
Lucene Syntax

Learn how to use complex search queries

Written by Sergey Bayrachny

You can search using the Lucene query syntax with keywords, dates, text, booleans, and integers. Use the examples below as a starting point, or see the List of Lucene Fields. Mind the date format: YYYY-MM-DD.

Note: To ensure that multiple words separated by a whitespace or a hyphen are treated as a single search term, use double quotes.

Lucene Field or Operator | Lucene Search Example (you can copy-paste-edit it) | Result
--- | --- | ---
case.name | case.name:(malware OR trojan) | Content containing either "malware" or "trojan" in its name
tags.author | tags.author:"Roman Ranskyi" | Content authored by Roman Ranskyi only
siem_type | siem_type:splunk | Content for Splunk only
siem_type | siem_type:(splunk OR kibana) | Content for either Splunk or Kibana
sigma.level | sigma.level:"low" | Content with Sigma severity level low
release_date | release_date:>2020-10-01 | Content released after 2020-10-01 only
release_date | release_date:>=2020-10-01 | Content released on or after 2020-10-01
release_date | release_date:[* TO 2020-10-01} | Content released before 2020-10-01 only (mind the space between the * and "TO")
release_date | release_date:{2020-10-01 TO 2020-10-31} | Content released between 2020-10-01 and 2020-10-31 excluding both the 1st and the 31st
release_date | release_date:{2020-10-01 TO 2020-10-31] | Content released between 2020-10-01 and 2020-10-31 excluding the 1st only
release_date | release_date:[2020-01-01 TO 2020-12-31] | Content released in 2020
created | created:[2020-12-10 TO 2020-12-16] | Content created between 2020-12-10 and 2020-12-16 including the 10th and the 16th
^2 | banking^2 trojan | Content for detecting trojans in banking with "banking" being 2x as important as "trojan"

Note: In a range, a square bracket includes the bound next to it and a curly brace excludes it, so [2020-10-01 TO 2020-10-31] includes both dates while {2020-10-01 TO 2020-10-31} includes neither.
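As an added example (not the platform's own code; the sample release dates are constructed), the following Python builds queries in the syntax above, enforcing the YYYY-MM-DD format and the quoting rule for multi-word values, and evaluates the range and comparison forms against a few dates so you can see exactly which bound each bracket style includes.

```python
import re

DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")
RANGE_RE = re.compile(r"^([\w.]+):([\[{])(\S+) TO (\S+)([\]}])$")
COMPARE_RE = re.compile(r"^([\w.]+):(>=|<=|>|<)(\S+)$")

def term(field, value):
    """field:value, quoting values with whitespace or a hyphen (see the note above)."""
    if re.search(r"[\s-]", value):
        return f'{field}:"{value}"'
    return f"{field}:{value}"

def any_of(field, values):
    """field:(a OR b ...)"""
    return f"{field}:({' OR '.join(values)})"

def date_range(field, lo="*", hi="*", lo_inclusive=True, hi_inclusive=True):
    """Range query; [ ] includes the adjacent bound, { } excludes it."""
    for bound in (lo, hi):
        if bound != "*" and not DATE_RE.fullmatch(bound):
            raise ValueError(f"dates must be YYYY-MM-DD, got {bound!r}")
    open_b = "[" if lo_inclusive else "{"
    close_b = "]" if hi_inclusive else "}"
    return f"{field}:{open_b}{lo} TO {hi}{close_b}"

def matches_date(query, value):
    """Evaluate one range or comparison query against a YYYY-MM-DD value.
    ISO dates sort correctly as strings, so plain string comparison suffices."""
    m = RANGE_RE.match(query)
    if m:
        _, lo_b, lo, hi, hi_b = m.groups()
        ok_lo = lo == "*" or (value > lo if lo_b == "{" else value >= lo)
        ok_hi = hi == "*" or (value < hi if hi_b == "}" else value <= hi)
        return ok_lo and ok_hi
    m = COMPARE_RE.match(query)
    if m:
        _, op, bound = m.groups()
        return {">": value > bound, ">=": value >= bound,
                "<": value < bound, "<=": value <= bound}[op]
    raise ValueError(f"unsupported date query: {query!r}")

# Constructed sample release dates (not real content items)
SAMPLE_DATES = ["2020-09-30", "2020-10-01", "2020-10-15", "2020-10-31"]

def matching(query, dates=SAMPLE_DATES):
    """Return the sample dates that the given date query would select."""
    return [d for d in dates if matches_date(query, d)]
```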

List of Lucene Fields


Here is the list of Lucene fields you can use in your search query:

case.name

Type: Keyword.

Description: Content item name.

Value example: Text from the title, for example: "Hash based block list bypass - signtool.exe (via cmdline)".

Corresponding fields in the UI: Content item name.

case.paid_type

Type: Keyword.

Description: The value git free access marks content sourced from the SigmaHQ repository on GitHub. Use it to filter for such content.

Possible values: git free access.

Corresponding fields in the UI:

  • Free Access value in the Content Availability filter

  • Content availability status Free Access on the content item card and on the content item page

sigma.level

Type: Text.

Description: Sigma rule Severity level.

Possible values: low, medium, high, critical.

Corresponding fields in the UI: Severity field on the content item card when hovered and on the content item page.

created

Type: Date in the following format: YYYY-MM-DD.

Description: The date when the rule was first created but not released yet.

Value example: 2020-04-24.

Corresponding fields in the UI: No corresponding fields.

current_version

Type: Keyword.

Description: Content pack version.

Value example: 1.0.0.

Corresponding fields in the UI: Content Pack version field on the content pack page.

description

Type: Text.

Description: Content item description.

Value example: Text from the description, for example: "avoid hash based blocklist".

Corresponding fields in the UI: Content item description on the content item page.

doc_type

Type: Keyword.

Description: Content type.

Possible values: rule, rule_pack, premium_app.

Corresponding fields in the UI: No directly corresponding fields. However, the Content Type filter on the Search page is similar. Note that its values do not exactly match the accepted values of the Lucene field:

  • rule_pack = Content Pack

  • premium_app = Premium App

  • rule = Alert or Query

release_date

Type: Date in the following format: YYYY-MM-DD.

Description: Content item release date.

Value example: 2020-04-24.

Corresponding fields in the UI: Released field on the content item card and on the content item page.

siem_type

Type: Keyword.

Description: Intended SIEM of the content item.

Possible values:

  • ala-rule — Microsoft Sentinel Rule

  • ala — Microsoft Sentinel Query

  • elasticsearch – Elasticsearch Query (Lucene)

  • es-eql – Elasticsearch Query (EQL)

  • xpack-watcher – Elasticsearch Watcher

  • elasticsearch-rule – Elasticsearch Detection Rule (Lucene)

  • es-rule-eql – Elasticsearch Detection Rule (EQL)

  • kibana — Kibana Saved Search

  • elastalert — Elasticsearch ElastAlert

  • qradar — Qradar Query

  • humio — Falcon LogScale Query

  • humio-alert — Falcon LogScale Alert

  • splunk — Splunk Query

  • splunk_alert — Splunk Alert

  • sumologic — Sumo Logic Query

  • sumologic-cse — Sumo Logic CSE Query

  • sumologic-cse-rule — Sumo Logic CSE Rule

  • arcsight-esm — ArcSight Rule

  • arcsight-keyword — ArcSight Query

  • logpoint — LogPoint Query

  • grep — Regex Grep Query

  • powershell — PowerShell Query

  • graylog — Graylog Query

  • kafka — Apache Kafka KSQL Query

  • rsa_netwitness — RSA NetWitness Query

  • carbonblack — VMware Carbon Black Cloud Query

  • carbonblack-edr — VMware Carbon Black EDR Query

  • open-ioc — FireEye OpenIOC

  • fireeye-helix — FireEye Helix Query

  • chronicle — Google SecOps Rule

  • chronicle-query — Google SecOps Query

  • securonix — Securonix Query

  • s1-events — SentinelOne Events Query

  • s1-process — SentinelOne Process State Query

  • sentinel-one-power-query — SentinelOne PowerQuery

  • mdatp — Microsoft Defender for Endpoint Query

  • qualys — Qualys IOC Query

  • sysmon — Sysmon Rule

  • crowdstrike — CrowdStrike Endpoint Security Query

  • limacharlie — LimaCharlie Rule

  • devo — Devo Query

  • snowflake — Snowflake Query

  • athena — Amazon Athena Query

  • opendistro-query — Amazon OpenSearch Query

  • opendistro-rule — Amazon OpenSearch Rule

  • fortisiem — FortiSIEM rule

  • axon-ads-query — LogRhythm Axon Query

  • axon-ads-rule — LogRhythm Axon Rule

  • cortex-xdr-xql-query - Palo Alto Cortex XDR Query

  • cortex-xql-query - Palo Alto Cortex XSIAM Query

  • hunters-sql-query - Hunters Query

  • anomali-aql-query - Anomali Security Analytics Query

Corresponding fields in the UI:

  • Platform filter on the content item card (note that in this filter you can select a platform like Microsoft Sentinel, which returns all content types of that platform, or a specific content type like Microsoft Sentinel Query, which returns only that content type)

  • platform + content type selection on the content item page.

sigma.falsepositives

Type: Text.

Description: Text from the Sigma rule falsepositives field.

Value example: "Legitimate administrative activity".

Corresponding fields in the UI:

  • falsepositives field in the Sigma rule and all translations where it can be added

  • Specific (Sigma Field Based) part of the False Positives section on the Intelligence tab of a content item page

sigma.git_filepath

Type: Keyword.

Description: The source file path for the Sigma rule.

Value example: /windows/builtin/win_susp_ntlm_auth.yml.

Corresponding fields in the UI: No corresponding fields.

sigma.text

Type: Text.

Description: Any text inside a content item's code. This field is available not only for Sigma rules, but for other platforms as well.

Value example: Text from the Sigma rule, for example: "signtool.exe".

Corresponding fields in the UI: The code on the Code tab of a content item page for any original translation. Not available for alternative translations.

tags.actor

Type: Keyword.

Description: Actors associated with the content item.

Value example: apt32, apt28, turla, cobalt group, apt3, oilrig, apt29.

Corresponding fields in the UI:

  • Actors filter on the Search page

  • Actors part of the MITRE ATT&CK Coverage section on the Intelligence tab of a content item page. May include actor aliases not added when searching with Lucene.

tags.alt_config

Type: Keyword.

Description: Name of the alternative translation Config.

Value example: winlogbeat6, ci-winlogbeat6, ci-winlogbeat7, cim, datamodel, ossem, mdatp.

Corresponding fields in the UI: Config dropdown on the Code tab of a content item page.

tags.author_parsed

Type: Keyword.

Description: Content item's author.

Value example: soc prime team, red canary.

Corresponding fields in the UI:

  • Authors filter on the Search page and the Authors field on the search results

  • Authors field on a content item page.

tags.category

Type: Keyword.

Description: Log source category (from Sigma category).

Value example: process_creation.

Corresponding fields in the UI:

  • Sigma Category filter on the Search page.

  • Category field on the Intelligence tab of a content item page.

tags.custom

Type: Keyword.

Description: Custom tags of the content item.

Value example: sysmon, windows, windows registry, process command-line parameters, osman demir, threat hunting sigma, malware, process monitoring, wfh, workfromhome.

Corresponding fields in the UI: Custom Tags part of the Tags section on the Intelligence tab of a content item page.

tags.cve_id

Type: Keyword.

Description: Vulnerability CVE ID.

Value example: CVE-2017-5753.

Corresponding fields in the UI:

  • CVE ID filter on the Search page

  • CVE ID part of the Tags section on the Intelligence tab of a content item page.

tags.data_component.data_source.id

Type: Keyword.

Description: Data Source ID according to the MITRE ATT&CK framework. Relevant only for Data Components.

Value example: DS0026, DS0032.

Corresponding fields in the UI: No corresponding field, but you can search for them using the Data Sources filter (by entering the ID into the search field of this filter).

tags.data_component.data_source.name

Type: Keyword.

Description: Data Source name according to the MITRE ATT&CK framework. Relevant only for Data Components.

Value example: Active Directory, Application Log.

Corresponding fields in the UI:

  • Data Sources filter on the Search page

  • Data Sources part of the Tags section on the Intelligence tab of a content item page.

tags.data_component.name

Type: Keyword.

Description: Data Component name according to the MITRE ATT&CK framework.

Value example: Active Directory Credential Request, Application Log Content.

Corresponding fields in the UI:

  • Data Component filter on the Search page

  • Data Component part of the Tags section on the Intelligence tab of a content item page.

tags.event_id

Type: Keyword.

Description: Event ID of the content item.

Value example: 4688, 1.

Corresponding fields in the UI: Event ID part of the Tags section on the Intelligence tab of a content item page.

tags.logsource

Type: Keyword.

Description: Log sources of the content item. It is essentially a combination of the values of the Sigma Category, Sigma Product, and Sigma Service fields.

Value example: process_creation, windows, sysmon.

Corresponding fields in the UI: Log Sources part of the Tags section on the Intelligence tab of a content item page.

tags.product

Type: Keyword.

Description: Sigma rule product.

Value example: firewall, proxy, windows.

Corresponding fields in the UI:

  • Sigma Product filter on the Search page

  • Sigma Product field on the Intelligence tab of a content item page.

tags.related_vendor_product

Type: Keyword.

Description: The name of the product whose logs are used for detection.

Value example: Microsoft Azure, Apache, Checkpoint Firewall.

Corresponding fields in the UI: Log Source Product filter on the Search page

tags.rule_type

Type: Keyword.

Description: Can be Query or Alert:

  • Queries are intended for threat hunting

  • Alerts seldom have false positives and are intended for real-time detection

Possible values: query, alert.

Corresponding fields in the UI:

  • Content Type filter on the Search page:

    • Query = query

    • Alert = alert

  • Content type field in search results

  • Content type field on the content item page

tags.service

Type: Keyword.

Description: Sigma rule service.

Value example: security, syslog.

Corresponding fields in the UI:

  • Sigma Service filter on the Search page

  • Sigma Service field on the Intelligence tab of a content item page.

tags.sigma_type

Type: Text.

Description: Type of the Sigma rule that depends on its intended use.

Possible values: Threat Hunting Sigma, IOC Sigma, Compliance.

Corresponding fields in the UI:

  • Sigma Type filter on the Search page

  • Sigma Type field in the Tags section on the Intelligence tab of a content item page.

tags.technique.id

Type: Keyword.

Description: Technique ID according to the MITRE ATT&CK framework.

Value example: T1189, T1087.

Corresponding fields in the UI: Techniques filter on the Search page

tags.technique.name

Type: Keyword.

Description: Technique name according to the MITRE ATT&CK framework.

Value example: Input Capture, Install Root Certificate, Modify Registry.

Corresponding fields in the UI:

  • Techniques filter on the Search page

  • Techniques field and Sub-Techniques field in the MITRE ATT&CK Coverage section on the Intelligence tab of a content item page

tags.technique.parent_id

Type: Keyword.

Description: Parent Technique ID. Relevant only for sub-techniques.

Value example: T1059.

Corresponding fields in the UI: No corresponding fields

tags.technique.tactics

Type: Keyword.

Description: Tactic name. Relevant only for techniques.

Value example: discovery, defense-evasion.

Corresponding fields in the UI: Tactics filter on the Search page

tags.tool

Type: Keyword.

Description: Tool tag of the content item.

Value example: cmd, mimikatz, reg, schtasks, trickbot.

Corresponding fields in the UI:

  • Tools filter on the Search page

  • Tools part in the MITRE ATT&CK Coverage section on the Intelligence tab of a content item page

sigma.updated

Type: Date in the following format: YYYY-MM-DD.

Description: Last update date of the source code of the content item. Thus, this field shows when the detection logic itself was last updated.

Value example: 2020-04-24.

Corresponding fields in the UI:

  • Updated field in search results

  • Updated field on the Intelligence tab of a content item page
