Complex Queries
Boolean Operators
OR Operator
When you use the OR operator, the filter displays activity that includes any of the values listed.
The default Boolean operator is OR. If you do not include an operator when searching on multiple criteria, the query runs as an OR search. You can also use || in place of OR.
EXAMPLE - OR
To run a query for all activity that falls under the Malware classification or that originated from a particular host, all of the following syntaxes are acceptable:
- classificationName:"Malware" originHost:"106.194.190.210"
- classificationName:"Malware" OR originHost:"106.194.190.210"
- classificationName:"Malware" || originHost:"106.194.190.210"
AND Operator
When you use the AND operator, the filter displays activity that includes every value listed.
You can also use && in place of AND.
EXAMPLE - AND
To run a query to see whether Malware activity originated from a particular host, you can use either of the following:
- classificationName:"Malware" AND originHost:"106.194.190.210"
- classificationName:"Malware" && originHost:"106.194.190.210"
NOT Operator
When you use the NOT operator, the filter excludes activity associated with the value entered after NOT.
You can also use ! in place of NOT.
EXAMPLE - NOT
To run a query to see activity associated with user account jon.smith that is not classified as Malware, you can use either of the following:
- login:"jon.smith" NOT classificationName:"Malware"
- login:"jon.smith" ! classificationName:"Malware"
NOT must be applied to another clause; to run a NOT search by itself, pair it with the match-all wildcard *:* as follows:
- *:* AND NOT classificationName:"Malware"
TO Operator
To search by a range, include the TO operator between the parameters. To run an inclusive search, use square brackets [ ]. To run an exclusive search, use curly brackets { }.
EXAMPLE - TO
To run a query on the host from which log activity originated, over a range that INCLUDES the first and last IP addresses listed:
- originHost:[106.194.190.210 TO 106.194.190.250]
To run a query on the host from which log activity originated, over a range that EXCLUDES the first and last IP addresses listed:
- originHost:{106.194.190.210 TO 106.194.190.250}
To run a query for logs whose priority ranking is 40 or greater (the range INCLUDES 40):
- priority:[40 TO *]
Log Dates
To run a search on a log date, you must convert the time to epoch format in milliseconds. There are several online tools to help you make the conversion, including EpochConverter and Unix Time Stamp.
EXAMPLE - DATE
To run a query for all logs after October 30, 2016 at 9 A.M. local time:
- normalDate:{1477839600000 TO *}
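The conversion described above, as an added Python example (not code from the original page or from the search product's own tooling). The page's value 1477839600000 is 2016-10-30 15:00:00 UTC, which is 9 A.M. at a UTC-6 offset, so the example assumes that fixed offset (Mountain Daylight Time on that date) as the "local time"; the field name normalDate is taken from the page, while local_to_epoch_ms, epoch_ms_to_utc, after and between are hypothetical helper names. The integer-only arithmetic avoids the float rounding that int(dt.timestamp() * 1000) can introduce, and converting the result back to UTC is a cheap check before the value goes into a query.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Assumed fixed UTC-6 offset, the offset in force in the author's local zone on the
# page's date (Mountain Daylight Time). For day-to-day use prefer a DST-aware zone,
# e.g. zoneinfo.ZoneInfo("America/Denver"), so that the offset follows the calendar.
MDT = timezone(timedelta(hours=-6))


def local_to_epoch_ms(year, month, day, hour=0, minute=0, second=0, tz=timezone.utc):
    """Wall-clock time in zone tz -> Unix epoch milliseconds as an exact int
    (integer timedelta division, so no float rounding creeps in)."""
    local = datetime(year, month, day, hour, minute, second, tzinfo=tz)
    return (local - EPOCH) // timedelta(milliseconds=1)


def epoch_ms_to_utc(ms: int) -> str:
    """Inverse conversion, handy for checking a value before it goes into a query."""
    return (EPOCH + timedelta(milliseconds=ms)).isoformat()


def after(field: str, ms: int) -> str:
    """Exclusive lower bound: everything strictly after that millisecond (curly brackets)."""
    return f'{field}:{{{ms} TO *}}'


def between(field: str, start_ms: int, end_ms: int) -> str:
    """Inclusive window (square brackets); reversed bounds would match nothing, so reject them."""
    if start_ms > end_ms:
        raise ValueError('start is after end')
    return f'{field}:[{start_ms} TO {end_ms}]'


if __name__ == '__main__':
    ms = local_to_epoch_ms(2016, 10, 30, 9, tz=MDT)
    print(ms, epoch_ms_to_utc(ms))           # 1477839600000 2016-10-30T15:00:00+00:00
    print(after('normalDate', ms))           # normalDate:{1477839600000 TO *}
    print(between('normalDate', ms, ms + 3_600_000))  # the following hour, inclusive
```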
Grouping
You can run a query for multiple values in the same filter by enclosing all terms in parentheses. This is similar to using the OR operator, except that you can only search one metadata field with this syntax.
EXAMPLE - GROUPING
To run a query for all activity that falls under the Malware or Attack classifications:
- classificationName:("Malware" "Attack")
Field Grouping
To combine any of these query types into one query, use parentheses to group fields.
EXAMPLE - FIELD GROUPING
To run a query for Malware activity whose originating host falls in either of two IP ranges, EXCLUDING the first and last address of each range:
- originHost:({106.194.190.210 TO 106.194.190.250} OR {106.194.190.256 TO 106.194.190.220}) AND classificationName:"Malware"
To run a query for Malware or Compromise activity that impacted any of three separate users but that does not come from a particular IP address:
- login:("jon.smith" "fred.miller" "janice.jones") AND classificationName:("Malware" "Compromise") AND NOT originHost:"106.194.190.210"
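The Boolean, NOT, TO, Grouping and Field Grouping forms above, assembled by a small Python query builder. This is an added example, not code from the original page or from the search product; the field names and values are the page's own, while quote, term, with_field, ip_range, and_, or_ and not_ are hypothetical helper names. Two things it adds beyond the hand-written examples: values are always quoted with embedded quotes and backslashes escaped, so a string copied from a ticket or a web form cannot smuggle in operators such as OR *:*, and range bounds are validated before the query is sent, so an octet above 255 or a lower bound above the upper bound (as in the page's second originHost range) raises instead of quietly producing a range that matches nothing.

```python
import ipaddress


def quote(value: str) -> str:
    """Wrap a value in double quotes, escaping embedded quotes and backslashes so that
    user-supplied text (e.g.  x" OR *:*  ) stays a literal phrase rather than operators."""
    return '"' + value.replace('\\', '\\\\').replace('"', '\\"') + '"'


def term(field: str, value: str) -> str:
    """field:"value"  -- one metadata field, one quoted value."""
    return f'{field}:{quote(value)}'


def with_field(field: str, *parts: str, joiner: str = ' ') -> str:
    """Attach one field to one or more already-formatted parts.
    Several quoted values joined by a space give the Grouping form,
    classificationName:("Malware" "Attack"); several ranges joined by ' OR '
    give the Field Grouping form originHost:({a TO b} OR {c TO d})."""
    if not parts:
        raise ValueError('at least one value is required')
    if len(parts) == 1:
        return f'{field}:{parts[0]}'
    return f'{field}:({joiner.join(parts)})'


def ip_range(low: str, high: str, inclusive: bool = True) -> str:
    """A TO range over IPv4 addresses: [low TO high] inclusive, {low TO high} exclusive.
    Both bounds must parse as IPv4 (each octet 0-255) and low must not exceed high."""
    lo, hi = ipaddress.IPv4Address(low), ipaddress.IPv4Address(high)  # raises on e.g. 256
    if lo > hi:
        raise ValueError(f'lower bound {lo} is above upper bound {hi}')
    opener, closer = ('[', ']') if inclusive else ('{', '}')
    return f'{opener}{lo} TO {hi}{closer}'


def and_(*clauses: str) -> str:
    return ' AND '.join(clauses)


def or_(*clauses: str) -> str:
    return ' OR '.join(clauses)


def not_(clause: str, standalone: bool = False) -> str:
    """Negate a clause. NOT needs something to subtract from, so a stand-alone
    exclusion is paired with the match-all wildcard *:* as the page shows."""
    return f'*:* AND NOT {clause}' if standalone else f'NOT {clause}'


if __name__ == '__main__':
    # The page's last Field Grouping example, rebuilt from parts.
    print(and_(
        with_field('login', quote('jon.smith'), quote('fred.miller'), quote('janice.jones')),
        with_field('classificationName', quote('Malware'), quote('Compromise')),
        not_(term('originHost', '106.194.190.210')),
    ))
    # A value copied from an untrusted source stays a literal phrase.
    print(term('login', 'x" OR *:*'))
    # An invalid octet in a range bound is caught before the query is sent.
    try:
        ip_range('106.194.190.256', '106.194.190.220', inclusive=False)
    except ValueError as exc:
        print('rejected:', exc)
```

Because every value passes through quote(), the builder is also the natural place to log the final query string for review: a query that arrives at the search backend with unescaped operators in a value field is a sign that something bypassed the builder.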