- Search Overview
- Search Home Page
- Performing Searches
- Basic Search
- Advanced Search
- Advanced Search Building Blocks
- Running an Advanced Search Query
- Query Syntax
- Query by Subject
- Query by Vendor and Product
- Query by Field and Value
- Query by Context Table
- Query Using Regex
- Query Using Wildcards
- Free Text Search
- Query Using Advanced Query Language Operators
- Query Using Aggregation Functions
- Query Using Structured Fields
- Dynamic Field Extraction
- Natural Language Search
- Anomaly Search
- Refine a Search
- Context Tables in Search
- Search Best Practices
- Search Results
- Histogram View of Search Results
- Search Results Navigation Bar
- Timeline View of Search Results
- List View of Search Results
- Table View of Search Results
- Aggregated Search Results
- Event Details
- Detection Details
- Entity Details
- Data Insights
- Export Search Results
- View and Download Exported Search Result Files
- Dashboard Visualizations
Table View of Search Results
The Table view of Search results shows an overview of the results in a table format. Each row of the table represents an event or a detection in the results. The columns correspond to the set of fields defined in the selected Field template or made visible in the Event or Detection tabs of the Details panel.
When you run a search, the results are displayed by default in the List view. To access the Table view, click the Table View icon ( 
) just above the navigation header for the search results.
You can interact with results in the Table view in a number of ways. The sections below provide more detail about each of the following portions of the Table view page:
Toolbar Options
When search results first display in the Table view, it displays with a histogram of the results and a two-row toolbar above the results table. To preserve viewing space as you scroll through the results, you can opt to hide the histogram.
 |
On the toolbar, the following options are available:
Summary – Click to open a new panel on the left showing a list of all parsed fields in the search results, and a count of unique values for each field. By default, these results are calculated for the first 500 results. When opened, the Summary panel is pinned to the left side of the search results page. To close it, click the Summary button again. For more information about the options available on the Summary panel, see Field Summary.
View Selector Icons – Click on a view selector icon to switch into a different view of the search results data. Options include (
) Timeline view, (
) List view, and () Table View.Aggregation View – Click the Aggregation View icon (
) to view a high level summary of the search results. For more information about adding aggregation to your search results, see Aggregated Search Results.Field Template – Click the drop down menu to select which field template should determine the selection of fields displayed for each event in the results. By default, the
Autotemplate is selected. For more information about selecting a different template, see Field Templates.Reset Columns to – Click the drop down menu to select an option to reset the text in all of the columns to a specific truncate or wrap option.
Rows per view – Click the drop-down menu to select the number of rows you want to view per page.
Pagination arrows – Click the pagination arrows to scroll backwards and forwards through the pages of event results.
Events in the Table View
Event in the Table view are listed, by default, in chronological rows, with the most recent events at the top. Each row in the table represents an event or a detection. The columns provide the specific field values for each event or detection. The columns displayed are based on the Field template that's selected in the toolbar. You can also add or remove columns, from the display, by changing field visibility in the Event or Detection tabs of the Details panel.
You can interact with each event in the following ways:
Click the drop-down menu (
) icon beside any column header in the table to format the display or visibility of each column. Available options:Truncate text – Truncates the text in each value to fit within the width of the column.
Wrap text – Wraps the text in each value so that the entire field value is displayed on multiple lines in the column width.
Hide Column – Hides the column from the Table view. Hiding a column also unpins it from display in the Timeline and List views.
Note
When you hide a column, notice that the Field Template value changes to
Custom. To redisplay the hidden column, return to the previous Field Template value. Alternately, you can navigate to the Event or Detection tab in a Details panel and re-pin the field in order to redisplay it as a column in the Table view.
To display additional options for each field in the table, click on a specific cell to show a drop-down menu. Depending on the type of field, and whether or not it was included in the original query, the options below are available:
Click View User Entity if the field in the cell is associated with a user entity. The User Entity Details panel opens and displays the information stored about the selected entity in the Attack Surface Insights application. For more information about what the Entity Details panel shows and how to use it, see View Entity Details in the Attack Surface Insights Guide.
Click Copy to copy the value of the field to the clipboard.
Click Visualize Field to pivot immediately to the Dashboard application, which opens in the visualization editor view with the information from selected field preconfigured.
Use the Query Operators to add the field in the cell to your query or to exclude it. Available operators include AND, AND NOT, or OR.
Click Remove From Query to remove the field from your query. (Available only for field values that are already included in the query.)
View Event Details – To view detailed information about a specific event in the table, click on the Details link on the far right side of the row. The Details panel opens with the Event tab displayed. It includes a full raw log message and the entire list of parsed fields from the event. For more information about working with this tab, see Event Details.
View Detection Details – To view detailed information about a specific detection event in the table, click on the Details link on the far right side of the row. The Details panel opens with the Detection tab displayed. It includes details about the rules that triggered the detection. The tab also includes a full raw log message and the entire list of parsed fields from the event. For more information about working with this tab, see Detection Details.
View Entities – To view information about any entities associated with an event in the table, click on the Details link on the far right side of the row. The Details panel opens with the Event tab displayed. Click on the Entities tab. It displays a list of any entities associated with the selected event. For more information about working with this tab, see Entity Details.
For each entity listed in the Entities tab, you can opt to open an Entity Details panel that displays extensive information stored about the selected entity in the Attack Surface Insights application. For more information about what the Entity Details panel shows and how to use it, see View Entity Details in the Attack Surface Insights Guide.
View Data Insights – If an event includes users or devices that have been parsed, you can drill down into the data for more insights about those entities as follows. Click on the Details link on the far right side of the row. When the Event tab in the Details panel opens, click on the Insights tab. For more information about working with the this tab, see Data Insights.