Kibana
Search
Standard Search
Search for a field/value pair: field:value
Compound Search
Search for both values together with AND: field:value AND field:value
Search for one OR another value: field:value OR field:value
Another approach to OR with multiple values on one field: field:(value1 OR value2 OR value3)
Negation is done by NOT prefix: field1:value1 AND field2:value2 AND NOT field3:value3
Wildcard Searches
Matches any value starting with val: field:val*
Matches any value ending with ue: field:*ue
Matches any value starting with v and ending with e: field:v*e
CIDR Search
Kibana supports CIDR notation search like this: srcip:"192.168.1.0/24"
Comparison Searches
Greater than port 80: srcport:>80
Less than port 80: srcport:<80
Any port value other than port 80: NOT srcport:80
Range Search
Ports from 0 to 1024: srcport:[0 TO 1024]
Exists Search
To check that the username field exists: _exists_:username
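As an added illustration (not part of the original cheat sheet), the following Python evaluates the query forms listed above against a few constructed events, so the behaviour of each construct can be checked without a running Kibana instance. It implements a deliberately simplified, flat subset of the Lucene query syntax (no nested parentheses, no quoted phrases containing operators); the field names, sample events and helper names are constructed for this example.

```python
import fnmatch
import ipaddress
import re
# Constructed sample events standing in for indexed log documents.
EVENTS = [
    {"srcip": "192.168.1.10", "srcport": 443, "username": "alice"},
    {"srcip": "10.0.0.5", "srcport": 22, "username": "bob"},
    {"srcip": "192.168.1.200", "srcport": 8080},
]
_RANGE = re.compile(r"^\[(\S+) TO (\S+)\]$")  # inclusive range: field:[lo TO hi]
_GROUP = re.compile(r"^(\S+):\((.+)\)$")      # OR group: field:(v1 OR v2 OR v3)

def match_term(event, term):
    """Match a single field:value term from the cheat sheet against one event."""
    field, _, value = term.partition(":")
    value = value.strip('"')
    if field == "_exists_":                       # _exists_:username
        return value in event
    if field not in event:
        return False
    actual = event[field]
    rng = _RANGE.match(value)
    if rng:                                       # srcport:[0 TO 1024]
        lo, hi = (float(x) for x in rng.groups())
        return lo <= float(actual) <= hi
    if value[:1] == ">":                          # srcport:>80
        return float(actual) > float(value[1:])
    if value[:1] == "<":                          # srcport:<80
        return float(actual) < float(value[1:])
    if "/" in value:                              # srcip:"192.168.1.0/24" (CIDR assumed)
        return ipaddress.ip_address(actual) in ipaddress.ip_network(value, strict=False)
    return fnmatch.fnmatchcase(str(actual), value)  # exact match or wildcard (val*, *ue, v*e)

def match_query(event, query):
    """Evaluate a flat query: clauses joined by AND, each optionally prefixed with NOT;
    a clause is one term, terms joined by OR, or a field:(a OR b) group. No nesting."""
    for clause in re.split(r"\s+AND\s+", query.strip()):
        negate = clause.startswith("NOT ")
        clause = clause[4:] if negate else clause
        grp = _GROUP.match(clause)
        if grp:  # expand field:(a OR b) into field:a OR field:b
            clause = " OR ".join(f"{grp.group(1)}:{v}" for v in re.split(r"\s+OR\s+", grp.group(2)))
        if any(match_term(event, t) for t in re.split(r"\s+OR\s+", clause)) == negate:
            return False  # a NOT clause matched, or a positive clause did not
    return True

def search(query, events=EVENTS):
    """Return the srcip of every event the query matches."""
    return [e["srcip"] for e in events if match_query(e, query)]
```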