This article describes the contains filter feature. This feature provides users with wildcard capabilities on both indexed and non-indexed string data. The contains feature has syntax requirements that are highlighted below.
NOTE: You can use the command in any field that allows text or string data. Most text fields have the Aa (case insensitivity) icon next to the Filter Field Name. Other fields that allow contains don't have that icon.
Syntax for contains:
The basic syntax for contains is as below:
contains(somevalue)
The following table provides some examples:
Example command: use either of the following:
- contains(admin)
- contains(stra)
Description: This command is a simple search.
- In the first example, any value that contains admin is returned. For example, administrator and admin.
- In the second example, any string with stra is returned. For example, administrator, gmestrad, or straub.
NOTE: To make this command case-insensitive, click the Aa icon; the search then returns any value that starts with admin, regardless of case. You can also use the /i regular expression notation for case insensitivity. For example, contains(admin/i).

Example command:
contains((admin|NGCP))
Description: This command is an OR'd search.
It returns any string within the field that contains admin or NGCP. As with the previous example, to make it case-insensitive, click the Aa icon. The search returns any value that starts with admin or NGCP, regardless of case.
NOTE: In this example, the extra set of parentheses is needed for the OR to function.

Example command: use either of the following:
- contains(\x24)
- contains(\$)
Description: This command is a search for any special character. Service accounts are an example.
This command returns any string within the field that contains a $. If you try to use the $ without escaping it, the result set returns empty.
Using PCRE escape sequences is a much better method to search.
For more information about the HEX value for the character you might be looking for, see the ASCII Codes Table.
Other examples:
To search for a percent sign (%), use either of the following:
- contains(\x25)
- contains(\%)
To search for a backslash, use either of the following:
- contains(\x5c)
- contains(\\)
To search for dual backslashes (useful if looking for a fully qualified host name), use either of the following:
- contains(\x5c\x5c)
- contains(\\\)
NOTES:
- Sometimes, if you don't use the HEX value or the slash, you might get an Invalid Regular Expression (ER5-0015) error.
- The NOT (!), OR (or), and Case Insensitivity (Aa) icons all apply to the contains value. So, if you want to see all NON service accounts, use the "search for any special character" example above with NOT selected.
- Also, as stated in the Release Notes, you can use the /i regular expression notation for case insensitivity. For example, contains(admin/i).

Example command:
contains(nitroguard\x28[3-4]\x29[com|info]+)
Sample field values:
(3)www(10)nitroguard(3)com(0)
(3)www(10)nitroguard(4)info(0)
(3)www(10)nitroguard(3)gov(0)
(3)www(10)nitroguard(3)edu(0)
(3)www(10)nitroguard(7)oddball(0)
NOTE: These domains are from Microsoft DNS events.
Description: This command is a search using a Regular Expression.
The purpose of this regular expression is to pick out a specific string. In this case, nitroguard, a three or four digit primary domain, and match COM or INFO.
This RegEx matches the first two entries, but not the rest.
NOTE: These examples show how RegEx would be used with the feature. Your expressions might be quite different.
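To see how the expressions in the table above behave, here is an added example (not code from the original article or from the product vendor) that emulates the contains filter over the Microsoft DNS event strings quoted on the page plus a few constructed account names. The parse_contains and contains_filter functions, the aa and negate parameters (standing in for the Aa and NOT icons), and the sample values are all assumptions of this example; Python's re module stands in for the product's regex engine, which the page does not identify.

```python
import re

# Constructed sample field values: the Microsoft DNS event strings quoted on
# the page plus a few hypothetical account names (not real data).
SAMPLE_VALUES = [
    "(3)www(10)nitroguard(3)com(0)",
    "(3)www(10)nitroguard(4)info(0)",
    "(3)www(10)nitroguard(3)gov(0)",
    "(3)www(10)nitroguard(3)edu(0)",
    "(3)www(10)nitroguard(7)oddball(0)",
    "Administrator",
    "gmestrad",
    "svc_backup$",
    "NGCP-collector",
]

# Outer shape of a contains() expression; everything inside the parentheses
# is the pattern (DOTALL so a pattern may contain any character).
_CONTAINS = re.compile(r"^contains\((.*)\)$", re.DOTALL)


def parse_contains(expr):
    """Split 'contains(<pattern>[/i])' into (pattern, case_insensitive).

    The trailing /i is the case-insensitivity notation the page describes;
    the rest of the body is passed through unchanged as the regex pattern.
    """
    m = _CONTAINS.match(expr.strip())
    if not m:
        raise ValueError(f"not a contains() expression: {expr!r}")
    body = m.group(1)
    if body.endswith("/i"):
        return body[:-2], True
    return body, False


def contains_filter(expr, values, aa=False, negate=False):
    """Return the values that satisfy a contains() expression.

    aa     -- emulate the Aa (case-insensitive) icon being selected
    negate -- emulate the NOT (!) icon being selected
    The constructs used on the page (\\xNN hex escapes, \\$, an alternation
    wrapped in its own parentheses, character classes, /i) are standard
    PCRE syntax that Python's re module also accepts.
    """
    pattern, ci = parse_contains(expr)
    flags = re.IGNORECASE if (aa or ci) else 0
    try:
        rx = re.compile(pattern, flags)
    except re.error as err:
        # The page reports that ESM surfaces an unparsable pattern as an
        # "Invalid Regular Expression (ER5-0015)" error.
        raise ValueError(f"Invalid Regular Expression: {err}") from err
    # contains is a substring match, so use search(); NOT inverts the result.
    return [v for v in values if bool(rx.search(v)) != negate]


if __name__ == "__main__":
    checks = [
        ("contains(admin)", {}),
        ("contains(admin/i)", {}),
        ("contains(stra)", {}),
        ("contains((admin|NGCP))", {"aa": True}),
        ("contains(\\x24)", {}),
        ("contains(\\$)", {"negate": True}),
        ("contains(nitroguard\\x28[3-4]\\x29[com|info]+)", {}),
    ]
    for expr, opts in checks:
        print(f"{expr}  {opts or ''}")
        for hit in contains_filter(expr, SAMPLE_VALUES, **opts):
            print("    ", hit)
```

Running the script shows the behaviour the table describes: contains(admin) matches nothing because Administrator starts with a capital A, while contains(admin/i) or the Aa option matches it; the \x24 and \$ forms both find the service account, and NOT inverts that set. One detail worth knowing when writing your own expressions: in PCRE, [com|info] is a character class (any one of the letters c, o, m, i, n, f or the | character), not the alternation (com|info); it still selects only the first two DNS entries because g and e are outside the class, but it would also accept a label such as (3)cnf.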
Caveats for use:
- Using contains with values of fewer than three characters causes higher overhead and longer query times. We recommend that you use queries whose strings are longer than three characters.
- You can't use it in Correlation Rules.
- You can't use it in Alarms.
- Using contains with NOT can cause higher overhead and longer query times.
- Some fields don't have the case-insensitivity icon. This will change in a future release. Until that change is made, use the /i flag as shown previously.