VAST features a declarative query language for extracting a subset of the data.

A query in VAST is a boolean expression, consisting of conjunctions (`&&`), disjunctions (`||`), and negations (`!`). The operands of these operations are either predicates or further sub-expressions. For example, for valid predicates `A`, `B`, `C`, and `D`, an expression could be `A && B && (C || !D)`. This expression is equivalent to the following parse tree:
A predicate has the form `LHS op RHS`, where `LHS` denotes the left-hand side operand and `RHS` the right-hand side operand. The relational operator `op` defines which operand types are compatible with each other. An operand is either an extractor or data.
An extractor retrieves a certain aspect of an event. VAST supports the following extractor types:

- Attribute: matches fields that have a particular attribute value.
- Type: extracts all event types that have a field of a given type.
- Key: extracts all fields whose name matches a given record field name.
Attribute extractors have the form `#x`, where `x` is the name of an attribute. `#timestamp` extracts the event timestamp and requires an operand of type `time`. A predicate with a `#timestamp` extractor only considers event types that have a field carrying that attribute. Examples:

```
#type == "zeek.conn"
#timestamp > 2 days ago
```
Type extractors have the form `:T`, where `T` is the type of a field. Examples of predicates with type extractors:

```
:addr == 18.104.22.168
:count > 42M
"evil" in :string
```
Some predicates involving type extractors and equality operators can be written rather tersely. These data predicates have the form `:T == X`, where `X` is a data instance and `T` the type of `X`. For such configurations, the predicate parser also accepts `X` as a stand-alone predicate and infers `T` automatically. For example, `22.214.171.124` is a valid predicate and internally translates to `:addr == 22.214.171.124`. This allows for quick equality searches, such as `(188.8.131.52 || 80/tcp) && "evil"`.
Key extractors have the form `x.y.z`, where `x`, `y`, and `z` match on field names. The dot allows for accessing fields in nested records. A key extractor is always a suffix: to select the nested field `x.y.z`, you do not need to spell out `x.y`; it suffices to write just `z`. Examples:

```
ts > 1 day ago
id.orig_h in 192.168.0.0/24
orig_bytes >= 10Ki
```
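The boolean grammar, the `LHS op RHS` predicate shape and the bare-data shorthand described above can be exercised with a small parser. The following Python recursive-descent parser is an added example, not VAST's own code: it returns nested tuples as its parse tree, and its type inference for bare data (quoted string to `:string`, `N/tcp|udp|icmp` to `:port`, IP literal to `:addr`) is an assumed simplification rather than VAST's actual inference rules.

```python
import ipaddress
import re

# Token kinds: parentheses, boolean operators, quoted strings, and bare words.
TOKEN_RE = re.compile(r'\(|\)|&&|\|\||!=|!|"[^"]*"|[^\s()!&|"]+')
REL_OPS = {"==", "!=", "<", "<=", ">", ">=", "in", "ni"}
STOP = {"(", ")", "&&", "||", "!", None}  # tokens that end a predicate

def tokenize(query):
    tokens = TOKEN_RE.findall(query)
    if re.sub(r"\s", "", "".join(tokens)) != re.sub(r"\s", "", query):
        raise ValueError(f"cannot tokenize {query!r}")  # e.g. a lone '&' or '|'
    return tokens

def infer_extractor(x):
    """Bare data X abbreviates :T == X. Assumed rules: only string, port, addr."""
    if re.fullmatch(r'"[^"]*"', x): return ":string"
    if re.fullmatch(r"\d+/(tcp|udp|icmp)", x): return ":port"
    try: ipaddress.ip_address(x); return ":addr"
    except ValueError: raise ValueError(f"cannot infer a type for {x!r}") from None

class Parser:
    """Recursive descent: expr := term ('||' term)*; term := factor ('&&' factor)*."""
    def __init__(self, query):
        self.toks, self.i = tokenize(query) + [None], 0  # None marks end of input
    def peek(self): return self.toks[self.i]
    def take(self): self.i += 1; return self.toks[self.i - 1]
    def binary(self, op, name, sub):  # left-associative chain of one operator
        node = sub()
        while self.peek() == op: self.take(); node = (name, node, sub())
        return node
    def expr(self):  # || has the lowest precedence, && binds tighter
        return self.binary("||", "or", lambda: self.binary("&&", "and", self.factor))
    def factor(self):  # ! and parentheses bind tightest
        if self.peek() == "!": self.take(); return ("not", self.factor())
        if self.peek() != "(": return self.predicate()
        self.take(); node = self.expr()
        if self.take() != ")": raise ValueError("expected ')'")
        return node
    def predicate(self):  # LHS op RHS, or bare data X meaning :T == X
        words = []
        while self.peek() not in STOP: words.append(self.take())
        k = next((k for k, w in enumerate(words) if w in REL_OPS), None)
        if k is not None: return ("pred", " ".join(words[:k]), words[k], " ".join(words[k + 1:]))
        if len(words) != 1: raise ValueError(f"malformed predicate {' '.join(words)!r}")
        return ("pred", infer_extractor(words[0]), "==", words[0])

def parse_query(query):
    p = Parser(query); node = p.expr()
    if p.peek() is not None: raise ValueError(f"trailing token {p.peek()!r}")
    return node
```

Calling `parse_query('(10.0.0.1 || 80/tcp) && "evil"')` yields an `and` node whose left child is the `or` of the two inferred `:addr` and `:port` predicates, mirroring the expansion described for data predicates.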