When viewing system events under alerts, you can use the keywords in this section to search and filter.
Action
Use the syntax action:<text> to search by the action which caused the event.
action:agent-reconnected
Created timestamp
The timestamp fields created_at and updated_at can be searched using the syntax created_at:<term> or updated_at:<term>. The term supports the standard runZero time comparison syntax.
created_at:>2weeks
created_at:<30minutes
updated_at:>1month
updated_at:2hours
Details
The details in the event record can be searched using the syntax details:<text>. This can be useful for searching for IP addresses.
details:192.168.0.1
Source and target name
The source (src) column can be searched using the syntax src:<text> or source:<text>. The target (tgt) column can be searched using tgt:<text> or target:<text>.
src:crowdstrike
target:primary
Source and target type
The source type (shown at the start of the src column) can be searched using the syntax src_type:<text> or source_type:<text>. Similarly, the target type can be searched using tgt_type:<text> or target_type:<text>.
src_type:task
target_type:site
Organization, site, source and target IDs
The IDs of organizations, sites, sources and targets mentioned in event details can be searched using the following search terms:
organization_id:<uuid>
site_id:<uuid>
source_id:<uuid> or src_id:<uuid>
target_id:<uuid> or tgt_id:<uuid>
The IDs are unique and are written as UUIDs.
organization_id:0eacf412-6e69-11ec-88b9-f875a414a63a
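To make the keyword behaviour concrete, here is an added example (written for this page, not runZero's own code) that applies the same field:term syntax to a small set of constructed sample events held locally. The matching rules are assumptions chosen for illustration: terms in one query are combined with AND, text fields match case-insensitively on substrings, a time term is treated as an age (so created_at:>2weeks means older than two weeks, and a bare term such as updated_at:2hours means within the last two hours), months are approximated as 30 days, and ID fields must be well-formed UUIDs compared exactly. The event records, the fixed clock, and the placeholder UUIDs are all constructed; the organization ID is the one from the example above.

```python
"""Toy filter applying runZero-style event search keywords to local records.

Added example; the matching rules are assumptions for illustration only.
"""
import re
import uuid
from datetime import datetime, timedelta, timezone

# Fixed "now" so the constructed sample data evaluates identically on every run.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)

ORG_ID = "0eacf412-6e69-11ec-88b9-f875a414a63a"     # UUID from the page's example
SITE_ID = "11111111-2222-4333-8444-555555555555"    # constructed placeholder
AGENT_ID = "aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa"   # constructed placeholder
TASK_ID = "bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb"    # constructed placeholder

# Constructed sample events; keys mirror the page's search keywords.
EVENTS = [
    {"action": "agent-reconnected",
     "created_at": NOW - timedelta(minutes=10), "updated_at": NOW - timedelta(minutes=5),
     "details": "agent reconnected from 192.168.0.1",
     "src_type": "agent", "src": "scanner-01", "src_id": AGENT_ID,
     "tgt_type": "site", "tgt": "primary", "tgt_id": SITE_ID,
     "organization_id": ORG_ID, "site_id": SITE_ID},
    {"action": "task-completed",
     "created_at": NOW - timedelta(weeks=3), "updated_at": NOW - timedelta(weeks=3),
     "details": "scan of 10.0.0.0/24 finished",
     "src_type": "task", "src": "nightly-scan", "src_id": TASK_ID,
     "tgt_type": "site", "tgt": "primary", "tgt_id": SITE_ID,
     "organization_id": ORG_ID, "site_id": SITE_ID},
    {"action": "integration-synced",
     "created_at": NOW - timedelta(days=2), "updated_at": NOW - timedelta(hours=1),
     "details": "crowdstrike import: 42 assets",
     "src_type": "integration", "src": "crowdstrike", "src_id": AGENT_ID,
     "tgt_type": "organization", "tgt": "acme", "tgt_id": ORG_ID,
     "organization_id": ORG_ID, "site_id": SITE_ID},
]

# Long-form keywords map onto the short-form field names (both appear on the page).
ALIASES = {"source": "src", "target": "tgt", "source_type": "src_type",
           "target_type": "tgt_type", "source_id": "src_id", "target_id": "tgt_id"}
TIME_FIELDS = {"created_at", "updated_at"}
UUID_FIELDS = {"organization_id", "site_id", "src_id", "tgt_id"}
# Month approximated as 30 days (assumption).
UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600,
                "day": 86400, "week": 604800, "month": 2592000}

_DURATION = re.compile(r"^([<>]?)(\d+)([a-z]+?)s?$")


def parse_duration(term):
    """'>2weeks' -> ('>', timedelta(weeks=2)). A bare term means 'within' ('<')."""
    m = _DURATION.match(term.lower())
    if not m or m.group(3) not in UNIT_SECONDS:
        raise ValueError(f"bad time term: {term!r}")
    op = m.group(1) or "<"
    return op, timedelta(seconds=int(m.group(2)) * UNIT_SECONDS[m.group(3)])


def parse_query(query):
    """Split 'src:crowdstrike created_at:<1week' into (field, term) pairs."""
    pairs = []
    for token in query.split():
        if ":" not in token:
            raise ValueError(f"expected field:term, got {token!r}")
        field, term = token.split(":", 1)
        pairs.append((ALIASES.get(field, field), term))
    return pairs


def match(event, field, term, now=NOW):
    """Apply one field:term pair to one event under the assumed rules."""
    if field not in event:
        return False
    value = event[field]
    if field in TIME_FIELDS:
        op, span = parse_duration(term)
        age = now - value
        return age > span if op == ">" else age < span
    if field in UUID_FIELDS:
        # uuid.UUID() raises ValueError on malformed IDs, rejecting bad input early.
        return str(uuid.UUID(term)) == str(value).lower()
    return term.lower() in str(value).lower()


def search(query, events=EVENTS, now=NOW):
    """Return the events that satisfy every field:term pair in the query (AND)."""
    pairs = parse_query(query)
    return [e for e in events if all(match(e, f, t, now) for f, t in pairs)]


if __name__ == "__main__":
    for q in ("action:agent-reconnected", "created_at:>2weeks", "src:crowdstrike",
              "src_type:task target_type:site", f"organization_id:{ORG_ID}"):
        print(q, "->", [e["action"] for e in search(q)])
```

Running the block prints which sample actions each of the page's example queries selects; the same parser rejects a time term without a recognised unit or an ID that is not a valid UUID, which is the check a defender wants when queries are built from user input.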