Quick Search
Quickly search for single-term items in the search toolbar at the top of Secureworks® Taegis™ XDR. By default, your search is performed against All Data Types, which is equivalent to running a search against the @raw logical type in the query language. Searches can also be performed against other specified logical types using a custom time range of up to 31 days.
Performing a Quick Search
Tip
Quick Search supports the following keyboard shortcuts:
- Ctrl + / opens the search menu.
- Shift + Enter submits a search query.
To perform a quick search:
- Select the search box on the right-hand side of the XDR top menu bar, or use Ctrl + /. The Quick Search menu displays.
- Enter the data you want to search for.
- Choose a data type from the drop-down menu:
Data Type | Equivalent Logical Type | Description |
---|---|---|
All Data Types | @raw | Search all event types and alerts |
Asset Name | @host | Search for a hostname as captured and normalized from ingested raw data into alerts and event fields |
Command Line | @command | Events and alerts that contain a specified command line |
Domain Name | @domain | Events and alerts that contain a specified web address |
Host Name | @host | Search for events and alerts from the endpoint agent that has the specified hostname. Hostname will be translated to host_id and the search will run using the host_id found in the XDR endpoint database. |
IP Address (v4/6) | @ip | Events and alerts that contain traffic to or from the specified IP address |
Mac | @mac | Search for any MAC address in a field |
Path | @path | Events and alerts that contain a path to a program or a file |
Port | @port | Search for any port in a field |
Program Hash | @hash | Events and alerts that contain a SHA1, SHA256, SHA512, or MD5 hash |
Sensor ID | Not Applicable | Events and alerts for the specified sensor ID |
URL | @url | Search for any URL in a field |
User | @user | Search for any user in a field |
- Modify the time range if necessary.
- Click Search or hit Shift + Enter. The search results are displayed.
Note
Alerts may be searched for any time period.
However, event data is treated differently and can be searched for any period of 31 days or less in duration. Event data can be queried either from Advanced Search by choosing any non-Alert Type or from Quick Search. When using either of these ways to query event data, a custom date picker allows you to specify a search time range. From this custom date picker, you can select any start date for which the account may have retained data. When selecting the end date for the search time range, note that the number of days in the range (the difference between the start and end dates) must be less than or equal to 31 days.
Notes
If you want to search for other event types, use Advanced Search. From any tab, you can click the 'View in Advanced Search' button to edit and add criteria to that query.