Making Queries

A query is the part of a FixIt! filter that defines the categories of objects whose data you want to view.

The other part, Fields, defines which categories of data are shown for the selected object categories.

This section contains information on queries.

Query structure and syntax

A query consists of:

arguments (categories of objects you search for)

values (parameters of certain objects within a category)

One query can contain several conditions combined with logical operators. To group conditions together, use parentheses (...).

Example:

category_name: "files" AND arkstatus.file: (ts_malware OR ts_suspicious)

This query will return all objects of type File whose arkstatus.file value is ts_malware (malicious) or ts_suspicious (suspicious).

Query operators

The main operators used to combine conditions in queries are AND, OR, and AND NOT.

The AND operator finds elements that match all of the conditions at once. It can be replaced with the + character placed before the value.

The OR operator finds elements that match at least one of the conditions.

The AND NOT operator excludes elements that match the condition defined after it. It can be replaced with the - character placed before the value.

You can also use character operators in queries.

The character operators and their descriptions are listed in the table below.

Operator

Description

.

Matches any single character. Example:

ab. will return aba, abb, abz, etc.

Note that a dot inside a value you search for is also treated as this operator: the pattern cmd.exe will return cmd.exe, but also values such as cmdxexe.

?

Makes the preceding character optional. Example:

abc? will return ab and abc.

+

Repeats the preceding character one or more times. Example:

ab+ will return ab, abb, abbb, etc.

*

Repeats the preceding character zero or more times. Example:

ab* will return a, ab, abb, abbb, etc.

{...}

Curly brackets specify how many times the preceding character repeats. Two numbers give the minimum and maximum number of repetitions. Example:

a{2} will return aa

a{2,4} will return aa, aaa, and aaaa

a{2,} will return a repeated two or more times.

|

Corresponds to the OR operator. Results will match either the left or the right part of the pattern on the two sides of this character. Example:

abc|xyz will match abc and xyz.

(…)

Groups values so that the group is treated as a single value. Example:

abc(def)? will return abc and abcdef, but not abcd.

[…]

Matches any one of the characters within the brackets. Example:

[abc] will return a, b, or c

Inside the square brackets, the hyphen (-) indicates a range unless - is the first character or escaped using the \ character. Example:

[a-c] will return a, b, or c

[-abc] will return -, a, b, or c (the hyphen will be treated as the first value)

[abc\-] will return a, b, c, or - (the hyphen is escaped)

^

When placed first inside square brackets, the ^ character excludes the listed characters or ranges from results. Example:

[^abc] will return everything but a, b, or c

[^a-c] will return everything but a, b, or c

[^-abc] will return everything but -, a, b, or c

[^abc\-] will return everything but a, b, c, or -.
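The table above describes each character operator but does not show them at work on real-looking values. The script below is an added example, not FixIt! code: it assumes the operators behave like standard regular-expression operators (which is what the descriptions above say) and that a pattern must match the whole field value rather than a substring. The sample file names are constructed for the demonstration; they are not real telemetry. The escaping helper uses Python's re.escape and is included to show why an unescaped dot in a file name over-matches.

```python
from __future__ import annotations

import re

# Added example, not FixIt! code. The character operators documented in the
# table behave like standard regular-expression operators, so Python's `re`
# module is used to show which sample values each pattern selects.
# Assumption: a FixIt! pattern must match the whole field value (fullmatch),
# not merely a substring of it.


def match_values(pattern: str, candidates: list[str]) -> list[str]:
    """Return, in input order, the candidate values the pattern selects."""
    rx = re.compile(pattern)
    return [value for value in candidates if rx.fullmatch(value)]


def literal(value: str) -> str:
    """Escape a value so its own '.', '?', '+', '*', brackets, etc. are read
    literally rather than as character operators (re.escape semantics)."""
    return re.escape(value)


# Constructed sample file names (not real data) used to show why an
# unescaped '.' in a file name is a problem: it matches any character.
SAMPLE_NAMES = ["cmd.exe", "cmdxexe", "cmd-exe", "update.exe", "update.ex"]


def operator_demo() -> dict[str, list[str]]:
    """Run each documented pattern against a small constructed set of values."""
    return {
        "ab.": match_values("ab.", ["aba", "abb", "abz", "ab", "abcd"]),
        "abc?": match_values("abc?", ["ab", "abc", "abcc"]),
        "ab+": match_values("ab+", ["a", "ab", "abb"]),
        "ab*": match_values("ab*", ["a", "ab", "abb", "b"]),
        "a{2,4}": match_values("a{2,4}", ["a", "aa", "aaaa", "aaaaa"]),
        "abc|xyz": match_values("abc|xyz", ["abc", "xyz", "abcxyz"]),
        "abc(def)?": match_values("abc(def)?", ["abc", "abcdef", "abcd"]),
        "[-abc]": match_values("[-abc]", ["-", "a", "d"]),
        r"[abc\-]": match_values(r"[abc\-]", ["-", "c", "d"]),
        r"[^abc\-]": match_values(r"[^abc\-]", ["-", "a", "d"]),
    }


def escaping_demo() -> tuple[list[str], list[str]]:
    """Unescaped vs. escaped search for the literal file name cmd.exe."""
    return (match_values("cmd.exe", SAMPLE_NAMES),
            match_values(literal("cmd.exe"), SAMPLE_NAMES))


if __name__ == "__main__":
    for pattern, hits in operator_demo().items():
        print(f"{pattern:12} -> {hits}")
    print("unescaped, escaped:", escaping_demo())
```

The unescaped search for cmd.exe also returns cmdxexe and cmd-exe, because the dot stands for any character; the escaped pattern returns only the exact name. When hunting for a specific binary, check that your pattern does not silently widen in this way.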

Value ranges

For arguments with the data types ‘date’, ‘integer’, or ‘string’, you can specify ranges in queries.

If both the lower and upper bound are included in the required range, use square brackets [...]: [min TO max]

If both the lower and upper bound are excluded from the required range, use curly brackets {...}: {min TO max}

If only one of the bounds is included, combine the two bracket types; for example, [min TO max} includes min and excludes max.

If the range has only one bound, use the * character in place of the missing bound: [min TO *]

You can also use simplified syntax for ranges.

For ranges with one bound:

size:>10

size:>=10

size:<10

size:<=10

Ranges with both bounds must be grouped in parentheses when using simplified syntax:

size:(>=10 AND <20)

size:(+>=10 +<20)
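The bracket notation and the simplified syntax above are two spellings of the same range. The script below is an added example, not FixIt! code: it parses both spellings and evaluates them over constructed integer values so that the inclusive/exclusive bracket rules and the equivalence of size:[10 TO 20} and size:(>=10 AND <20) can be checked rather than taken on trust. It assumes integer bounds (date and string ranges are not handled), treats * as "no bound on that side", and its build_query helper simply joins conditions with AND in the shape of the page's own example.

```python
from __future__ import annotations

import re

# Added example, not FixIt! code. Parses the two documented range spellings
# and evaluates them over constructed integer values.
# Assumptions: bounds are integers; '*' means unbounded on that side.

BRACKET_RX = re.compile(
    r"^(?P<field>[\w.]+):(?P<lo_b>[\[{])(?P<lo>\S+) TO (?P<hi>\S+)(?P<hi_b>[\]}])$"
)
COMPARE_RX = re.compile(r"(>=|<=|>|<)(\S+)")


def _bound(text: str):
    """'*' -> None (no bound); anything else is parsed as an integer."""
    return None if text == "*" else int(text)


def parse_bracket(clause: str) -> tuple:
    """'size:[10 TO 20}' -> ('size', 10, 20, True, False).
    '[' and ']' include the bound, '{' and '}' exclude it."""
    m = BRACKET_RX.match(clause)
    if m is None:
        raise ValueError(f"not a bracket range: {clause!r}")
    return (m["field"], _bound(m["lo"]), _bound(m["hi"]),
            m["lo_b"] == "[", m["hi_b"] == "]")


def parse_simplified(clause: str) -> tuple:
    """'size:>=10', 'size:(>=10 AND <20)' or 'size:(+>=10 +<20)' -> same tuple shape.
    The '+' prefix (required condition) and the AND keyword are simply skipped."""
    field, _, body = clause.partition(":")
    lo = hi = None
    incl_lo = incl_hi = False
    for op, number in COMPARE_RX.findall(body.strip("()")):
        if op.startswith(">"):
            lo, incl_lo = int(number), op == ">="
        else:
            hi, incl_hi = int(number), op == "<="
    if lo is None and hi is None:
        raise ValueError(f"no comparison found in {clause!r}")
    return (field, lo, hi, incl_lo, incl_hi)


def parse(clause: str) -> tuple:
    """Dispatch on spelling: bracket notation or simplified comparisons."""
    return parse_bracket(clause) if BRACKET_RX.match(clause) else parse_simplified(clause)


def select(clause: str, values) -> list[int]:
    """Return the values that fall inside the range the clause describes."""
    _, lo, hi, incl_lo, incl_hi = parse(clause)
    hits = []
    for v in values:
        below = lo is not None and (v < lo if incl_lo else v <= lo)
        above = hi is not None and (v > hi if incl_hi else v >= hi)
        if not (below or above):
            hits.append(v)
    return hits


def bracket_clause(field: str, lo=None, hi=None, incl_lo=True, incl_hi=True) -> str:
    """Build the bracket spelling; None on a side becomes '*'."""
    return "{}:{}{} TO {}{}".format(
        field, "[" if incl_lo else "{", "*" if lo is None else lo,
        "*" if hi is None else hi, "]" if incl_hi else "}")


def build_query(category: str, *clauses: str) -> str:
    """Combine a category condition with further conditions using AND."""
    return " AND ".join([f'category_name: "{category}"', *clauses])


if __name__ == "__main__":
    sizes = list(range(8, 23))  # constructed sample values around the bounds
    for clause in ("size:[10 TO 20]", "size:{10 TO 20}", "size:[10 TO 20}",
                   "size:[10 TO *]", "size:(>=10 AND <20)", "size:(+>=10 +<20)"):
        print(f"{clause:22} -> {select(clause, sizes)}")
    print(build_query("files", bracket_clause("size", 10, 20, incl_hi=False)))
```

Running it shows that [10 TO 20] keeps 10 and 20, {10 TO 20} drops both, and [10 TO 20} keeps 10 but drops 20, which is exactly what the simplified form (>=10 AND <20) selects. Before relying on a range filter in an investigation, check which bracket you used on each side: an off-by-one at a boundary silently changes what the filter returns.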