Search operators are available to the analyst. Search operators are case-sensitive!

- To check for traffic between specific source and destination IPs: `src:"1.2.3.4" AND dest:"5.6.7.8"`
- To check for traffic from a specific user: `user_uuid:someuser`
- To check whether a user ever logged in from a specific IP: `src:"1.2.3.4" AND _exists_:user_uuid`
- To check whether a user ever logged in to a specific IP (based mostly on their AD authentication information): `dest:"5.6.7.8" AND _exists_:user_uuid`
- To find all logs from a user, excluding connection logs: `user_uuid:someuser AND -entry_type:Connection`
- To inspect all connections from a specific client User-Agent pattern: `user_agent:Wget*`
Operators and modifiers

| Operator | Modifier (syntax example) |
|---|---|
| Match field | `field1:"value"` |
| AND | `field1:(term1 AND term2)` |
| OR | `field1:(term1 OR term2)` |
| Missing | `_missing_:field1` |
| Exists | `_exists_:field1` |
| Any single character | `?` |
| Wildcard | `*` We do not recommend using the wildcard operator when searching for IP addresses. Instead, use the TO operator to search for a range of IP addresses. |
| Numerical range | `[1 TO 10]` Use the TO operator to search for a range of IP addresses: `[IPaddress TO IPaddress]`. For example: `[1.2.3.4 TO 1.2.3.100]` |
| IP CIDR | `src:"10.0.0.0/8"` |
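The table's caveat about wildcards on IP addresses, worked through in Python as an added example (not part of the original page or the search tool itself): a wildcard is a string glob, so `src:1.2.3.1*` also matches `1.2.3.1`, `1.2.3.100` and `1.2.3.150`, while a `TO` range or a CIDR compares addresses numerically. The sample IPs are constructed.

```python
import fnmatch
import ipaddress

# Constructed sample source IPs standing in for a log's src field (not real traffic).
SAMPLE_IPS = ["1.2.3.1", "1.2.3.10", "1.2.3.19", "1.2.3.100",
              "1.2.3.150", "1.2.3.200", "10.2.3.15"]


def wildcard_match(ips, pattern):
    """Emulate 'src:1.2.3.1*' or 'src:1.2.3.1?': the wildcard works on the
    textual form of the address, so '*' spans any characters (dots included)
    and '?' exactly one character; digits carry no numeric meaning."""
    return [ip for ip in ips if fnmatch.fnmatchcase(ip, pattern)]


def range_match(ips, low, high):
    """Emulate 'src:[1.2.3.10 TO 1.2.3.19]': inclusive numeric comparison."""
    lo, hi = ipaddress.ip_address(low), ipaddress.ip_address(high)
    return [ip for ip in ips if lo <= ipaddress.ip_address(ip) <= hi]


def cidr_match(ips, cidr):
    """Emulate 'src:"1.2.3.0/24"': membership test against the network."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [ip for ip in ips if ipaddress.ip_address(ip) in net]


def wildcard_overmatch(ips, pattern, low, high):
    """Addresses the wildcard pulls in that lie outside the intended range:
    the extra rows an analyst would have to weed out by hand."""
    intended = set(range_match(ips, low, high))
    return [ip for ip in wildcard_match(ips, pattern) if ip not in intended]


if __name__ == "__main__":
    print("wildcard 1.2.3.1* :", wildcard_match(SAMPLE_IPS, "1.2.3.1*"))
    print("range 10..19      :", range_match(SAMPLE_IPS, "1.2.3.10", "1.2.3.19"))
    print("cidr 1.2.3.0/24   :", cidr_match(SAMPLE_IPS, "1.2.3.0/24"))
    print("overmatched       :", wildcard_overmatch(SAMPLE_IPS, "1.2.3.1*",
                                                    "1.2.3.10", "1.2.3.19"))
```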