About syntax in threat hunting queries

March 20, 2024

ID 229881

Searches for telemetry events use a query syntax that follows these rules:

  • A query must contain at least one logical expression that matches the following syntax: <event field name> <comparison operator> <field value>.
  • A query can contain several logical expressions. You can combine logical expressions by using the following logical operators:
    • AND (Boolean AND)

      The results include all events that match both conditions (to the left and right of the AND operator).

      For example, the query DetectActionResult == "Quarantine" AND DetectStatus == "Malware*" returns events that have a DetectStatus starting with Malware and a DetectActionResult equaling Quarantine.

    • OR (Boolean OR)

      The results will include events that match at least one of the logical expressions.

      For example, query DetectActionResult == "Quarantine" OR DetectStatus == "Malware*" returns events that have a DetectStatus starting with Malware or a DetectActionResult equaling Quarantine.

    • NOT (Boolean NOT)

      The results will include events that do not match the expression.

      For example, the query NOT (DetectActionResult == "Quarantine") returns events in which DetectActionResult does not equal Quarantine.

  • You can control the execution order of logical operations by using parentheses.

    For example, the (DetectActionResult == "Quarantine" OR DetectStatus == "Malware*") AND FileSize > 16 query returns events that have a DetectStatus starting with Malware or a DetectActionResult equaling Quarantine, and whose attached file exceeds 16 bytes.

    If you run the DetectActionResult == "Quarantine" OR (DetectStatus == "Malware*" AND FileSize > 16) query, it returns events that have a DetectActionResult equaling Quarantine, or events that have a DetectStatus starting with Malware and an attached file exceeding 16 bytes.

  • You can use the following comparison operators:
    • == (equals)

      For example, if you run the DetectActionResult == "Quarantine" query, it returns events in which the DetectActionResult field equals Quarantine.

    • != (does not equal)

      For example, the query DetectActionResult != "Quarantine" returns events in which the DetectActionResult field does not equal Quarantine.

    • > (greater than)

      For example, the query FileSize > 16 returns events that have an attached file larger than 16 bytes.

    • < (less than)

      For example, the query FileSize < 16 returns events that have an attached file smaller than 16 bytes.

    • >= (greater than or equal)

      For example, the query FileSize >= 16 returns events that have an attached file greater than or equal to 16 bytes.

    • <= (less than or equal)

      For example, the query FileSize <= 16 returns events that have an attached file less than or equal to 16 bytes.

  • You can view the list of event field names in the Threat hunting section → the Help tab.
  • The <field type> part is case-insensitive. For example, results of the computername == "host" query and COMPUTERNAME == "host" query are the same.
  • The <field value> part is a sequence of letters, numbers, and special characters. <Field value> cannot be the name of a <field type>. String values must be enclosed in quotation marks. The one exception is a search for a non-empty string, which can be typed without quotation marks (for example, computername == * or computername == "*").
  • Search by <field value> is case-insensitive. For example, the results of the ComputerName == "host" query and the ComputerName == "HOST" query are the same.
  • <Field value> can include the following special characters:
    • *: the asterisk denotes any number of characters in a string (only applicable to string values).

      For example, the query EventName == "H*" returns all events whose EventName begins with the letter H.

      You can also use the asterisk to filter out fields with null values: for example, the query EventName == "*" or EventName == * returns events in which the EventName field has a non-empty value.

    • ?: the question mark denotes any single character in a string (only applicable to string values).

      For example, the query ProcessUserName == "User?" returns events with a ProcessUserName such as Users, User1, User2, or any other value matching the pattern.

    • \: the backslash escapes the asterisk, question mark, and backslash characters so that they are matched literally.

      For example, if you search for a path, use the backslash: file_pathes == "c:\\windows\\system32\\nslookup.exe".
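
As an added example (not code from this page or from the product it documents), a small Python interpreter for the syntax described above, run over constructed telemetry records. It implements AND, OR, NOT, parentheses, the six comparison operators, case-insensitive field names and values, and the *, ? and \ special characters; the field names come from the page, while the AND-before-OR precedence for unparenthesized queries and the numeric treatment of the ordering operators are assumptions of this example.

```python
import re
_TOKEN = re.compile(r'(\()|(\))|(==|!=|>=|<=|>|<)|"((?:\\.|[^"\\])*)"|([^\s()<>=!]+)')
def tokenize(query):  # -> [(kind, text)]; kind is SYM (parens, operators), STR (quoted) or WORD; spaces skipped
    return [({4: "STR", 5: "WORD"}.get(m.lastindex, "SYM"), m.group(m.lastindex)) for m in _TOKEN.finditer(query)]
def _wildcard(pattern):  # "*" = any run of characters, "?" = one character, "\" escapes the next character
    out, chars = "", iter(pattern)
    for c in chars:
        out += ".*" if c == "*" else "." if c == "?" else re.escape(next(chars, "\\") if c == "\\" else c)
    return re.compile(out, re.IGNORECASE)  # values are matched case-insensitively

class Parser:
    # expr := term (OR term)* ; term := factor (AND factor)* ; factor := NOT factor | ( expr ) | field op value
    # Assumption: AND binds tighter than OR when no parentheses are given (the page says to use parentheses).
    def __init__(self, query): self.toks, self.i = tokenize(query) + [(None, None)], 0
    def take(self): self.i += 1; return self.toks[self.i - 1]
    def kw(self, word):  # consume the keyword `word` (AND / OR / NOT) if it is the next token
        hit = self.toks[self.i][0] == "WORD" and self.toks[self.i][1].upper() == word; self.i += hit; return hit
    def binop(self, word, sub):  # left-associative chain of `sub` nodes joined by the keyword `word`
        node = sub()
        while self.kw(word): node = (word, node, sub())
        return node
    def expr(self): return self.binop("OR", self.term)
    def term(self): return self.binop("AND", self.factor)
    def factor(self):
        if self.kw("NOT"): return ("NOT", self.factor())
        if self.toks[self.i] == ("SYM", "("):
            self.i += 1; node = self.expr(); assert self.take() == ("SYM", ")"), "expected ')'"; return node
        (_, name), (_, op), (_, value) = self.take(), self.take(), self.take()
        return ("CMP", name.lower(), op, value)  # field names are case-insensitive

def evaluate(node, event):
    if node[0] == "AND": return evaluate(node[1], event) and evaluate(node[2], event)
    if node[0] == "OR": return evaluate(node[1], event) or evaluate(node[2], event)
    if node[0] == "NOT": return not evaluate(node[1], event)
    _, name, op, value = node
    actual = {k.lower(): v for k, v in event.items()}.get(name)  # case-insensitive field lookup
    if op in ("==", "!="):  # wildcard string match; a missing or empty field never matches ==
        hit = actual not in (None, "") and _wildcard(value).fullmatch(str(actual)) is not None
        return hit if op == "==" else not hit
    a, b = float("nan" if actual is None else actual), float(value)  # ordering ops are numeric; NaN never matches
    return {">": a > b, "<": a < b, ">=": a >= b, "<=": a <= b}[op]
def search(query, events):  # ComputerName of every event that matches the query
    tree = Parser(query).expr(); return [e["ComputerName"] for e in events if evaluate(tree, e)]

EVENTS = [  # constructed sample telemetry records, not real data
    {"ComputerName": "HOST", "DetectActionResult": "Quarantine", "DetectStatus": "Malware.Generic", "FileSize": 20,
     "EventName": "Heuristic", "ProcessUserName": "User1", "file_pathes": r"c:\windows\system32\nslookup.exe"},
    {"ComputerName": "host2", "DetectActionResult": "Skipped", "DetectStatus": "Malware.Test", "FileSize": 8, "EventName": ""},
    {"ComputerName": "host3", "DetectActionResult": "Quarantine", "DetectStatus": "Adware", "FileSize": 4, "EventName": "Other"},
]
```

Running the two parenthesized queries from the page against EVENTS returns ["HOST"] for the first and ["HOST", "host3"] for the second, which shows why the placement of the parentheses matters.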
