Skip to content


You must join the EAP to use this feature.

You can find specific endpoint data in the Sophos Data Lake.

You can search for indicators of compromise (IOCs) or for other data such as IP addresses or usernames.

You create your search using the query language Lucene. For help, see Lucene tutorial.

The Search page

Go to Threat Analysis Center > Search.

The right pane lets you create and run your search and displays a list of results that match it.

The Schema pane on the left shows the data fields you can use in your search. It also lets you add, remove, or reorder the corresponding columns in the results.

Search page in Threat Analysis Center

To create and run a search, do as follows:

  1. Go to Threat Analysis Center > Search.
  2. Select a time range for the detections you want to search.
  3. Enter your search in the search bar where you see "Type @ for autocompletion".

    1. Type @ and start typing the name of the data field you want to include in your search. You'll be prompted with a list of matching fields.
    2. Enter a data field followed by a colon and then the search parameter. You can include multiple data fields. Here are some examples:

      hostname:sys1 OR hostname:sys2 OR hostname:sys3 AND protocol:RDP


    Alternatively, you can use free text entry to enter your own search strings. For more information, see How to build searches.

    The Search bar

  4. Optionally, in the left-hand pane, select the data fields you want to see in your results. Click names in Available columns to add them to the Visible columns that will show in results.

    For more details, see Add, remove, or reorder columns

    Data fields list

  5. Click Search. You see results in the lower pane.

    Search results

  6. To see the full details of a detection, click the arrow beside it. Currently details are shown in a JSON table.

    Detection details

Currently you can't save your searches.

You can't take any actions on the detections in the results. In later releases, you'll be able to select detections and add them to Threat Analysis Center investigations.

How to build searches

Build a search using our data fields or enter your own text.

Data fields plus parameters

Enter the data field (any of the fields shown in the left-hand pane) followed by a colon and then the search parameter.

You can create searches with multiple data fields. Here are some examples:

process_name:lsass AND username:admin OR username:system

event_id:4100 OR event_id:4013 OR event_id:4104 NOT username:"help desk"

sha1:0a43ff3773e7fcbb9a98029957c41bc3af56ae94 AND dest_ip:""

hostname:sys1 OR hostname:sys2 OR hostname:sys3 AND protocol:RDP


run_as_username:system OR run_as_username:admin

Free text entry

Enter a string of text to find detections that include the entered text. For strings like MAC addresses or IP addresses, which include special characters, use quotation marks in free text searches.

Here are some examples:




Filter results

To see only the results you're most interested in, do as follows:

  1. Click Add filter.

    Add filter option

  2. In Quick filter, enter an expression that will filter the results.

    Quick filter dialog

Change the columns in results

You can either accept the default columns in results or change and reorder them.

Default columns

By default the following columns are shown in results.

Column Details
time -
category For example, "network"
activity_type For example, "open sockets"
hostname -
username Not shown if no user is signed in, for example on a server
device_IP -
device_mac The MAC address
device_type For example, client or server
device_make For example, Windows or macOS

Add, remove, or reorder columns

You can change and reorder the columns of data shown in the results.

Selector for columns

In the left pane, Visible columns lists the columns currently shown in results. Available columns shows the additional columns you can select.

To remove a column, click the minus sign beside its name in Visible columns.

To add a column, click its name in Available columns. The column is added to the Visible columns list and shows as the last column in the results table.

To look for the columns you want to add, enter the name in Search fields.

To change the order of columns in the results table, drag the names in the Visible columns list into the order you want.