# Query Operators

## Logical Operators

{% hint style="info" %}
Spaces need to surround a logical operator in order for the syntax to properly detect the operator. If not, it will assume the operator is a part of a value being input.
{% endhint %}

### AND

"And" displays results that include *all* of the values listed. You can enter "and" using any of the formats below; keep in mind that there must be a space before and after the operator:

* " AND " or " and " - (upper or lowercase)
* " & " - ampersand

#### AND Syntax

```
<column1>:<value1> AND <value2> and <value3> & <value4>
```

The syntax above shows all of the formats for AND: **AND**, **and**, and **&**.

#### AND Example

```
sources:windows_ad AND crowdstrike and mcafee & nexpose
```

This example searches the **sources** column for records that include *all* of the values entered: **windows\_ad**, **crowdstrike**, **mcafee**, and **nexpose**. Because "and" is used, the results will show each record that contains all four sources.

Notice the various ways the "and" operator is used: **AND**, **and**, and **&**. Also notice the spaces before and after each operator, whether the operator is a word or a special character.

### OR

"Or" displays results that include *any* of the values listed. You can enter "or" using any of the formats below:

* " OR " or " or " - (upper or lowercase)
* " | " - pipe

#### OR Syntax

```
<column1>:<value1> OR <value2> or <value3> | <value4>
```

The syntax above shows all of the formats for "OR": **OR**, **or**, and **|**.

#### OR Example

```
sources:windows_ad OR crowdstrike or mcafee | nexpose
```

This example searches the **sources** column for records that include *any* of the values entered: **windows\_ad**, **crowdstrike**, **mcafee**, or **nexpose**. Because "or" is used, the results will show each record that contains one or more of the sources.

Notice the various ways the "or" operator is used: **OR**, **or**, and **|**.

### Unions - Using Parentheses

Encasing values with parentheses can draw upon logical unions to drive complex queries:

#### Union Syntax

```
<column1>:(<value1> | <value2>) AND <value3>
```

The syntax above searches **column1** and looks for records that include **value1** *or* **value2** *and* also include **value3**. Note the use of the "or" operator inside the parentheses, and the "and" operator outside the parentheses.

#### Union Example

```
CVE:(2020* | 2021*) AND 2022*
```

This example searches the **CVE** column and looks for records that include **2020** *or* **2021** *and* also include **2022**. Note the use of the "\*" wildcard to look for items that begin with 2020, 2021, and 2022 and include any number of characters after those values.

## Negation Operators

### NOT

You can search for records that *don't* include a particular value by using the NOT operator in either of these formats:

* "NOT " - only uppercase, found at the start of a string
* "-" - a hyphen at the start of a string

#### NOT Syntax

```
<column1>:-<value1>
```

The syntax above searches **column1** and displays all records that *don't* include **value1**. Notice that there isn't a space between the hyphen and the value.

```
<column1>:-(<value1> | <value2> | <value3>)
```

The syntax above searches **column1** and displays all records that *don't* include **value1**, **value2**, or **value3**. It will display all other records.

#### NOT Examples

```
sources:-windows_ad
```

The example above searches the **sources** column and displays all records that *don't* include **windows\_ad**.

```
sources:-(windows_ad | crowdstrike | mcafee)
```

The example above searches the **sources** column and displays all records that *don't* include **windows\_ad**, **crowdstrike**, *or* **mcafee**. For example, it would display a record that included **nexpose** as long as it didn't also include **windows\_ad**, **crowdstrike**, or **mcafee**.

## String Operators

### Wildcard (Asterisk)

Asterisks are used in traditional wildcard operations, with the important caveat that at least two characters must precede the asterisk.

* "\*" - asterisk

{% hint style="warning" %}
At least two characters or digits must precede a wildcard. For example, **a\*** will not generate any results.
{% endhint %}

#### Wildcard (Asterisk) Syntax

```
<column1>:<value*>
```

The syntax above will search **column1** for all entries containing strings that begin with "**value**".

#### Wildcard (Asterisk) Examples

```
CVE:20*
ip_address:254*
hostname:C_0085* | C_0080*
```

The examples above perform these search functions:

* Search the **CVE** column for all entries beginning with **20**.
* Search the **ip\_address** column for all entries beginning with **254**.
* Search the **hostname** column for all entries that begin with either **C\_0085** *or* **C\_0080**.

## Numerical Operators

{% hint style="info" %}
Numerical operators have syntax similar to the logical operators in that they must be preceded and followed by a space character.
{% endhint %}

### Greater Than

Greater than is used to show any numerical value over the one provided in the query.

* " > "

#### Greater Than Examples

```
cvss: > 8
score: > 5.5
```

In the examples above, notice the space characters before and after **>**. These examples perform these search functions:

* Search the **cvss** column for numerical values greater than **8**. All entries of 8.1 and greater are listed.
* Search the **score** column for numerical values greater than **5.5**. All entries of 5.6 and greater are listed.

### Greater Than or Equal To

Similar to greater than, but will now include the numerical value provided, and anything greater than it.

* " >= "

#### Greater Than or Equal To Examples

```
cvss: >= 8
score: >= 5.5
```

The examples above perform these search functions:

* Search the **cvss** column for numerical values greater than or equal to **8**. All entries of 8 and greater are listed.
* Search the **score** column for numerical values greater than or equal to **5.5**. All entries of 5.5 and greater are listed.

### Less Than

Less than is used to determine any numerical value under the one provided in the query.

* " < "

#### Less Than Examples

```
cvss: < 8
score: < 5.5
```

The examples above perform these search functions:

* Search the **cvss** column for numerical values less than **8**. All entries of 7.9 and less are listed.
* Search the **score** column for numerical values less than **5.5**. All entries of 5.4 and less are listed.

### Less Than or Equal To

Similar to less than, but will now include the numerical value provided, and anything under it.

* " <= "

#### Less Than or Equal To Examples

```
cvss: <= 8
score: <= 5.5
```

The examples above perform these search functions:

* Search the **cvss** column for numerical values less than or equal to **8**. All entries of 8 and less are listed.
* Search the **score** column for numerical values less than or equal to **5.5**. All entries of 5.5 and less are listed.

### Equals

Search for only numerical values equal to the one provided in the query.

* " = "

```
cvss: = 8
score: = 5.5
```

The examples above perform these search functions:

* Search the **cvss** column for numerical values equal to **8**. All entries of exactly 8 are listed.
* Search the **score** column for numerical values equal to **5.5**. All entries of exactly 5.5 are listed.

### Range

Search for a range of numerical values between the two values provided in the query.

* " - " - hyphen

#### Range Examples

```
cvss: 8 - 9
score: 5.5 - 6.6
```

* Search the **cvss** column for numerical values between **8** and **9**. All values from 8.1 to 8.9 are listed.
* Search the **score** column for numerical values between **5.5** and **6.6**. All values from 5.6 to 6.5 are listed.
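
A query that breaks the spacing or wildcard rules above does not fail loudly: the operator is read as part of a value, or the wildcard returns nothing. The sketch below is an added example, not the platform's own parser. It checks a query for those two mistakes before it is saved or shared; `lint_query`, the rule names and the sample queries are hypothetical and constructed for illustration.

```python
import re

# Constructed rule set: encodes only the spacing and wildcard rules stated on
# this page. It is not the platform's parser and does not evaluate queries.
SYMBOL_OP = re.compile(r">=|<=|[&|<>=]")


def lint_query(query):
    """Return (rule, fragment) findings for one '<column>:<expression>' query."""
    column, sep, expr = query.partition(":")
    if not sep or not column.strip():
        return [("no-column", query)]
    findings = []
    # Rule 1: a symbol operator needs a space on both sides, otherwise it is
    # taken as part of the neighbouring value.
    for m in SYMBOL_OP.finditer(expr):
        before = expr[m.start() - 1] if m.start() > 0 else ""
        after = expr[m.end()] if m.end() < len(expr) else ""
        if before != " " or after != " ":
            findings.append(("operator-spacing", m.group()))
    # Rule 2: at least two characters must precede a wildcard. Leading
    # negation hyphens and grouping parentheses are not part of the value.
    for word in expr.split():
        value = word.lstrip("-(").rstrip(")")
        star = value.find("*")
        if 0 <= star < 2:
            findings.append(("wildcard-prefix", word))
    return findings


if __name__ == "__main__":
    # Constructed sample queries: the first is well formed, the rest are not.
    for q in ("CVE:(2020* | 2021*) AND 2022*",
              "sources:windows_ad AND crowdstrike&mcafee",
              "hostname:a*",
              "cvss: >8"):
        print(q, "->", lint_query(q) or "ok")
```

Word operators glued to a value (for example `windows_adANDcrowdstrike`) cannot be told apart from a legitimate value by inspection, so the check covers only the symbol forms.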

