RSQL Filtering

Collection and export endpoints support RSQL (REST structured query language) based data filtration.

Search Type	Operator	Examples
Equal	==	`?filter=file.name==RC-Shell.php`
Not Equal	!=	`?filter=file.name!='My Shell.php'`
Wildcard	==	`?filter=file.name=='*Shell.php'`
Greater Than	>	`?filter=count>1` `?filter=audit_created>2020-01-01`
Greater Than or Equal	>=	`?filter=count>=1` `?filter=audit_created>=2020-01-01`
Less Than	<	`?filter=count<1` `?filter=audit_created<2020-01-01`
Less Than or Equal	<=	`?filter=count<=1` `?filter=audit_created<=2020-01-01`
In	=in=	`?filter=agent.version=in=(3.1.1,3.0.0)`
Not In	=out=	`?filter=agent.version=out=(3.1.1,3.0.0)`
Null	=isnull=	`?filter=agent.version=isnull=1`
Not Null	=notnull=	`?filter=agent.version=notnull=1`
Conjunctions	N/A	`?filter=count>1 and count<100` `?filter=audit_created>=2020-01-01 and audit_created<=2020-01-07` `?filter=file.name==RC-Shell.php or file.name==other.php`
Precedence	N/A	`?filter=(count>1 and count<10) or (count>100 and count<1000)`

Error Handling

A malformed RSQL filter is expected to throw a 400 Bad Request, with error context MX.InvalidCollectionFilter, e.g.:

{ 
"timestamp": "2020-01-06T15:03:47.106+0000", 
"status": 400,
"error": "Bad Request", 
"message": "MX.InvalidCollectionFilter", 
"path": "/v1/enterprise/d6288400-3f2e-4a28-9c9a-ab4c9d7a6eff/agent-file" 
}

RSQL Filters with Collection And Export Endpoints

RSQL Filtering

Error Handling