This is a draft cheat sheet. It is a work in progress and is not finished yet.
Examples
Escaping: to search for a character that is part of the query syntax, put a backslash before it. Characters that require this treatment are: + - && || ! ( ) { } [ ] ^ " ~ * ? : \
Operators: || or OR, && or AND, ! or NOT. A value that contains whitespace must be quoted ("...") or the parser treats each word, and any bare OR/AND/NOT among them, as syntax rather than as part of the value.
All impacted users whose account ends with Smith (regular expression, delimited by slashes): login:/.*Smith/
Impacted users whose names are similar to Jon, such as Ron or John (fuzzy match): login:Jon~
All activity that falls under the Malware or Attack classification (terms inside a group are ORed by default): classificationName:("Malware" "Attack")
Log activity originating from a host in a range, INCLUSIVE of the first and last IP address: originHost:[106.194.190.210 TO 106.194.190.250]
The same range, EXCLUSIVE of the first and last IP address: originHost:{106.194.190.210 TO 106.194.190.250}
Range queries compare values the way the field is indexed: on a plain text field the comparison is lexicographic (192.168.1.9 sorts after 192.168.1.10), so confirm the field is typed as an IP address or number before relying on a range for anything that matters.
Network
Display name | Query field name
Domain (Impacted) |
Domain (Origin) |
NAT TCP/UDP Port (Impacted) |
NAT TCP/UDP Port (Origin) |
Network (Impacted) |
Network (Origin) |
Protocol |
Session |
Session Type |
TCP/UDP Port (Origin) |
TCP/UDP Port (Impacted) |
URL |
User Agent |
Classification
Display name | Query field name
Classification |
Common Event |
CVE |
Direction |
MPE Rule Name |
Policy |
Reason |
Response Code |
Result |
Severity |
Status |
Threat Name |
Vendor Info |
Vendor Message ID |
Applications
Display name | Query field name
Action |
Amount |
Command |
Duration |
Hash |
Known Application |
Object |
Object Name |
Object Type |
Parent Process ID |
Parent Process Path |
Process Name |
Process ID |
Quantity |
Rate |
Size |
Subject |
Thread ID |
Version |
Host
Display name | Query field name
Host (Impacted) |
Host (Origin) |
Hostname (Impacted) |
Hostname (Origin) |
Interface (Impacted) |
Interface (Origin) |
IP Address (Impacted) |
IP Address (Origin) |
Known Host (Impacted) |
Known Host (Origin) |
MAC Address (Impacted) |
MAC Address (Origin) |
NAT IP Address (Impacted) |
NAT IP Address (Origin) |
Serial Number |
Log
Display name | Query field name
First Log Date |
Last Log Date |
Log Count |
Log Date |
Log Message |
Log Source |
Log Source Entity |
Log Source Host |
Log Source Type |
Log Sequence Number |
Location
Display name | Query field name
Country (Impacted) |
Country (Origin) |
Entity (Impacted) |
Entity (Origin) |
Location (Impacted) |
Location (Origin) |
Region (Impacted) |
Region (Origin) |
Zone (Impacted) |
Zone (Origin) |
Traffic
Display name | Query field name
Host (Impacted) KBytes Rcvd |
Host (Impacted) KBytes Sent |
Host (Impacted) KBytes Total | impactedHostTotalKBytes
Host (Impacted) Packets Rcvd |
Host (Impacted) Packets Sent |
Host (Impacted) Packets Total | impactedHostTotalPackets
KBytes Inbound |
KBytes Outbound |
Identity
Display name | Query field name
Group |
Recipient |
Sender |
User (Origin) |
User (Impacted) |