
Search

You must join the EAP to use this feature.

You can find specific endpoint data in the Sophos Data Lake.

You can search for indicators of compromise (IOCs) or for other data such as IP addresses or usernames.

You write your search in the Lucene query language. For help, see Lucene tutorial.

The Search page

Go to Threat Analysis Center > Search.

The right pane lets you create and run your search and displays a list of results that match it.

The Schema pane on the left shows the data fields you can use in your search. It also lets you add, remove, or reorder the corresponding columns in the results.

Search page in Threat Analysis Center

To create and run a search, do as follows:

  1. Go to Threat Analysis Center > Search.
  2. Select a time range for the detections you want to search.
  3. Enter your search in the search bar where you see "Type @ for autocompletion".

    1. Type @ and start typing the name of the data field you want to include in your search. You'll be prompted with a list of matching fields.
    2. Enter a data field followed by a colon and then the search parameter. You can include multiple data fields. Here are some examples:

      hostname:sys1 OR hostname:sys2 OR hostname:sys3 AND protocol:RDP

      command_line:mimikatz

    Alternatively, you can use free text entry to enter your own search strings. For more information, see How to build searches.

    The Search bar

  4. Optionally, in the left-hand pane, select the data fields you want to see in your results. Click names in Available columns to add them to the Visible columns that will show in results.

    For more details, see Add, remove, or reorder columns.

    Data fields list

  5. Click Search. You see results in the lower pane.

    Search results

  6. To see the full details of a detection, click the arrow beside it. Currently, the details are shown as a JSON table.

    Detection details

Currently you can't save your searches.

You can't take any actions on the detections in the results. In later releases, you'll be able to select detections and add them to Threat Analysis Center investigations.

How to build searches

Build a search using our data fields or enter your own text.

Data fields plus parameters

Enter the data field (any of the fields shown in the left-hand pane) followed by a colon and then the search parameter.

You can create searches with multiple data fields. Here are some examples:

process_name:lsass AND username:admin OR username:system

event_id:4100 OR event_id:4013 OR event_id:4104 NOT username:"help desk"

sha1:0a43ff3773e7fcbb9a98029957c41bc3af56ae94 AND dest_ip:"1.2.3.4"

hostname:sys1 OR hostname:sys2 OR hostname:sys3 AND protocol:RDP

command_line:mimikatz

run_as_username:system OR run_as_username:admin

Free text entry

Enter a string of text to find detections that include the entered text. For strings like MAC addresses or IP addresses, which include special characters, use quotation marks in free text searches.

Here are some examples:

0a43ff3773e7fcbb9a98029957c41bc3af56ae94

jdoe

"00:00:5e:00:53:af"
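As an added example (not part of the Sophos documentation), the Python helper below assembles search strings of the kind shown above: it quotes values that contain special characters or spaces, groups OR alternatives for one field in parentheses so that a following AND or NOT applies to the whole group, and builds a hunt query from indicator lists. The function names and the sample indicators are constructed for this example.

```python
"""Helpers for assembling Threat Analysis Center search strings (added example)."""
import re

# Quote anything that is not a plain word. Lucene treats characters such as
# ':' '-' '(' ')' '*' '?' '"' and '\' as operators, and the page's guidance is
# to quote MAC addresses, IP addresses and multi-word values, so a plain-word
# test is the conservative rule.
_PLAIN_WORD = re.compile(r"^[A-Za-z0-9_]+$")

def term(field, value):
    """Return a single field:value clause, quoting the value when needed."""
    value = str(value)
    if _PLAIN_WORD.match(value):
        return f"{field}:{value}"
    # Inside a quoted phrase, backslashes and double quotes must be escaped.
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'{field}:"{escaped}"'

def any_of(field, values):
    """OR together several values for one field. The group is parenthesised so
    that an AND or NOT written after it applies to the whole group rather than
    only to the last alternative."""
    clauses = [term(field, v) for v in values]
    if not clauses:
        raise ValueError(f"no values supplied for {field}")
    return clauses[0] if len(clauses) == 1 else "(" + " OR ".join(clauses) + ")"

def all_of(*clauses):
    """AND together independent clauses (each already a term or a group)."""
    return " AND ".join(clauses)

def exclude(clause):
    """Negate a clause. Lucene needs a positive clause to match against, so
    callers combine this with all_of() rather than using it on its own."""
    return f"NOT {clause}"

def ioc_hunt(sha1_hashes, dest_ips, ignore_user=None):
    """Build a hunt query from constructed indicator lists (hypothetical helper):
    any listed hash seen with any listed destination, optionally excluding a user."""
    parts = [any_of("sha1", sha1_hashes), any_of("dest_ip", dest_ips)]
    if ignore_user:
        parts.append(exclude(term("username", ignore_user)))
    return all_of(*parts)
```

Paste the returned string into the search bar; for a single-hash, single-destination hunt the result is the same shape as the sha1 AND dest_ip example above.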

Filter results

To see only the results you're most interested in, do as follows:

  1. Click Add filter.

    Add filter option

  2. In Quick filter, enter an expression that will filter the results.

    Quick filter dialog

Change the columns in results

You can either accept the default columns in results or change and reorder them.

Default columns

By default, the following columns are shown in results.

Column         Details
time           -
category       For example, "network"
activity_type  For example, "open sockets"
hostname       -
username       Not shown if no user is signed in, for example on a server
device_IP      -
device_mac     The MAC address
device_type    For example, client or server
device_make    For example, Windows or macOS

Add, remove, or reorder columns

You can change and reorder the columns of data shown in the results.

Selector for columns

In the left pane, Visible columns lists the columns currently shown in results. Available columns shows the additional columns you can select.

To remove a column, click the minus sign beside its name in Visible columns.

To add a column, click its name in Available columns. The column is added to the Visible columns list and shows as the last column in the results table.

To look for the columns you want to add, enter the name in Search fields.

To change the order of columns in the results table, drag the names in the Visible columns list into the order you want.