Query by Subject
The subject of an event is the target entity of the event. For example, the subject of an event could be the user, an endpoint, a process, etc.
The queries are in the form:
subject: "app" OR subject= "user"
The following table lists the subjects that can be searched for in Search:
Subject | Description |
---|---|
alert | Any security alert, whether anomaly, correlation, or third-party. |
app | An application’s interface and any activities directed toward it. |
audit-policy | A unique configuration, given either globally or per service, that defines the type of audit logs that are generated or recorded and transferred to a log. |
configuration | A global setting given to a program or an app that defines how the system should work or be enforced. |
dcom | DCOM (Distributed Component Object Model). Windows endpoint components that allow COM objects to communicate with each other over the network. |
dns | Domain Name System (DNS) protocol is a network protocol used to translate hostnames to IP addresses. This subject represents DNS traffic-related activities. |
ds-object | A directory service object represents every entity that can exist in a directory service configuration, such as OUs, groups, and users. This subject is only used in cases where the original subject was undetermined. |
email | An email is a mail message that is sent or received over a computer network. |
endpoint | An endpoint machine and the objects that can represent the machine inside different applications. |
file | A storage object on endpoints and applications that contains content, data, or settings that can be written into it or read from it. |
group | A collection of user accounts or any other types of members, which can globally define their configuration, settings or role in the system. |
handle | A Windows handle is an object that represents the access point to a single object in memory. Processes in Windows must request a handle before they can directly access resources such as files or other processes. |
http | Hyper Text Transfer Protocol (HTTP). A network protocol used for web requests and communications. This subject represents HTTP (and protocols built on top of HTTP like HTTPS) traffic-related activities. |
log | A program or a service that collects audit data from an environment and keeps record of it. |
network | All unclassified network traffic and protocols. |
other | |
peripheral_storage | An external hardware device used for storing files and data such as USB, CD/DVD, or a HD.dll. |
printer | An external device which performs the functions on files and documents such as printing, copying, and faxing. |
process | An endpoint structure that represents an instance of a program that was executed and is now running. |
radius | Remote Authentication Dial-In User Service (RADIUS). A networking protocol that provides centralized authentication, authorization, and accounting management for users who connect and use a network service. |
rdp | Remote Desktop Protocol (RDP). A network protocol that provides a user with a graphical interface to connect to another computer over a network connection. This subject represents RDP traffic-related activities. |
scheduled_task | An object that is scheduled to trigger and execute a program or run certain commands. |
service | An endpoint object that represents a program or a process that runs in the background and quietly performs automated tasks. For example - Windows services or a Unix daemon. |
share | An endpoint object that allows resources and files to be shared over a computer network as if they were local. |
ssh | Secure Shell (SSH). A network protocol used for secure remote login from one computer to another over a network. This subject represents SSH traffic-related activities. |
user | The identity given to a person or a machine with which they can interact with the environment. |
vpn | A VPN interface and the activities directed toward the VPN app. |
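A mistyped subject name (for example `subject:"procces"`) silently matches nothing, so a detection rule or saved search built on it returns empty results without any error. The following Python snippet is an added example, not part of the product documentation: it extracts the subject values from a query in the two forms shown above (`subject:"..."` and `subject= "..."`), checks them against the subject names listed in the table, and builds a validated OR-joined subject clause. It assumes the search language accepts both separator forms exactly as the page shows them; the product's own parser is not involved.

```python
import re

# Subject names taken from the table above. Whether the search language matches
# subject names case-insensitively is not stated on the page, so exact matching
# against these lower-case names is used here (an assumption of this example).
KNOWN_SUBJECTS = frozenset({
    "alert", "app", "audit-policy", "configuration", "dcom", "dns", "ds-object",
    "email", "endpoint", "file", "group", "handle", "http", "log", "network",
    "other", "peripheral_storage", "printer", "process", "radius", "rdp",
    "scheduled_task", "service", "share", "ssh", "user", "vpn",
})

# Matches subject:"value" as well as subject= "value", allowing optional
# whitespace on either side of the ':' or '=' separator.
_SUBJECT_CLAUSE = re.compile(r'\bsubject\s*[:=]\s*"([^"]*)"')


def extract_subjects(query: str) -> list[str]:
    """Return every quoted subject value in the query, in order of appearance."""
    return _SUBJECT_CLAUSE.findall(query)


def unknown_subjects(query: str) -> list[str]:
    """Return the subject values in the query that are not in the documented table.

    An empty list means every subject clause names a documented subject.
    """
    return [s for s in extract_subjects(query) if s not in KNOWN_SUBJECTS]


def build_subject_query(*subjects: str) -> str:
    """Build an OR-joined subject clause such as subject:"app" OR subject:"user".

    Raises ValueError before producing a query that could never match, so a
    typo is caught when the search is authored rather than when it runs empty.
    """
    if not subjects:
        raise ValueError("at least one subject is required")
    bad = [s for s in subjects if s not in KNOWN_SUBJECTS]
    if bad:
        raise ValueError(f"unknown subject(s): {bad}")
    return " OR ".join(f'subject:"{s}"' for s in subjects)


if __name__ == "__main__":
    # Constructed sample queries: the page's own example and one with a typo.
    for q in ('subject: "app" OR subject= "user"', 'subject:"procces" AND subject="dns"'):
        print(q, "->", extract_subjects(q), "unknown:", unknown_subjects(q))
    print(build_subject_query("app", "user"))
```

`unknown_subjects` is the check worth running over saved searches and correlation rules during review: it reports only the values that would match no events, so a clean result means every subject clause refers to a subject the platform actually classifies.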