Query Operators

Logical Operators

A logical operator must have a space on each side for the query syntax to recognise it as an operator. Otherwise, the operator is treated as part of the value being entered.

AND

"And" displays results that include all of the values listed. You can enter "and" using any of the formats below; keep in mind that there must be a space before and after the operator:

  • " AND " or " and " - (upper or lowercase)

  • " & " - ampersand

AND Syntax

<column1>:<value1> AND <value2> and <value3> & <value4>

The syntax above shows all of the formats for AND: AND, and, and &.

AND Example

sources:windows_ad AND crowdstrike and mcafee & nexpose

This example searches the sources column for records that include all of the values entered: windows_ad, crowdstrike, mcafee, and nexpose. Because "and" is used, the results will show each record that contains all four sources.

Notice the various ways the "and" operator is used: AND, and, and &. Also notice the spaces before and after each operator, whether the operator is a word or a special character.

OR

"Or" displays results that include any of the values listed. You can enter "or" using any of the formats below:

  • " OR " or " or " - (upper or lowercase)

  • " | " - pipe

OR Syntax

<column1>:<value1> OR <value2> or <value3> | <value4>

The syntax above shows all of the formats for "OR": OR, or, and |.

OR Example

sources:windows_ad OR crowdstrike or mcafee | nexpose

This example searches the sources column for records that include any of the values entered: windows_ad, crowdstrike, mcafee, or nexpose. Because "or" is used, the results will show each record that contains one or more of the four sources.

Notice the various ways the "or" operator is used: OR, or, and |.

Unions - Using Parentheses

Enclosing values in parentheses groups them, so logical operators can be combined to build more complex queries:

Union Syntax

<column1>:(<value1> | <value2>) AND <value3>

The syntax above searches column1 and looks for records that include value1 or value2 and also include value3. Note the use of the "or" operator inside the parentheses, and the "and" operator outside the parentheses.

Union Example

CVE:(2020* | 2021*) AND 2022*

This example searches the CVE column and looks for records that include 2020 or 2021 and also include 2022. Note the use of the "*" wildcard to look for items that begin with 2020, 2021, and 2022 and include any number of characters after those values.

Negation Operators

NOT

You can search for records that don't include a particular value by using the NOT operator in either of these formats:

  • "NOT " - only uppercase, found at the start of a string

  • "-" - a hyphen at the start of a string

NOT Syntax

<column1>:-<value1>

The syntax above searches column1 and displays all records that don't include value1. Notice that there isn't a space between the hyphen and the value.

<column1>:-(<value1> | <value2> | <value3>)

The syntax above searches column1 and displays all records that don't include value1, value2, or value3. It will display all other records.

NOT Examples

sources:-windows_ad

The example above searches the sources column and displays all records that don't include windows_ad.

sources:-(windows_ad | crowdstrike | mcafee)

The example above searches the sources column and displays all records that don't include windows_ad, crowdstrike, or mcafee. For example, it would display a record that included nexpose as long as it didn't also include windows_ad, crowdstrike, or mcafee.

String Operators

Wildcard (Asterisk)

Asterisks are used in traditional wildcard operations, with the important caveat that at least two characters must precede the asterisk.

  • "*" - asterisk

At least two characters or digits must precede a wildcard. For example, a* will not generate any results.

Wildcard (Asterisk) Syntax

<column1>:<value*>

The syntax above will search column1 for all entries containing strings that begin with "value".

Wildcard (Asterisk) Examples

CVE:20*
ip_address:254*
hostname:C_0085* | C_0080*

The examples above perform these search functions:

  • Search the CVE column for all entries beginning with 20.

  • Search the ip_address column for all entries beginning with 254.

  • Search the hostname column for all entries that begin with either C_0085 or C_0080.
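As an added, runnable illustration of the logical, union, negation and wildcard rules above (my code, not the page's or the product's), the following evaluator applies the syntax to a few constructed records: all three spellings of AND and OR with their mandatory surrounding spaces, parentheses for grouping, NOT and the hyphen for negation, and the asterisk wildcard with its two-character minimum. Giving AND precedence over OR is my assumption; the page states no precedence, so parentheses are the safe way to combine them.

```python
import re

AND_OPS, OR_OPS = {"AND", "and", "&"}, {"OR", "or", "|"}    # spellings from the page

def tokenize(expr):
    # Tokens: '(', ')', a '-' prefix, or any run of non-space characters. Whitespace
    # ends a token, so an operator counts only with spaces around it (the page's rule).
    return re.findall(r"[-(]|\)|[^\s()]+", expr)

def parse(toks, i=0, level=0):
    # Recursive descent: level 0 = OR (loosest), 1 = AND, 2 = term. AND binding
    # tighter than OR is my assumption; the page states none, so use parentheses.
    if level < 2:
        ops, name = (OR_OPS, "or") if level == 0 else (AND_OPS, "and")
        node, i = parse(toks, i, level + 1)
        while i < len(toks) and toks[i] in ops:
            right, i = parse(toks, i + 1, level + 1)
            node = (name, node, right)
        return node, i
    tok = toks[i]
    if tok in ("-", "NOT"):                           # negation; NOT is uppercase only
        node, i = parse(toks, i + 1, 2)
        return ("not", node), i
    if tok == "(":                                    # grouped sub-expression
        node, i = parse(toks, i + 1, 0)
        if i >= len(toks) or toks[i] != ")": raise ValueError("unbalanced parentheses")
        return node, i + 1
    return tok, i + 1                                 # a plain value

def evaluate(node, values):
    if isinstance(node, str):                         # value, maybe ending in '*'
        if node.endswith("*"):                        # wildcard needs >= 2 leading chars
            return len(node) > 2 and any(v.startswith(node[:-1]) for v in values)
        return node in values
    if node[0] == "not":
        return not evaluate(node[1], values)
    left, right = evaluate(node[1], values), evaluate(node[2], values)
    return (left and right) if node[0] == "and" else (left or right)

# Constructed sample records (not data from the page): column -> list of values
RECORDS = [{"sources": ["windows_ad", "crowdstrike", "mcafee", "nexpose"], "CVE": ["2020-0003", "2022-0004"]},
           {"sources": ["nexpose"], "CVE": ["2022-0002"], "hostname": ["C_0080_web"]}]

def search(query, records=RECORDS):
    # Evaluate '<column>:<expression>' and return the indices of matching records
    column, expr = query.split(":", 1)
    tree, end = parse(toks := tokenize(expr))
    if end != len(toks):
        raise ValueError("unexpected trailing tokens")
    return [n for n, rec in enumerate(records) if evaluate(tree, rec.get(column, []))]
```

Note that `sources:crowdstrike&mcafee` (no spaces) is treated as one literal value and matches nothing, which is exactly the behaviour the spacing rule warns about.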

Numerical Operators

Numerical operators have syntax similar to the logical operators in that they must be preceded and followed by a space character.

Greater Than

Greater than is used to show any numerical value over the one provided in the query.

  • " > "

Greater Than Examples

cvss: > 8
score: > 5.5

In the examples above, notice the space characters before and after >. These examples perform these search functions:

  • Search the cvss column for numerical values greater than 8. All entries of 8.1 and greater are listed.

  • Search the score column for numerical values greater than 5.5. All entries of 5.6 and greater are listed.

Greater Than or Equal To

Similar to greater than, but will now include the numerical value provided, and anything greater than it.

  • " >= "

Greater Than or Equal To Examples

cvss: >= 8
score: >= 5.5

The examples above perform these search functions:

  • Search the cvss column for numerical values greater than or equal to 8. All entries of 8 and greater are listed.

  • Search the score column for numerical values greater than or equal to 5.5. All entries of 5.5 and greater are listed.

Less Than

Less than is used to show any numerical value under the one provided in the query.

  • " < "

Less Than Examples

cvss: < 8
score: < 5.5

The examples above perform these search functions:

  • Search the cvss column for numerical values less than 8. All entries of 7.9 and less are listed.

  • Search the score column for numerical values less than 5.5. All entries of 5.4 and less are listed.

Less Than or Equal To

Similar to less than, but will now include the numerical value provided, and anything under it.

  • " <= "

Less Than or Equal To Examples

cvss: <= 8
score: <= 5.5

The examples above perform these search functions:

  • Search the cvss column for numerical values less than or equal to 8. All entries of 8 and less are listed.

  • Search the score column for numerical values less than or equal to 5.5. All entries of 5.5 and less are listed.

Equals

Search for only numerical values equal to the one provided in the query.

  • " = "

Equals Examples

cvss: = 8
score: = 5.5

The examples above perform these search functions:

  • Search the cvss column for numerical values equal to 8. All entries of exactly 8 are listed.

  • Search the score column for numerical values equal to 5.5. All entries of exactly 5.5 are listed.

Range

Search for a range of numerical values between the two values provided in the query.

  • " - " - hyphen

Range Examples

cvss: 8 - 9
score: 5.5 - 6.6

  • Search the cvss column for numerical values between 8 and 9. All values from 8.1 to 8.9 are listed.

  • Search the score column for numerical values between 5.5 and 6.6. All values from 5.6 to 6.5 are listed.
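An added example (my code, not the page's or the product's) that applies the numerical operators of this section to constructed records. It enforces the rule that a space must precede and follow the operator, so `cvss:>8` and `cvss: 8-9` are rejected rather than silently mis-read, and it implements the range as the page describes it, with both endpoints excluded.

```python
import operator
import re

# Comparison operators from the page, mapped onto Python's operator functions
COMPARISONS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
               "<=": operator.le, "=": operator.eq}
NUMBER = r"-?\d+(?:\.\d+)?"
# The page requires a space before and after a numerical operator, so these
# patterns accept 'cvss: > 8' and 'cvss: 8 - 9' but reject 'cvss:>8' and 'cvss: 8-9'.
COMPARE_RE = re.compile(rf"^(\w+): (>=|<=|>|<|=) ({NUMBER})$")
RANGE_RE = re.compile(rf"^(\w+): ({NUMBER}) - ({NUMBER})$")

def compile_numeric(query):
    # Turn a query into (column, predicate); raise if it is not well formed
    if m := COMPARE_RE.match(query):
        column, op, bound = m.group(1), m.group(2), float(m.group(3))
        return column, lambda x: COMPARISONS[op](x, bound)
    if m := RANGE_RE.match(query):
        column, low, high = m.group(1), float(m.group(2)), float(m.group(3))
        # The page describes the range as exclusive: '8 - 9' lists 8.1 to 8.9
        return column, lambda x: low < x < high
    raise ValueError(f"not a numerical query (check the spaces): {query!r}")

# Constructed sample records, not data from the page
RECORDS = [{"host": "a", "cvss": 8.0, "score": 5.5}, {"host": "b", "cvss": 9.8, "score": 6.6},
           {"host": "c", "cvss": 7.9, "score": 5.6}, {"host": "d", "cvss": 8.5, "score": 6.0}]

def search_numeric(query, records=RECORDS):
    # Return the hosts whose value in the queried column satisfies the predicate
    column, predicate = compile_numeric(query)
    return [r["host"] for r in records if column in r and predicate(float(r[column]))]
```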
