This topic describes terms, phrases, and operators you can use when constructing a complex query.
A term is a single keyword (without whitespace) that is searched in the Carbon Black EDR process or binary data store, or in the alerts or threat reports on your server. For example, a keyword could be svchost.exe.
Terms can be combined by logical operators and nested to form complex queries; for example:
- and, AND, or whitespace — Boolean AND operator: svchost.exe cmd.exe, svchost.exe and cmd.exe
- or, OR — Boolean OR operator: svchost.exe or cmd.exe
- - — Boolean NOT operator
- nesting using parentheses: (svchost.exe or cmd.exe) powershell.exe
- Wildcard searches with *; for example, process_name:win*.exe
Terms can be limited to a single field with <field>:<term> syntax, as in the process_name:win*.exe example above. Multiple terms are connected with AND if not otherwise specified.
Terms that are not preceded by fields are expanded to search all default fields.
Because terms are whitespace-delimited, enclose a term that contains whitespace in double quotes, or escape each whitespace character with a single backslash.
Terms can be combined to form phrases. A phrase is a set of terms that are separated by whitespace and enclosed in quotes. Whitespace between the terms of a quoted phrase is not treated as a logical AND operator. Instead, a phrase is searched as a single term.
For example: "svchost.exe cmd.exe"
Phrases can be combined and nested with other phrases and terms using logical operators.
For example: "svchost.exe cmd.exe" or powershell.exe
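The following is an added example, not Carbon Black documentation or product code: a small Python evaluator for the syntax described above (whitespace as AND, or/OR, a leading - as NOT, parentheses, * wildcards, <field>:<term>, quoted phrases, and backslash-escaped whitespace) run over a handful of constructed process records. The record fields, the DEFAULT_FIELDS set, and the case-insensitive substring matching are assumptions made to keep the example self-contained; the real server's tokenizer and field list differ.

```python
import re

# Constructed sample process records (not real telemetry) standing in for the
# EDR process data store a query would run against.
PROCESSES = [
    {"process_name": "svchost.exe", "parent_name": "services.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"process_name": "cmd.exe", "parent_name": "explorer.exe", "cmdline": "cmd.exe /c whoami"},
    {"process_name": "powershell.exe", "parent_name": "winword.exe", "cmdline": "powershell.exe -nop -w hidden"},
    {"process_name": "winword.exe", "parent_name": "explorer.exe", "cmdline": "winword.exe report.docx"},
]
# Fields searched when a term carries no <field>: prefix (an assumed default set).
DEFAULT_FIELDS = ("process_name", "parent_name", "cmdline")

# One token per match: whitespace, a parenthesis, a negating '-', or a term that
# may carry a <field>: prefix and is either a quoted phrase or a bare word in
# which a backslash escapes the next character (so "\ " keeps a space).
TOKEN_RE = re.compile(r'''\s+
    | (?P<paren>[()])
    | (?P<neg>-(?=\S))
    | (?P<field>[A-Za-z_]+:)?(?:"(?P<phrase>[^"]*)"|(?P<bare>(?:\\.|[^\s()"\\])+))
''', re.VERBOSE)


def tokenize(query):
    """Split a query into TERM tuples, the keywords AND/OR/NOT and parentheses."""
    tokens, i = [], 0
    while i < len(query):
        m = TOKEN_RE.match(query, i)
        if not m:
            raise ValueError("cannot tokenize query at offset %d" % i)
        i = m.end()
        field = m.group("field")[:-1] if m.group("field") else None
        if m.group("paren"):
            tokens.append(m.group("paren"))
        elif m.group("neg"):
            tokens.append("NOT")
        elif m.group("phrase") is not None:  # a phrase is one term, spaces kept
            tokens.append(("TERM", field, m.group("phrase")))
        elif m.group("bare"):
            value = re.sub(r"\\(.)", r"\1", m.group("bare"))  # drop escaping backslashes
            if field is None and value.lower() in ("and", "or"):
                tokens.append(value.upper())
            else:
                tokens.append(("TERM", field, value))
    return tokens


class Parser:
    """Recursive descent: OR binds loosest, adjacency/AND tighter, '-' tightest."""
    def __init__(self, tokens):
        self.toks, self.pos = tokens, 0
    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None
    def take(self):
        self.pos += 1
        return self.toks[self.pos - 1] if self.pos <= len(self.toks) else None
    def parse(self):
        node = self.or_expr()
        if self.peek() is not None:
            raise ValueError("unexpected %r" % (self.peek(),))
        return node
    def or_expr(self):
        left = self.and_expr()
        while self.peek() == "OR":
            self.take()
            left = ("or", left, self.and_expr())
        return left
    def and_expr(self):
        left = self.unary()
        while self.peek() not in (None, "OR", ")"):  # adjacent terms are ANDed
            if self.peek() == "AND":
                self.take()
            left = ("and", left, self.unary())
        return left
    def unary(self):
        t = self.take()
        if t == "NOT":
            return ("not", self.unary())
        if t == "(":
            node = self.or_expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        if isinstance(t, tuple):
            return t
        raise ValueError("unexpected %r" % (t,))


def term_matches(field, value, record):
    # '*' is the only wildcard; the rest is literal, matched case-insensitively
    # anywhere in the field value, so a quoted phrase is searched as one unit.
    pattern = ".*".join(re.escape(part) for part in value.split("*"))
    fields = (field,) if field else DEFAULT_FIELDS
    return any(re.search(pattern, record.get(f, ""), re.IGNORECASE) for f in fields)


def evaluate(node, record):
    if node[0] == "not":
        return not evaluate(node[1], record)
    if node[0] == "and":
        return evaluate(node[1], record) and evaluate(node[2], record)
    if node[0] == "or":
        return evaluate(node[1], record) or evaluate(node[2], record)
    return term_matches(node[1], node[2], record)


def search(query, records=PROCESSES):
    """Return the process_name of every record the query matches, in store order."""
    tree = Parser(tokenize(query)).parse()
    return [r["process_name"] for r in records if evaluate(tree, r)]
```

Running search("cmd.exe whoami") returns the cmd.exe record because both terms occur in its fields, whereas the phrase "whoami cmd.exe" returns nothing: a phrase is matched as one unit, so order and spacing inside the quotes matter. Likewise win*.exe alone also returns the powershell.exe record through its parent_name field, while process_name:win*.exe returns only winword.exe, and winword.exe -process_name:winword.exe isolates the child process. Note that an unquoted term such as c:\windows is read as field c with term windows by this tokenizer, which is why quoting or escaping matters.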