EchoTrail Insights - Advanced Search

This guide will introduce you to EchoTrail Insights Advanced Search - a powerful new search capability for our EchoTrail Insights tool. It can help identify trends, outliers, and other useful analytics on endpoint process behavior. This can be used by threat hunters, detection engineers, and many other security professionals to:

  • discover useful starting points for hunt operations
  • identify baselines for new detections
  • gain context on average behavior of system processes

Getting Started

Advanced search requires a Pro account which can be purchased here. Once you have a Pro account, you can navigate directly to the Insights Dashboard and use our Search Help dropdown to test some example queries.

To learn more about Advanced Search, its syntax, and commands - read on!

The Search Syntax

Advanced Search syntax follows Unix-style pipe chaining: a pipe ( | ) sends the results of one query to the input of the next. For example:

path=C:\Windows\System32 | count parents = 1

The above command searches for all processes (filenames and hashes) whose path matches "C:\Windows\System32", then keeps only those that have exactly 1 identified parent.

There are currently 2 supported search types and 1 command:

  • raw string search
  • field search
  • count command

Search Types

All search types and commands can be chained together in any combination, except for "Raw String". That search type is only available as the initial search, not after a pipe.

Raw String

A raw string search can contain any string, with 0 or more wildcards (*). It will search several areas of our database, including filenames and descriptions. However it will not search all fields - to ensure a particular field is searched, you should use the field search type.

Examples

Search for an exact match of the string "cmd.exe":

cmd.exe

Search for any string starting with "Win":

Win*

Field Search

A field search allows you to search for a match in a specific property of a process. Wildcards (*) are allowed. String fields accept only the "=" operator; the numeric rank field also accepts comparison operators such as "<" and ">", as in the examples below.

Searchable Fields:

  • filename
  • sha256
  • md5
  • path
  • parent
  • child
  • grandparent
  • network_port
  • description
  • intel
  • tags
  • rank (number)
  • prevalence

Examples

Search for all processes that have "services.exe" as a parent:

parent = services.exe

Search for all processes that have rank less than 50:

rank < 50

Search Commands

A search command must always follow at least one search type so that it has output to operate on.

Count

The count command counts the entries in a list-based field, such as children or ports, so you can search for processes whose list has a particular length. Currently the count command can only be used against the following fields:

  • path(s)
  • parent(s)
  • child(ren)
  • grandparent(s)
  • network_port(s)

Examples

Search for processes that launch from path C:\Windows\System32 and only have one identified parent:

path = C:\Windows\System32 | count parents = 1

Search for processes launched from cmd.exe that have more than one identified network port (note that "> 1" excludes processes with exactly one port):

parent = cmd.exe | count network_port > 1
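To make the syntax rules above concrete, here is an added example of a small evaluator that runs the documented queries over a handful of constructed process records. It is not EchoTrail's code and does not query the EchoTrail database; it models only what this page states (raw string search allowed first only, "=" on string fields, comparison operators on rank, count on the five list fields) and makes three labelled assumptions: matching is case-insensitive, raw string search covers filename and description, and count accepts either the singular or plural field spelling seen in the examples.

```python
import operator
import re

# Constructed sample records shaped like the fields this page lists
# (not EchoTrail data). List-valued fields are the ones `count` accepts.
RECORDS = [
    {"filename": "cmd.exe", "path": [r"C:\Windows\System32"],
     "parent": ["explorer.exe", "services.exe"], "child": ["whoami.exe", "net.exe"],
     "grandparent": ["userinit.exe"], "network_port": [],
     "description": "Windows Command Processor", "rank": 12},
    {"filename": "svchost.exe", "path": [r"C:\Windows\System32"],
     "parent": ["services.exe"], "child": ["wuauclt.exe"],
     "grandparent": ["wininit.exe"], "network_port": [135, 443],
     "description": "Host Process for Windows Services", "rank": 3},
    {"filename": "winword.exe", "path": [r"C:\Program Files\Microsoft Office\root\Office16"],
     "parent": ["explorer.exe"], "child": ["cmd.exe", "powershell.exe"],
     "grandparent": ["userinit.exe"], "network_port": [443],
     "description": "Microsoft Word", "rank": 240},
    {"filename": "powershell.exe", "path": [r"C:\Windows\System32\WindowsPowerShell\v1.0"],
     "parent": ["cmd.exe"], "child": [], "grandparent": ["winword.exe"],
     "network_port": [443, 4444], "description": "Windows PowerShell", "rank": 45},
]

NUMERIC_FIELDS = {"rank"}                       # the page marks only rank as a number
COUNT_FIELDS = {"path", "parent", "child", "grandparent", "network_port"}
RAW_FIELDS = ("filename", "description")        # assumption: fields a raw string search covers
OPS = {"=": operator.eq, "<": operator.lt, ">": operator.gt}   # operators the page shows
CLAUSE = re.compile(r"^\s*(\w+)\s*(=|<|>)\s*(.+?)\s*$")        # field <op> value


def glob_match(pattern, value):
    """Exact match unless the pattern contains '*'; case-insensitive (assumption)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, str(value), re.IGNORECASE) is not None


def field_search(records, field, op, value):
    """Field search: comparisons on numeric fields, '=' (with wildcards) on strings."""
    if field in NUMERIC_FIELDS:
        return [r for r in records if OPS[op](r[field], int(value))]
    if op != "=":
        raise ValueError(f"only '=' is allowed on string field {field!r}")

    def hit(r):
        v = r.get(field, "")
        return any(glob_match(value, x) for x in (v if isinstance(v, list) else [v]))
    return [r for r in records if hit(r)]


def raw_search(records, pattern):
    """Raw string search over the assumed RAW_FIELDS."""
    return [r for r in records if any(glob_match(pattern, r[f]) for f in RAW_FIELDS)]


def count_command(records, field, op, n):
    """count: keep records whose list field has a length satisfying the comparison."""
    # Accept singular or plural spellings (parents, children, ...) as the page's examples do.
    field = {"children": "child"}.get(field, field.rstrip("s"))
    if field not in COUNT_FIELDS:
        raise ValueError(f"count does not support field {field!r}")
    return [r for r in records if OPS[op](len(r[field]), int(n))]


def run_query(query, records=RECORDS):
    """Evaluate a pipe-chained query; return matching filenames in record order."""
    stages = [s.strip() for s in query.split("|")]
    for i, stage in enumerate(stages):
        if stage.startswith("count "):
            m = CLAUSE.match(stage[len("count "):])
            if not m or i == 0:                 # a command needs search output to act on
                raise ValueError(f"bad count stage: {stage!r}")
            records = count_command(records, *m.groups())
        elif (m := CLAUSE.match(stage)):
            records = field_search(records, *m.groups())
        elif i == 0:
            records = raw_search(records, stage)
        else:
            raise ValueError("raw string search is only allowed as the first stage")
    return [r["filename"] for r in records]


if __name__ == "__main__":
    for q in ("cmd.exe", "Win*", "parent = services.exe", "rank < 50",
              r"path = C:\Windows\System32 | count parents = 1",
              "parent = cmd.exe | count network_port > 1"):
        print(f"{q:50} -> {run_query(q)}")
```

Running the block shows the two pitfalls the page's examples hint at: `count network_port > 1` drops a process with exactly one port, and a raw string such as `cmd.exe` placed after a pipe is rejected rather than silently matching nothing.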
