Search Quick Reference

The following search operators are available to the analyst.

Search operators are case-sensitive!

  • To check for traffic between specific source and destination IPs: src:"1.2.3.4" AND dest:"5.6.7.8"
  • To check for traffic from a specific user: user_uuid:someuser
  • To check whether a user has ever logged in from a specific IP: src:"1.2.3.4" AND _exists_:user_uuid
  • To check whether a user has ever logged in to a specific IP (based mostly on their AD authentication information): dest:"5.6.7.8" AND _exists_:user_uuid
  • To find all logs from a user excluding connection logs: user_uuid:someuser AND -entry_type:Connection
  • To inspect all connections from a specific client User-Agent pattern: user_agent:Wget*

Operators and modifiers

Operators             Modifiers
Match field           field1:"value"
AND                   field1:(term1 AND term2)
OR                    field1:(term1 OR term2)
Missing               _missing_:field1
Exists                _exists_:field1
Any single character  ?
Wildcard              *
Numerical range       [1 TO 10]
IP CIDR               src:"10.0.0.0/8"

Notes on the Wildcard and Numerical range rows:

  • We do not recommend using the wildcard operator when searching for IP addresses. Instead, use the TO operator to search for a range of IP addresses: [IPaddress TO IPaddress]. For example: [1.2.3.4 TO 1.2.3.100]
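As an added illustration (hypothetical helper code, not part of the search product documented here), the following Python composes queries in the operator syntax above and rewrites a CIDR block into the [IPaddress TO IPaddress] range form the reference recommends instead of wildcards on IP fields. The field names src, dest and user_uuid are taken from the examples above; nothing else about the product is assumed.

```python
import ipaddress

# Hypothetical helper, not part of the documented search product: composes
# queries in the operator syntax of this quick reference and enforces its
# advice that IP fields are searched with TO ranges, never wildcards.

IP_FIELDS = {"src", "dest"}  # field names assumed from the examples above


def term(field: str, value: str, quoted: bool = True) -> str:
    """Match-field clause: field:"value" (quoted) or field:value (bare term)."""
    if field in IP_FIELDS:
        if "*" in value or "?" in value:
            raise ValueError(f"wildcards are not recommended on {field}; use a TO range")
        ipaddress.ip_address(value)  # raises ValueError on a malformed address
    if '"' in value:
        raise ValueError("embedded double quotes are not supported by this helper")
    return f'{field}:"{value}"' if quoted else f"{field}:{value}"


def ip_range(field: str, cidr: str) -> str:
    """Rewrite a CIDR block as field:[first TO last], the recommended IP range form."""
    net = ipaddress.ip_network(cidr, strict=False)  # host bits in the input are tolerated
    return f"{field}:[{net.network_address} TO {net.broadcast_address}]"


def exists(field: str) -> str:
    """Exists modifier: only records that carry the field at all."""
    return f"_exists_:{field}"


def negate(clause: str) -> str:
    """Exclude a clause with a leading minus, e.g. -entry_type:Connection."""
    return "-" + clause


def all_of(*clauses: str) -> str:
    """Join clauses with AND (operators are case-sensitive, so keep it upper case)."""
    return " AND ".join(clauses)


def logins_from_block(cidr: str) -> str:
    """Users who ever logged in from any address in a CIDR block, without a wildcard."""
    return all_of(ip_range("src", cidr), exists("user_uuid"))


if __name__ == "__main__":
    print(logins_from_block("10.0.0.0/30"))
    print(all_of(term("user_uuid", "someuser", quoted=False), negate("entry_type:Connection")))
```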
