Cheatography

[LR] Web Console Display Name - Lucene Syntax Cheat Sheet (DRAFT) by

This is a draft cheat sheet. It is a work in progress and is not finished yet.

Examples

To escape a special character that is part of the query syntax, use a backslash before the character. Characters that require this treatment are: + - && || ! ( ) { } [ ] ^ " ~ * ? : \
Operators: OR (also written ||), AND (also written &&), NOT (also written !)
If you wanted to run a query for all impacted users whose account ends with Smith, you would use: login:/.*Smith/
If you wanted to run a query for impacted users whose names are similar to Jon, such as Ron or John, you would use: login:Jon~
If you wanted to run a query for all activity that falls under the Malware or Attack classifications, you would use: classificationName:("Malware" "Attack")
If you wanted to run a query for the host from which a log activity originated, INCLUSIVE of the first and last IP address, you would use: originHost: [106.194.190.210 TO 106.194.190.250]
If you wanted to run a query for the host from which a log activity originated, EXCLUSIVE of the first and last IP address, you would use: originHost: {106.194.190.210 TO 106.194.190.250}
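The query forms above, as an added Python helper that is not part of this cheat sheet: it escapes exactly the special-character set listed here and builds the regex, fuzzy, grouped-term and IP-range queries, checking range endpoints so a malformed or reversed range is rejected before the query is run. The function names are my own, not console or Lucene API names.

```python
import ipaddress

# Characters the cheat sheet lists as needing a backslash in Lucene syntax.
# '&&' and '||' are two-character operators; escaping each '&' and '|' covers them.
LUCENE_SPECIALS = set('+-!(){}[]^"~*?:\\&|')

def escape_term(value: str) -> str:
    """Backslash-escape every special character so the value is matched literally."""
    return ''.join('\\' + ch if ch in LUCENE_SPECIALS else ch for ch in value)

def term(field: str, value: str) -> str:
    """field:value with the value escaped, e.g. a login containing '+' or ':'."""
    return f'{field}:{escape_term(value)}'

def regex(field: str, pattern: str) -> str:
    """Regular-expression query (login:/.*Smith/); the pattern is passed through as-is."""
    return f'{field}:/{pattern}/'

def fuzzy(field: str, value: str) -> str:
    """Fuzzy query (login:Jon~) that also matches near spellings such as Ron or John."""
    return f'{field}:{escape_term(value)}~'

def any_of(field: str, values) -> str:
    """Grouped quoted terms; inside double quotes only '"' and backslash need escaping."""
    quoted = ['"' + v.replace('\\', '\\\\').replace('"', '\\"') + '"' for v in values]
    group = ' '.join(quoted)
    return f'{field}:({group})'

def ip_range(field: str, first: str, last: str, inclusive: bool = True) -> str:
    """IP range: [a TO b] includes both endpoints, {a TO b} excludes them.

    Endpoints are parsed and ordered up front so a typo or reversed range is
    rejected here instead of silently returning no results."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if lo.version != hi.version or lo > hi or (not inclusive and lo == hi):
        raise ValueError(f'range {first} TO {last} can never match')
    open_, close = ('[', ']') if inclusive else ('{', '}')
    return f'{field}:{open_}{first} TO {last}{close}'

def combine(*clauses: str, op: str = 'AND') -> str:
    """Join clauses with AND or OR, each parenthesised so precedence is explicit."""
    if op not in ('AND', 'OR'):
        raise ValueError('op must be AND or OR')
    return f' {op} '.join(f'({c})' for c in clauses)
```

For example, combine(any_of('classificationName', ['Malware', 'Attack']), ip_range('originHost', '106.194.190.210', '106.194.190.250')) yields the two cheat-sheet queries joined with AND.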

Network

Domain (Impacted)
domainImpacted
Domain (Origin)
domainOrigin
NAT TCP/UDP Port (Impacted)
impactedNatPort
NAT TCP/UDP Port (Origin)
originNatPort
Network (Impacted)
impactedNetwork
Network (Origin)
originNetwork
Protocol
protocolName
Session
session
Session Type
sessionType
TCP/UDP Port (Origin)
originPort
TCP/UDP Port (Impacted)
impactedPort
URL
url
User Agent
userAgent

Classification

Classification
classificationName
Common Event
commonEventName
CVE
cve
Direction
directionName
MPE Rule Name
mpeRuleName
Policy
policy
Reason
reason
Response Code
responseCode
Result
result
Severity
severity
Status
status
Threat Name
threatName
Vendor Info
vendorInfo
Vendor Message ID
vendorMessageId

Applications

Action
action
Amount
amount
Command
command
Duration
duration
Hash
hash
Known Application
serviceName
Object
object
Object Name
objectName
Object Type
objectType
Parent Process ID
parentProcessId
Parent Process Path
parentProcessPath
Process Name
process
Process ID
processId
Quantity
quantity
Rate
rate
Size
size
Subject
subject
Thread ID
threatid
Version
version

Host

Host (Impacted)
impactedHost
Host (Origin)
originHost
Hostname (Impacted)
impactedName
Hostname (Origin)
originName
Interface (Impacted)
impactedInterface
Interface (Origin)
originInterface
IP Address (Impacted)
impactedIp
IP Address (Origin)
originIp
Known Host (Impacted)
impactedHostName
Known Host (Origin)
originHostName
Mac Address (Impacted)
impactedMac
Mac Address (Origin)
originMac
NAT IP Address (Impacted)
impactedNatIp
NAT IP Address (Origin)
originNatIp
Serial Number
serialNumber

Log

First Log Date
normalMsgDate
Last Log Date
normalDateMax
Log Count
count
Log Date
normalDate
Log Message
logMessage
Log Source
logSourceName
Log Source Entity
entityName
Log Source Host
logSourceHostName
Log Source Type
logSourceTypeName
Log Sequence Number
sequenceNumber

Location

Country (Impacted)
impactedCountry
Country (Origin)
originCountry
Entity (Impacted)
impactedEntityName
Entity (Origin)
originEntityName
Location (Impacted)
impactedLocation
Location (Origin)
originLocation
Region (Impacted)
impactedRegion
Region (Origin)
originRegion
Zone (Impacted)
impactedZoneName
Zone (Origin)
originZoneName

Traffic

Host (Impacted) KBytes Rcvd
kBytesIn
Host (Impacted) KBytes Sent
kBytesOut
Host (Impacted) KBytes Total
impactedHostTotalKBytes
Host (Impacted) Packets Rcvd
itemsPacketsIn
Host (Impacted) Packets Sent
itemsPacketsOut
Host (Impacted) Packets Total
impactedHostTotalPackets
KBytes Inbound
kBytes
KBytes Outbound
outboundKBytes

Identity

Group
group
Recipient
recipient
Sender
sender
User (Origin)
login
User (Impacted)
account