Events

When viewing system events under alerts, you can use the keywords in this section to search and filter.

Action

Use the syntax action:<text> to search by the action which caused the event.

action:agent-reconnected

Created and updated timestamps

The timestamp fields created_at and updated_at can be searched using the syntax created_at:<term> or updated_at:<term>. The term supports the standard runZero time comparison syntax.

created_at:>2weeks
created_at:<30minutes
updated_at:>1month
updated_at:2hours

Details

The details in the event record can be searched using the syntax details:<text>. This can be useful for searching for IP addresses.

details:192.168.0.1

Source and target name

The source (src) column can be searched using the syntax src:<text> or source:<text>. The target (tgt) column can be searched using tgt:<text> or target:<text>.

src:crowdstrike
target:primary

Source and target type

The source type (shown at the start of the src column) can be searched using the syntax src_type:<text> or source_type:<text>.

Similarly, the target type can be searched using tgt_type:<text> or target_type:<text>.

src_type:task
target_type:site

Organization, site, source and target IDs

The IDs of organizations, sites, sources and targets mentioned in event details can be searched using the following search terms:

  • organization_id:<uuid>
  • site_id:<uuid>
  • source_id:<uuid> or src_id:<uuid>
  • target_id:<uuid> or tgt_id:<uuid>

The IDs are unique and are written as UUIDs.

organization_id:0eacf412-6e69-11ec-88b9-f875a414a63a
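The following is an added example, not runZero's own code: a small evaluator that applies every keyword described on this page (action, created_at/updated_at, details, src/tgt, src_type/tgt_type and the four ID keywords) to a list of exported event records, so the same queries can be re-run offline, for instance over an event export kept for incident review. The semantics are assumptions: terms separated by spaces are ANDed; text keywords match as case-insensitive substrings; ID keywords match exactly; a time term compares the event's age against the duration, with ">" meaning older than, "<" meaning within, and a bare duration treated as within. The sample events, their UUIDs (other than the organization ID shown above) and the fixed reference time are constructed for the example.

```python
"""Evaluate runZero-style event search terms over exported event records.

Added example, not runZero code. The query semantics below are assumptions
about how the keywords on the page behave, not a statement of the product's
exact matching rules.
"""
import re
from datetime import datetime, timedelta, timezone

UNIT_SECONDS = {
    "minute": 60, "hour": 3600, "day": 86400,
    "week": 7 * 86400, "month": 30 * 86400, "year": 365 * 86400,
}

# Keyword synonyms listed on the page map to one canonical field name.
ALIASES = {
    "source": "src", "target": "tgt",
    "source_type": "src_type", "target_type": "tgt_type",
    "src_id": "source_id", "tgt_id": "target_id",
}

TEXT_FIELDS = {"action", "details", "src", "tgt", "src_type", "tgt_type"}
ID_FIELDS = {"organization_id", "site_id", "source_id", "target_id"}
TIME_FIELDS = {"created_at", "updated_at"}


def parse_duration(text):
    """'2weeks' -> timedelta(days=14); the plural 's' is optional."""
    m = re.fullmatch(r"(\d+)\s*(minute|hour|day|week|month|year)s?", text.strip())
    if not m:
        raise ValueError(f"bad duration: {text!r}")
    return timedelta(seconds=int(m.group(1)) * UNIT_SECONDS[m.group(2)])


def parse_query(query):
    """Split 'action:foo created_at:>2weeks' into [(field, op, value), ...]."""
    terms = []
    for token in query.split():
        field, sep, value = token.partition(":")
        if not sep:
            raise ValueError(f"term without keyword: {token!r}")
        field = ALIASES.get(field, field)
        op = ""
        # Only the timestamp keywords take a comparison operator.
        if field in TIME_FIELDS and value[:1] in ("<", ">"):
            op, value = value[0], value[1:]
        terms.append((field, op, value))
    return terms


def term_matches(event, field, op, value, now):
    """Apply one parsed term to one event record."""
    if field in TIME_FIELDS:
        age = now - event[field]
        limit = parse_duration(value)
        if op == ">":
            return age > limit      # older than the duration
        return age < limit          # '<' or bare duration: within it (assumption)
    if field in ID_FIELDS:
        return event.get(field, "").lower() == value.lower()   # UUIDs: exact match
    if field in TEXT_FIELDS:
        return value.lower() in str(event.get(field, "")).lower()
    raise ValueError(f"unknown keyword: {field!r}")


def search_events(events, query, now=None):
    """Return the events matching every term of the query (terms are ANDed)."""
    now = now or datetime.now(timezone.utc)
    terms = parse_query(query)
    return [e for e in events if all(term_matches(e, *t, now) for t in terms)]


# Constructed sample data: a fixed reference time and three made-up events.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
ORG_A = "0eacf412-6e69-11ec-88b9-f875a414a63a"      # organization ID from the page
ORG_B = "22222222-2222-4222-8222-222222222222"      # constructed placeholder
SAMPLE_EVENTS = [
    {"action": "agent-reconnected", "details": "explorer 192.168.0.1 reconnected",
     "src": "explorer-01", "src_type": "agent", "tgt": "primary", "tgt_type": "site",
     "organization_id": ORG_A, "site_id": "33333333-3333-4333-8333-333333333333",
     "created_at": NOW - timedelta(minutes=10), "updated_at": NOW - timedelta(minutes=10)},
    {"action": "task-completed", "details": "crowdstrike import added 42 assets",
     "src": "crowdstrike sync", "src_type": "task", "tgt": "primary", "tgt_type": "site",
     "organization_id": ORG_A, "site_id": "33333333-3333-4333-8333-333333333333",
     "created_at": NOW - timedelta(days=45), "updated_at": NOW - timedelta(days=45)},
    {"action": "user-login", "details": "login from 10.0.0.5",
     "src": "alice", "src_type": "user", "tgt": "console", "tgt_type": "organization",
     "organization_id": ORG_B, "site_id": "",
     "created_at": NOW - timedelta(days=5), "updated_at": NOW - timedelta(minutes=90)},
]

if __name__ == "__main__":
    for q in ("action:agent-reconnected", "created_at:>2weeks",
              "src:crowdstrike target:primary", f"organization_id:{ORG_A}"):
        hits = search_events(SAMPLE_EVENTS, q, NOW)
        print(f"{q!r}: {[e['action'] for e in hits]}")
```

Running the block prints which sample actions each of the page's example queries selects; the evaluator raises a ValueError on an unknown keyword or a malformed duration rather than silently matching nothing, which is the behaviour you want when a saved query is reused after a typo.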