Network analysis rules

You can define network analysis rules that allow you to match the raw data records collected by the system. For example, a rule can be defined to match on flow records with a specific destination IP address or a DNS request for a specific domain name.

Rules can be used in two modes, online and offline:

  • In online mode, a rule is matched to incoming data records as they are collected and analyzed: this can be used to generate alerts for specific activity of interest as soon as it is detected.

  • In offline mode, a rule is matched to historical data records: this can be used to search for a specific activity in past records (within your data-retention limits).

Network analysis rule syntax

A network analysis rule is a combination of clauses that express a condition on attributes of a record type. A rule has the following format:

record_type . attribute relation value

A rule consists of four parts:

  • record_type The record type to be matched. The following record types are supported: filehash, host, krb, netflow, pdns, smb, tls, and webrequest (each is described in its own section below).

    The record type and its attribute are separated by a dot (.).

  • attribute The attribute to be matched. The attributes vary depending on the record type.

  • relation The relation between the record's attribute and the value to match. Supported relation types are:

    • Equality (:)

    • Inequality (NOT, placed in front of the clause, as in NOT krb.dst_port:88)

    • Greater than (:>)

    • Less than (:<)

  • value The value to match against the record_type and attribute.

    You can search for a value that contains whitespace by surrounding it with single-quotes. For example:

    host.os:'Windows 8.1'
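As an added example (not the product's own code), a small Python parser and matcher for the single-clause syntax above, run against constructed sample records; the record dicts, the `search` function and the use of `src_ip` (or `ip` for host records) as the host identifier are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import Any, Dict, List

# Grammar from the page: record_type.attribute relation value
# Relations: ':' equality, ':>' greater than, ':<' less than; a leading NOT negates.
# A value containing whitespace is wrapped in single quotes.
_CLAUSE_RE = re.compile(
    r"^(?P<neg>NOT\s+)?"
    r"(?P<rtype>[a-z_]+)\.(?P<attr>[a-z_]+)"
    r"(?P<rel>:>|:<|:)"
    r"(?P<value>'[^']*'|\S+)$"
)


@dataclass(frozen=True)
class Clause:
    record_type: str
    attribute: str
    relation: str  # ":", ":>" or ":<"
    value: str
    negated: bool = False


def parse_clause(text: str) -> Clause:
    """Parse one clause such as NOT krb.dst_port:88 or host.os:'Windows 8.1'."""
    m = _CLAUSE_RE.match(text.strip())
    if not m:
        raise ValueError(f"malformed rule: {text!r}")
    value = m.group("value")
    if value.startswith("'"):
        value = value[1:-1]  # drop the quotes around a value with whitespace
    return Clause(m.group("rtype"), m.group("attr"), m.group("rel"),
                  value, m.group("neg") is not None)


def _coerce(value: str, like: Any) -> Any:
    """Convert the rule's string value to the type of the record field it is compared with."""
    if isinstance(like, bool):
        return value.lower() == "true"  # e.g. kerberos_weak_encryption:true
    if isinstance(like, (int, float)):
        try:
            return type(like)(value)  # ports, DNS error codes
        except ValueError:
            return value
    return value


def matches(clause: Clause, record: Dict[str, Any]) -> bool:
    """True if a record (a dict carrying its 'record_type') satisfies the clause."""
    if record.get("record_type") != clause.record_type:
        return False  # a clause applies only to its own record type
    if clause.attribute not in record:
        return False
    field = record[clause.attribute]
    wanted = _coerce(clause.value, field)
    if clause.relation == ":":
        hit = field == wanted
    elif clause.relation == ":>":
        hit = field > wanted
    else:
        hit = field < wanted
    return (not hit) if clause.negated else hit


# Constructed sample records (assumed layout, not the product's storage format).
SAMPLE_RECORDS: List[Dict[str, Any]] = [
    {"record_type": "krb", "src_ip": "192.168.1.1", "dst_ip": "192.168.1.254",
     "dst_port": 88, "kerberos_encryption": "rc4-hmac", "kerberos_weak_encryption": True},
    {"record_type": "krb", "src_ip": "192.168.1.7", "dst_ip": "10.0.0.5",
     "dst_port": 8888, "kerberos_encryption": "aes256-cts-hmac-sha1-96",
     "kerberos_weak_encryption": False},
    {"record_type": "host", "ip": "192.168.1.7", "os": "Windows 8.1", "service": "smb"},
    {"record_type": "pdns", "src_ip": "192.168.1.1", "rrname": "evil.com", "error": 3},
    {"record_type": "pdns", "src_ip": "192.168.1.9", "rrname": "example.org", "error": 0},
]


def search(rule: str, records: List[Dict[str, Any]] = SAMPLE_RECORDS) -> List[str]:
    """Offline-style search: hosts (src_ip, or ip for host records) whose records match."""
    clause = parse_clause(rule)
    return sorted({r.get("src_ip", r.get("ip")) for r in records if matches(clause, r)})


if __name__ == "__main__":
    for rule in ("NOT krb.dst_port:88", "host.os:'Windows 8.1'", "pdns.error:>0",
                 "krb.kerberos_weak_encryption:true"):
        print(f"{rule:40} -> {search(rule)}")
```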

Following are the supported combinations of record types and attributes.

Filehash rules

Attributes for record type filehash:

Attribute

Description

Examples

md5

Matches file downloads where a file with the given MD5 hash was downloaded.

Show which host downloaded a file with the MD5 hash d41d8cd98f00b204e9800998ecf8427e.

filehash.md5:d41d8cd98f00b204e9800998ecf8427e

recipient_ip

Matches file downloads with the given recipient IP address (the downloader).

Show which files 192.168.1.1 downloaded.

filehash.recipient_ip:192.168.1.1

sender_ip

Matches file downloads with the given sender IP address.

Show which host downloaded files from server 6.6.6.6.

filehash.sender_ip:6.6.6.6

sha1

Matches file downloads where a file with the given SHA1 hash was downloaded.

Show which host downloaded a file with the SHA1 hash da39a3ee5e6b4b0d3255bfef95601890afd80709.

filehash.sha1:da39a3ee5e6b4b0d3255bfef95601890afd80709

These rules are matched in offline mode only and are ignored in online mode.

Host rules

Attributes for record type host:

Attribute

Description

Examples

app

Matches hosts that were found to run the given application (typically, name and version).

Show which host is running curl.

host.app:curl

category

Matches hosts that were determined to be the given device category/type.

Show which host is determined to be a mobile phone or tablet.

host.category:mobile

os

Matches hosts that were found to run the given operating system.

Show which host is running Android.

host.os:Android

Show which host is running Windows 8.1.

host.os:'Windows 8.1'

service

Matches hosts that were found to run the given service.

Show the SMB servers in the network.

host.service:smb

These rules are matched in offline mode only and are ignored in online mode.

Kerberos rules

Attributes for record type krb:

Attribute

Description

Examples

app_dst

Matches Kerberos messages where the destination host is running the given application. This rule can only be matched in online mode.

Show messages where the destination host is running Microsoft Word.

krb.app_dst:msword

app_src

Matches Kerberos messages where the source host is running the given application. This rule can only be matched in online mode.

Show messages where the source host is running an Apache Web server.

krb.app_src:httpd

category_dst

Matches Kerberos messages where the destination host is determined to be the given device category/type. This rule can only be matched in online mode.

Show messages where the destination host is determined to be a mobile phone or tablet.

krb.category_dst:mobile

category_src

Matches Kerberos messages where the source host is determined to be the given device category/type. This rule can only be matched in online mode.

Show messages where the source host is determined to be a server.

krb.category_src:server

dst_ip

Matches Kerberos messages with the given destination IP (typically, the server).

Show which Kerberos messages were received by 192.168.1.254.

krb.dst_ip:192.168.1.254

dst_port

Matches Kerberos messages with the given destination port. Port 88 is the standard Kerberos port.

Show which Kerberos messages were sent to a non-standard port, not port 88.

NOT krb.dst_port:88

geoip_dst

Matches Kerberos messages where the dst_ip is geo-located in the given 2-letter ISO 3166 country code.

Show Kerberos messages where the dst_ip is geo-located in Russia.

krb.geoip_dst:RU

geoip_src

Matches Kerberos messages where the src_ip is geo-located in the given 2-letter ISO 3166 country code.

Show Kerberos messages where the src_ip is geo-located in China.

krb.geoip_src:CN

hosttag_dst

Matches Kerberos messages where the destination host has been tagged with the given value. The tag is an arbitrary string assigned to the host. Rules with this attribute are only matched in online mode.

Show messages where the destination host was tagged as "ceo-laptop".

krb.hosttag_dst:ceo-laptop

hosttag_src

Matches Kerberos messages where the source host has been tagged with the given value. The tag is an arbitrary string assigned to the host. Rules with this attribute are only matched in online mode.

Show messages where the source host was tagged as "server1".

krb.hosttag_src:server1

kerberos_cname

Matches Kerberos messages with the given client principal name.

Show Kerberos messages where the cname is the vsphere-user.

krb.kerberos_cname:vsphere-user

kerberos_encryption

Matches Kerberos messages with the given encryption used.

Show Kerberos messages using rc4-hmac encryption.

krb.kerberos_encryption:rc4-hmac

kerberos_msg_type

Matches Kerberos messages with the given message type.

Show Kerberos error (KRB_ERROR) messages.

krb.kerberos_msg_type:KRB_ERROR

kerberos_realm

Matches Kerberos messages with the given server realm.

Show Kerberos messages where the realm is EXAMPLE.INTERNAL.

krb.kerberos_realm:EXAMPLE.INTERNAL

kerberos_sname

Matches Kerberos messages with the given server principal name.

Show Kerberos messages where the sname is krbtgt/HQ.EXAMPLE.COM.

krb.kerberos_sname:krbtgt/HQ.EXAMPLE.COM

kerberos_weak_encryption

Matches Kerberos messages that have weak (true) or strong (false) encryption.

Show Kerberos messages using weak encryption.

krb.kerberos_weak_encryption:true

os_dst

Matches Kerberos messages where the destination host is determined to be the given operating system. This rule can only be matched in online mode.

Show messages where the destination host is determined to be running Windows 10.

krb.os_dst:'Windows 10'

os_src

Matches Kerberos messages where the source host is determined to be the given operating system. This rule can only be matched in online mode.

Show messages where the source host is determined to be running Ubuntu Linux.

krb.os_src:Ubuntu

service_dst

Matches Kerberos messages where the destination host is determined to be running the given service. This rule can only be matched in online mode.

Show messages where the destination host is determined to be running SMB.

krb.service_dst:smb

service_src

Matches Kerberos messages where the source host is determined to be running the given service. This rule can only be matched in online mode.

Show messages where the source host is determined to be running SMB.

krb.service_src:smb

src_ip

Matches Kerberos messages with the given source IP (typically, a client issuing a request).

Show which Kerberos messages were issued by 192.168.1.1.

krb.src_ip:192.168.1.1

These rules are matched in both online and offline mode.

Flow record rules

Attributes for record type netflow:

Attribute

Description

Examples

app_dst

Matches netflow records where the destination host is running the given application. This rule can only be matched in online mode.

Show all records where the destination host is running Microsoft Word.

netflow.app_dst:msword

app_layer_protocol

Matches netflow records with the given application layer protocol: DHCP, DNS, FTP, HTTP, HTTPS, IMAP, ISAKMP, KERBEROS, LDAP, POP3, RDP, SMB, SMTP, SSH, TELNET, TLS, and VNC. The match is case sensitive and expects an uppercase protocol name.

Show all HTTPS connections.

netflow.app_layer_protocol:HTTPS

app_src

Matches netflow records where the source host is running the given application. This rule can only be matched in online mode.

Show all records where the source host is running an Apache Web server.

netflow.app_src:httpd

category_dst

Matches netflow records where the destination host is determined to be the given device category/type. This rule can only be matched in online mode.

Show all records where the destination host is determined to be a mobile phone or tablet.

netflow.category_dst:mobile

category_src

Matches netflow records where the source host is determined to be the given device category/type. This rule can only be matched in online mode.

Show all records where the source host is determined to be a server.

netflow.category_src:server

dst_ip

Matches netflow records with the given destination IP address.

Show all connections to 192.168.1.1.

netflow.dst_ip:192.168.1.1

dst_port

Matches netflow records with the given destination port.

Show all SSH (port 22) connections.

netflow.dst_port:22

Show connections to all ports except HTTP (port 80).

NOT netflow.dst_port:80

geoip_dst

Matches netflow records where the dst_ip is geo-located in the given 2-letter ISO 3166 country code.

Show all records where the dst_ip is geo-located in Russia.

netflow.geoip_dst:RU

geoip_src

Matches netflow records where the src_ip is geo-located in the given 2-letter ISO 3166 country code.

Show all records where the src_ip is geo-located in China.

netflow.geoip_src:CN

hosttag_dst

Matches netflow records where the destination host has been tagged with the given value. The tag is an arbitrary string assigned to the host. Rules with this attribute are only matched in online mode.

Show all records where the destination host was tagged as "ceo-laptop".

netflow.hosttag_dst:ceo-laptop

hosttag_src

Matches netflow records where the source host has been tagged with the given value. The tag is an arbitrary string assigned to the host. Rules with this attribute are only matched in online mode.

Show all records where the source host was tagged as "server1".

netflow.hosttag_src:server1

os_dst

Matches netflow records where the destination host is determined to be the given operating system. This rule can only be matched in online mode.

Show all records where the destination host is determined to be running Windows 10.

netflow.os_dst:'Windows 10'

os_src

Matches netflow records where the source host is determined to be the given operating system. This rule can only be matched in online mode.

Show all records where the source host is determined to be running Ubuntu Linux.

netflow.os_src:Ubuntu

service_dst

Matches netflow records where the destination host is determined to be running the given service. This rule can only be matched in online mode.

Show all records where the destination host is determined to be running SMB.

netflow.service_dst:smb

service_src

Matches netflow records where the source host is determined to be running the given service. This rule can only be matched in online mode.

Show all records where the source host is determined to be running SMB.

netflow.service_src:smb

src_ip

Matches netflow records with the given source IP address.

Show all connections from 192.168.1.1.

netflow.src_ip:192.168.1.1

src_port

Matches netflow records with the given source port.

Show all connections originating from source port 11111.

netflow.src_port:11111

These rules are matched in both online and offline mode.

Passive DNS rules

Attributes for record type pdns:

Attribute

Description

Examples

app_dst

Matches pdns records where the destination host is running the given application. This rule can only be matched in online mode.

Show all records where the destination host is running Microsoft Word.

pdns.app_dst:msword

app_src

Matches pdns records where the source host is running the given application. This rule can only be matched in online mode.

Show all records where the source host is running an Apache Web server.

pdns.app_src:httpd

category_dst

Matches pdns records where the destination host is determined to be the given device category/type. This rule can only be matched in online mode.

Show all records where the destination host is determined to be a mobile phone or tablet.

pdns.category_dst:mobile

category_src

Matches pdns records where the source host is determined to be the given device category/type. This rule can only be matched in online mode.

Show all records where the source host is determined to be a server.

pdns.category_src:server

dst_ip

Matches pdns records with the given destination IP address (typically, the nameserver receiving the query).

Show all queries to the Google nameservers.

pdns.dst_ip:8.8.8.8

error

Matches pdns records with the given DNS response code (RCODE) for the request; for example, 0 is NOERROR and 3 is NXDOMAIN. See the IANA DNS parameters registry (iana.org) for the full list of values.

Show queries that resolved to NXDOMAIN.

pdns.error:3

Show all queries that had any kind of error.

pdns.error:>0

geoip_dst

Matches pdns records where the dst_ip is geo-located in the given 2-letter ISO 3166 country code.

Show all records where the dst_ip is geo-located in Russia.

pdns.geoip_dst:RU

geoip_src

Matches pdns records where the src_ip is geo-located in the given 2-letter ISO 3166 country code.

Show all records where the src_ip is geo-located in China.

pdns.geoip_src:CN

hosttag_dst

Matches pdns records where the destination host has been tagged with the given value. The tag is an arbitrary string assigned to the host. Rules with this attribute are only matched in online mode.

Show all records where the destination host was tagged as "ceo-laptop".

pdns.hosttag_dst:ceo-laptop

hosttag_src

Matches pdns records where the source host has been tagged with the given value. The tag is an arbitrary string assigned to the host. Rules with this attribute are only matched in online mode.

Show all records where the source host was tagged as "server1".

pdns.hosttag_src:server1

os_dst

Matches pdns records where the destination host is determined to be the given operating system. This rule can only be matched in online mode.

Show all records where the destination host is determined to be running Windows 10.

pdns.os_dst:'Windows 10'

os_src

Matches pdns records where the source host is determined to be the given operating system. This rule can only be matched in online mode.

Show all records where the source host is determined to be running Ubuntu Linux.

pdns.os_src:Ubuntu

rdata

Matches pdns records with the given response data.

Show which host performed a lookup whose answer contained 6.6.6.6.

pdns.rdata:6.6.6.6

rrname

Matches pdns records querying for the given entity.

Show which host requested a lookup of evil.com.

pdns.rrname:evil.com

service_dst

Matches pdns records where the destination host is determined to be running the given service. This rule can only be matched in online mode.

Show all records where the destination host is determined to be running SMB.

pdns.service_dst:smb

service_src

Matches pdns records where the source host is determined to be running the given service. This rule can only be matched in online mode.

Show all records where the source host is determined to be running SMB.

pdns.service_src:smb

src_ip

Matches pdns records with the given source IP address (typically, a client issuing a query).

Show all queries from 192.168.1.1.

pdns.src_ip:192.168.1.1

These rules are matched in both online and offline mode.

SMB rules

Attributes for record type smb:

Attribute

Description

Examples

app_dst

Matches SMB messages where the destination host is running the given application. This rule can only be matched in online mode.

Show messages where the destination host is running Microsoft Word.

smb.app_dst:msword

app_src

Matches SMB messages where the source host is running the given application. This rule can only be matched in online mode.

Show messages where the source host is running an Apache Web server.

smb.app_src:httpd

category_dst

Matches SMB messages where the destination host is determined to be the given device category/type. This rule can only be matched in online mode.

Show messages where the destination host is determined to be a mobile phone or tablet.

smb.category_dst:mobile

category_src

Matches SMB messages where the source host is determined to be the given device category/type. This rule can only be matched in online mode.

Show messages where the source host is determined to be a server.

smb.category_src:server

command

Matches SMB messages with the given command value.

Show who issued SMB2_COMMAND_WRITE messages.

smb.command:SMB2_COMMAND_WRITE

dst_ip

Matches SMB messages with the given destination IP (typically, the server).

Show who issued SMB requests to 192.168.1.254.

smb.dst_ip:192.168.1.254

dst_port

Matches SMB messages with the given destination port.

Show who issued SMB requests to port 8445.

smb.dst_port:8445

geoip_dst

Matches SMB messages where the dst_ip is geo-located in the given 2-letter ISO 3166 country code.

Show all messages where the dst_ip is geo-located in Russia.

smb.geoip_dst:RU

geoip_src

Matches SMB messages where the src_ip is geo-located in the given 2-letter ISO 3166 country code.

Show all messages where the src_ip is geo-located in China.

smb.geoip_src:CN

hosttag_dst

Matches SMB messages where the destination host has been tagged with the given value. The tag is an arbitrary string assigned to the host. Rules with this attribute are only matched in online mode.

Show messages where the destination host was tagged as "ceo-laptop".

smb.hosttag_dst:ceo-laptop

hosttag_src

Matches SMB messages where the source host has been tagged with the given value. The tag is an arbitrary string assigned to the host. Rules with this attribute are only matched in online mode.

Show messages where the source host was tagged as "server1".

smb.hosttag_src:server1

os_dst

Matches SMB messages where the destination host is determined to be the given operating system. This rule can only be matched in online mode.

Show messages where the destination host is determined to be running Windows 10.

smb.os_dst:'Windows 10'

os_src

Matches SMB messages where the source host is determined to be the given operating system. This rule can only be matched in online mode.

Show messages where the source host is determined to be running Ubuntu Linux.

smb.os_src:Ubuntu

service_dst

Matches SMB messages where the destination host is determined to be running the given service. This rule can only be matched in online mode.

Show messages where the destination host is determined to be running SMB.

smb.service_dst:smb

service_src

Matches SMB messages where the source host is determined to be running the given service. This rule can only be matched in online mode.

Show messages where the source host is determined to be running SMB.

smb.service_src:smb

src_ip

Matches SMB messages with the given source IP (typically, a client issuing a request).

Show which SMB messages were issued by 192.168.1.1.

smb.src_ip:192.168.1.1

These rules are matched in both online and offline mode.

TLS rules

Attributes for record type tls:

Attribute

Description

Examples

app_dst

Matches TLS records where the destination host is running the given application. This rule can only be matched in online mode.

Show all records where the destination host is running Microsoft Word.

tls.app_dst:msword

app_src

Matches TLS records where the source host is running the given application. This rule can only be matched in online mode.

Show all records where the source host is running an Apache Web server.

tls.app_src:httpd

category_dst

Matches TLS records where the destination host is determined to be the given device category/type. This rule can only be matched in online mode.

Show all records where the destination host is determined to be a mobile phone or tablet.

tls.category_dst:mobile

category_src

Matches TLS records where the source host is determined to be the given device category/type. This rule can only be matched in online mode.

Show all records where the source host is determined to be a server.

tls.category_src:server

dst_ip

Matches TLS records with the given destination IP (typically, a server receiving a TLS connection).

Show TLS connections ending at a given host (a Google IP address in this case).

tls.dst_ip:35.224.243.173

dst_port

Matches TLS records with the given destination port.

Show TLS connections which are not using the default HTTPS port 443.

NOT tls.dst_port:443

geoip_dst

Matches TLS records where the dst_ip is geo-located in the given 2-letter ISO 3166 country code.

Show all records where the dst_ip is geo-located in Russia.

tls.geoip_dst:RU

geoip_src

Matches TLS records where the src_ip is geo-located in the given 2-letter ISO 3166 country code.

Show all records where the src_ip is geo-located in China.

tls.geoip_src:CN

hosttag_dst

Matches TLS records where the destination host has been tagged with the given value. The tag is an arbitrary string assigned to the host. Rules with this attribute are only matched in online mode.

Show all records where the destination host was tagged as "ceo-laptop".

tls.hosttag_dst:ceo-laptop

hosttag_src

Matches TLS records where the source host has been tagged with the given value. The tag is an arbitrary string assigned to the host. Rules with this attribute are only matched in online mode.

Show all records where the source host was tagged as "server1".

tls.hosttag_src:server1

ja3_hash

Matches TLS records with the given JA3 hash.

Show TLS connections with a well-known JA3 hash (listed in the JA3 malicious reputation).

tls.ja3_hash:2d8794cb7b52b777bee2695e79c15760

os_dst

Matches TLS records where the destination host is determined to be the given operating system. This rule can only be matched in online mode.

Show all records where the destination host is determined to be running Windows 10.

tls.os_dst:'Windows 10'

os_src

Matches TLS records where the source host is determined to be the given operating system. This rule can only be matched in online mode.

Show all records where the source host is determined to be running Ubuntu Linux.

tls.os_src:Ubuntu

service_dst

Matches TLS records where the destination host is determined to be running the given service. This rule can only be matched in online mode.

Show all records where the destination host is determined to be running SMB.

tls.service_dst:smb

service_src

Matches TLS records where the source host is determined to be running the given service. This rule can only be matched in online mode.

Show all records where the source host is determined to be running SMB.

tls.service_src:smb

sni

Matches TLS records with the given Server Name Indication value.

Show TLS connections with a given SNI value.

tls.sni:gc-components-healthcheck

src_ip

Matches TLS records with the given source IP (typically, a client setting up a TLS connection).

Show TLS connections initiated by a given host.

tls.src_ip:192.168.52.43

These rules are matched in offline mode only and are ignored in online mode.

Webrequest rules

Attributes for record type webrequest:

Attribute

Description

Examples

app_dst

Matches webrequest records where the destination host is running the given application. This rule can only be matched in online mode.

Show all records where the destination host is running Microsoft Word.

webrequest.app_dst:msword

app_src

Matches webrequest records where the source host is running the given application. This rule can only be matched in online mode.

Show all records where the source host is running an Apache Web server.

webrequest.app_src:httpd

category_dst

Matches webrequest records where the destination host is determined to be the given device category/type. This rule can only be matched in online mode.

Show all records where the destination host is determined to be a mobile phone or tablet.

webrequest.category_dst:mobile

category_src

Matches webrequest records where the source host is determined to be the given device category/type. This rule can only be matched in online mode.

Show all records where the source host is determined to be a server.

webrequest.category_src:server

dst_ip

Matches webrequest records with the given destination IP (typically, a web server).

Show which hosts sent HTTP requests to 6.6.6.6.

webrequest.dst_ip:6.6.6.6

dst_port

Matches webrequest records with the given destination port (typically, 80 or 443).

Show which hosts sent HTTP requests to port 8888.

webrequest.dst_port:8888

geoip_dst

Matches webrequest records where the dst_ip is geo-located in the given 2-letter ISO 3166 country code.

Show all records where the dst_ip is geo-located in Russia.

webrequest.geoip_dst:RU

geoip_src

Matches webrequest records where the src_ip is geo-located in the given 2-letter ISO 3166 country code.

Show all records where the src_ip is geo-located in China.

webrequest.geoip_src:CN

hostname

Matches webrequest records to the given hostname.

Show which hosts sent HTTP requests to evil.com.

webrequest.hostname:evil.com

hosttag_dst

Matches webrequest records where the destination host has been tagged with the given value. The tag is an arbitrary string assigned to the host. Rules with this attribute are only matched in online mode.

Show all records where the destination host was tagged as "ceo-laptop".

webrequest.hosttag_dst:ceo-laptop

hosttag_src

Matches webrequest records where the source host has been tagged with the given value. The tag is an arbitrary string assigned to the host. Rules with this attribute are only matched in online mode.

Show all records where the source host was tagged as "server1".

webrequest.hosttag_src:server1

normalized_url

Matches webrequest records with the given URL (normalized). A normalized URL is obtained by removing the query part from a URL.

Show which hosts requested http://evil.com/path.

webrequest.normalized_url:http://evil.com/path

os_dst

Matches webrequest records where the destination host is determined to be the given operating system. This rule can only be matched in online mode.

Show all records where the destination host is determined to be running Windows 10.

webrequest.os_dst:'Windows 10'

os_src

Matches webrequest records where the source host is determined to be the given operating system. This rule can only be matched in online mode.

Show all records where the source host is determined to be running Ubuntu Linux.

webrequest.os_src:Ubuntu

resource_path

Matches webrequest records with the given resource path.

Show which hosts sent HTTP requests for resource path /path.

webrequest.resource_path:/path

service_dst

Matches webrequest records where the destination host is determined to be running the given service. This rule can only be matched in online mode.

Show all records where the destination host is determined to be running SMB.

webrequest.service_dst:smb

service_src

Matches webrequest records where the source host is determined to be running the given service. This rule can only be matched in online mode.

Show all records where the source host is determined to be running SMB.

webrequest.service_src:smb

src_ip

Matches webrequest records with the given source IP (typically, a client issuing a request).

Show the requests made by 192.168.1.1.

webrequest.src_ip:192.168.1.1

These rules are matched in both online and offline mode.

Combined rules

You can combine network analysis rules of the same record type with the AND and OR operators:

  • Show which hosts connected to port 4142 on IP address 6.6.6.6.

    netflow.dst_port:4142 AND netflow.dst_ip:6.6.6.6

Rules on different record types can be combined with OR (taking the union of the results provided by each query):

  • Show which hosts downloaded a file with the MD5 hash d41d8cd98f00b204e9800998ecf8427e or resolved evil.com.

    filehash.md5:d41d8cd98f00b204e9800998ecf8427e OR pdns.rrname:evil.com

Rules on different record types can also be combined with >>, which matches when the results of the left-hand query are followed in time by results of the right-hand query for the same host.

  • Show which hosts downloaded a file with the MD5 hash d41d8cd98f00b204e9800998ecf8427e and then resolved evil.com.

    filehash.md5:d41d8cd98f00b204e9800998ecf8427e >> pdns.rrname:evil.com

    The time window used for the offline matching of these rules corresponds to the selected time window in the User Portal, while for online matching, it is set to 1 hour.
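Added example, not the product's own code: how AND, OR and >> combine clause results, including the 1-hour online window for >>, evaluated over constructed records that carry an epoch timestamp (`ts`) and a `src_ip` identifying the host. The equality-only `clause_matches` helper is an assumption that handles only `record_type.attribute:value` (no NOT, :> or :<).

```python
from typing import Any, Dict, List, Set

ONLINE_WINDOW_SECONDS = 3600  # the page: online matching of '>>' uses a 1-hour window


def clause_matches(clause: str, record: Dict[str, Any]) -> bool:
    """Equality-only clause 'record_type.attribute:value' (assumed helper; no NOT, :> or :<)."""
    rtype, rest = clause.split(".", 1)
    attr, value = rest.split(":", 1)
    return record["record_type"] == rtype and str(record.get(attr)) == value


def hosts_and(left: str, right: str, records: List[Dict[str, Any]]) -> Set[str]:
    """AND, same record type: both clauses must hold on the same record."""
    return {r["src_ip"] for r in records
            if clause_matches(left, r) and clause_matches(right, r)}


def hosts_or(left: str, right: str, records: List[Dict[str, Any]]) -> Set[str]:
    """OR, possibly across record types: union of the hosts matched by either clause."""
    return {r["src_ip"] for r in records
            if clause_matches(left, r) or clause_matches(right, r)}


def hosts_then(left: str, right: str, records: List[Dict[str, Any]],
               window: float = ONLINE_WINDOW_SECONDS) -> Set[str]:
    """'left >> right': hosts with a right-hand match that occurs at or after a
    left-hand match and no more than `window` seconds later."""
    left_times: Dict[str, List[float]] = {}
    for r in records:
        if clause_matches(left, r):
            left_times.setdefault(r["src_ip"], []).append(r["ts"])
    hits: Set[str] = set()
    for r in records:
        if clause_matches(right, r) and r["src_ip"] in left_times:
            if any(0 <= r["ts"] - t0 <= window for t0 in left_times[r["src_ip"]]):
                hits.add(r["src_ip"])
    return hits


MD5 = "d41d8cd98f00b204e9800998ecf8427e"  # the hash used in the page's examples

# Constructed records: ts is epoch seconds, src_ip identifies the host.
SAMPLE_RECORDS: List[Dict[str, Any]] = [
    # .10 downloads the file, then resolves evil.com 10 minutes later: sequence holds
    {"record_type": "filehash", "src_ip": "192.168.1.10", "ts": 1000, "md5": MD5},
    {"record_type": "pdns", "src_ip": "192.168.1.10", "ts": 1600, "rrname": "evil.com"},
    # .20 resolves first and downloads afterwards: wrong order for '>>'
    {"record_type": "pdns", "src_ip": "192.168.1.20", "ts": 2000, "rrname": "evil.com"},
    {"record_type": "filehash", "src_ip": "192.168.1.20", "ts": 2300, "md5": MD5},
    # .30 resolves two hours after the download: outside the 1-hour online window
    {"record_type": "filehash", "src_ip": "192.168.1.30", "ts": 5000, "md5": MD5},
    {"record_type": "pdns", "src_ip": "192.168.1.30", "ts": 12200, "rrname": "evil.com"},
    # netflow records for the AND example
    {"record_type": "netflow", "src_ip": "192.168.1.40", "ts": 100,
     "dst_port": 4142, "dst_ip": "6.6.6.6"},
    {"record_type": "netflow", "src_ip": "192.168.1.50", "ts": 110,
     "dst_port": 4142, "dst_ip": "1.2.3.4"},
]

DOWNLOAD = f"filehash.md5:{MD5}"
RESOLVE = "pdns.rrname:evil.com"


if __name__ == "__main__":
    print(hosts_and("netflow.dst_port:4142", "netflow.dst_ip:6.6.6.6", SAMPLE_RECORDS))
    print(hosts_or(DOWNLOAD, RESOLVE, SAMPLE_RECORDS))
    print(hosts_then(DOWNLOAD, RESOLVE, SAMPLE_RECORDS))               # online: 1-hour window
    print(hosts_then(DOWNLOAD, RESOLVE, SAMPLE_RECORDS, window=86400))  # wider offline window
```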

Regular expression support

You can use regular expressions and wildcards in network analysis rules. The following fields support regular expressions and wildcards:

  • netflow.app_layer_protocol
  • pdns.rrname
  • webrequest.hostname
  • webrequest.normalized_url
  • webrequest.resource_path

Wildcard support

The following wildcards are supported:

  • * Matches any character sequence (including an empty string).

  • ? Matches any single character.

Regular expression operators

The field value must be wrapped in / (slash) to indicate that it is to be interpreted as a regular expression pattern. In a regular expression pattern, the following regexp operators are supported:

  • . Represents any character.

  • + Matches the preceding shortest pattern one or more times.

  • * Match the preceding shortest pattern zero or more times.

  • ? Makes the preceding shortest pattern optional.

  • {} Specifies a minimum and (optionally) maximum number of times the preceding shortest pattern can repeat.

  • () Define a sub-pattern.

  • | Defines the OR operator.

  • [] Specifies a character range.

Note:

Regular expressions are implicitly anchored: the pattern provided must match the entire string.

Escape

To force the field value to be interpreted literally (no wildcard or regular expression processing), enclose it in double quotes.

Regex examples

Search for webrequest records where hostname starts with example:

webrequest.hostname:example*

Search for webrequest records where hostname matches the regular expression ex.+:

webrequest.hostname:/ex.+/
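Added example (not the product's own implementation): translating a field value into the anchored match the page describes, covering wildcards, a /regex/ value and the double-quoted literal escape, applied to constructed hostnames. Only the value after the colon is handled here; the `search_hostnames` helper and the hostname list are assumptions for illustration.

```python
import re
from typing import List


def pattern_to_regex(value: str) -> "re.Pattern[str]":
    """Build the anchored matcher for one field value, following the page's rules:
    "..." is taken literally, /.../ is a regular expression, and otherwise
    '*' and '?' are wildcards while every other character is literal.
    In all three cases the whole field must match (implicit anchoring)."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        body = re.escape(value[1:-1])  # escape: no wildcard or regex meaning
    elif len(value) >= 2 and value[0] == "/" and value[-1] == "/":
        body = value[1:-1]  # user regex; the page lists . + * ? {} () | []
    else:
        parts: List[str] = []
        for ch in value:
            if ch == "*":
                parts.append(".*")  # any character sequence, including empty
            elif ch == "?":
                parts.append(".")  # exactly one character
            else:
                parts.append(re.escape(ch))
        body = "".join(parts)
    return re.compile(rf"\A(?:{body})\Z")


def field_matches(value: str, field: str) -> bool:
    """True if the record field satisfies the rule value."""
    return pattern_to_regex(value).match(field) is not None


# Constructed hostnames standing in for webrequest.hostname values.
HOSTNAMES = ["example.com", "example.org", "exam.net", "ex.io",
             "www.example.com", "evil.com", "ex?io"]


def search_hostnames(value: str, hostnames: List[str] = HOSTNAMES) -> List[str]:
    """Hostnames a webrequest.hostname:<value> rule would match."""
    return sorted(h for h in hostnames if field_matches(value, h))


if __name__ == "__main__":
    for value in ("example*", "/ex.+/", "/.*example.*/", "ex?io", '"ex?io"'):
        print(f"{value:16} -> {search_hostnames(value)}")
```

Note that `example*` does not match `www.example.com` because the pattern is anchored at both ends; a substring match needs `*example*` or `/.*example.*/`.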