Create a search query

Use the intuitive search builder to create a custom search query. To conduct custom searches in the HTML5 console, navigate to Historical Events.

By default, the initial search period covers the last hour. Specifically, the search period starts at the time you go to Historical Events, and stops one hour before.

As you build your search query, keep in mind the available operators and functions:

Operator	Definition
=	Equals
!=	Not equal to
>	Greater than
<	Less than
>=	Greater than or equal to
<=	Less than or equal to
in	True if the operand is equal to one of a list of expressions.
not in	Displays a record if the condition is not true.

Function	Definition
And	Displays results if all the conditions separated by And are true.
Or	Displays results if all the conditions separated by Or are true.
()	Parentheses: gives solving priority to the conditions inside of the first grouping when more than one grouping is listed.

Function

Definition

And

Displays results if all the conditions separated by And are true.

Displays results if all the conditions separated by Or are true.

()

Parentheses: gives solving priority to the conditions inside of the first grouping when more

than one grouping is listed.

You can build a query two different ways:

By dragging values from the left panel into the query builder.
Or:
By manually entering query data.
As you type in the query builder, tips and suggestions appear to guide you as you enter your query parameters.
Use the time picker to select a quick pick or custom date and time range.
When your query is complete, press Search to initiate the search.

Query building tips and examples

The query builder supports a combination values, operators, and functions.

Basic query structure

A basic query uses full-text values. For example:

"someText"

You can also chain the conditions using logical operators "AND" and "OR." For example:

"someText" AND "someOtherText" OR "someOtherText2"

To make sure your conditions are properly executed, you can also use brackets (parentheses). For example:

"someText" AND ( "someOtherText" OR "someOtherText2" )

Advanced conditions

Aside from basic conditions, you can add conditions with two operands connected by an operator.

For example, if you want to search for an event NOT containing certain text, you can write it as follows:

Text != "someText"

You can also search for events containing a value in a specific property. For example:

DestinationPort = 1234

Also, you can specify the event type and condition. For example:

Access.DestinationPort = 1234

Or, it can be split into separate conditions:

EventType = Access AND DestinationPort = 1234

And, you can enter name of the event group if it contains non-alphanumerical characters. For example:

"Any Alert".DestinationPort = 1234

Special characters and spaces

Queries support a wide range of special characters, including Unicode characters like ☃☀♫, for example. One of the main restrictions is using spaces and double quotes in names of custom groups and other things a user can create. To use them in a query, the value must be wrapped in quotes. For example:

"Any Alert".DestinationPort = 1234 OR DetectionIP in UserDefinedGroup."Auditd Watchers Excludes"

If the name or value contains a double quote, it must be doubled in the query. For example:

Text = "sometext""containing""quotes"

This will result in searching for the following text:

sometext"containing"quotes

Wildcards in strings

Wildcards can be used in string values, but it's important to understand where to place them.

The following examples use the asterisk (*) wildcard character.

Starting wildcard

Text	What this will match?	What this will NOT match?	Explanation
"*sometext"	"xxx sometext" "sometext"	"xxxsometext" "xxx sometext xxx"	A wildcard at the beginning indicates that other "words" can be before the following text, so "sometext" and " sometext" are actually equivalent queries.

Text

What this will match?

What this will NOT match?

Explanation

"*sometext"

"xxx sometext"

"sometext"

"xxxsometext"

"xxx sometext xxx"

A wildcard at the beginning indicates that other "words" can be before the following text, so "*sometext" and "* sometext" are actually equivalent queries.

Ending wildcard

Text	What this will match?	What this will NOT match?	Explanation
"sometext*"	"sometext" "sometextxxx" "sometextxxx someothertext"	"xxx sometext" "xxxsometext"	A wildcard at the end of the text WITHOUT a space indicates the value can continue with any other parts (without a starting wildcard this query would look for values starting with TEXT "sometext").
"sometext *"	"sometext" "sometext xxx someothertext"	"xxxsometext" "sometextxxx"	A wildcard at the end separated from the text by a space indicates that after the specified "word," any number of other words in the value would match (without a starting wildcard this query would look for values starting with the WORD "sometext").

Text

What this will match?

What this will NOT match?

Explanation

"sometext*"

"sometext"

"sometextxxx"

"sometextxxx someothertext"

"xxx sometext"

"xxxsometext"

A wildcard at the end of the text WITHOUT a space indicates the value can continue with any other parts (without a starting wildcard this query would look for values starting with TEXT "sometext").

"sometext *"

"sometext"

"sometext xxx someothertext"

"xxxsometext"

"sometextxxx"

A wildcard at the end separated from the text by a space indicates that after the specified "word," any number of other words in the value would match (without a starting wildcard this query would look for values starting with the WORD "sometext").

A Wildcard In The Text

Text	What this will match?	What this will NOT match?	Explanation
"some*text"	"sometext" "someothertext"	"xxxsometext" "sometextxxx" "xxx sometext xxx" "some text" "some xxx text"	A wildcard in the middle of the word looks for a "word" which can contain any number of alphanumerical characters in a place of the wildcard (without starting or ending wildcard this query would look for values containing one WORD starting with text "some" and ending with text "text").

Text

What this will match?

What this will NOT match?

Explanation

"some*text"

"sometext"

"someothertext"

"xxxsometext"

"sometextxxx"

"xxx sometext xxx"

"some text"

"some xxx text"

A wildcard in the middle of the word looks for a "word" which can contain any number of alphanumerical characters in a place of the wildcard (without starting or ending wildcard this query would look for values containing one WORD starting with text "some" and ending with text "text").

Combination of wildcards

Text	What this will match?	What this will NOT match?	Explanation
"sometext *"	"sometext" "someOtherText" "xxx sometext" "sometext xxx someothertext"	"xxx some text" "xxx sometextxxx"	You can combine these wildcards to more complex expressions based on the rules above.

Text

What this will match?

What this will NOT match?

Explanation

"*some*text *"

"sometext"

"someOtherText"

"xxx sometext"

"sometext xxx someothertext"

"xxx some text"

"xxx sometextxxx"

You can combine these wildcards to more complex expressions based on the rules above.

Custom Groups

The following are supported groups used with the "in" operator:

SubscriptionGroup
UserDefinedGroup
DirectoryServiceGroup
ConnectorProfileGroup

Unsupported groups:

TimeGroup

Since groups do not currently restrict unique names across group types, use the prefix to search for a group

Group Type	Prefix
SubscriptionGroup	Subscription
UserDefinedGroup	UserDefinedGroup
DirectoryServiceGroup	DSGroup
ConnectorProfileGroup	Profile

The query would be similar to the following:

DetectionIP in UserDefinedGroup.BlockedAddresses

If the name contains non-alphanumerical characters, it would be similar to the following:

DetectionIP in UserDefinedGroup."Auditd Watchers Excludes"

Hinter

This feature provides suggestions possible query values. The provided "hints" are based on cursor position in the input. As you type, hints are filtered to provide more specific options.

Limitations and restrictions

From previous versions, there is change, that it's not supported having Event Group named same as some Event Type. That will end up not being able to recognize which is which and match first to find.

Queries are limited to 10,000 characters.

Troubleshooting

Currently, there is a known issue that hinter is a bit horizontally misaligned to the input. On some occasions, the hinter suggestions may be vertically misaligned to the input. To fix the issue, close or open it.