Administration Guide

Appendix B - Lucene syntax

The FortiEDR Threat Hunting free-text query is based on Lucene syntax. This syntax consists of terms and operators, as described below. For more details about the use of this query, see Threat Hunting.

Terms

A free-text term is either a single word (for example NetworkService or CryptSvc) or a phrase surrounded by double quotes (for example, "NetworkService -p -s CryptSvc"). A phrase matches all of its words, in the same order, regardless of the field in which the words appear.

A Field: Value term is a combination of a field and a value.

The list of available fields is provided in the query box as an auto-complete dropdown list.

Examples

Where the Source command line contains the value NetworkService:

Source.CommandLine: NetworkService

Where the value of the remote IP is 10.151.121.130:

RemoteIP: 10.151.121.130

Operators

Operators enable you to customize the search and/or to create more complex queries.

Operators are case insensitive.

Operator    Definition

OR, ||      The query should match either one of the terms/values.
AND, &&     The query should match both of the terms/values.
NOT, !      The query should not match the term/value.
_exists_    The query should match when the field value is not null.
+           The term following this operator must be present.
-           The term following this operator must not be present.
Example

Where the Event includes either a RemoteIP field that contains 10.151.121.130 or a RemotePort field that contains 443

RemoteIP: 10.151.121.130 OR RemotePort: 443

Where the ProductName field contains both Microsoft and Windows

Source.File.ProductName: (microsoft AND windows)

Where the ProductName field contains Microsoft and does not include Windows

Source.File.ProductName: (microsoft -windows)

Where the ProductName field contains the exact phrase "Microsoft Windows"

Source.File.ProductName: "microsoft windows"

Where the field Behavior has any non-null value

_exists_: Behavior

Where the field PID does not include the value 5292

Source.PID: (NOT 5292)

Where the Event does not include the value 5292 in any of the Event fields

NOT 5292

Wildcards

Wildcard searches can be run on individual terms using a ? (question mark) to replace a single character, and an * (asterisk) to replace zero or more characters:

Progr?m Fil*

Note that wildcard queries may consume huge amounts of memory and perform poorly.

Ranges

Ranges can be specified for date, numeric or string fields. Inclusive ranges are specified with square brackets, [min TO max], and exclusive ranges with curly brackets, {min TO max}.

Numbers 1..5

count:[1 TO 5]

Numbers from 10 upwards

count:[10 TO *]

Dates before 2012

date:{* TO 2012-01-01}

Ranges of IPs

RemoteIP: [140.100.100.0 TO 140.100.100.255]

Reserved characters

Should you need to use any of the characters that function as operators in the query itself (and not as operators), then you should escape them with a leading backslash (\). For instance, to search for c:\Windows\, write the query as c\:\\Windows\\.

Reserved characters are +, -, =, &&, ||, >, <, !, ( ), { }, [ ], ^, ", ~, *, ?, :, \ and /.
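The following is an added example, not code from the FortiEDR guide, that applies the escaping, phrase, operator and range rules above to build a query from literal values. The helper names (escape_term, term, phrase, any_of, all_of, exclude, ip_range, example_query) are assumptions; ip_range goes beyond the page by deriving the inclusive [min TO max] bounds from a CIDR block with the standard ipaddress module.

```python
# Added example, not FortiEDR code: build Threat Hunting free-text queries
# from literal values according to the syntax rules in this appendix.
import ipaddress

# Reserved characters from the appendix. Escaping '&' and '|' one at a time
# also covers the two-character operators && and ||.
RESERVED = set('+-=&|><!(){}[]^"~*?:\\/')

def escape_term(value: str, keep: str = "") -> str:
    """Prefix each reserved character with a backslash, except those in keep."""
    return "".join("\\" + c if c in RESERVED and c not in keep else c for c in value)

def term(field: str, value: str, wildcards: bool = False) -> str:
    """Field: Value term; with wildcards=True, ? and * keep their meaning."""
    return f"{field}: {escape_term(value, '*?' if wildcards else '')}"

def phrase(field: str, words: str) -> str:
    """Field: "..." term matching the words in the given order."""
    inner = words.replace('"', '\\"')  # a literal quote inside the phrase
    return f'{field}: "{inner}"'

def any_of(*terms: str) -> str:
    """Match any of the terms (OR)."""
    return "(" + " OR ".join(terms) + ")"

def all_of(*terms: str) -> str:
    """Match all of the terms (AND)."""
    return "(" + " AND ".join(terms) + ")"

def exclude(query: str) -> str:
    """Negate a term or sub-query (NOT)."""
    return f"NOT {query}"

def ip_range(field: str, cidr: str) -> str:
    """Inclusive [min TO max] range covering a CIDR block (the page shows a /24)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return f"{field}: [{net[0]} TO {net[-1]}]"

def example_query() -> str:
    """Command lines mentioning c:\\Windows\\ (escaped as the page shows), remote
    IP inside 140.100.100.0/24, and any port except 443; page sample values."""
    return all_of(
        term("Source.CommandLine", "c:\\Windows\\"),
        ip_range("RemoteIP", "140.100.100.0/24"),
        exclude(term("RemotePort", "443")),
    )
```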
