Menu English (US) Čeština Dansk Deutsch Español (Latinoamérica) Español (España) Suomi Français (Canada) Français (France) हिंदी Magyar Bahasa Indonesia Italiano 日本語 한국어 Bahasa Melayu Nederlands Norsk Polski Português do Brasil Português (Portugal) Română Русский svenska ไทย Türkçe Українська Tiếng Việt 简体中文 繁體中文

How to Use Lucene Query Syntax

Updated:

Created:

What is Lucene Query Syntax?

Lucene is a query language that can be used to filter messages in your PhishER inbox. A query written in Lucene can be broken down into three parts:

  1. Field The ID or name of a specific container of information in a database. If a field is referenced in a query string, a colon ( ) must follow the field name.
  2. Terms Items you would like to search for in a database. You can search for Single Terms ("Hello") and Phrases ("Hello world"). A term does not have to be enclosed in quotation marks.
  3. Operators/Modifiers A symbol or keyword used to denote a logical operation.
    • Operator/Modifier Meaning
      AND Both input parameters return TRUE.
      OR At least one input parameter returns TRUE.
      NOT The input parameter returns FALSE. NOT can also be represented using the ( - ) symbol.
      * Wildcard that is a placeholder for multiple characters. 
      ? Wildcard that is a placeholder for a single character. This wildcard cannot be used as a placeholder for the first character of a string.

      Note: This is a condensed list of operators and modifiers.


To create a query, you can use the field, term, and operator/modifier to form a string. Below is an example of how a Lucene query string is constructed:

field_name: "This is the phrase I want to search for!" AND "This"

Note:

The field referred to in your string must match a field acknowledged in the database you are running a query against.

 

What Fields Can I Reference in a Query?

Below is a table of all the fields you may reference when filtering your PhishER inbox or PhishRIP queries.

PhishER Inbox
Field Name Use Case Example
attachment_names Use this field to filter messages by file name or extension type. attachment_names: "inv.pdf"
attachment_names: *.doc
cc Use this field to filter messages by an email address that was copied on the original message. cc: "@knowbe4.com"
from_name Use this field to filter messages by the sender name tied to the original message. from_name: "CyberheistNews"
from_name: Cyberheist*
hosts Use this field to filter messages by the hostname(s) tied to the message. hosts: "knowbe4.com"
hosts: *google.com
reported_at Use this field name to search for messages reported on a specific date.

The following date format is acceptable:
YYYY-MM-DD		 reported_at: "2018-11-27"
reported_by Use this field to filter messages by the email address of the reporter. reported_by: *"@knowbe4.com (http://knowbe4.com/)"
reported_by_name Use this field to filter messages by the name of the reporter. Note: This search is case sensitive. reported_by_name: "First Last"
sent_at Use this field to filter messages by the date it was sent to the reporter. See reported_at for the acceptable date format.

sent_at: "2018-12-04"
sent_at:[2020-03-03 TO *]
sent_at:[2020-03-03 TO 2020-04-04]
sent_at:[2020-03 TO 2020-04]
subject Use this field to filter messages by the subject line of the message. subject: "invoice"
subject: immediate*
tags Use this field to filter messages by the tags attached to it. tags: "threat"
-tags: "threat"
to Use this field to filter messages by the email address the message was originally sent to. to: "@knowbe4.com"
to: *know*
urls Use this field to filter messages by URLs found in the message. urls: "knowbe4.com"
urls:*

PhishRIP Queries
Field Name Use Case Example
source_id

Use this field to filter queries by the PhishER message used to initiate PhishRIP.


Note: You can view the message in the PhishER inbox by going to the following URL:

https://phisher.knowbe4.com/inbox/ + source_id

source_id: "b039476c-7534-4d52-b162-b8058acbb1e0"

 

https://phisher.knowbe4.com/inbox/b039476c-7534-4d52-b162-b8058acbb1e0
id Use this field to search for an individual PhishRIP query. id: "98719b0a-b739-485f-98fe-6c343c21c27f"
started

Use this field to filter messages by the date the query was created.

The following date format is acceptable:
YYYY-MM-DD

 started:"2020-04-04"
originator Use this field to filter queries by the first and last name of a user that initiated a PhishRIP. originator:"John Doe"

 

How Do I Run a Query in PhishER?

To run a query in PhishER, navigate to PhishER > Inbox. Then, type your query string in the Search... bar in the top-left.

Query strings will vary depending on the intended goal of your search. Below are example query strings you may customize and run in your PhishER inbox.

  1. This query will pull all messages tagged as a threat with "urgent" or "immediately" in the subject line:

    tags: "threat" AND (subject: "urgent" OR "immediately")

  2. Replace your-organization-domain.com with your organization's domain. Then, this query will pull all messages that are NOT sent from your domain:

    -from_name: your-organization-domain.com

    OR

    NOT from_name: your-organization-domain.com

  3. This query will pull all messages with words or phrases starting with "network" in the subject line and NOT tagged as spam:

    subject: "network*" AND -tag: "spam"

    Note:

    This is a brief overview of Lucene query syntax to get you started with custom searches in your PhishER inbox. Visit here for full Lucene query syntax documentation.

 

Have more questions? Submit a request

Comments

0 comments

Article is closed for comments.

Related articles