This section describes search functionality that applies to all Carbon Black Cloud modules.
- Lucene by default assumes an
OR
if no operator is specified. - Platform Search by default assumes an
AND
if no operator is specified.
Default Boolean Operator
In Platform Search, if you do not include an operator, the default operator is AND
.
If you omit an AND
, NOT
, or OR
operator between search clauses, the query results will use an AND
operator by default.
For example, the following queries are equivalent and provide the same result:
process_name:powershell.exe crossproc_name:ccmexec.exe
process_name:powershell.exe AND crossproc_name:ccmexec.exe
process_name
and
crossproc_name
are not valid field names.
Negation
You can exclude a search query term by using one of three operators:
AND NOT
NOT
-
(leading dash or minus sign character)
For example, the following queries are equivalent and provide the same result:
process_name:chrome.exe AND NOT netconn_domain:google.com
process_name:chrome.exe NOT netconn_domain:google.com
process_name:chrome.exe -netconn_domain:google.com
Special Characters
The following characters, as defined by Lucene, have special meaning when they appear in a search query:
+ |
() |
" |
- |
{} |
~ |
&& |
[] |
* |
|| |
^ |
? |
: |
\ |
! |
Anytime you use these characters in a raw Lucene search, they must be escaped (that is, preceded with a backslash \
character).
For example:
Works | regmod_name:\{4a15d1fe\-35eb\-ed8c\-5d7b\-0aaefad84326\} |
Does not Work | regmod_name:{4a15d1fe-35eb-ed8c-5d7b-0aaefad84326} |
Carbon Black Cloud Inventory Search defines special characters as follows:
+ |
() |
" |
- |
{} |
~ |
&& |
[] |
* |
|| |
^ |
? |
: |
\ |
! |
/ |
Double quotation marks are not supported.
Wildcards
You can leverage wildcards when searching for filenames that have specific file extensions. For many fields, searching for the file extension works efficiently without wildcards.
For example:
process_name:.exe
finds all processes with names that have an .exe extension.process_cmdline:.txt
finds all processes that have command lines with a .txt extension.
- Avoid using a leading wildcard such as
process_name:*.exe
orregmod_name:*Windows*
. This is computationally expensive, can impact the performance of this and other searches for your organization, and is redundant. - Wildcards do not work if you quote the value. After you surround a string in quotes, wildcards between the quotation marks are ignored. If you do not include the quotes and escape properly, you can use wildcards in value search.
Works process_name:c\:\\windows\\temp\\inv*_tmp\\*
Does not Work process_name:"c:\\windows\\temp\\inv*_tmp\\*\\invcol.exe"
- Leading wildcards are implied.
Works process_name:Microsoft\ Office\\*
Does not Work process_name:**\Microsoft Office\**
Does not Work process_name:"Microsoft Office"
Fuzzy Search
Fuzzy search is a way of searching for terms that are spelled similar to, but not the same, as the terms in the index. The trailing ~
(tilde) character invokes the fuzzy search capability.
For example, searching for process_name:svch0st.exe~
returns the same results as if you searched on process_name:svchost.exe
.
- Fuzzy search can be applied to all string fields (see Search Fields).
- Fuzzy search does not work for numeric fields, date fields, or IP address fields.
- Fuzzy search only works on terms, not on phrases. For example, if you perform a fuzzy search for a single term in
process_cmdline
, as long as that term does not contain a delimiter that is used to split apart command line tokens, the fuzzy search will work.
To specify a distance parameter, append an integer between 0 and 2. For example:
process_name:svch0st.exe~2
works the same way as process_name:svch0st.exe~
The netconn_domain
search field is a special case. Fuzzy search only works on the FQDN, not on substrings or variants of the FQDN.
For example:
If the indexed netconn domain is... | Works | Does not Work |
---|---|---|
google.com | netconn_domain:g00gle.com~ |
netconn_domain:g00gle~ |
www.google.com | netconn_domain:www.g00gle.com~ |
netconn_domain:g00gle.com~ netconn_domain:google.com~ |
For details on how the distance parameter works, see https://www.elastic.co/blog/found-fuzzy-search.
Escaping
You must escape for any regex (regular expressions), and then escape for Lucene. For example:
-
On the Investigate page, you can search for files with double extensions such as document.doc.exe that has this regular expression query.
In the following example, note that the double backslash is used to enable you to search for the
\
character.process_name:/[^\\/]+\\.[^\\/]{2,3}\\.[^\\/]{2,3}/
- On the Enterprise EDR Watchlist page, you must ensure that every query term is escaped properly, especially for spaces, so that all terms appear at
Key:Value
pairs, and there are no unpaired terms in the query.For example:
Does not Work as a Watchlist IOC childproc_name:schtasks.exe -childproc_cmdline:C\:\\WINDOWS\\System32\\schtasks.exe Vquery Vtn (724_*)
The strings
Vquery
,Vtn
, and(724_*)
are treated as unpaired terms due to the unescaped spaces after schtasks.exe.Works as a Watchlist IOC childproc_name:schtasks.exe -childproc_cmdline:C\:\\WINDOWS\\System32\\schtasks.exe\ Vquery\ Vtn\ (724_*)
Parentheses
Placement of parentheses in a multi-term query can have a significant effect on what is matched.
For example:
(netconn_inbound:false AND netconn_ipv4:0.0.0.0)
Returns all processes that have outbound traffic to 0.0.0.0.
((netconn_inbound:false) AND netconn_ipv4:0.0.0.0)
Returns all processes that have made an outbound connection but have also had inbound or outbound traffic with 0.0.0.0.