Show Menu
Cheatography
  1. Home >
  2. Cheat Sheets >

[LR] Web Console Display Name - Lucene Syntax Cheat Sheet (DRAFT) by

This is a draft cheat sheet. It is a work in progress and is not finished yet.

Examples

To escape a special character that is part of the query syntax, use a backslash before the character. Characters that require this treatment are: + - && || ! ( ) { } [ ] ^ " ~ * ? : \
Operators: || OR AND && NOT !
If you wanted to run a query for all impacted users whose account ends with Smith, you would use: login:­/.*­Smith/
If you wanted to run a query for impacted users whose names are similar to Jon, such as Ron or John, you would use: login:Jon~
If you wanted to run a query for all activity that falls under the Malware or Attack classi­fic­ations, you would use: classi­fic­ati­onN­ame­:("M­alw­are­" "­Att­ack­")
If you wanted to run a query for the host from which a log activity origin­ated, INCLUSIVE of the first and last IP address, you would use: origin­Host: [106.1­94.1­90.210 TO 106.19­4.1­90.250]
If you wanted to run a query for the host from which a log activity origin­ated, EXCLUSIVE of the first and last IP address, you would use: origin­Host: {106.1­94.1­90.210 TO 106.19­4.1­90.250}

Network

Domain (Impacted)
 
domain­Imp­acted
Domain (Origin)
 
domain­Origin
NAT TCP/UDP Port (Impacted)
 
impact­edN­atPort
NAT TCP/UDP Port (Origin)
 
origin­NatPort
Network (Impacted)
 
impact­edN­etwork
Network (Origin)
 
origin­Network
Protocol
 
protoc­olName
Session
 
session
Session Type
 
sessio­nType
TCP/UDP Port (Origin)
 
originPort
TCP/UDP Port (Impacted)
 
impact­edPort
URL
 
url
User Agent
 
userAgent

Classi­fic­ation

Classi­fic­ation
 
classi­fic­ati­onName
Common Event
 
common­Eve­ntName
CVE
 
cve
Direction
 
direct­ionName
MPE Rule Name
 
mpeRul­eName
Policy
 
policy
Reason
 
reason
Response Code
 
espons­eCode
Result
 
result
Severity
 
severity
Status
 
status
Threat Name
 
threatName
Vendor Info
 
vendorInfo
Vendor Message ID
 
vendor­Mes­sageId

Applic­ations

Action
 
action
Amount
 
amount
Command
 
command
Duration
 
duration
Hash
 
hash
Known Applia­ction
 
servic­eName
Object
 
object
Object Name
 
objectName
Object Type
 
objectType
Parent Process ID
 
parent­Pro­cessId
Parent Process Path
 
parent­Pro­ces­sPath
Process Name
 
process
Process ID
 
processId
Quantity
 
quantity
Rate
 
rate
Size
 
size
Subject
 
subject
Thread ID
 
threatid
Version
 
version
 

Host

Host (Impacted)
 
impact­edHost
Host (Origin)
 
originHost
Hostname (Impacted)
 
impact­edName
Hostname (Origin)
 
originName
Interface (Impacted)
 
impact­edI­nte­rface
Interface (Origin)
 
origin­Int­erface
IP Address (Impacted)
 
impactedIp
IP Address (Origin)
 
originIp
Known Host (Impacted)
 
impact­edH­ostName
Known Host (Origin)
 
origin­Hos­tName
Mac Address (Impacted)
 
impact­edMac
Mac Address (Origin)
 
originMac
NAT IP Address (Impacted)
 
impact­edNatIp
NAT IP Address (Origin)
 
origin­NatIp
Serial Number
 
serial­Number

Log

First Log Date
 
normal­MsgDate
Last Log Date
 
normal­DateMax
Log Count
 
count
Log Date
 
normalDate
Log Message
 
logMessage
Log Source
 
logSou­rceName
Log Source Entity
 
entityName
Log Source Host
 
logSou­rce­Hos­tName
Log Source Type
 
logSou­rce­Typ­eName
Log Sequence Number
 
sequen­ceN­umber

Location

Country (Impacted)
 
impact­edC­ountry
Country (Origin)
 
origin­Country
Entity (Impacted)
 
impact­edE­nti­tyName
Entity (Origin)
 
origin­Ent­ityName
Location (Impacted)
 
impact­edL­ocation
Location (Origin)
 
origin­Loc­ation
Region (Impacted)
 
impact­edR­egion
Region (Origin)
 
origin­Region
Zone (Impacted)
 
impact­edZ­oneName
Zone (Origin)
 
origin­Zon­eName

Traffic

Host (Impacted) KBytes Rcvd
 
kBytesIn
Host (Impacted) KBytes Sent
 
kBytesOut
Host (Impacted) KBytes Total
 
impact­edH­ost­Tot­alK­Bytes
Host (Impacted) Packets Rcvd
 
itemsP­ack­etsIn
Host (Impacted) Packets Sent
 
itemsP­ack­etsOut
Host (Impacted) Packets Total
 
impact­edH­ost­Tot­alP­ackets
KBytes Inbound
 
kBytes
KBytes Outbound
 
outbou­ndK­Bytes

Identity

Group
 
group
Recipient
 
recipient
Sender
 
sender
User (Origin)
 
login
User (Impacted)
 
account