Appendix B - Lucene syntax
The FortiEDR Threat Hunting free-text query is based on Lucene syntax. This syntax consists of terms and operators, as described below. For more details about the use of this query, see Threat Hunting.
You can convert JSON and XML syntax queries into Lucene syntax using the built-in Convert Query button in the Free-text Query filter.
Terms
A free-text term is a single word (for example, NetworkService or CryptSvc) or a phrase surrounded by double quotes (for example, "NetworkService -p -s CryptSvc"). A phrase searches for all the words in the phrase, in the same order, regardless of the field in which the words appear.
A Field: Value term is a combination of a field and a value.
A list of available fields is provided in the query box as an auto-complete dropdown list.
Examples
Where the Source command line contains the value NetworkService:
Source.CommandLine: NetworkService
Where the value of the remote IP is 10.151.121.130:
RemoteIP: 10.151.121.130
Operators
Operators enable you to customize the search and to create more complex queries.
Operators are case insensitive.
Operators | Definition
---|---
OR, \|\| | The query should match either one of the terms/values.
AND, && | The query should match both of the terms/values.
NOT, ! | The query should not match the term/value.
_exists_ | The query should match when the field value is not null.
+ | The term following this operator must be present.
- | The term following this operator must not be present.
Examples
Where the Event includes either the RemoteIP field that contains 10.151.121.130 or the RemotePort field that contains 443:
RemoteIP: 10.151.121.130 OR RemotePort: 443
Where the ProductName field contains both Microsoft and Windows:
Source.File.ProductName: (microsoft AND windows)
Where the ProductName field contains Microsoft and does not include Windows:
Source.File.ProductName: (microsoft -windows)
Where the ProductName field contains the exact phrase "Microsoft Windows":
Source.File.ProductName: "microsoft windows"
Where the field Behavior has any non-null value:
_exists_: Behavior
Where the field PID does not include the value 5292:
Source.PID: (NOT 5292)
Where the Event does not include the value 5292 in any of the Event fields:
NOT 5292
Wildcards
Wildcard searches can be run on individual terms using ? (question mark) to replace a single character and * (asterisk) to replace zero or more characters:
Progr?m Fil*
Note that wildcard queries may consume large amounts of memory and perform poorly, especially when the wildcard is at the start of the term.
Ranges
Ranges can be specified for date, numeric or string fields. Inclusive ranges are specified with square brackets [min TO max] and exclusive ranges with curly brackets {min TO max}.
Numbers 1 to 5 (inclusive):
count:[1 TO 5]
Numbers from 10 upwards:
count:[10 TO *]
Dates before 2012:
date:{* TO 2012-01-01}
Ranges of IPs:
RemoteIP: [140.100.100.0 TO 140.100.100.255]
Reserved characters
Should you need to use any of the characters that function as operators as literal characters in the query itself (and not as operators), escape them with a leading backslash (\). For instance, to search for c:\Windows\, write the query as c\:\\Windows\\.
Reserved characters are +, -, =, &&, ||, >, <, !, ( ), { }, [ ], ^, ", ~, *, ?, :, \ and /.
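The escaping rule above matters most when a query is assembled from values that did not originate with the analyst, for example a command line or file path lifted from an alert and pasted into a hunt: a value starting with - would otherwise be read as the "must not be present" operator, and an unescaped : or ) would change the query's structure. The following Python helper is an added example, not FortiEDR's own code; it builds Field: Value terms, grouped terms, ranges and combined clauses in the forms shown in this appendix, escaping every reserved character in single-word values and quoting multi-word values as phrases. The field-name pattern, the assumption that operators lose their meaning inside a quoted phrase (as the "NetworkService -p -s CryptSvc" example suggests) and the choice to leave range bounds unescaped (the appendix writes dates and IPs as-is inside brackets) are the author's assumptions, not documented FortiEDR behaviour.

```python
"""Build FortiEDR Threat Hunting free-text (Lucene) queries from values that
may come from untrusted input, such as a command line or a file path.

Added example, not FortiEDR's own code. It applies the escaping rule from
this appendix (every reserved character gets a leading backslash) so that a
value such as "-p" or "c:\\Windows\\" is searched literally rather than being
parsed as an operator or reserved character.
"""
import re

# Reserved characters listed in the appendix. Escaping each '&' and '|'
# also neutralises the two-character operators '&&' and '||'.
RESERVED = set('+-=&|><!(){}[]^"~*?:\\/')

# Field names come from the auto-complete list, never from user input. This
# pattern is an assumption used to reject anything that is not a dotted name.
FIELD_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_.]*")


def escape_term(value: str) -> str:
    """Escape every reserved character in a single-word term."""
    return "".join("\\" + ch if ch in RESERVED else ch for ch in value)


def phrase(value: str) -> str:
    """Wrap a multi-word value in double quotes. Assumption: inside quotes the
    operators lose their meaning, so only the backslash and the quote
    character itself are escaped."""
    inner = value.replace("\\", "\\\\").replace('"', '\\"')
    return '"' + inner + '"'


def _check_field(field: str) -> str:
    if not FIELD_NAME.fullmatch(field):
        raise ValueError(f"invalid field name: {field!r}")
    return field


def _value(value: str) -> str:
    """Single words are escaped; anything containing whitespace becomes a phrase."""
    return phrase(value) if re.search(r"\s", value) else escape_term(value)


def field_term(field: str, value: str) -> str:
    """Field: Value term, e.g. Source.CommandLine: NetworkService."""
    return f"{_check_field(field)}: {_value(value)}"


def field_group(field: str, values, op: str = "AND") -> str:
    """Field: (v1 AND v2 ...) or Field: (v1 OR v2 ...)."""
    op = op.upper()
    if op not in ("AND", "OR"):
        raise ValueError("op must be AND or OR")
    joined = f" {op} ".join(_value(v) for v in values)
    return f"{_check_field(field)}: ({joined})"


def field_range(field: str, low: str, high: str, inclusive: bool = True) -> str:
    """[min TO max] or {min TO max}; '*' is the open-ended bound. Bounds are
    not backslash-escaped (assumption, matching the appendix examples), so a
    bound that could close the bracket early is rejected instead."""
    for bound in (low, high):
        if re.search(r"[\s\]\}]", bound):
            raise ValueError(f"invalid range bound: {bound!r}")
    open_br, close_br = ("[", "]") if inclusive else ("{", "}")
    return f"{_check_field(field)}: {open_br}{low} TO {high}{close_br}"


def combine(*clauses: str, op: str = "AND") -> str:
    """Join complete clauses with AND / OR."""
    op = op.upper()
    if op not in ("AND", "OR"):
        raise ValueError("op must be AND or OR")
    return f" {op} ".join(clauses)


def negate(clause: str) -> str:
    """Wrap a clause in NOT (...) so it cannot bind to a neighbouring term."""
    return f"NOT ({clause})"


if __name__ == "__main__":
    # A command-line fragment starting with '-' would otherwise be read as
    # the "must not be present" operator; here it is searched literally.
    print(field_term("Source.CommandLine", "-p"))
    print(field_term("Source.CommandLine", "NetworkService -p -s CryptSvc"))
    print(escape_term("c:\\Windows\\"))
    print(combine(field_term("RemoteIP", "10.151.121.130"),
                  field_term("RemotePort", "443"), op="OR"))
    print(field_range("RemoteIP", "140.100.100.0", "140.100.100.255"))
```

Running the block prints the escaped c\:\\Windows\\ form from this appendix alongside the RemoteIP/RemotePort and IP-range queries shown above; the point of routing every value through escape_term or phrase is that a pasted indicator can never add an operator, a field or a group to the hunt the analyst intended to run.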