Events

When viewing system events under alerts, you can use the keywords in this section to search and filter.

Note that event records are retained for one year.

Action

Use the syntax action:<text> to search by the action which caused the event.

action:agent-reconnected

Created timestamp

The timestamp fields created_at and updated_at can be searched using the syntax created_at:<term> or updated_at:<term>. The term supports the standard runZero time comparison syntax (a comparison operator followed by a duration).

created_at:>2weeks
created_at:<30minutes
updated_at:>1month
updated_at:2hours

Details

The details in the event record can be searched using the syntax details:<text>. This can be useful for searching for IP addresses.

details:192.168.0.1

Source and target name

The source (src) column can be searched using the syntax src:<text> or source:<text>. The target (tgt) column can be searched using tgt:<text> or target:<text>.

src:crowdstrike
target:primary

Source and target type

The source type (shown at the start of the src column) can be searched using the syntax src_type:<text> or source_type:<text>.

Similarly, the target type can be searched using tgt_type:<text> or target_type:<text>.

src_type:task
target_type:site

Organization, site, source and target IDs

The IDs of organizations, sites, sources and targets mentioned in event details can be searched using the following search terms:

  • organization_id:<uuid>
  • site_id:<uuid>
  • source_id:<uuid> or src_id:<uuid>
  • target_id:<uuid> or tgt_id:<uuid>

The IDs are unique and are written as UUIDs.

organization_id:0eacf412-6e69-11ec-88b9-f875a414a63a
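The keywords above, exercised end to end by an added local evaluator written in Python. This is example code, not runZero's search engine: it parses a query string of the form shown on this page, rejects unknown keywords, malformed UUIDs in the ID terms and malformed time terms, and filters a small set of event records constructed for the example. The event records, the 30-day month, the reading of created_at:>2weeks as "created more than two weeks ago", the reading of a bare duration such as updated_at:2hours as "within the last two hours", substring matching for details and exact (case-insensitive) matching for every other field are all assumptions made for the example, not documented runZero behaviour.

```python
"""Local evaluator for runZero-style event search terms (added example)."""
import re
import uuid
from datetime import datetime, timedelta, timezone

# Every keyword alias on the page maps to one canonical record field.
ALIASES = {
    "action": "action", "details": "details",
    "src": "src", "source": "src", "tgt": "tgt", "target": "tgt",
    "src_type": "src_type", "source_type": "src_type",
    "tgt_type": "tgt_type", "target_type": "tgt_type",
    "organization_id": "organization_id", "site_id": "site_id",
    "source_id": "source_id", "src_id": "source_id",
    "target_id": "target_id", "tgt_id": "target_id",
    "created_at": "created_at", "updated_at": "updated_at",
}
ID_FIELDS = {"organization_id", "site_id", "source_id", "target_id"}
TIME_FIELDS = {"created_at", "updated_at"}
# Assumption: a month is treated as 30 days for comparison purposes.
UNITS = {"minute": 60, "hour": 3600, "day": 86400, "week": 604800, "month": 2592000}
DURATION_RE = re.compile(r"^([<>]=?)?(\d+)(minute|hour|day|week|month)s?$")


def parse_query(query):
    """Split 'key:value key:value' into (field, value) pairs, validating each term."""
    terms = []
    for token in query.split():
        if ":" not in token:
            raise ValueError(f"expected key:value, got {token!r}")
        key, value = token.split(":", 1)
        if key not in ALIASES:
            raise ValueError(f"unknown keyword {key!r}")
        field = ALIASES[key]
        if field in ID_FIELDS:
            uuid.UUID(value)  # raises ValueError for anything that is not a UUID
        if field in TIME_FIELDS and not DURATION_RE.match(value):
            raise ValueError(f"bad time term {value!r}")
        terms.append((field, value))
    return terms


def _time_match(event_ts, term, now):
    """Compare the age of the event against the duration in the term."""
    op, count, unit = DURATION_RE.match(term).groups()
    age = (now - event_ts).total_seconds()
    span = int(count) * UNITS[unit]
    op = op or "<"  # assumption: a bare duration means "within the last N"
    return {"<": age < span, "<=": age <= span, ">": age > span, ">=": age >= span}[op]


def event_matches(event, terms, now):
    """All terms must match (implicit AND); details is a substring match."""
    for field, value in terms:
        if field in TIME_FIELDS:
            if not _time_match(event[field], value, now):
                return False
        elif field == "details":
            if value.lower() not in str(event.get("details", "")).lower():
                return False
        elif str(event.get(field, "")).lower() != value.lower():
            return False
    return True


def search(events, query, now=None):
    """Return the events matching the query, evaluating ages relative to now."""
    now = now if now is not None else datetime.now(timezone.utc)
    terms = parse_query(query)
    return [e for e in events if event_matches(e, terms, now)]


# Constructed sample data: a fixed "now" and three hypothetical event records.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
ORG = "0eacf412-6e69-11ec-88b9-f875a414a63a"
SITE = "2b1c9e10-6e69-11ec-88b9-f875a414a63a"


def _event(action, src_type, src, tgt_type, tgt, details, age):
    return {"action": action, "src_type": src_type, "src": src, "tgt_type": tgt_type,
            "tgt": tgt, "details": details, "organization_id": ORG, "site_id": SITE,
            "created_at": NOW - age, "updated_at": NOW - age}


EVENTS = [
    _event("agent-reconnected", "agent", "scanner-01", "site", "primary",
           "agent reconnected from 192.168.0.1", timedelta(minutes=10)),
    _event("task-completed", "task", "nightly-scan", "site", "primary",
           "scan of 10.0.0.0/24 finished", timedelta(days=20)),
    _event("integration-sync", "integration", "crowdstrike", "organization", "acme",
           "synced 412 hosts", timedelta(days=3)),
]

if __name__ == "__main__":
    for q in ("action:agent-reconnected", "created_at:>2weeks", "src_type:task target:primary"):
        print(q, "->", [e["src"] for e in search(EVENTS, q, NOW)])
```

Each whitespace-separated token is one term and all terms must match, which is the only way to combine the keywords on this page; a term whose key is not listed above is rejected rather than silently ignored, so a typo such as targett:primary surfaces as an error instead of an empty result.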
Updated