You can use a filter to limit the query results for the following commands:
kesl-control -E --query "<logical expression>"
kesl-control -B --query "<logical expression>"
kesl-control -B --mass-remove --query "<logical expression>"
You can use multiple logical expressions to specify a filter by combining them using the AND operator. Logical expressions must be enclosed in quotation marks.
Syntax
"<field> <comparison operator> '<value>'"
"<field> <comparison operator> '<value>' and <field> <comparison operator> '<value>'"
Comparison operator
Comparison operator | Description
---|---
> | Greater than
< | Less than
like | Matches the specified value (when specifying the value, you can use the % mask; see the example below)
== | Equal to
!= | Not equal to
>= | Greater than or equal to
<= | Less than or equal to
Examples:
Get information about files in the Storage that have the High severity level:
Get information about events that contain the text "etc" in the FileName field:
Get events of the ThreatDetected type:
Output ThreatDetected events generated by ODS tasks:
Get events generated after the date specified as a UNIX™ time stamp (the number of seconds that have elapsed since 00:00:00 UTC on 1 January 1970):
Get events generated after the date specified in YYYY-MM-DD hh:mm:ss format:
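As an added example (not Kaspersky's code), a small Python helper that checks a filter string against the grammar described on this page before it is handed to kesl-control, and assembles one from automation input without letting a value close the quote or splice in a second condition. The operator set >, <, like, ==, !=, >=, <= follows the comparison-operator descriptions above; the field names EventType, FileName and Date used in the comments and checks are assumed for illustration.

```python
"""Validate and assemble kesl-control --query filters before running them.

Added example, not Kaspersky's code. Operators follow this page's table
(>, <, like, ==, !=, >=, <=); field names such as EventType are assumed.
"""
import re

OPERATORS = {">", "<", "like", "==", "!=", ">=", "<="}
# One condition: <field> <operator> '<value>'. '>=' and '<=' come before '>'
# and '<' so the alternation does not stop early; the value runs to the
# closing quote, so a value containing the text " and " stays intact.
_COND = re.compile(r"\s*([A-Za-z_]\w*)\s+(>=|<=|==|!=|>|<|like)\s+'([^']*)'\s*")
_AND = re.compile(r"and\s+")  # conditions are joined with the AND operator


def parse_query(query: str) -> list[tuple[str, str, str]]:
    """Return (field, operator, value) triples; raise ValueError on anything
    outside the documented grammar so it never reaches kesl-control."""
    pos, triples = 0, []
    while True:
        m = _COND.match(query, pos)
        if not m:
            raise ValueError(f"invalid condition at offset {pos}: {query[pos:]!r}")
        triples.append(m.groups())
        pos = m.end()
        if pos == len(query):
            return triples
        joiner = _AND.match(query, pos)
        if not joiner:
            raise ValueError(f"expected 'and' at offset {pos}: {query[pos:]!r}")
        pos = joiner.end()


def is_valid_query(query: str) -> bool:
    try:
        parse_query(query)
        return True
    except ValueError:
        return False


def build_query(conditions: list[tuple[str, str, str]]) -> str:
    """Compose a filter from triples (e.g. a fixed field plus a user-chosen
    value), rejecting input that could close the quote or add a condition."""
    parts = []
    for field, op, value in conditions:
        if not re.fullmatch(r"[A-Za-z_]\w*", field) or op not in OPERATORS:
            raise ValueError(f"bad field or operator: {field!r} {op!r}")
        if "'" in value:
            raise ValueError("a single quote is not allowed inside a value")
        parts.append(f"{field} {op} '{value}'")
    return " and ".join(parts)
```

Pass the returned string as a single argument (e.g. `["kesl-control", "-E", "--query", query]` with subprocess) so no shell re-quoting is involved.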