This topic describes terms, phrases, and operators you can use when constructing a complex query.

A term is a single keyword (without whitespace) that is searched in the Carbon Black EDR process or binary data store, or in the alerts or threat reports on your server. For example, a keyword could be: svchost.exe.

Terms can be combined by logical operators and nested to form complex queries; for example:

  • and, AND, or whitespace — Boolean AND operator: svchost.exe cmd.exe, svchost.exe and cmd.exe
  • or, OR — Boolean OR operator: svchost.exe or cmd.exe
  • - — Boolean NOT operator: -svchost.exe
  • Nesting with parentheses: (svchost.exe or cmd.exe) powershell.exe
  • Wildcard searches with *; for example, process_name:win*.exe

Terms can be limited to a single field with <field>:<term> syntax; for example:

process_name:svchost.exe

Multiple terms are connected with AND if not otherwise specified.

Terms that are not preceded by fields are expanded to search all default fields.

Because terms are whitespace-delimited, enclose a term that contains whitespace in double quotes, or escape each whitespace character with a single backslash.

For example:

path:"microsoft office\office15\powerpnt.exe"

or

path:microsoft\ office\office15\powerpnt.exe

Terms can be combined to form phrases. A phrase is a set of terms that are separated by whitespace and enclosed in quotes. Whitespace between the terms of a quoted phrase is not treated as a logical AND operator. Instead, a phrase is searched as a single term.

For example: "svchost.exe cmd.exe"

Phrases can be combined and nested with other phrases and terms using logical operators.

For example: "svchost.exe cmd.exe" or powershell.exe
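The operator, field, escaping and phrase rules above, worked through as an added example that is not Carbon Black's own parser: a small Python recursive-descent parser that turns a query into a nested tuple, so you can check how a query will be tokenized and grouped before running it. It assumes that AND binds tighter than OR (the page does not state precedence) and that only whitespace is backslash-escaped, so the backslashes of a Windows path are kept literally.

```python
import re

# A token is '(' , ')', a leading '-' (NOT), or a word. Quoted runs and backslash-escaped characters
# stay inside the word, so a phrase or an escaped space survives tokenization as a single term.
TOKEN = re.compile(r'\s*(\(|\)|-(?=\S)|(?:[^\s()"\\]|\\.|"(?:[^"\\]|\\.)*")+)')

def tokenize(query):
    tokens, pos = [], 0
    while m := TOKEN.match(query, pos):
        tokens.append(m.group(1)); pos = m.end()
    if query[pos:].strip():
        raise ValueError(f"unterminated quote or stray character at offset {pos}")
    return tokens

def term(word):
    """'field:value' -> ('term', field, value); a bare term has field None (expands to all default fields)."""
    m = re.match(r'([A-Za-z_]+):(.+)$', word)
    field, value = (m.group(1), m.group(2)) if m else (None, word)
    if len(value) > 1 and value[0] == value[-1] == '"':  # quoted phrase: one term, its spaces are not ANDs
        value = value[1:-1]
    return ("term", field, re.sub(r'\\(\s)', r'\1', value))  # only whitespace is backslash-escaped (assumed)

def parse(query):
    """Recursive descent: OR binds loosest, then AND (explicit or bare whitespace), then '-' and parentheses."""
    toks, i = tokenize(query), [0]
    def peek(): return toks[i[0]] if i[0] < len(toks) else None
    def take(): tok = peek(); i[0] += 1; return tok
    def or_expr():
        node = and_expr()
        while peek() in ("or", "OR"):
            take(); node = ("or", node, and_expr())
        return node
    def and_expr():
        node = unary()
        while peek() not in (None, ")", "or", "OR"):
            if peek() in ("and", "AND"): take()
            node = ("and", node, unary())
        return node
    def unary():
        tok = take()
        if tok == "-": return ("not", unary())
        if tok == "(" and (node := or_expr()) and take() == ")": return node
        if tok in (None, "(", ")"): raise ValueError("empty query or unbalanced parenthesis")
        return term(tok)
    node = or_expr()
    if peek() is not None: raise ValueError(f"unexpected token {peek()!r}")
    return node

if __name__ == "__main__":
    print(parse('(svchost.exe or cmd.exe) powershell.exe'))
```

Note that this parser reads any leading run of letters followed by a colon as a field prefix, so an unquoted `c:\...` path would be split into field `c`; quoting the whole value avoids that.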