NQL bitwise operators

Use bitwise and and or operators in the NQL where clause to apply multiple filters or create complex conditions.

Use the and operator to combine multiple conditions and retrieve only records that meet all conditions simultaneously.

Example:

Retrieve binaries where the name is "chrome.exe" and they run on Windows.

binaries during past 30d
| where name == "chrome.exe" and platform == windows

Use the or operator to combine multiple conditions and retrieve records that meet at least one of them.

Example:

Retrieve binaries where the name contains "chrome" or "firefox".

binaries  during past 7d
| where name == "*chrome*" or name == "*firefox*"

Last updated 6 months ago

Was this helpful?