Query Language (Operators)
Operators
Operator | LogRhythm Operator | Example | Search Result |
|---|---|---|---|
| Equal to (EQ) | = | unattributed.host.ip_address.value = 10.128.65.193 | Includes records where the host IP address value exactly matches 10.128.65.193. |
| Not Equal to (NE) | != | unattributed.host.ip_address.value != 10.128.65.193 | Excludes records where the host IP address value exactly matches 10.128.65.193. This search might be used if you have identified a safe IP in your dataset and want to remove that IP from your search. |
| Greater than (GT) | > | Potential use cases would be byte size, no examples currently available. | N/A |
| Greater than or Equal to (GE) | >= | Potential use cases would be byte size, no examples currently available. | N/A |
| Less than (LT) | < | Potential use cases would be byte size, no examples currently available. | N/A |
| Less than or Equal to (LE) | <= | Potential use cases would be byte size, no examples currently available. | N/A |
| In | IN | unattributed.host.ip_address.value IN [10.128.65.193,127.0.0.1] | Includes records that have host IP address values of 10.128.65.93 and 127.0.0.1. 
Requires the square brackets. This is also how you search for a list of values.
|
| To | TO | general_information.raw_message contains anything AND general_information.standard_message_time=now-30m TO now-15m unattributed.host.ip_address.value = blank AND general_information.standard_message_time = 2022-02-22T21:14:09.116957Z TO 2022-03-08T23:00:09.116957Z general_information.raw_message CONTAINS anything AND general_information.standard_message_time = 2020-03-29T10:05:45-07:00 TO now | Includes raw messages recorded between 30 minutes and 15 minutes ago. Includes messages where the host IP value is not populated between 2/22/2022 9:14 PM and 3/8/2022 11:00 PM. The times in the search are GMT (Zulu). Includes messages containing anything from 3/29/2020 at 10:05 AM to NOW. The time is normalized with the the subtraction of 7 hours to convert from GMT to MT. |
| Between | BETWEEN | unattributed.host.ip_address.value BETWEEN 192.168.1.1 AND 192.168.1.5 anything AND general_information.standard_message_time = 2022-08-25T00:00:00-06:00 to 2022-08-26T00:00:00-06:00 | This will look for messages with an unattributed.host.ip.address.value between 192.168.1.1 and 192.168.1.5 |
| Contains | CONTAINS | general_information.raw_message CONTAINS logrhythm | Includes all records. 
This is an unrestricted search and is likely to return a high number of entries.
|
Operators for Compound Searches
| Operator | LogRhythm Operator | Example | Search Result |
|---|---|---|---|
| And | AND | general_information.raw_message contains user AND unattributed.host.ip_address.value = 10.128.65.193 | Includes records where the raw message contains the word user AND where the host IP address is 10.128.65.193. |
| Not | NOT | general_information.raw_message contains user AND NOT unattributed.host.ip_address.value = 10.128.65.19 | Includes records where the raw message contains the word user and excludes records where the host IP address is 10.128.65.193. |
| Or | OR | general_information.raw_message contains user OR unattributed.host.ip_address.value = 10.128.65.193 | Includes records where the raw message contains the word user OR where the host IP address is 10.128.65.193. |
Separators
| Separator | Function | Example | Search Results |
|---|---|---|---|
| Parenthesis () | Subqueries | No examples currently available. | N/A |
| Curly {} | N/A | No examples currently available. | N/A |
| Quotes "" | Enforces order and is case sensitive | general_information.raw_message CONTAINS "accepted password" | Includes records where the general_information.raw_message has accepted password in that order and is case sensitive. |
| No Quotes | Order not enforced | general_information.raw_message CONTAINS password accepted | Includes records where the general_information.raw_message have the words password and accepted in no particular order and is case insensitive. |
| Square Bracket [] | Used to contain values in list searches | unattributed.host.ip_address.value IN [10.128.65.193] | Includes records that have a host IP address value of 10.128.65.93. |
| Escaping Characters | N/A | No examples currently available. | N/A |
Operators Not Used in Axon SIEM
- Wild card matching (using CONTAINS covers most searches)
- Proximity matching
- Boost
- Regular expression search