Exclusive access to the Trickest Query Language via Solutions is provided solely for Enterprise users. If you are interested in learning more about the Enterprise Edition, please contact us.

Overview

The Trickest Query Language enables precise filtering across very large, heterogeneous security datasets. It uses human‑readable conditions, comparison operators, and regular‑expression matching so you can compose multi‑condition filters that surface exactly what you need.
Field availability depends on the dataset you are querying (e.g., Web Servers, Open Ports, Network Services, Vulnerabilities).

Operators

The Query Language supports four categories of operators for filtering data.

Equality and Inequality

Test exact matches or exclusions across any field type.
| Operator | Description    | Applicable Types             |
|----------|----------------|------------------------------|
| =        | Exact match    | Strings, numbers, dates, IPs |
| !=       | Does not match | Strings, numbers, dates, IPs |

Comparison Operators

Perform greater-than and less-than comparisons on numeric and time-like fields.
| Operator | Description  | Applicable Types     |
|----------|--------------|----------------------|
| >        | Greater than | Numbers, dates/times |
| <        | Less than    | Numbers, dates/times |

Pattern Matching (Regex)

Match string fields against regular expressions for flexible filtering.
| Operator | Description                  | Applicable Types |
|----------|------------------------------|------------------|
| ~        | Matches regex pattern        | Strings          |
| !~       | Does not match regex pattern | Strings          |

Escaping Special Characters: Regular expressions use special characters (. * + ? [ ] ( ) { } ^ $ | \). To match them literally, escape with a backslash:
  • . (dot) → \\. to match a literal period
  • * (asterisk) → \\* to match a literal asterisk
  • \ (backslash) → \\\\ to match a literal backslash

Logical Connectors

Combine multiple conditions to create complex filters.
| Operator | Description                 |
|----------|-----------------------------|
| AND      | Both conditions must be true |
| OR       | Either condition can be true |

Examples

Basic Field Conditions

Match exact values:
status_code = 200
Numeric comparisons:
response_time > 1000
String equality:
technology = "nginx"
Exclude values:
port != 80

Combining Conditions

Use AND to require multiple conditions:
status_code = 200 AND content_length < 1000
Use OR for alternative conditions:
port = 80 OR port = 443
Chain multiple conditions:
port = 22 AND banner ~ "OpenSSH" AND last_seen > "2024-01-01"
Group with parentheses:
(port = 80 OR port = 443) AND status_code = 200

Pattern Matching

Basic hostname pattern:
hostname ~ "api\\.example\\.com"
Wildcard-like matching:
hostname ~ ".*staging.*"
Complex regex (vulnerable SSH versions):
port = "22" AND banner ~ "SSH-2\\.0-OpenSSH_(8\\.5p1|8\\.6p1|8\\.7p1|8\\.8p1|8\\.9p1|9\\.0p1|9\\.1p1|9\\.2p1|9\\.3p1|9\\.4p1|9\\.5p1|9\\.6p1|9\\.7p1)(?:\\s|$)"
Negative matching:
technology !~ "wordpress|joomla"

Time-Based Queries

Find recent entries:
first_seen > "2024-01-01"
Find stale assets:
last_seen < "2023-01-01"
Time range:
first_seen > "2024-01-01" AND last_seen < "2025-01-01"

Practical Use Cases

Identify services on non-standard ports:
port != 80 AND port != 443
Detect a specific vulnerability:
vulnerability_id = "CVE-2021-44228"
Find lightweight successful responses:
status_code = 200 AND content_length < 1000
Filter by IP address:
ip = "192.168.1.1"
Exclude specific technologies:
technology != "nginx"
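To make the operator semantics described on this page concrete, here is an added example (not Trickest code): a small Python evaluator that tokenizes and evaluates queries in the syntax above against constructed records. It assumes that AND binds tighter than OR, that ~ is an unanchored regex search, that a quoted literal unescapes "\\" to "\", and that a condition on a field the record lacks is simply false.

```python
import re

# Added example (not Trickest code): a small evaluator for the query syntax this
# page documents, run over constructed records. Assumptions: AND binds tighter
# than OR, "~" is an unanchored regex search, a quoted literal unescapes "\\" to
# "\", and a condition on a field the record lacks is false (no results).
TOKEN = re.compile(r'\(|\)|!~|!=|~|=|>|<|\bAND\b|\bOR\b|"(?:[^"\\]|\\.)*"|[\w.-]+')
OPS = {'=': lambda a, b: a == b, '!=': lambda a, b: a != b,
       '>': lambda a, b: a > b, '<': lambda a, b: a < b,
       '~': lambda a, b: re.search(b, str(a)) is not None,
       '!~': lambda a, b: re.search(b, str(a)) is None}

def literal(tok):
    if tok.startswith('"'):                        # quoted string, date or regex
        return re.sub(r'\\(.)', r'\1', tok[1:-1])  # "api\\.example" -> api\.example
    return int(tok) if tok.isdigit() else tok      # unquoted number

def condition(field, op, lit):
    if op not in OPS:
        raise ValueError(f"unknown operator {op!r}")
    def test(rec):
        if field not in rec:                       # field absent: never matches
            return False
        val = rec[field]
        want = int(lit) if isinstance(val, int) and str(lit).isdigit() else lit
        return OPS[op](val, want)                  # so port = "22" still compares numerically
    return test

def parse(tokens):
    def atom():                                    # '(' expr ')' | field op literal
        if tokens[0] == '(':
            tokens.pop(0); node = expr(); tokens.pop(0); return node
        field, op = tokens.pop(0), tokens.pop(0)
        return condition(field, op, literal(tokens.pop(0)))
    def chain(sub, word, combine):                 # sub (word sub)*
        node = sub()
        while tokens and tokens[0] == word:
            tokens.pop(0); node = combine(node, sub())
        return node
    conj = lambda: chain(atom, 'AND', lambda l, r: (lambda x: l(x) and r(x)))
    expr = lambda: chain(conj, 'OR', lambda l, r: (lambda x: l(x) or r(x)))
    node = expr()
    if tokens:
        raise ValueError(f"unexpected token {tokens[0]!r}")
    return node

def run_query(query, records):
    pred = parse(TOKEN.findall(query))
    return [r for r in records if pred(r)]
```

Running the page's own examples through run_query shows why escaping matters: "api\\.example\\.com" matches api.example.com but not apixexample.com, and a condition on a missing field drops the record even under !~.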

Building Reliable Queries

  • Start broad, then refine — begin with a simple condition and add more only as needed.
  • Use explicit comparisons — prefer =, !=, >, < over implicit matching.
  • Quote strings and dates — keep text and time‑like values in quotes; keep numbers unquoted.
  • Escape regex carefully — metacharacters like . and + must be escaped when intended literally.
  • Reuse successful filters — save filters in your workflow’s Insights view to standardize triage.

Notes & Limitations

  • The language operates over fields present in the active dataset; if a field doesn’t exist, the filter will return no results.
  • Operator behavior depends on field type (numeric vs. string). Use the appropriate operator for the data you are querying.
  • Complex grouping with parentheses is not required for the examples above; combine conditions with AND/OR as shown.