Skip Navigation

Supported EQL syntax for advanced query

Syntax help

The syntax help pane on
CylanceOPTICS
> Advanced Query lists the available
CylanceOPTICS
event classes and their associated artifacts, types, categories, and subcategories.

EQL query format

CylanceOPTICS
EQL queries use the following format for a basic query:
<event class>
where
<event/artifact>
.
<facet>
==
<value>
A query searches for events that are related to artifacts, so you need to use the relevant event class in your query.
The where clause can filter the results based on the event.type, event.category, event.subcategory, or artifact.facet values.
You can use
or
or
and
to combine multiple filter clauses.

Match any event class

You can use
any
for the event class, which maps to all available event classes.

Escape an event class

To escape event classes that contain a special character (for example, a hyphen or period), contain a space, or start with a numeral, use enclosing quotation marks (") or three enclosing quotation marks (""").

Escape a field name

To escape field names that contain a hyphen, space, or start with a numeral, use enclosing backticks (`). Use double backticks (``) to escape any backticks (`) in the field name.

Escape a value

If you use a special character in a value, including a quotation mark or a backslash, it must be escaped with a preceding a backslash (for example, \” for a quotation mark, \\ for a backslash).

Conditions

A condition consists of one or more criteria that an event must match. You can specify and combine criteria with the operators described in the following sections.

Comparison operators

Operator
Description
<
This operator returns true if the value to the left of the operator is less than the value to the right. Otherwise, it returns false.
<=
This operator returns true if the value to the left of the operator is less than or equal to the value to the right. Otherwise, it returns false.
==
This operator returns true if the values to the left and right of the operator are equal. Otherwise, it returns false. Wildcards are not supported.
:
This operator returns true if strings to the left and right of the operator are equal. Otherwise, it returns false. Can be used to compare strings only.
!=
This operator returns true if the values to the left and right of the operator are not equal. Otherwise, it returns false. Wildcards are not supported.
>=
This operator returns true if the value to the left of the operator is greater than or equal to the value to the right. Otherwise, it returns false. When comparing strings, the operator uses a case-sensitive lexicographic order.
>
This operator returns true if the value to the left of the operator is greater than the value to the right. Otherwise, it returns false. When comparing strings, the operator uses a case-sensitive lexicographic order.
= is not supported as an equal operator. Use == or : instead.

Pattern comparison keywords

Operator
Description
like
This operator returns true if the string to the left of the keyword matches the string to the right (case-sensitive). It supports list lookups (see lookup operators below) and can be used to compare strings only. For case-insensitive matching, use like~.
regex
This operator returns true if the string to the left of the keyword matches a regular expression to the right (see Regular expression syntax). It supports list lookups and can be used to compare strings only. For case-insensitive matching, use regex~.
my_field like "VALUE*" // case-sensitive wildcard matching my_field like~ "value*" // case-insensitive wildcard matching my_field regex "VALUE[^Z].?" // case-sensitive regex matching my_field regex~ "value[^z].?" // case-insensitive regex matching

Limitations for comparisons

You can’t chain comparisons. Use a logical operator between comparisons instead (see the logical operators section below).
For example,
foo < bar <= baz
is not supported but
foo < bar and bar <= baz
is supported.
You cannot compare a field to another field, even if the fields are changed using a function.
The following query is not valid because it compares the process.parent.name field value to the process.name field:
process where process.parent.name == "foo" and process.parent.name == process.name
The following query is valid because it compares both the process.parent.name and process.name fields to static values:
process where process.parent.name == "foo" and process.name == "foo"

Logical operators

Operator
Description
and
This operator returns true only if the condition to the left and right both return true. Otherwise, it returns false.
or
This operator returns true if one of the conditions to the left or right are true. Otherwise, it returns false.
not
This operator returns true if the condition to the right is false.

Lookup operators

Operator
Description
in
This operator returns true if the value is contained in the provided list (case-sensitive). For case-insensitive matching, use in~.
not in
This operator returns true if the value is not contained in the provided list (case-sensitive). For case-insensitive matching, use not in~.
:
This operator returns true if the string is contained in the provided list. It can be used to compare strings only.
like
This operator returns true if the string matches a string in the provided list (case-sensitive). It can be used to compare strings only. For case-insensitive matching, use like~.
regex
This operator returns true if the string matches a regular expression pattern in the provided list (see Regular expression syntax). It can be used to compare strings only. For case-insensitive matching, use regex~.
my_field in ("Value-1", "VALUE2", "VAL3") // case-sensitive my_field in~ ("value-1", "value2", "val3") // case-insensitive my_field not in ("Value-1", "VALUE2", "VAL3") // case-sensitive my_field not in~ ("value-1", "value2", "val3") // case-insensitive my_field : ("value-1", "value2", "val3") // case-insensitive my_field like ("Value-*", "VALUE2", "VAL?") // case-sensitive my_field like~ ("value-*", "value2", "val?") // case-insensitive my_field regex ("[vV]alue-[0-9]", "VALUE[^2].?", "VAL3") // case-sensitive my_field regex~ ("value-[0-9]", "value[^2].?", "val3") // case-insensitive

Match any condition

Use the
where true
condition to match events solely on event category. For example, the following query matches any file events:
file where true
To match any event, you can combine the any keyword with the where true condition:
any where true