🌙
 

Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Advanced Search Builder

search queries advanced search builder


Secureworks® Taegis™ XDR’s Advanced Search Builder enables you to search for alerts and events according to queries that you define by choosing operators and defining fields to refine your search.

To access Builder:

  1. Navigate to Advanced Search from the left navigation bar.

  2. Select Use Builder from the top right of the page.

  3. Builder is now your default search preference until you toggle back to Query Language.

Access Advanced Search Builder

Access Advanced Search Builder

Note

The advanced search interface you most recently chose is saved as your default search preference. Use the button at the top right of either Advanced Search option to toggle between them. For example, if you most recently used the Advanced Search Query Language, you may need to select Use Builder from the top right.

Build Search Queries

Secureworks® Taegis™ XDR’s search grammar allows you to add a term to filter your search query. You can then add definitions to that term as you need to, to further refine and limit the scope of your search. When you add new terms and operators, a visual representation of the query is updated in the gray text below the query builder. You can also add as many terms as you need.

Note

Text entered in search queries is case insensitive.

Advanced Search

Search for alerts and events

Advanced Search currently allows you to search for one datatype at a time. When you create an Advanced search, you must select the alert or event type that you want. Available types are:

Data Types

Event Types

Note

Alerts may be searched for any time period.

However, event data is treated differently and can be searched for any period of 31 days or less in duration. Event data can be queried either from Advanced Search by choosing any non-Alert Type or from Quick Search. When using either of these ways to query event data, a custom date picker allows you to specify a search time range. From this custom date picker, you can select any start date for which the account may have retained data. But when selecting the end date for the search time range, note that the number of days in the range (the difference between the start and end date) must be less than or equal to 31 days.

Search Rules

Each search rule is a query composed of one or more terms. If a search rule is composed of multiple terms, then AND logic is applied to them — i.e. all of the specified term matches must occur to return results.

Logical Types

Logical types are special fields that map to field names under the appropriate data schemas for that particular field category. The logical types are designed to alleviate the need to remember and specify each individual field name for each pertinent schema. Logical types are denoted with the @ prefix. A logical type, specified with @<logical type name>, automatically queries all relevant event fields.

Logical Type Mappings

The following are the latest logical type mappings:

@command - Command line
@domain - Domain name
@hash - Hash/digest
@host - Host name
@ip - IP v4/6 address
@mac - MAC address
@path - File path
@port - TCP/UDP port
@raw - Raw log/message data
@url - URL
@user - User name

Nested Queries

Nested queries allow you to create more complex searches by grouping together multiple search rules. To construct one, select Add Nested Query and build your group of rules.

Nested Queries and Match (AND/OR)

Select OR if you want the search to match Any of your nested queries, or AND to match All of them.

Note

Be sure to apply the AND/OR selection to the intended nesting level of the query, as indicated by the dotted lines in the rule builder.

Using a Nested Query

Using a Nested Query

Share Search Results

You can share a link to the results of an advanced search to provide to other users in your tenant. Select the share ( Copy Link ) icon above the search results table and the link to the results copies to your clipboard.

Share Search Results

Share Search Results

Note

Anyone you share the results link with must be a Taegis™ XDR user and have an account in the tenant the search is from.

Add a Saved Search to an Investigation

To add a saved search to an investigation:

  1. Select Advanced Search from the Taegis™ XDR left navigation menu. Advanced Search displays.
  2. Select Saved Searches and find the saved search you want to add to an investigation from My Queries or My Organization’s.
  3. Select the overflow menu icon for the desired query and then choose Add to Investigation.
  4. The Add a Search Query to an Investigation dialog displays.

Add a Search Query to an Investigation

Add a Search Query to an Investigation

You can add the search query to an existing investigation or to a new investigation.

  1. Follow the prompts for the desired option and select OK to add the search query.

Add a Query to an Investigation

Add a Query to an Investigation

Note

When you do this, the investigation will include a link to the original search query. Please note that this does not make a copy of the search results. It also does not make a copy of the original alert or event data and does not alter the retention policy for alerts and events.

Data Retention Policy

Secureworks retains event and alert data for 12 months from the date the data is received. All other data concerns are covered in the Secureworks© Cloud Services Interface Privacy Statement.

For more information on this feature, see Add Search Queries to an Investigation.

Examples

The following search examples can be used in Advanced Search Builder in Secureworks® Taegis™ XDR. These are a few examples of how you can search and filter your data. They use sensor types along with their supported detectors.

Netflow Searches

To query network traffic events for a device type (known as sensor_type in Secureworks® Taegis™ XDR) of interest, use type netflow and the desired sensor_type.

Netflow

[Type: netflow AND sensor_type: is: PALOALTO_FIREWALL]

Netflow logs for a specific Cisco ASA

[Type: netflow AND sensor_type: is: CISCO_FIREWALL_ASA AND sensor_id: is: 10.207.32.7]

NIDS Searches

To query Network Intrusion Detection events for a device type (known as sensor_type in Secureworks® Taegis™ XDR) of interest, use type nids and the desired sens or_type.

NIDS

[Type: nids AND sensor_type: is: Watchguard Firewall]

Search for nids from Palo Alto Devices with Specific Threat ID

[Type: nids AND sensor_type: is: PALOALTO_FIREWALL] AND [signature_id: > 10000 AND signature_id: < 30000]

Authentication (Auth) Searches

To query authentication events for a device type (known as sensor_type in Secureworks® Taegis™ XDR) of interest, use type auth and the desired sensor_type.

Auth

[Type: auth AND sensor_type: is: CISCO_FIREWALL_ASA]

Search for auth Logs from Specific Cisco ASA (WebVPN Activity)

[Type: auth AND sensor_type: is: CISCO_FIREWALL_ASA AND sensor_id: is: 192.168.2.98]

Search for Authentication Events from a Specific Windows Host (sensor_id)

[Type: auth AND sensor_id: is: CALSDC01]

Search for Azure Authentication Events

Add Sensor tenant to table detail to see the Azure subscription ID.

[Type: auth AND auth_system: is: AzureActiveDirectory]
[Type: auth AND auth_system: is: AzureAD]

For both use:

[Type: auth AND auth_system: starts with: AzureA]

Search for Authentication for a Specific User

[Type: auth AND target_user_name: is: John.Brown]

Search for Authentication Failure for a Specific User

[Type: auth AND target_user_name: is: John.Brown AND action: is: FAILURE]

Search for Auth Events from Linux Hosts

Type: auth AND [sensor_type: is: sshd OR sensor_type: is: sudo]

Search for Authentication from MS Cloud Services

auth + normalizer contains microsoft

[Type: auth AND normalizer: contains: microsoft]
Last 7 Days

Process Commmandline Search

Authentications from MS Cloud Services

HTTP Searches

To query web events for a device type (known as sensor_type in Secureworks® Taegis™ XDR) of interest, use type http and the desired sensor_type.

HTTP

[Type: http AND sensor_type: is: 'Watchguard Firewall']

DNSquery Searches

To query DNS events for a device type (known as sensor_type in Secureworks® Taegis™ XDR) of interest, use type dnsquery and the desired sensor_type.

DNSquery

[Type: dnsquery AND sensor_type: is: MSDNS]

Search for Named DNS Query/Response Events

[Type: dnsquery AND sensor_type: is: named]

Process Events Searches

The following are search examples using Secureworks® Taegis™ XDR’s Advanced Search panel for alerts and events.

process + host_id contains {specified ID} for [selected date range]

[Type: process AND host_id: contains: abc123]
Last 72 Hours

This search is looking for process events tied to a particular host ID that occurred in a very tight time window.

You can also increase the specificity of a process event search. This search looks for cmd.exe:

process + host_id contains {specified ID} + parent_image_path contains cmd.exe for [selected date range]

[Type: process AND host_id: contains: abc123] AND parent_image_path: contains: cmd.exe
Last 7 Days

process commandline contains echo +commandline contains cmd + commandline contains [string]

[Type: process AND commandline: contains: echo] AND [commandline: contains: cmd AND commandline: contains: test]
Last 7 Days

Process Commmand Line Search

Process Commmand Line Search

Alerts Searches

alert + [selected date range]

Type: alert
Last 72 Hours

Search For Alerts In Time Range

Search For Alerts In Time Range

Search Alerts by Severity

You can search by alert severity by selecting the severity term and entering a value between zero and one that aligns to the desired severity percentage. This search looks for alerts that are high or critical severity:

alert + severity >= .6 for [selected date range]

[Type: alert AND severity: >=: .6]
Last 72 Hours

Search For Alerts by Severity

Search For Alerts by Severity

Search Alerts by Integration

To query alerts for an integration of interest, use type alert and the desired app, alertType, etc.

Search for Kerberoasting Alerts

[Type: alert AND creator: is: app:detect:kerberoasting-detector]

Search for Alerts from Amazon GuardDuty

[Type: alert AND alertType: is: aws_guard_duty]

 

On this page: