Skip to content

Dork

Dork is a domain-specific language to generate search queries that integrate advanced search operators. This language offers to exceed filters available on APIs.

Example

On the Operation Center, on the events page, the following query will match all not failed events received from the start of January 1st, 2020 to the end of January 2nd, 2020:

NOT(error_code:"Failed") AND timestamp:>=2020-01-01T00:00:00Z AND timestamp:<2020-01-03T00:00:00Z

Syntax

A dork query contains one or more terms. Each terms hold a field, an operator and a literal.

e.g: id:"ALWyJiGeJSiw"

These terms can be combined though the use of logical operators.

Literals

Type Format Example
String "\w+" "value"
Number \d+[.,]\d* 17.23
Boolean 0 (false) or 1 (true) 0
Date yyyy[-mm[-dd]] 2020-01-01
DateTime yyyy-mm-ddThh:mm:ss[.sss][+-hh:mm|Z] 2020-01-01T12:23:45.2342+02:00

Operators

String operators

Operator Description Example
: The field must exactly match the literal type:"malware"
:^ The field must start with the literal type:^"Mal"
:$ The field must end with the literal type:$"ware"
:~ The field must partially match the literal type:~"dicat"

If the field represents a list:

Operator Description Example
: The field must match one item of the list tag:"binary"

Number operators

Operator Description Example
: The field must equal the literal urgency:100
:= The field must equal the literal urgency:=100
:> The field must be less than literal urgency:>10
:< The field must be greater than literal urgency:<50

Boolean operators

Operator Description Example
: The field must equal the literal deleted:1

Date operators

Operator Description Example
: The field must equal the literal timestamp:2020-01-01
:= The field must equal the literal timestamp:=2020-01-01T12:13:45Z
:> The field must be less than literal timestamp:>2020-01-01T00:00:00Z
:< The field must be greater than literal timestamp:<2020-12-31T23:59:59+12:00

Logical operators

Operator Description Example
AND Match if both terms are verified timestamp:>2020-01-01T00:00:00Z AND type:$"ware"
OR Match if any terms are verified timestamp:>2020-01-01T00:00:00Z OR type:^"mal"
NOT Inverse the result of the term NOT type:^"mal"

Grouping operators

Operator Description Example
() Groups operands (timestamp:>2020-01-01T00:00:00Z OR type:$"ware") AND NOT type:^"mal"