Supported fields and operations for the Historical Search option
Technical Articles ID:
KB94584
Last Modified: 8/31/2021
Environment
McAfee MVISION EDR
Summary
This article describes the fields, logical operators, and comparison operators that the Historical Search option supports, together with the quoting and escaping rules for search values.
Supported Fields

| Name | Display Value | Artifacts |
| --- | --- | --- |
| Device name | DeviceName | All |
| Process name | ProcessName | Process |
| Command line | CommandLine | Process |
| IP address | IpAddress | Network |
| Sha256 | Sha256 | File |
| MD5 | MD5 | File |
| Sha1 | Sha1 | File |
| All Events | Default (Empty) | All |
| Process ID | ProcessID | Process |
| Parent Process Name | ParentProcessName | Process |
| Parent Process ID | ParentProcessID | Process |
Supported Logical Operators
NOTES:
- DeviceName can be joined with any other field using the "AND" logical operator.
  NOTE: On client systems running MVISION EDR client version 3.3.x or earlier, no result appears on the Historical Search dashboard when the "AND" logical operator joins the DeviceName and ProcessName artifacts.
  Example: DeviceName = 7ws3342 AND ProcessName = cmd.exe
- CommandLine and IpAddress can't be joined using the "AND" logical operator, but can be joined using the "OR" logical operator.
- CommandLine and ProcessName can be joined using the "AND" logical operator.
- MD5, SHA-1, and SHA-256 refer to the hashes of the file.
- IP address refers to the destination address.
Supported Operators

| Name | Display Value |
| --- | --- |
| DeviceName | =, !=, contains, starts with, not contains |
| ProcessName | =, !=, contains, starts with, not contains |
| CommandLine | =, !=, contains, starts with, not contains |
| IpAddress | =, !=, contains, starts with, not contains |
| Sha256 | =, !=, in |
| MD5 | =, !=, in |
| Sha1 | =, !=, in |
NOTE: "Contains" is only applicable if the time range is <= 24 hours.
Allowed Operations
- =
- !=
  When a field is included in a search, every returned result must contain a value in that field. For example, if the search is based on an IP address, only results with a value in the IP address field are returned.
  Example: "fieldname != value" means "(fieldName exists and fieldName != value)"
  ipaddress != 10.1.1.1 and devicename = '7xblah'
  Here ipaddress is the destination IP at the moment. The query excludes all network traces with that ipaddress.
- starts with
- in
- contains
- not contains
- In queries that use the starts with or contains operators, all special characters and " " (blank space) must be escaped.
  NOTE: This is not the case for equals and not equals.
- When a value in the query contains double quotes, they must be escaped and the whole value must be enclosed in double quotes, as shown below:
  Example: CommandLine = "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ua /installsource scheduler
  To be updated as: CommandLine = "\"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe\" /ua /installsource scheduler"
- When the value contains a space, the whole value must be enclosed in double quotes, as shown below:
  Example: CommandLine = C:\Windows\System32\svchost.exe -k wsappx
  To be updated as: CommandLine = "C:\Windows\System32\svchost.exe -k wsappx"
- For the Contains, Not Contains, and Starts with operators, all special characters must be escaped, as shown below:
  Example: Value: C:\Windows\System32\svchost.exe -k wsappx
  To be updated as: CommandLine contains "C\:\\Windows\\System32\\svchost.exe\ -k\ wsappx"
  This behavior applies to both Historical search and Device search.
  Example: "fieldname not contains value" means "(fieldName exists and fieldName not contains value)"
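The quoting, escaping and join rules above are easy to get wrong by hand, so here is a small helper that applies them when building a Historical Search term. This is an added example written for this article; it is not McAfee code and does not talk to MVISION EDR. It assumes that the "special characters" escaped for the contains, not contains and starts with operators are the ones visible in the svchost example (backslash, colon and space) plus the double quote; the article does not enumerate the full set. The article also shows no value syntax for the "in" operator, so such values are passed through unchanged.

```python
"""Build MVISION EDR Historical Search terms following the quoting, escaping
and join rules stated in this article.

Added example; not McAfee code. Assumptions: the set of special characters
escaped for contains / not contains / starts with is taken from the article's
svchost example (backslash, colon, space) plus the double quote; the article
does not enumerate the full set. Value syntax for "in" is not shown, so such
values are passed through unchanged."""

import re
from dataclasses import dataclass

# Display values from the Supported Fields table.
FIELDS = {
    "DeviceName", "ProcessName", "CommandLine", "IpAddress", "Sha256", "MD5",
    "Sha1", "ProcessID", "ParentProcessName", "ParentProcessID",
}

# Supported Operators table (the article lists no operators for ProcessID,
# ParentProcessName and ParentProcessID, so those fields are not checked).
TEXT_OPS = {"=", "!=", "contains", "starts with", "not contains"}
HASH_OPS = {"=", "!=", "in"}
OPERATORS = {
    "DeviceName": TEXT_OPS, "ProcessName": TEXT_OPS, "CommandLine": TEXT_OPS,
    "IpAddress": TEXT_OPS, "Sha256": HASH_OPS, "MD5": HASH_OPS, "Sha1": HASH_OPS,
}

PATTERN_OPS = {"contains", "not contains", "starts with"}

# Assumption: characters that get a backslash escape under pattern operators.
_SPECIAL = re.compile(r'([\\: "])')


@dataclass(frozen=True)
class Term:
    field: str
    op: str
    text: str  # rendered as "Field op value"


def contains_allowed(op: str, time_range_hours: float) -> bool:
    """The contains operator is only applicable when the time range is <= 24 hours."""
    return op != "contains" or time_range_hours <= 24


def escape_value(op: str, value: str) -> str:
    """Quote and escape a value for the given operator."""
    if op == "in":
        return value
    if op in PATTERN_OPS:
        # Backslash-escape each special character, then quote the whole value.
        return '"' + _SPECIAL.sub(r"\\\1", value) + '"'
    if '"' in value:
        # Embedded double quotes are escaped and the whole value is quoted.
        return '"' + value.replace('"', '\\"') + '"'
    if " " in value:
        # A value containing a space is enclosed in double quotes.
        return '"' + value + '"'
    return value


def term(field: str, op: str, value: str, time_range_hours: float = 24) -> Term:
    """Validate the field/operator pair and render one search term."""
    if field not in FIELDS:
        raise ValueError(f"unsupported field: {field}")
    if field in OPERATORS and op not in OPERATORS[field]:
        raise ValueError(f"operator {op!r} not supported for {field}")
    if not contains_allowed(op, time_range_hours):
        raise ValueError("contains requires a time range of 24 hours or less")
    return Term(field, op, f"{field} {op} {escape_value(op, value)}")


def and_allowed(field_a: str, field_b: str) -> bool:
    """CommandLine and IpAddress cannot be joined with AND (OR is allowed)."""
    return {field_a, field_b} != {"CommandLine", "IpAddress"}


def join(left: Term, right: Term, logical: str) -> str:
    """Join two terms with AND or OR, rejecting the unsupported AND pair."""
    if logical not in ("AND", "OR"):
        raise ValueError(f"unsupported logical operator: {logical}")
    if logical == "AND" and not and_allowed(left.field, right.field):
        raise ValueError("CommandLine and IpAddress cannot be joined with AND")
    return f"{left.text} {logical} {right.text}"


if __name__ == "__main__":
    print(join(term("DeviceName", "=", "7ws3342"),
               term("ProcessName", "=", "cmd.exe"), "AND"))
    print(term("CommandLine", "contains",
               r"C:\Windows\System32\svchost.exe -k wsappx").text)
```

Running the script reproduces the article's own examples: the DeviceName/ProcessName AND query, and the svchost command line escaped for the contains operator. Because `escape_value` reproduces exactly the three worked examples above, any value it produces for other inputs should be treated as a starting point to check against the product rather than a guarantee, since the full escaping set is not documented here.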