Cheatography

[LR] Web Console Display Name - Lucene Syntax Cheat Sheet (DRAFT) by

This is a draft cheat sheet. It is a work in progress and is not finished yet.

Examples

To escape a special character that is part of the query syntax, use a backslash before the character. Characters that require this treatment are: + - && || ! ( ) { } [ ] ^ " ~ * ? : \
Operators: OR (also written ||), AND (also written &&), NOT (also written !)
If you wanted to run a query for all impacted users whose account ends with Smith, you would use a regular expression query: login:/.*Smith/
If you wanted to run a query for impacted users whose names are similar to Jon, such as Ron or John, you would use a fuzzy query: login:Jon~
If you wanted to run a query for all activity that falls under the Malware or Attack classifications, you would use: classificationName:("Malware" "Attack")
If you wanted to run a query for the host from which a log activity originated, INCLUSIVE of the first and last IP address, you would use square brackets: originHost:[106.194.190.210 TO 106.194.190.250]
If you wanted to run a query for the host from which a log activity originated, EXCLUSIVE of the first and last IP address, you would use curly braces: originHost:{106.194.190.210 TO 106.194.190.250}
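As an added example that is not part of the cheat sheet or of LogRhythm's own tooling, the Python helper below escapes a value using the special-character list above and assembles the query shapes shown in the examples (single term, quoted alternatives, inclusive and exclusive ranges); the function names and the sample values are my own.

```python
"""Build Web Console Lucene queries with values escaped per the cheat sheet's
special-character list, so a value such as 'C:\\Windows' is matched literally
instead of being parsed as query syntax."""

# Single characters the cheat sheet says must be backslash-escaped.
LUCENE_SPECIAL = set('+-!(){}[]^"~*?:\\')


def escape_term(value: str) -> str:
    """Return value with every Lucene syntax character backslash-escaped."""
    out = []
    i = 0
    while i < len(value):
        pair = value[i:i + 2]
        # && and || are two-character operators: escape both characters.
        if pair in ("&&", "||"):
            out.append("\\" + pair[0] + "\\" + pair[1])
            i += 2
            continue
        ch = value[i]
        out.append("\\" + ch if ch in LUCENE_SPECIAL else ch)
        i += 1
    return "".join(out)


def term_query(field: str, value: str) -> str:
    """field:value with the value escaped (e.g. login:jsmith)."""
    return f"{field}:{escape_term(value)}"


def any_of_query(field: str, values) -> str:
    """field:("a" "b"): matches any of the quoted values, as in the
    classificationName example above."""
    quoted = " ".join(f'"{escape_term(v)}"' for v in values)
    return f"{field}:({quoted})"


def range_query(field: str, low: str, high: str, inclusive: bool = True) -> str:
    """[low TO high] includes both ends; {low TO high} excludes them."""
    open_br, close_br = ("[", "]") if inclusive else ("{", "}")
    return f"{field}:{open_br}{low} TO {high}{close_br}"


if __name__ == "__main__":
    # Constructed sample values; an unescaped ':' or '\' would break the query.
    print(term_query("logMessage", "C:\\Windows\\System32"))
    print(any_of_query("classificationName", ["Malware", "Attack"]))
    print(range_query("originHost", "106.194.190.210", "106.194.190.250"))
    print(range_query("originHost", "106.194.190.210", "106.194.190.250", False))
```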

Network

Domain (Impacted)
domainImpacted
Domain (Origin)
domainOrigin
NAT TCP/UDP Port (Impacted)
impactedNatPort
NAT TCP/UDP Port (Origin)
originNatPort
Network (Impacted)
impactedNetwork
Network (Origin)
originNetwork
Protocol
protocolName
Session
session
Session Type
sessionType
TCP/UDP Port (Origin)
originPort
TCP/UDP Port (Impacted)
impactedPort
URL
url
User Agent
userAgent

Classification

Classification
classificationName
Common Event
commonEventName
CVE
cve
Direction
directionName
MPE Rule Name
mpeRuleName
Policy
policy
Reason
reason
Response Code
responseCode
Result
result
Severity
severity
Status
status
Threat Name
threatName
Vendor Info
vendorInfo
Vendor Message ID
vendorMessageId

Applications

Action
action
Amount
amount
Command
command
Duration
duration
Hash
hash
Known Application
serviceName
Object
object
Object Name
objectName
Object Type
objectType
Parent Process ID
parentProcessId
Parent Process Path
parentProcessPath
Process Name
process
Process ID
processId
Quantity
quantity
Rate
rate
Size
size
Subject
subject
Thread ID
threadId
Version
version

Host

Host (Impacted)
impactedHost
Host (Origin)
originHost
Hostname (Impacted)
impactedName
Hostname (Origin)
originName
Interface (Impacted)
impactedInterface
Interface (Origin)
originInterface
IP Address (Impacted)
impactedIp
IP Address (Origin)
originIp
Known Host (Impacted)
impactedHostName
Known Host (Origin)
originHostName
Mac Address (Impacted)
impactedMac
Mac Address (Origin)
originMac
NAT IP Address (Impacted)
impactedNatIp
NAT IP Address (Origin)
originNatIp
Serial Number
serialNumber

Log

First Log Date
normalMsgDate
Last Log Date
normalDateMax
Log Count
count
Log Date
normalDate
Log Message
logMessage
Log Source
logSourceName
Log Source Entity
entityName
Log Source Host
logSourceHostName
Log Source Type
logSourceTypeName
Log Sequence Number
sequenceNumber

Location

Country (Impacted)
impactedCountry
Country (Origin)
originCountry
Entity (Impacted)
impactedEntityName
Entity (Origin)
originEntityName
Location (Impacted)
impactedLocation
Location (Origin)
originLocation
Region (Impacted)
impactedRegion
Region (Origin)
originRegion
Zone (Impacted)
impactedZoneName
Zone (Origin)
originZoneName

Traffic

Host (Impacted) KBytes Rcvd
kBytesIn
Host (Impacted) KBytes Sent
kBytesOut
Host (Impacted) KBytes Total
impactedHostTotalKBytes
Host (Impacted) Packets Rcvd
itemsPacketsIn
Host (Impacted) Packets Sent
itemsPacketsOut
Host (Impacted) Packets Total
impactedHostTotalPackets
KBytes Inbound
kBytes
KBytes Outbound
outboundKBytes

Identity

Group
group
Recipient
recipient
Sender
sender
User (Origin)
login
User (Impacted)
account
