Database search and filtering methods

Symantec Endpoint Detection and Response provides several methods to search for and filter data. The Search and filtering methods table lists and briefly describes each method; click the method name to see the query syntax and examples for that method.
Do not use "=" in database queries. Use ":" instead.
Search and filtering methods

Method         | Description
Saved searches | Access searches that have already been created and saved.
Quick filters  | Predefined filters for commonly sought data.
Freeform       | Returns or excludes data based solely on a value, regardless of the field(s) the value appears with.
Exact match    | Returns or excludes data matching the exact field names and their values.
Ranged         | Returns or excludes data falling between two specified values of a given field.
Regex          | Returns or excludes data matching a regular expression. Symantec EDR uses a subset of the Perl regular expression features. See query-dsl-regexp-query.html#regexp-syntax for supported features.
Exists         | Returns the data based on the presence or absence of a given field.
One-of         | Returns or excludes data based on specific values for a given field.
Complex        | Two or more of the preceding search methods that, when combined, can create queries of nearly any complexity.
Example data set
Three records are used for the examples in this section, each with the same fields but with different values. The Examples data set table lists the records and the data that are used in the examples.
A hyphen ("-") indicates that the field is not present in the record.
Examples data set

type_id (integer) | email_address (keyword) | location (text) | received_date (date) | command_name (keyword)
4118 | [email protected] someplace.com | Cambridge, MA | - | -
4125 | - | Cambridge, CA | 2018-03-23T00:00:01.733Z | -
4128 | [email protected] somewhere.com | Cambridge, OH | - | get_file
Quick filters
Quick filters are predefined searches for commonly sought detections and data. The available quick filters depend on the type of search you perform: database, entities, endpoint, and so on. The available quick filters for a given search type appear in the Add Filter dialog. You can select quick filters from the pop-up dialog, or you can manually enter the name of a quick filter into the search-filter bar.
Quick filters are not supported for Internet Explorer. Use Firefox or Chrome to use quick filter functionality.
Syntax
quick:"<quick_filter_value>"
The value for the quick filter must be enclosed in quotes.
Example
Query: quick:"Get File"
Results for the quick filter query quick:"Get File"

type_id (integer) | email_address (keyword) | location (text) | received_date (date) | command_name (keyword)
4128 | [email protected] somewhere.com | Cambridge, OH | - | get_file
Freeform
Freeform searches are "fuzzy" searches; the results are approximate matches based on the query string. The following caveats apply to freeform searches:
  • The results reflect any events which contain the specified value.
  • Values that contain spaces or colons must be enclosed in quotes.
  • Date values do not work within freeform searches. For instance, the following are not allowed:
    • "12:00"
    • "2018-02-22 17:15:31 UTC"
    For time-based searches, see Exact match.
  • Data of the type text is case-insensitive. Data of the type keyword is case-sensitive.
Syntax
value_query
Example A
Query: cambridge
Results for the freeform query: cambridge
type_id (integer) | email_address (keyword) | location (text) | received_date (date) | command_name (keyword)
4118 | [email protected] someplace.com | Cambridge, MA | - | -
4125 | - | Cambridge, CA | 2018-03-23T00:00:01.733Z | -
Example B
Query: 41*
Results for the freeform query: 41*
type_id (integer) | email_address (keyword) | location (text) | received_date (date) | command_name (keyword)
4118 | [email protected] someplace.com | Cambridge, MA | - | -
4125 | - | Cambridge, CA | 2018-03-23T00:00:01.733Z | -
4128 | [email protected] somewhere.com | Cambridge, OH | - | get_file
Example C
Query: -cambridge
The minus sign preceding the value inverts the query from include to exclude. This query thus returns all documents that do not contain a value of cambridge in any field.
Results for the freeform query: -cambridge

type_id (integer) | email_address (keyword) | location (text) | received_date (date) | command_name (keyword)
No result
Exact match
The exact-match search method returns only those records that precisely match the field:value parameters that you enter.
Syntax:
field:value
The following caveats apply for the exact-match search:
  • Fields are case-sensitive.
  • Values that contain spaces or colons must be enclosed in quotes.
Example A
Query: type_id: 4118
Results for the exact-match query type_id: 4118
type_id (integer) | email_address (keyword) | location (text) | received_date (date) | command_name (keyword)
4118 | [email protected] someplace.com | Cambridge, MA | - | -
Example B
Query: location:"Cambridge, CA"
Results for the exact-match query location:"Cambridge, CA"
type_id (integer) | email_address (keyword) | location (text) | received_date (date) | command_name (keyword)
4125 | - | Cambridge, CA | 2018-03-23T00:00:01.733Z | -
Example C
Query: -type_id: 4118
The minus sign preceding the value inverts the query from include to exclude. This query thus returns all documents that do not contain a value of "4118" in the "type_id" field.
Results for the exact-match query -type_id: 4118

type_id (integer) | email_address (keyword) | location (text) | received_date (date) | command_name (keyword)
4125 | - | Cambridge, CA | 2018-03-23T00:00:01.733Z | -
4128 | [email protected] somewhere.com | Cambridge, OH | - | get_file
Ranged
Ranged searches let you search for the values that appear within a given numeric range.
Syntax:
field:{<gte> TO <lte>}
<gte> = "greater than or equal to", and <lte> = "less than or equal to." Replace either <gte> or <lte> with '*' to indicate no lower or upper bound. For example, {* TO *} returns all values for the field.
Regex is not supported for the <gte> or <lte> elements. For instance, age:{3 TO 10} works, but age:{10 TO 3*} does not.
Example A
Query: type_id: {4000 TO *}
Results for the ranged query: type_id: {4000 TO *}
type_id (integer) | email_address (keyword) | location (text) | received_date (date) | command_name (keyword)
4118 | [email protected] someplace.com | Cambridge, MA | - | -
4125 | - | Cambridge, CA | 2018-03-23T00:00:01.733Z | -
4128 | [email protected] somewhere.com | Cambridge, OH | - | get_file
Example B
Ranged queries also work with text. Text is tested lexically (progressive alphabetizing) for inclusion in the range.
Query: location: {"Cambridge, CA" TO "Cambridge, OH" }
Results for the ranged query: location: {"Cambridge, CA" TO "Cambridge, OH" }
type_id (integer) | email_address (keyword) | location (text) | received_date (date) | command_name (keyword)
4118 | [email protected] someplace.com | Cambridge, MA | - | -
4125 | - | Cambridge, CA | 2018-03-23T00:00:01.733Z | -
4128 | [email protected] somewhere.com | Cambridge, OH | - | get_file
Example C
Query: -type_id: {* TO 4118}
The minus sign preceding the value inverts the query from include to exclude. This query thus returns all documents that do not contain the values ranging from "0 to 4118" in the "type_id" field.
Results for the ranged query: -type_id: {* TO 4118}

type_id (integer) | email_address (keyword) | location (text) | received_date (date) | command_name (keyword)
4125 | - | Cambridge, CA | 2018-03-23T00:00:01.733Z | -
4128 | [email protected] somewhere.com | Cambridge, OH | - | get_file
Regex
Regex searches let you use regular expressions to test field values for inclusion in the search results.
Symantec EDR uses a subset of the Perl regex features. See query-dsl-regexp-query.html#regexp-syntax for supported features.
Regex queries only work on keyword and text fields.
Syntax:
field:/<regex_pattern>/
Example A
Query: email_address:/.*some.*/
Results for the regex query: email_address:/.*some.*/
type_id (integer) | email_address (keyword) | location (text) | received_date (date) | command_name (keyword)
4118 | [email protected] someplace.com | Cambridge, MA | - | -
4128 | [email protected] somewhere.com | Cambridge, OH | - | get_file
Example B
Query: email_address:/.*some(one|place).*/
Results for the regex query: email_address:/.*some(one|place).*/
type_id (integer) | email_address (keyword) | location (text) | received_date (date) | command_name (keyword)
4118 | [email protected] someplace.com | Cambridge, MA | - | -
Example C
Query: -command_name:/.*/
The minus sign preceding the value inverts the query from include to exclude. This query thus returns all documents that do not match the regex command_name:/.*/.
Results for the regex query: -command_name:/.*/

type_id (integer) | email_address (keyword) | location (text) | received_date (date) | command_name (keyword)
4118 | [email protected] someplace.com | Cambridge, MA | - | -
4125 | - | Cambridge, CA | 2018-03-23T00:00:01.733Z | -
Exists
The "exists" query looks for the records that contain (or do not contain) a specific field.
Syntax:
exists:field
Example A
Query: exists:command_name
Results for the exists query: exists:command_name

type_id (integer) | email_address (keyword) | location (text) | received_date (date) | command_name (keyword)
4128 | [email protected] somewhere.com | Cambridge, OH | - | get_file
Example B
Query: -exists:email_address
The minus sign preceding the value inverts the query from include to exclude. This query thus returns all documents that do not include the field email_address.
Results for the exists query: -exists:email_address

type_id (integer) | email_address (keyword) | location (text) | received_date (date) | command_name (keyword)
4125 | - | Cambridge, CA | 2018-03-23T00:00:01.733Z | -
One-of
One-of searches let you search for different values for a given field.
Syntax:
field:[<value> OR <value> ...]
You can append additional values to extend the search.
Example A
Query: type_id:[4118]
Results for the one-of query: type_id:[4118]

type_id (integer) | email_address (keyword) | location (text) | received_date (date) | command_name (keyword)
4118 | [email protected] someplace.com | Cambridge, MA | - | -
Example B
Query: type_id:[4118 OR 4125]
Results for the one-of query: type_id:[4118 OR 4125]
type_id (integer) | email_address (keyword) | location (text) | received_date (date) | command_name (keyword)
4118 | [email protected] someplace.com | Cambridge, MA | - | -
4125 | - | Cambridge, CA | 2018-03-23T00:00:01.733Z | -
Example C
Query: -type_id:[4118 OR 4125]
The minus sign preceding the value inverts the query from include to exclude. This query thus returns all documents that do not include the type_id "4118" or "4125".
Results for the one-of query: -type_id:[4118 OR 4125]

type_id (integer) | email_address (keyword) | location (text) | received_date (date) | command_name (keyword)
4128 | [email protected] somewhere.com | Cambridge, OH | - | get_file
Complex
Complex queries contain two or more of the other search methods.
Syntax:
( <SEARCH_METHOD> <AND | OR> <SEARCH_METHOD> ) ...
You can append other search functions (with their fields and values) to achieve any desired level of specificity. Use parentheses to set the order of precedence for the search.
Example
Query: (quick:"Get File" AND -type_id:{4118 TO 4125})
This example combines a quick filter and a ranged query into a single complex query. The minus sign preceding a range inverts the query.
Results for the complex query: (quick:"Get File" AND -type_id:{4118 TO 4125})
type_id (integer) | email_address (keyword) | location (text) | received_date (date) | command_name (keyword)
4128 | [email protected] somewhere.com | Cambridge, OH | - | get_file
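As an added example that is not part of the Symantec documentation, the following Python evaluator models every method described on this page (quick filter, freeform, exact match, ranged, regex, exists, one-of, "-" negation, and a flat AND/OR chain) against a constructed copy of the three-record example data set, so the result tables above can be reproduced and the text-versus-keyword case rule and range semantics can be checked. The e-mail local parts, the definition of the "Get File" quick filter, anchored regex matching and the wildcard handling are assumptions; this is a model of the query syntax, not the product's query engine.

```python
import re
# Constructed copy of the page's three-record example data set (None = the "-" of the
# page's tables); the e-mail local parts are placeholders because the page redacts them.
FIELD_TYPES = {"type_id": "integer", "email_address": "keyword", "location": "text",
               "received_date": "date", "command_name": "keyword"}
ROWS = [(4118, "user1@someplace.com", "Cambridge, MA", None, None),
        (4125, None, "Cambridge, CA", "2018-03-23T00:00:01.733Z", None),
        (4128, "user2@somewhere.com", "Cambridge, OH", None, "get_file")]
RECORDS = [{f: v for f, v in zip(FIELD_TYPES, row) if v is not None} for row in ROWS]
# Assumed definition of the "Get File" quick filter; the page shows only its result.
QUICK_FILTERS = {"Get File": "command_name:get_file"}

def _norm(field, value):  # text fields compare case-insensitively, all others as-is
    return str(value).lower() if FIELD_TYPES[field] == "text" else str(value)

def _clause(rec, q):  # evaluate one clause (without a leading '-') against one record
    if q.startswith("quick:"):
        return _clause(rec, QUICK_FILTERS[q[7:-1]])
    if q.startswith("exists:"):
        return q[7:] in rec
    m = re.fullmatch(r"(\w+):\s*(.*)", q)
    if not m:  # freeform: the value may appear in any field, '*' is a wildcard
        pat = re.escape(q.strip('"')).replace(r"\*", ".*")
        return any(re.search(pat, str(v), re.I if FIELD_TYPES[f] == "text" else 0)
                   for f, v in rec.items())
    field, val = m.groups()
    if field not in rec:
        return False
    have = rec[field]
    if val.startswith("/"):  # regex: anchored full match, keyword and text fields only
        return FIELD_TYPES[field] in ("keyword", "text") and bool(re.fullmatch(val[1:-1], str(have)))
    if val.startswith("{"):  # ranged: numeric for integers, lexical for strings, '*' = no bound
        lo, hi = (s.strip(' "') for s in val[1:-1].split(" TO "))
        cast = int if FIELD_TYPES[field] == "integer" else str
        return (lo == "*" or cast(lo) <= have) and (hi == "*" or have <= cast(hi))
    if val.startswith("["):  # one-of
        return _norm(field, have) in {_norm(field, v.strip(' "')) for v in val[1:-1].split(" OR ")}
    return _norm(field, have) == _norm(field, val.strip('"'))  # exact match

def _match(rec, c):  # a leading '-' inverts the clause from include to exclude
    return not _clause(rec, c[1:]) if c.startswith("-") else _clause(rec, c)

def _eval(rec, parts):  # parts = [clause, op, clause, op, ...], evaluated left to right
    ok = _match(rec, parts[0])
    for op, c in zip(parts[1::2], parts[2::2]):
        ok = (ok and _match(rec, c)) if op == "AND" else (ok or _match(rec, c))
    return ok

def search(query):  # type_ids of the matching records; '-' negation plus a flat AND/OR chain
    parts = re.split(r"\s+(AND|OR)\s+(?=-?\w+:)", query.strip().strip("()"))
    return [r["type_id"] for r in RECORDS if _eval(r, parts)]
```

Nested parentheses are not parsed; the complex example on this page has a single pair around a flat chain, which is all the splitter handles.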