This topic describes how to search for substrings of large tokens.

When searching process command lines for an encoded PowerShell command, a search that includes any part of the value after the -enc parameter can fail unless it is handled specifically. Searches for any other part of the process_cmdline field work as expected.

Works:
    process_cmdline:powershell\ -noP\ -sta\ -w\ 1\ \-enc

Does not work:
    process_cmdline:powershell\ -noP\ -sta\ -w\ 1\ \-enc\ SQBGACgAJABQAFMAVgB*

In the previous example, the search fails because Platform Search truncates very large tokens in its index, on the assumption that they are not useful to search. The full tokens are still stored and are returned in search results; only the indexed form is shortened. A very large token is a single token longer than 256 characters. Typically the only large token in a command line is a very long base64 or hex string. To search for a very large token, use its leading characters followed by a wildcard.

Note: We recommend searching for the rest of the command line in one query term and combining it, with AND, with a term that matches command lines containing large tokens using the process_cmdline_length field:

Works:
    process_cmdline:powershell\ -noP\ -sta\ -w\ 1\ \-\enc\ AND process_cmdline_length:[100 TO *]

Does not work:
    process_cmdline:powershell\ -noP\ -sta\ -w\ 1\ \-\enc\ SQBGACgAJABQAFMAVgB*
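As an added example (not Carbon Black's or this page's code), the following Python builds a query in the recommended shape from an observed command line: it escapes the command-line prefix, leaves any token longer than 256 characters out of the process_cmdline term, and adds a process_cmdline_length lower bound instead. The escaping rules (a backslash before spaces, backslashes and token-leading hyphens), the derived default lower bound and the sample base64 value are assumptions.

```python
import re
from typing import Optional, Tuple

# Tokens longer than this are truncated in the Platform Search index (per the page).
LARGE_TOKEN = 256


def escape_term(text: str) -> str:
    """Escape a raw command-line fragment for a process_cmdline: query term.

    Assumed Lucene-style escaping: backslashes and spaces get a leading backslash,
    and a hyphen at the start of a token is escaped as \\- (as in \\-enc above)
    so it is not read as a NOT operator.
    """
    out = text.replace("\\", "\\\\").replace(" ", "\\ ")
    return re.sub(r"(^|\\ )-", r"\1\\-", out)


def split_at_large_token(cmdline: str) -> Tuple[str, bool]:
    """Return the prefix before the first large token and whether one exists."""
    kept = []
    for tok in cmdline.split(" "):
        if len(tok) > LARGE_TOKEN:
            return " ".join(kept), True
        kept.append(tok)
    return " ".join(kept), False


def build_query(cmdline: str, min_length: Optional[int] = None) -> str:
    """Build a query that never puts a large token inside the process_cmdline term.

    If a large token is present it is dropped from the term and the query is ANDed
    with a process_cmdline_length range instead, as the note above recommends.
    The default lower bound is an assumption: the prefix, one separator and at
    least LARGE_TOKEN + 1 characters of the large token must all fit.
    """
    prefix, has_large = split_at_large_token(cmdline)
    query = "process_cmdline:" + escape_term(prefix)
    if has_large:
        if min_length is None:
            min_length = len(prefix) + 1 + LARGE_TOKEN + 1
        query += f" AND process_cmdline_length:[{min_length} TO *]"
    return query


if __name__ == "__main__":
    # Constructed sample: the page's command line with a made-up base64 payload.
    sample = "powershell -noP -sta -w 1 -enc " + "SQBGACgAJABQAFMAVgB" + "A" * 300
    print(build_query(sample))
```

Pass min_length explicitly (for example 100, as in the query above) when you want a looser bound than the derived default.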