Query Language Overview

A powerful query language lets you show only selected records from the log files, according to your criteria.

To create complex queries, use Boolean operators, wildcards, fields, and ranges.

This section refers in detail to the query language.

When you use Harmony Endpoint to create a query, the applicable criteria appear in the Query search bar.

The basic query syntax is:

[<Field>:] <Filter Criterion>

To put together many criteria in one query, use Boolean operators:

[<Field>:] <Filter Criterion> {AND | OR | NOT} [<Field>:] <Filter Criterion> ...

Most query keywords and filter criteria are not case sensitive, but there are some exceptions.

For example, "source:<X>" is case sensitive ("Source:<X>" does not match).

If your query results do not show the expected results, change the case of your query criteria, or try upper and lower case.

When you use queries with more than one criteria value, an AND is implied automatically, so there is no need to add it. Enter OR or other boolean operators if needed.

Criteria Values

Criteria values are written as one or more text strings.

You can enter one text string, such as a word, IP address, or URL, without delimiters.

Phrases or text strings that contain more than one word must be surrounded by quotation marks.

  • John

  • inbound

  • 192.168.2.1

  • some.example.com

  • dns_udp

  • "John Doe"

  • "Log Out"

  • "VPN-1 Embedded Connector"

IPv4 and IPv6 addresses used in log queries are counted as one word.

Enter IPv4 address with dotted decimal notation and IPv6 addresses with colons.

Example:

  • 192.0.2.1

  • 2001:db8::f00:d

You can also use the wildcard '*' character and the standard network suffix to search for logs that match IP addresses within a range.

Examples:

  • src:192.168.0.0/16

    Shows all records for the source IP 192.168.0.0 to 192.168.255.255 inclusive

  • src:192.168.1.0/24

    Shows all records for the source IP 192.168.1.0 to 192.168.1.255 inclusive

  • src:192.168.2.*

    Shows all records for the source IP 192.168.2.0 to 192.168.2.255 inclusive

  • 192.168.*

    Shows all records for 192.168.0.0 to 192.168.255.255 inclusive

NOT Values

You can use NOT <field> values with Field Keywords in log queries to find logs for which the value of the field is not the value in the query.

Syntax:

NOT <field>: <value>

Example:

NOT src:10.0.4.10

Wildcards

You can use the standard wildcard characters (* and ?) in queries to match variable characters or strings in log records.

You can use more than the wildcard character.

Wildcard syntax:

  • The ? (question mark) matches one character.

  • The * (asterisk) matches a character string.

Examples:

  • Jo? shows Joe and Jon, but not Joseph.

  • Jo* shows Jon, Joseph, and John Paul.

If your criteria value contains more than one word, you can use the wildcard in each word.

For example, 'Jo* N*' shows Joe North, John Natt, Joshua Named, and so on.

Note - Using a single '*' creates a search for a non-empty value string. For example asset name:*

Field Keywords

You can use predefined field names as keywords in filter criteria.

The query result only shows log records that match the criteria in the specified field.

If you do not use field names, the query result shows records that match the criteria in all fields.

This table shows the predefined field keywords. Some fields also support keyword aliases that you can type as alternatives to the primary keyword.

Keyword

Keyword Alias

Description

severity

 

Severity of the event

app_risk

 

Potential risk from the application, of the event

protection

 

Name of the protection

protection_type

 

Type of protection

confidence_level

 

Level of confidence that an event is malicious

action

 

Action taken by a security ruleClosed Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session.

blade

product

Software BladeClosed Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities.

destination

dst

Traffic destination IP address, DNS name or Check Point network object name

origin

orig

Name of originating Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources.

service

 

Service that generated the log entry

source

src

Traffic source IP address, DNS name or Check Point network object name

user

 

User name

Syntax for a field name query:

<field name>:<values>

Where:

  • <field name> - One of the predefined field names

  • <values> - One or more filters

To search for rule number, use the Rule field name.

For example:

rule:7.1

If you use the rule number as a filter, rules in all the Layers with that number are matched.

To search for a rule name, you must not use the Rule field. Use free text.

For example:

"Block Credit Cards"

Best Practice - Do a free text search for the rule name. Make sure rule names are unique and not reused in different Layers.

Examples:

  • source:192.168.2.1

  • action:(Reject OR Block)

    You can use the OR Boolean operator in parentheses to include multiple criteria values.

Important - When you use fields with multiple values, you must:

  • Write the Boolean operator, for example AND.

  • Use parentheses.

Boolean Operators

You can use the Boolean operators AND , OR, and NOT to create filters with many different criteria.

You can put multiple Boolean expressions in parentheses.

If you enter more than one criteria without a Boolean operator, the AND operator is implied.

When you use multiple criteria without parentheses, the OR operator is applied before the AND operator.

Examples: