
Pivot Search



A Pivot Search allows you to quickly search across alerts and events in Secureworks® Taegis™ XDR for particular search terms. It then returns results for alerts and multiple types of events.

Start a Pivot Search

Note

Alerts may be searched for any time period.

Event data is treated differently: it can be searched over any period of 31 days or less. Event data can be queried either from Advanced Search, by choosing any non-Alert Type, or from Quick Search. In either case, a custom date picker lets you specify the search time range. You can select any start date for which the account may have retained data, but the end date must be chosen so that the range (the difference between the start and end dates) is no more than 31 days.

Pivot searches are designed to query data before and after the timestamp of an event or alert. By default, a pivot search looks for results within 24 hours of the original timestamp: that is, 24 hours before and 24 hours after the event or alert, a 48-hour search window in total.
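The time rules above (a default 24-hour pivot either side of the source timestamp, and the 31-day limit that applies to event searches but not alert searches) are mirrored by the following helpers, added here as an example rather than taken from Taegis XDR or its API; the function names, and treating naive timestamps as UTC, are assumptions.

```python
"""Helpers mirroring the Pivot Search time rules (added example, not Taegis code)."""
from datetime import datetime, timedelta, timezone
from typing import Tuple

EVENT_MAX_SPAN = timedelta(days=31)   # non-Alert types: range must be <= 31 days
DEFAULT_PIVOT_HOURS = 24              # default pivot looks 24 h before and after


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp; naive values are assumed to be UTC."""
    ts = datetime.fromisoformat(value)
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def pivot_window(ts: datetime, hours: int = DEFAULT_PIVOT_HOURS) -> Tuple[datetime, datetime]:
    """Return the (start, end) window a pivot search covers around ts."""
    if ts.tzinfo is None:                       # assumption: naive == UTC
        ts = ts.replace(tzinfo=timezone.utc)
    delta = timedelta(hours=hours)
    return ts - delta, ts + delta


def check_search_range(start: datetime, end: datetime, data_type: str) -> timedelta:
    """Validate a search range for a data type and return its span.

    Alerts may be searched over any period; every other (event) type is
    limited to 31 days. Raises ValueError for an invalid range.
    """
    if start > end:
        raise ValueError("start must not be after end")
    span = end - start
    if data_type.lower() != "alert" and span > EVENT_MAX_SPAN:
        raise ValueError(
            f"{data_type} searches are limited to 31 days; got {span.days} days"
        )
    return span


if __name__ == "__main__":
    # Constructed sample: an alert timestamp just after a leap day.
    alert_ts = parse_ts("2024-03-01T12:00:00")
    start, end = pivot_window(alert_ts)
    print("pivot window:", start.isoformat(), "->", end.isoformat())
    print("window span:", check_search_range(start, end, "process"))
```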

Tip

To bring up a pivot search, hover over various alert details throughout XDR, like source IPs and usernames, and select the magnifying glass next to them.

To run a pivot search, hover over various alert details throughout XDR, such as source IPs and usernames, and select the magnifying glass.

This pulls up a pivot search form with the results in a table. Click through the search result tabs, such as Process Events and Auth Events, to view results for each initiated search.

Once on a pivot search page, you can further edit the search query by choosing different fields and time frames to search.

Tip

Want to view the source alert that spawned the pivot search? Beneath the Pivot Search title, select View Details next to the source alert title and timestamp.

Source Alert for a Pivot Search

In each tab, you can open and edit the same underlying query in Advanced Search, where you have more options to customize your query.

To do so, select the external link icon above the search results table. A pre-populated Advanced Search query builder opens in a new tab, where you can further tweak the parameters and save a name for the search if desired.

Running an Advanced Search from a Pivot Search
