<string1>", "<string2>")
port IN (80, 443, 5376)
endpointHostName IN (“endpoint-name-1“, “endpoint-name-2“, “endpoint-name-3“)
Nested value match
Provides all results that match a JSON object containing another JSON object as a nested structure.
Important
Important
Nested values must be a string, number, or object to return results.
Dynamic fields
<outer_field>.<nested_field_1>.<nested_field_2>....<nested_field_n>: <search_value>
vendorParsed.act: *
vendorParsed.foo: "bar"
Returns results in which third-party logs are flattened to one layer in the vendorParsed field

Token-based query syntax (partial match)

Criteria
(Example: "Trend_Micro-Vision-One: fa73ad07-ef36-48e6-8bb3-e91fedaf4a04 john_doe@trendmicro.com john\trend\project\abc.txt")
Returns Results
<field_name>: Trend
Note
Note
Token-based queries use partial match. By default, XDR Data Explorer breaks each string value into sequences of alphanumeric characters called tokens. Tokens comprise three or more alphanumeric characters. You can use partial matches in both field-based and free queries.
Yes
<field_name>: TREND
Yes
<field_name>: "*Trend*"
Yes
<field_name>: Tre
Note
Note
The result only compares the complete token. A token in query criteria with less than three characters reduces performance.
No
<field_name>: Trend_Mic
No
<field_name>: Micro
Yes
<field_name>: Trend_Micro
Yes
<field_name>: TREND_MICRO
Yes
<field_name>: Trend_
Yes
<field_name>: e91fe
No
<field_name>: fa73ad07
Yes
<field_name>: fa73ad07-ef36-48e6-8bb3-e91fedaf4a04
Yes
<field_name>: john_doe@trendmicro.com
Yes
<field_name>: Trend_Micro-Vision-One\: fa73ad07-ef36-48e6-8bb3-e91fedaf4a04 john_doe@trendmicro.com john\\trend\\project\\abc.txt
Yes
<field_name>: Trend_Micro-Vision-One: fa73ad07-ef36-48e6-8bb3-e91fedaf4a04 john_doe@trendmicro.com john\trend\project\abc.txt
No
<field_name>: "*Trend_Micro-Vision-One\: fa73ad07-ef36-48e6-8bb3-e91fedaf4a04 john_doe@trendmicro.com john\\trend\\project\\abc.txt*"
No
<field_name>: "*Trend_Micro-Vision-One: fa73ad07-ef36-48e6-8bb3-e91fedaf4a04 john_doe@trendmicro.com john\\trend\\project\\abc.txt*"
Yes
<field_name>: "*john\\trend\\project\\abc.txt*"
Yes

Wildcard queries

Category
Description
Example
Token-based query
Case-sensitive
Start with
Note
Note
Wildcard queries for the categories Start with, End with and MISC in dynamic fields decreases query performance.
An asterisk (*) is at the end of the string.
Trend*
No
No
End with
An asterisk (*) is at the beginning of the string.
*Micro
No
No
Contain
An asterisk (*) is at the beginning and the end of the string.
Note
Note
Contain category wildcard queries usepartial match.
*Vision*
Yes
No
MISC.
There are one or several asterisks (*) in the middle of the string.
Note
Note
  • The match pattern can be in the middle of the string value: "Tre*d" matches the value "HelloTrendMicro".
  • Tr*nd
  • **Micro
  • *Vis*ion*
  • One**
No
Yes
Query Criteria
(Example: "Trend_Micro-Vision-One: fa73ad07-ef36-48e6-8bb3-e91fedaf4a04 john_doe@trendmicro.com")
Category
Description
Returns Results
<field_name>: "Trend*"
Start with
Finds the values that start with "Trend".
Yes
<field_name>: "trend*"
Start with
Finds the values that start with "trend".
Yes
<field_name>: "*trendmicro.com"
End with
Finds the values that end with "trendmicro.com".
Yes
<field_name>: "*TRENDMICRO.COM"
End with
Finds the values that end with "TRENDMICRO.COM".
Yes
<field_name>: "*Trend_Micro*"
Contain
Finds the values that contain "Trend_Micro".
Yes
<field_name>: "*trend_micro*"
Contain
Finds the values that contain "trend_micro".
Yes
<field_name>: "Trend*com"
MISC.
Finds the values that have "Trend" as the beginning and "com" as the end of the string.
Yes
<field_name>: "Tre*"
Start with
Finds the values that start with "Tre".
Yes
<field_name>: "*micro.com"
End with
Finds the values that end with "micro.com".
Yes
<field_name>: "*fa73ad07*e91fedaf4a04*"
MISC.
Finds the values that match "*fa73ad07*e91fedaf4a04*".
Yes
<field_name>: "fa73ad07*e91fedaf4a04"
MISC.
Finds the values that match "fa73ad07*e91fedaf4a04".
Yes
<field_name>: "fa73ad07*"
Start with
Finds the values that start with "fa73ad07".
"fa73ad07" is the start of a token but not the start of the whole string, so the result does not match.
No
<field_name>: "fa73ad07**"
MISC.
Finds the values that match "fa73ad07**".
Since there is a "*" in the middle of the string, this is a MISC. wildcard search.
The MISC. wildcard searches for results even in the middle of the string.
Yes
<field_name>: "*Vision-One"
End with
Finds the values that end with "Vision-One".
"Vision-One" is the end of a token but not the end of the whole string, so the result does not match.
No
<field_name>: "**Vision-One"
MISC.
Finds the values that match "**Vision-One".
Since there is a "*" in the middle of the string, this is a MISC. wildcard search.
The MISC. wildcard searches for results even in the middle of the string.
Yes
<field_name>: "**vision-one"
MISC.
Finds the values that match "**vision-one".
MISC. wildcard search is case-sensitive, so "vision-one" does not match "Vision-One".
No
<field_name>: "*Visio*"
Contain
Finds the values that contain "Visio".
"Visio" is not a token in the string, so the result does not match.
No
<field_name>: "VISION*COM"
MISC.
Finds the values that have "VISION" in the beginning and "COM" in the end of the string.
MISC. wildcard search is case-sensitive, so "vision" does not match "Vision".
No

Query filters

Action
Description
Supported Field Types
Add Filter: field IS value
Adds the selected value as criteria to the existing query.
  • String
  • Dynamic
  • Int
  • Long
Note
Note
The dynamic type partially matches to every element.
Add Filter: field IS NOT value
Adds the selected value as an exception to the existing query.
  • String
  • Dynamic
  • Int
  • Long
Note
Note
The dynamic type removes all results that only have partial match results.
Add Filter: field IS EMPTY
Adds the selected field with no value as criteria to the existing query.
  • String
  • Dynamic
  • Int
  • Long
Add Filter: field EXISTS
Adds the selected field with any value as criteria to the existing query.
  • String
  • Dynamic
  • Int
  • Long
Add Filter: field DOES NOT EXIST
Adds the selected field with no value as criteria to the existing query.
  • String
  • Dynamic
  • Int
  • Long

Logical operator precedence

Precedence
Operator
Description
Example
1
( )
Group logical expressions
Return events that include port 80, 81, or 82
port: (80 OR 81 OR 82)
2
NOT
Logical NOT
Return events that do not include port 80
NOT port: 80
3
AND
Logical AND
Note
Note
The AND operator has a higher precedence than OR, but the precedence can be overridden by grouping the operators in parentheses. The following two queries are equal:
  • port: 80 OR port: 81 AND endpointHostname: "john"
  • port: 80 OR (port: 81 AND endpointHostname: "john")
4
OR
Logical OR

Escape operators and characters

Category Operator or Character Match Type and Example
Keyword
  • AND
  • OR
  • NOT
Partial match
  • ruleName: Engine \AND analyzed
Special character
  • \
  • (
  • )
  • :
  • <
  • >
  • "
  • *
  • {
  • }
Partial match
  • processCmd: C\:
Full match keyword
  • "
  • \
Full match
  • objectCmd: "*hang\""
Regex keyword
  • \
  • /
Regex match
  • filePath: /\/etc\/pwd\/config\/aaa/
White space
  • \t
  • \r
  • \n
Partial match
  • objectRegistryData: *\\t**
Regex match
  • filePath: /\windows\system\\temp/
Related information