Using text search

You can manually create a search query using the industry-standard queryparsersyntax.html. Some limits apply:
To open the query editor, click on the
icon to the right of the Filter By label:
To help you save time, when you start typing a field name into the query builder, the search engine looks ahead and starts listing fields according to the characters you enter.
Each search field has a specific data type such as, boolean, text, integer, etc.. The operators you can use vary by the field data type.
For text type search fields, you can use tokens.
In the query builder, if you enter the text type field followed by a '.' then the option token is listed.
Select the token and enter the token value to complete the search.
For example,
Here, the token value used is test_app.
For more information on search fields, refer to the article, see Threat Hunting Guide .
You can also search for events by just entering the values you're looking for (without event types, field names, etc.). For example, a search for
chrome.exe events from device abc-client
"chrome.exe AND abc-client"
Be aware of the following:
  • Term types
    : There are two kinds of terms: single terms and phrases. Use double quotes (") around phrases and words that contain special characters.
  • Wildcards
    : The single character wildcard
    is used within a term to replace a single letter. For instance,
    . The multiple character wildcard * is used to replace 0 or more characters. For instance
    test, tests
    , and
    You can't use a * or ? symbol as the first character in a query.
The following characters must be escaped:
: \ / [ ] ( ) { } “ . ! ~
File name search examples
What to search for
Text Filter
Files names
File name search using wildcards
File name with any drive letter
File names containing space
File_Path:"c\:\\program files\\symantec"
File name search using regex
/ Specify_regex_within_forward_slashes/
You can specify the entire Windows file path within the regex query.
If you press Enter in between the query text, incorrect query results or invalid search query error is shown.