Basic operators

Operator | (pipe, AND logical operator)
Description To add a where clause with a logical AND, append it using the pipe character (|). For example, the query below returns links that are from 192.168.254.0/24 AND going to 172.217.168.0/24.
Example links | where from in_subnet? 192.168.254.0/24 | where to in_subnet? 172.217.168.0/24
Operator OR
Description To add a where clause with a logical OR, append it using the OR operator. For example, the query below returns links with either the http OR the https protocols.
Example links | where protocol == http OR protocol == https
Operator ! (exclamation point, NOT logical operator)
Description Put an exclamation point (!) before a term to negate it. For example, the query below returns links that do NOT (!) belong to 192.168.254.0/24.
Example nodes | where ip !in_subnet? 192.168.254.0/24 | count
Operator ->
Description To change a column name, select it and use the -> operator followed by the new name. Note that certain name suffixes are recognized and change how the column content is displayed. For example:
  • _time data is shown in a timestamp format (1647590986549 becomes 2022-03-18 09:09:46.549)
  • _bytes adds KB or MB, as applicable (50 becomes 50.0 B)
  • _percent adds a percentage sign (50 becomes 50%)
  • _speed adds a throughput speed in Mb/s (189915 becomes 1.8 Mb/s)
  • _date converts numbers into a date format (2022-06-22 15:43:31.297 becomes 2022-06-22; 14:24:09.280 becomes 2022-06-24 (current day))
  • _packets adds pp after the number of packets (50 becomes 50 pp)
Example 1 nodes | select created_at created_at->my_integer | where my_integer > 946684800000
Example 2 nodes | select created_at->my_creation_time
Example 3 nodes | select tcp_retransmission.bytes->my_retrans_bytes
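The following is an added illustration of the -> rename and the suffix-driven display rules described above; it is not Nozomi's own code. It renders a column value according to the _time, _bytes, _percent and _packets suffixes (the _speed and _date rules are left out because the page does not state their input unit or conversion), and applies a select clause with optional renames over a constructed record. The timestamp is rendered in UTC, the KB/MB thresholds are decimal, and the record layout is an assumption.

```python
# Added example: display rendering driven by column-name suffixes, plus a
# minimal "select field->new_name" clause. Illustrative code, not the
# product's implementation; unit thresholds and time zone are assumptions.
from datetime import datetime, timezone


def render_column(name: str, value):
    """Render a cell the way the page describes for the column's suffix."""
    if name.endswith("_time"):
        # Epoch milliseconds -> "YYYY-MM-DD HH:MM:SS.mmm". Integer arithmetic
        # keeps the milliseconds exact. Rendered in UTC here; the page's own
        # sample (09:09:46 for 1647590986549) is the same instant in UTC+1.
        seconds, ms = divmod(int(value), 1000)
        ts = datetime.fromtimestamp(seconds, tz=timezone.utc)
        return ts.strftime("%Y-%m-%d %H:%M:%S") + f".{ms:03d}"
    if name.endswith("_bytes"):
        # Scale to B / KB / MB (decimal thresholds assumed): 50 -> "50.0 B"
        for unit, factor in (("MB", 1_000_000), ("KB", 1_000)):
            if value >= factor:
                return f"{value / factor:.1f} {unit}"
        return f"{value:.1f} B"
    if name.endswith("_percent"):
        return f"{value}%"                 # 50 -> "50%"
    if name.endswith("_packets"):
        return f"{value} pp"               # 50 -> "50 pp"
    return str(value)                      # no recognized suffix: raw value


def select_columns(record: dict, spec: str) -> dict:
    """Apply a select clause: each token is 'field' or 'field->new_name'.

    Dotted names such as tcp_retransmission.bytes walk into nested dicts.
    The display name (after the rename) decides which suffix rule applies,
    so renaming created_at to my_integer drops the timestamp formatting.
    """
    out = {}
    for token in spec.split():
        field, _, alias = token.partition("->")
        value = record
        for part in field.split("."):
            value = value[part]
        name = alias or field
        out[name] = render_column(name, value)
    return out


# Constructed sample record (not real data): a node row with a nested field.
SAMPLE_NODE = {"created_at": 1647590986549, "tcp_retransmission": {"bytes": 50}}

if __name__ == "__main__":
    print(select_columns(SAMPLE_NODE, "created_at->my_creation_time"))
    print(select_columns(SAMPLE_NODE, "tcp_retransmission.bytes->my_retrans_bytes"))
    print(select_columns(SAMPLE_NODE, "created_at->my_integer"))
```

Renaming a column to a name ending in _time or _bytes is what switches the formatting on; renaming created_at to my_integer (as in Example 1) keeps the raw number, which is why a numeric comparison on it still works.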
Operators ==, =, <, >, <=, and >=
Description Queries support the comparison operators listed above (equality, less than, greater than, and their inclusive variants).
Operator " (Quotation marks)
Description Use quotation marks (") to specify an empty string. Consider these two cases where this technique is useful:
  • Finding non-empty values. Example 1 below returns assets where the os field is not blank.
  • Specifying that a value in the query is a string (if its type is ambiguous). Example 2 below tells concat to treat the "--" parameter as a fixed string to use rather than as a field from the alerts table.
Example 1 assets | where os != ""
Example 2 alerts | select concat(id_src,"--",id_dst)
Operator in?
Description in? is only used with arrays; the field type must be an array. in? takes a list of text strings and returns rows whose array field contains at least one of them.

The example below uses in? to find any asset having computer or printer_scanner as an element of its type array.

Example assets | where type in? ["computer","printer_scanner"]
Operator include?
Description include? performs a substring match: it returns rows whose string field contains the text you specify.

The example below uses include? to find assets where the os field contains the string Win.

Example assets | where os include? Win
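To show how the where-clause operators on this page combine (pipe-chained AND, OR, the ! negation, the comparison operators, "" for an empty string, in? on arrays, include? on strings, and in_subnet? on addresses), here is an added mini-evaluator that runs the page's own example queries over constructed sample tables. It is illustrative code, not Nozomi's query engine; the tokenizing rules (whitespace-separated terms, " OR " as the only infix boolean, ! only as an operator prefix) and the sample data are assumptions.

```python
# Added example: evaluate the page's where-clause operators over in-memory
# tables. Illustrative code, not the product's own engine.
import ipaddress
import json
import operator

COMPARISONS = {"==": operator.eq, "=": operator.eq, "<": operator.lt,
               ">": operator.gt, "<=": operator.le, ">=": operator.ge}


def parse_value(text: str):
    """Right-hand side of a term: quoted string ("" included), array,
    integer, or a bare word such as http, Win or 192.168.254.0/24."""
    if text.startswith(("[", '"')):
        return json.loads(text)
    try:
        return int(text)
    except ValueError:
        return text


def eval_term(record: dict, term: str) -> bool:
    """Evaluate one 'field op value' term, honouring a leading ! on op."""
    field, op, raw = term.split(maxsplit=2)
    negate = op.startswith("!") and op != "!="   # "!=" is its own operator
    if negate:
        op = op[1:]
    actual, expected = record.get(field), parse_value(raw)
    if op in COMPARISONS:
        result = COMPARISONS[op](actual, expected)
    elif op == "!=":
        result = actual != expected
    elif op == "in_subnet?":                      # address within a CIDR block
        result = ipaddress.ip_address(actual) in ipaddress.ip_network(expected)
    elif op == "in?":                             # array field: any listed element
        result = any(item in expected for item in actual)
    elif op == "include?":                        # string field: substring match
        result = expected in actual
    else:
        raise ValueError(f"unknown operator {op}")
    return not result if negate else result


def eval_where(record: dict, cond: str) -> bool:
    """'a OR b' is true if any alternative holds; AND comes from chained stages."""
    return any(eval_term(record, t.strip()) for t in cond.split(" OR "))


def run_query(tables: dict, query: str):
    """Run 'table | where ... | where ... | count' and return rows or a count."""
    stages = [s.strip() for s in query.split("|")]
    rows = list(tables[stages[0]])
    for stage in stages[1:]:
        if stage.startswith("where "):
            rows = [r for r in rows if eval_where(r, stage[len("where "):])]
        elif stage == "count":
            return len(rows)
        else:
            raise ValueError(f"unsupported stage {stage}")
    return rows


# Constructed sample tables (not real data).
SAMPLE = {
    "links": [
        {"from": "192.168.254.10", "to": "172.217.168.4", "protocol": "https"},
        {"from": "192.168.254.11", "to": "10.0.0.5", "protocol": "http"},
        {"from": "10.1.1.1", "to": "172.217.168.9", "protocol": "ssh"},
    ],
    "nodes": [
        {"ip": "192.168.254.10", "created_at": 1647590986549},
        {"ip": "10.1.1.1", "created_at": 915148800000},
    ],
    "assets": [
        {"os": "Windows 10", "type": ["computer"]},
        {"os": "", "type": ["plc"]},
        {"os": "Linux", "type": ["printer_scanner", "iot"]},
    ],
}

if __name__ == "__main__":
    for q in (
        "links | where from in_subnet? 192.168.254.0/24 | where to in_subnet? 172.217.168.0/24",
        "links | where protocol == http OR protocol == https",
        "nodes | where ip !in_subnet? 192.168.254.0/24 | count",
        'assets | where os != ""',
        'assets | where type in? ["computer","printer_scanner"]',
        "assets | where os include? Win",
    ):
        print(q, "->", run_query(SAMPLE, q))
```

Each pipe stage narrows the rows from the previous one, which is what makes the pipe a logical AND, while OR only applies inside a single where clause.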