This topic describes terms, phrases, and operators you can use when constructing a complex query.
A term is a single keyword (without whitespace) that is searched in the Carbon Black EDR process or binary data store, or in the alerts or threat reports on your server. For example, a keyword could be: svchost.exe.
Terms can be combined by logical operators and nested to form complex queries; for example:
- and, AND, or whitespace — Boolean AND operator: svchost.exe cmd.exe, svchost.exe and cmd.exe
- or, OR — Boolean OR operator: svchost.exe or cmd.exe
- - — Boolean NOT operator: -svchost.exe
- nesting using parentheses: (svchost.exe or cmd.exe) powershell.exe
- Wildcard searches with *; for example, process_name:win*.exe
Terms can be limited to a single field with <field>:<term> syntax; for example:
process_name:svchost.exe
Multiple terms are connected with AND if not otherwise specified.
Terms that are not preceded by fields are expanded to search all default fields.
Because terms are whitespace-delimited, use double quotes, or escape whitespaces with a single backslash, when required.
For example:
path:"microsoft office\office15\powerpnt.exe"
or
path:microsoft\ office\office15\powerpnt.exe
Terms can be combined to form phrases. A phrase is a set of terms that are separated by whitespace and enclosed in quotes. Whitespace between the terms of a quoted phrase is not treated as a logical AND operator. Instead, a phrase is searched as a single term.
For example: "svchost.exe cmd.exe"
Phrases can be combined and nested with other phrases and terms using logical operators.
For example: "svchost.exe cmd.exe" or powershell.exe
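The rules above (whitespace as implicit AND, explicit and/or, leading - for NOT, parentheses for nesting, field:term prefixes, quoted phrases, and backslash-escaped whitespace) are easy to get subtly wrong when building queries from untrusted input such as a list of observed file paths. The following tokenizer and parser is an added example written for this page; it is not Carbon Black code and it models only the syntax documented here (the AST shapes, function names and the assumption that a field name is an identifier followed by a colon are the author's own). The make_term helper shows the two documented ways of getting whitespace into a single term, and the parser confirms both forms yield the same query.

```python
"""Tokenizer, parser and term-escaping helper for the query syntax documented
above.  Added illustration, not Carbon Black EDR code: it models the stated
rules (whitespace = AND, and/or keywords, '-' negation, parentheses, field:term,
quoted phrases, backslash-escaped whitespace) and nothing beyond them."""
import re

# A token is '(' or ')' or one run of non-whitespace characters.  A quoted run
# and a backslash followed by whitespace stay inside the token, so a phrase or an
# escaped path does not split into several terms.  Order matters: the escape
# alternative must win before the plain-character alternative sees the backslash.
_TOKEN = re.compile(r'\(|\)|(?:\\\s|"[^"]*"|[^\s()"])+')

# Assumption: a field prefix is an identifier followed by ':' (process_name:, path:).
_FIELD = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*):(.+)$', re.S)


def tokenize(query):
    """Split a query into parentheses and whitespace-delimited terms."""
    return _TOKEN.findall(query)


def _term(tok):
    """Turn one token into ('TERM', field, value), wrapped in ('NOT', ...) if negated."""
    negated = tok.startswith('-') and len(tok) > 1
    if negated:
        tok = tok[1:]
    m = _FIELD.match(tok)
    field, value = (m.group(1), m.group(2)) if m else (None, tok)
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]                        # quoted phrase: one term
    else:
        value = re.sub(r'\\(\s)', r'\1', value)    # only '\<whitespace>' is an escape;
                                                   # other backslashes are literal path separators
    node = ('TERM', field, value)                  # wildcards such as win*.exe stay in value
    return ('NOT', node) if negated else node


class _Parser:
    """Recursive-descent parser: expr := and_expr (or and_expr)*; whitespace is AND."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def expr(self):
        left = self.and_expr()
        while self.peek() in ('or', 'OR'):
            self.take()
            left = ('OR', left, self.and_expr())
        return left

    def and_expr(self):
        left = self.unary()
        while True:
            nxt = self.peek()
            if nxt in ('and', 'AND'):
                self.take()                        # explicit AND is optional
            elif nxt is None or nxt in ('or', 'OR', ')'):
                return left
            left = ('AND', left, self.unary())     # adjacent terms are ANDed

    def unary(self):
        tok = self.take()
        if tok is None:
            raise ValueError('unexpected end of query')
        if tok == '(':
            node = self.expr()
            if self.take() != ')':
                raise ValueError('missing closing parenthesis')
            return node
        if tok == ')':
            raise ValueError('unexpected )')
        return _term(tok)


def parse(query):
    """Parse a query string into a nested tuple AST of TERM/NOT/AND/OR nodes."""
    p = _Parser(tokenize(query))
    node = p.expr()
    if p.peek() is not None:
        raise ValueError(f'unexpected token {p.peek()!r}')
    return node


def make_term(value, field=None, style='quote'):
    """Render a value as a single term, quoting ('quote') or backslash-escaping
    ('backslash') any whitespace so it is not read as an implicit AND."""
    if re.search(r'\s', value):
        value = f'"{value}"' if style == 'quote' else re.sub(r'(\s)', r'\\\1', value)
    return f'{field}:{value}' if field else value


if __name__ == '__main__':
    path = r'microsoft office\office15\powerpnt.exe'   # constructed sample path
    for q in ('svchost.exe cmd.exe', '(svchost.exe or cmd.exe) powershell.exe',
              '"svchost.exe cmd.exe" or powershell.exe',
              make_term(path, 'path'), make_term(path, 'path', style='backslash')):
        print(q, '->', parse(q))
```

Both spellings of the PowerPoint path parse to the same single path term, which is the property worth checking whenever a query is assembled programmatically: a path with an unescaped space silently turns into two ANDed terms and the search returns something other than what was intended.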