To search for telemetry events, you must use the following query syntax:
<event field name> <comparison operator> <field value>
AND
(Boolean AND) The results include only events that match both conditions (to the left and to the right of the AND operator).
For example, the query DetectActionResult == "Quarantine" AND DetectStatus == "Malware*"
returns events that have a DetectStatus starting with Malware and a DetectActionResult equal to Quarantine.
OR
(Boolean OR) The results include events that match at least one of the logical expressions.
For example, the query DetectActionResult == "Quarantine" OR DetectStatus == "Malware*"
returns events that have a DetectStatus starting with Malware or a DetectActionResult equal to Quarantine (or both).
NOT
(Boolean NOT) The results include events that do not match the expression.
For example, the query NOT (DetectActionResult == "Quarantine")
returns events in which DetectActionResult does not equal Quarantine.
()
(Grouping) Parentheses group expressions and set the order in which they are evaluated; the same conditions grouped differently return different results.
For example, the query (DetectActionResult == "Quarantine" OR DetectStatus == "Malware*") AND FileSize > 16
returns events that have a DetectStatus starting with Malware or a DetectActionResult equal to Quarantine, and whose attached file is larger than 16 bytes.
The query DetectActionResult == "Quarantine" OR (DetectStatus == "Malware*" AND FileSize > 16)
returns events that have a DetectActionResult equal to Quarantine, or events that have a DetectStatus starting with Malware and an attached file larger than 16 bytes.
==
(Equals) For example, the query DetectActionResult == "Quarantine"
returns events in which the DetectActionResult field equals Quarantine.
!=
(Does not equal) For example, the query DetectActionResult != "Quarantine"
returns events in which the DetectActionResult field does not equal Quarantine.
>
(Greater than) For example, the query FileSize > 16
returns events whose attached file is larger than 16 bytes.
<
(Less than) For example, the query FileSize < 16
returns events whose attached file is smaller than 16 bytes.
>=
(Greater than or equal to) For example, the query FileSize >= 16
returns events whose attached file is 16 bytes or larger.
<=
(Less than or equal to) For example, the query FileSize <= 16
returns events whose attached file is 16 bytes or smaller.
The <field type> part (the event field name) is case-insensitive. For example, the queries computername == "host" and COMPUTERNAME == "host" return the same results.
The <field value> part is a sequence of letters, numbers, and special characters. A <field value> cannot be the name of a <field type>. String values must be enclosed in quotation marks; the one exception is a search for a non-empty string, where the asterisk may be typed without quotation marks (for example, computername == * or computername == "*").
The <field value> part is case-insensitive. For example, the queries ComputerName == "host" and ComputerName == "HOST" return the same results.
A <field value> can include the following special characters:
*
The asterisk denotes any number of characters in a string (applicable to string values only). For example, the query EventName == "H*"
returns all events whose EventName begins with the letter H.
The asterisk also filters out events in which a field is empty (null): the query EventName == "*" or EventName == *
returns events in which the EventName field has a non-empty value.
?
The question mark denotes any single character in a string (applicable to string values only). For example, the query ProcessUserName == "User?"
returns events whose ProcessUserName is Users, User1, User2, or any other value consisting of User followed by one more character.
\
The backslash escapes the asterisk, question mark, and backslash characters so that they are matched literally instead of being interpreted as wildcards. For example, when you search for a path, double each backslash: file_pathes == "c:\\windows\\system32\\nslookup.exe".
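The rules above (the Boolean and comparison operators, case-insensitive field names and values, and the *, ? and \ special characters) can be exercised end to end with the following evaluator. It is an added example written for this page, not the product's own search engine or code. The sample events, the functions tokenize, wildcard_to_regex, parse and search, and three behaviours the page leaves unstated (a backslash escapes only *, ? and \; a value of exactly * means a non-empty field; AND binds tighter than OR when no parentheses are used) are assumptions; the field name file_pathes is taken from the path example above.

```python
# Added example (not the product's own code): an evaluator for the search syntax on
# this page, run over constructed events. Assumed, since the page does not say so:
# backslash escapes only *, ? and \; a lone * means "non-empty"; AND binds before OR.
import re

# Constructed sample telemetry events; field names follow the page's examples.
FIELDS = ("EventName", "DetectActionResult", "DetectStatus", "FileSize", "ProcessUserName", "file_pathes")
EVENTS = [dict(zip(FIELDS, row)) for row in [          # None stands for an absent field
    ("Hash check", "Quarantine", "Malware.Win32.Agent", 32, "User1", r"c:\windows\system32\nslookup.exe"),
    ("Heuristic", "Skipped", "Malware.Generic", 8, "Users", r"c:\tmp\a*b.txt"),
    ("", "Quarantine", "Clean", 16, "Administrator", ""),
    ("Harmless?", "Delete", "Not a threat", None, "user5", None),
]]
TOKEN_RE = re.compile(r'''\s*(?:
      (?P<lpar>\()|(?P<rpar>\))|(?P<op>==|!=|>=|<=|>|<)
    | (?P<str>"(?:\\.|[^"\\])*")              # quoted string, escapes kept raw
    | (?P<num>-?\d+(?:\.\d+)?)|(?P<star>\*)   # number, or bare * (non-empty check)
    | (?P<word>[A-Za-z_][A-Za-z0-9_]*)        # field name or AND/OR/NOT
)''', re.VERBOSE)
NUM_OPS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b, ">": lambda a, b: a > b,
           "<": lambda a, b: a < b, ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b}

def tokenize(query):
    """(kind, text) pairs plus an end sentinel; AND/OR/NOT become their own kinds."""
    tokens, pos = [], 0
    while query[pos:].strip():
        m = TOKEN_RE.match(query, pos)
        if m is None:
            raise SyntaxError(f"unexpected input at offset {pos}: {query[pos:pos + 10]!r}")
        kind, text = m.lastgroup, m.group(m.lastgroup)
        tokens.append((text if kind == "word" and text in ("AND", "OR", "NOT") else kind, text))
        pos = m.end()
    return tokens + [("end", "")]

def wildcard_to_regex(pattern):
    r"""Compile * and ? wildcards to a case-insensitive full-match regex; \*, \? and \\ stay literal."""
    def piece(m):   # one escape pair, one wildcard, or one ordinary character
        return {"*": ".*", "?": "."}.get(m.group(), re.escape(m.group()[-1]))
    regex = re.sub(r"\\[*?\\]|[*?]|.", piece, pattern, flags=re.DOTALL)
    return re.compile(regex, re.IGNORECASE | re.DOTALL)

def get_field(event, name):   # case-insensitive lookup; None when the field is absent
    return next((v for k, v in event.items() if k.lower() == name.lower()), None)

def comparison(field, op, kind, text):
    """Predicate for one <field> <op> <value> term; an absent field never matches."""
    if kind != "num" and op not in ("==", "!="):
        raise SyntaxError(f"operator {op} requires a numeric value")
    number = float(text) if kind == "num" else None
    rx = wildcard_to_regex(text) if kind != "num" and text != "*" else None   # lone * = non-empty
    def pred(ev):
        v = get_field(ev, field)
        if number is not None:
            return isinstance(v, (int, float)) and NUM_OPS[op](v, number)
        hit = v is not None and (str(v) != "" if rx is None else rx.fullmatch(str(v)) is not None)
        return hit == (op == "==")            # != is the exact complement of ==
    return pred

def parse(query):
    """Recursive descent: or_expr := and_expr (OR and_expr)*, and_expr := unary (AND unary)*,
    unary := NOT unary | ( or_expr ) | <field> <op> <value>. Returns an event predicate."""
    toks, cur = tokenize(query), [0]
    def take(kind):                           # consume one token of the expected kind
        if toks[cur[0]][0] != kind:
            raise SyntaxError(f"expected {kind}, got {toks[cur[0]][0]}")
        cur[0] += 1
        return toks[cur[0] - 1][1]

    def chain(keyword, sub, reducer):         # sub (keyword sub)*, folded with any/all
        preds = [sub()]
        while toks[cur[0]][0] == keyword:
            take(keyword)
            preds.append(sub())
        return lambda ev: reducer(p(ev) for p in preds)

    def or_expr():
        return chain("OR", lambda: chain("AND", unary, all), any)
    def unary():
        kind = toks[cur[0]][0]
        if kind == "NOT":
            take("NOT")
            return (lambda inner: lambda ev: not inner(ev))(unary())
        if kind == "lpar":
            take("lpar")
            inner = or_expr()
            take("rpar")
            return inner
        field, op, kind = take("word"), take("op"), toks[cur[0]][0]
        text = take(kind) if kind in ("num", "str", "star") else take("str")   # else: raises
        return comparison(field, op, kind, text[1:-1] if kind == "str" else text)

    pred = or_expr()
    take("end")                               # reject trailing tokens
    return pred

def search(query, events=EVENTS):
    pred = parse(query)                       # indexes of the matching events
    return [i for i, ev in enumerate(events) if pred(ev)]
```

search("...") returns the indexes of the matching constructed events. The path example needs each backslash doubled inside the query string; the tokenizer keeps those escapes raw so that wildcard_to_regex can tell \\ (a literal backslash) apart from \* and \? (literal wildcard characters) and from a bare * or ? (a wildcard). Because the page does not state how the product itself evaluates AND and OR without parentheses, parenthesise combined queries as in the examples above.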