When viewing system events under alerts, you can use the keywords in this section to search and filter.
Action
Use the syntax action:<text> to search by the action which caused the event.
action:agent-reconnected
Created timestamp
The timestamp fields created_at can be searched using the syntax created_at:<term>. The term supports the standard runZero time comparison syntax.
created_at:>2weeks
created_at:<30minutes
updated_at:>1month
updated_at:2hours
Details
The details in the event record can be searched using the syntax details:<text>. This can be useful for searching for IP addresses.
details:192.168.0.1
Source and target name
The source (src) column can be searched using the syntax src:<text> or source:<text>. The target (tgt) column can be searched using tgt:<text> target:<text>.
src:crowdstrike
target:primary
Source and target type
The source type (shown at the start of the src column) can be searched using the syntax src_type:<text> or source_type:<text>.
Similarly, the target type can be searched using tgt_type:<text> or target_type:<text>.
src_type:task
target_type:site
Organization, site, source and target IDs
The IDs of organizations, sites, sources and targets mentioned in event details can be searched using the following search terms:
organization_id:<uuid>site_id:<uuid>source_id:<uuid> or src_id:<uuid>target_id:<uuid> or tgt_id:<uuid>
The IDs are unique and are written as UUIDs.
organization_id:0eacf412-6e69-11ec-88b9-f875a414a63a