This topic describes how the query parser treats special characters in terms (whitespace, parentheses, the negative sign, double quotes, and leading wildcards) and the escaping you need when constructing a complex query.

Whitespace

Whitespace is the default delimiter. A query with whitespace is “tokenized” and parsed as multiple terms.

For example:

This input: microsoft office\office15\powerpnt.exe

is interpreted as two terms: microsoft AND office\office15\powerpnt.exe

Use quotation marks to avoid automatic parsing into individual terms.

For example:

This input: "microsoft office\office15\powerpnt.exe"

is interpreted as: microsoft office\office15\powerpnt.exe

Alternatively, you can escape whitespaces by using the backslash (\).

For example:

This input: microsoft\ office\office15\powerpnt.exe

is interpreted as: microsoft office\office15\powerpnt.exe

See Field Type: path for more information about how whitespaces and slashes affect path tokenization.

Parentheses

Parentheses are used as a delimiter for nested queries. A query with parentheses is parsed as a nested query, and if the parentheses are not balanced, a syntax error is returned.

For example:

This input: c:\program files (x86)\windows

is interpreted as: c:\program AND files AND (x86) AND \windows, with x86 parsed as a nested group rather than as part of the path

Use quotation marks around the whole phrase to avoid automatic nesting. Otherwise, escape the parentheses (and whitespaces) using the backslash (\).

For example:

This input: c:\program\ files\ \(x86\)\windows

is interpreted as: c:\program files (x86)\windows

Negative Sign

The negative sign is used as the logical NOT operator. A term that begins with a negative sign is negated in the submitted query.

For example:

This input: -system.exe

is interpreted as: not system.exe

This input: -alliance_score_srstrust:*

is interpreted as: return all results that have no alliance_score_srstrust value, that is, results that are not trusted by the alliance feed.

You can use a phrase query to avoid automatic negation. For example, "-system.exe" (in double quotes) matches the literal string -system.exe instead of negating the term.

Double Quotes

Double quotes are used as a delimiter for phrase queries. A double quote that should be taken literally inside a phrase must be escaped using a backslash (\).

For example, the following query input:

cmdline:"\"c:\program files \(x86\)\google\update\googleupdate.exe\" /svc"

is interpreted to match the following command line (with the command line including the quotes as shown):

"c:\program files (x86)\google\update\googleupdate.exe" /svc
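The following is an added example, not Carbon Black's own code or parser: a small Python model of the tokenization rules described in the Whitespace, Parentheses, Negative Sign and Double Quotes sections above, plus an escaper (escape_term / quote_phrase, names chosen here) for turning a literal value such as a Windows path into a single safe term. It follows the page's rules only; how the real parser handles cases the page does not cover (for example a doubled backslash, or an escaped leading minus) is an assumption, and the example quotes values that begin with a minus rather than escaping them, which is the approach the page recommends.

```python
from dataclasses import dataclass

# Characters a backslash can escape inside an unquoted term, per the page.
ESCAPABLE_IN_TERM = ' \t()"'
# Characters a backslash can escape inside a double-quoted phrase, per the page.
ESCAPABLE_IN_PHRASE = '"()'


@dataclass
class Token:
    kind: str              # 'term', 'open' or 'close'
    value: str = ''        # literal term text with escapes and quotes removed
    negated: bool = False  # unquoted term that began with '-'


def tokenize(query: str) -> list[Token]:
    """Split a query into terms the way the page says the parser does.

    Whitespace separates terms, parentheses open and close nested groups,
    a leading '-' negates a term, and a double-quoted phrase is kept whole.
    Backslashes that do not precede an escapable character are literal, so
    Windows paths such as office\\office15 survive unescaped (as on the page).
    """
    tokens: list[Token] = []
    buf: list[str] = []
    negated = False
    depth = 0
    i, n = 0, len(query)

    def flush() -> None:
        nonlocal negated
        if buf:
            tokens.append(Token('term', ''.join(buf), negated))
            buf.clear()
        negated = False

    while i < n:
        ch = query[i]
        nxt = query[i + 1] if i + 1 < n else ''
        if ch == '\\' and nxt and nxt in ESCAPABLE_IN_TERM:
            buf.append(nxt)              # escaped character is taken literally
            i += 2
        elif ch == '"':
            i += 1                       # phrase: read up to the closing quote
            while i < n and query[i] != '"':
                nxt = query[i + 1] if i + 1 < n else ''
                if query[i] == '\\' and nxt and nxt in ESCAPABLE_IN_PHRASE:
                    buf.append(nxt)      # \" \( \) inside a phrase are literal
                    i += 2
                else:
                    buf.append(query[i])
                    i += 1
            if i >= n:
                raise ValueError('unterminated phrase')
            i += 1                       # skip the closing quote
        elif ch in ' \t':
            flush()
            i += 1
        elif ch in '()':
            flush()
            depth += 1 if ch == '(' else -1
            if depth < 0:
                raise ValueError('unbalanced parentheses')
            tokens.append(Token('open' if ch == '(' else 'close'))
            i += 1
        elif ch == '-' and not buf:
            negated = True               # leading '-' negates the term
            i += 1
        else:
            buf.append(ch)
            i += 1
    flush()
    if depth != 0:
        raise ValueError('unbalanced parentheses')
    return tokens


def is_well_formed(query: str) -> bool:
    """True if the query tokenizes without a syntax error."""
    try:
        tokenize(query)
        return True
    except ValueError:
        return False


def quote_phrase(value: str) -> str:
    """Wrap value in double quotes, escaping quotes and parentheses inside."""
    body = ''.join('\\' + c if c in ESCAPABLE_IN_PHRASE else c for c in value)
    return '"' + body + '"'


def escape_term(value: str) -> str:
    """Return value as a single query term that round-trips through tokenize().

    A value starting with '-' is quoted so it is not read as NOT; anything
    else gets backslash escapes for whitespace, parentheses and double quotes.
    Path backslashes are left alone, as in the page's examples.
    """
    if value.startswith('-'):
        return quote_phrase(value)
    return ''.join('\\' + c if c in ESCAPABLE_IN_TERM else c for c in value)


if __name__ == '__main__':
    # The page's own examples, run through the model (constructed demo input).
    for q in [r'microsoft office\office15\powerpnt.exe',
              r'c:\program files (x86)\windows',
              r'c:\program\ files\ \(x86\)\windows',
              '-system.exe']:
        print(q, '->', tokenize(q))
    print(escape_term(r'c:\program files (x86)\windows'))
```

escape_term produces exactly the escaped form the Parentheses section shows for c:\program files (x86)\windows, and tokenize() confirms it comes back as one term; unbalanced parentheses or an unterminated phrase raise ValueError, which is the point at which the real server would return a syntax error.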

Leading Wildcards

The use of leading wildcards in a query is not recommended unless absolutely necessary. Leading wildcards carry a significant performance penalty for the search, and process searches that use them are blocked by default (see the note at the end of this section).

For example, the following query is not recommended:

filemod:*/system32/ntdll.dll

The same results would be returned by the following query, and the search would be much more efficient, because path fields are tokenized on slashes (see Field Type: path) and the term system32/ntdll.dll therefore matches that path segment wherever it occurs:

filemod:system32/ntdll.dll

Note: While process searches with leading wildcards are blocked by default beginning in Carbon Black EDR version 6.2.3, you can change this either through the Advanced Settings page or the cb.conf file. See Managing High-Impact Queries and the Carbon Black EDR Server Configuration Guide.
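As an added example (not Carbon Black's own code), the check below flags unquoted field values that start with a wildcard before a query is submitted, for instance from a script that builds queries for the server, and rewrites the one case the page shows is safe: a leading */ on a path-type field, where the path tokenizer already matches on path segments. The set of path-type fields (PATH_FIELDS) and the function names are assumptions made for this example; confirm the field types against the Field Type: path reference.

```python
import re

# Assumed path-type fields for this example; verify against Field Type: path.
PATH_FIELDS = {'path', 'filemod', 'modload'}

# An unquoted field:value term whose value begins with * or ?. Quoted values
# ("*...") and escaped values (\*...) are not wildcards and are skipped.
LEADING_WILDCARD = re.compile(r'(?<![\w\\])(-?)([A-Za-z_][\w.]*):([*?][^\s()"]*)')


def leading_wildcards(query: str) -> list[tuple[str, str]]:
    """Return (field, value) pairs whose unquoted value starts with a wildcard."""
    return [(m.group(2), m.group(3)) for m in LEADING_WILDCARD.finditer(query)]


def suggest_rewrite(query: str) -> str:
    """Drop a leading '*/' (or '*\\') from path-type field values.

    The path tokenizer splits on slashes, so filemod:system32/ntdll.dll
    already matches that segment anywhere in the path; the wildcard only adds
    cost. Values on other fields, or without a slash after the wildcard, are
    left unchanged for a human to decide.
    """
    def fix(m: re.Match) -> str:
        sign, field, value = m.group(1), m.group(2), m.group(3)
        if field in PATH_FIELDS:
            value = re.sub(r'^\*[/\\]', '', value)
        return f'{sign}{field}:{value}'
    return LEADING_WILDCARD.sub(fix, query)


if __name__ == '__main__':
    # Constructed sample queries.
    for q in ['filemod:*/system32/ntdll.dll',
              'process_name:*svchost.exe AND (filemod:*/temp/a.dll)',
              'filemod:"*/system32/ntdll.dll"']:
        print(q, '->', leading_wildcards(q), '|', suggest_rewrite(q))
```

Treat a non-empty result from leading_wildcards as a reason to stop and review the query (or the Advanced Settings / cb.conf change the note above describes) rather than as something to silence: suggest_rewrite only removes the prefix the page says is redundant.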