Documentation forSecurity Event Manager

Create a search query

Use the intuitive search builder to create custom search queries. To perform custom searches, click Historical Events in the toolbar.

By default, the initial search period covers the last hour. The search period begins when you go to Historical Events, and stops one hour before.

The following table lists the available operators and functions.

Operator Definition
= Equals
!= Not equal to
> Greater than
< Less than
>= Greater than or equal to
<= Less than or equal to
in True if the operand is equal to one of a list of expressions.
not in Displays a record if the condition is not true.
Function Definition
And Displays results if all the conditions separated by And are true.
Or Displays results if all the conditions separated by Or are true.
( )

Parentheses: gives solving priority to the conditions inside of the first grouping when more than one grouping is listed.

You can build a query using the following methods:

Refine the query results

  1. Log in to the SEM Console.

  2. In the toolbar, click Historical Events and Reports.
  3. In the left column, click Refine Results to list the categories of available fields.
  4. Click the drop-down menu and select a category.

    For example, Events.

    You can also enter a term in the Search field to locate an entity. All matches are highlighted in the results.

    For example, InternalWarning.

  5. Select an event entity. Hover over the information icon to display a description.

    For example, click the Events drop-down menu and select InternalWarning.

    All entities listed in the Events menu include context help.
  6. Hover over the selected entity and click + to add the query.

    Your selection is added to the query builder.

  7. Select one or more additional options.

    For example:

    By default, the query is built using AND conditions.

    The condition can be changed to an OR condition and parenthesis added as required.

  8. Continue adding other fields until you have created your query.

  9. Click the time picker (for example, Last 10 minutes).

  10. Refine your results using the custom time picker. You can select a quick pick or a specific date and time range.

    For example, if you click Last 10 minutes, that value displays next to the query builder.

  11. Click Search.

    Your results display in the window.

Enter the query data

You can also enter query data in the query builder. As you enter the query, tips and suggestions display to guide you as you enter your parameters.

Add the time period for the query

When you create the query fields, use the time picker to select the date range you want the query to cover.

When your query is complete, click Search to initiate the search.

Query building tips and examples

The query builder supports a combination values, operators, and functions.

Basic query structure

A basic query uses full-text values. For example:

someText"

You can also chain the conditions using logical operators "AND" and "OR." For example:

someText" AND "someOtherText" OR "someOtherText2"

To ensure that your conditions execute properly, use brackets (parenthesis). For example:

someText" AND ( "someOtherText" OR "someOtherText2" )

Advanced conditions

Besides the basic conditions, you can add conditions with two operands connected by an operator.

For example, if you want to search for an event NOT containing certain text, create the event as shown below:

Text != "someText"

You can search for events containing a value in a specific property.

DestinationPort = 1234

You can specify the event type and condition.

Access.DestinationPort = 1234

You can split the event into separate conditions.

EventType = Access AND DestinationPort = 1234

You can enter name of the event group if it contains non-alphanumerical characters.

Any Alert".DestinationPort = 1234

Special characters and spaces

Queries support a wide range of special characters, including Unicode characters such as ☃☀♫, for example. One primary restriction is using spaces and double quotes in the names of custom groups and other items a user can create. To use them in a query, wrap the value in quotes.

Any Alert".DestinationPort = 1234 OR DetectionIP in UserDefinedGroup."Auditd Watchers Excludes"

If the name or value contains a double quote, it must be doubled in the query.

Text = "sometext""containing""quotes"

This results in searching for the following text:

sometext"containing"quotes

Wilccards in strings

You can use wildcards in string values, but their placement is important. The following examples use the asterisk (*) wildcard character.

Starting wildcard

Text

What this will match?

What this will NOT match?

Explanation

*sometext"

"xxx sometext"

"sometext"

"xxxsometext"

"xxx sometext xxx"

A wildcard at the beginning indicates that other "words" can be before the following text. As a result, "*sometext" and "* sometext" are actually equivalent queries.

Ending wildcard

Text

What this will match?

What this will NOT match?

Explanation

sometext*"

"sometext"

"sometextxxx"

"sometextxxx someothertext"

"xxx sometext"

"xxxsometext"

A wildcard at the end of the text WITHOUT a space indicates the value can continue with any other parts.

Without a starting wildcard, this query would search for values starting with TEXT "sometext".

sometext *"

"sometext"

"sometext xxx someothertext"

"xxxsometext"

"sometextxxx"

A wildcard at the endof the text separated by a space indicates that after the specified "word," any number of other words in the value would match.

Without a starting wildcard, this query would search for values starting with the WORD "sometext".

Wildcard in the text

Text

What this will match?

What this will NOT match?

Explanation

some*text"

"sometext"

"someothertext"

"xxxsometext"

"sometextxxx"

"xxx sometext xxx"

"some text"

"some xxx text"

A wildcard in the middle of the word looks for a "word" that can contains alphanumerical characters in a place of the wildcard.

Without starting or ending wildcard this query would look for values containing one WORD starting with text "some" and ending with text "text".

Wildcard combinations

Text

What this will match?

What this will NOT match?

Explanation

*some*text *"

"sometext"

"someOtherText"

"xxx sometext"

"sometext xxx someothertext"

"xxx some text"

"xxx sometextxxx"

You can combine wildcards to more complex expressions based on the rules above.

Custom groups

The following groups are supported groups used with the "in" operator:

  • SubscriptionGroup
  • UserDefinedGroup
  • DirectoryServiceGroup
  • ConnectorProfileGroup

The following group not supported when used with the "in" operator: Unsupported groups:

  • TimeGroup

Since groups do not currently restrict unique names across group types, use the prefix to search for a group

Group Type Prefix

SubscriptionGroup

Subscription

UserDefinedGroup

UserDefinedGroup
DirectoryServiceGroup DSGroup
ConnectorProfileGroup

Profile

The query would be similar to the following:

DetectionIP in UserDefinedGroup.BlockedAddresses

If the name contains non-alphanumerical characters, it would be similar to the following:

DetectionIP in UserDefinedGroup."Auditd Watchers Excludes"

Hinter

This feature suggests possible query values. The provided "hints" are based on cursor position in the input. As you type, hints are filtered to provide more specific options.

Limitations and restrictions

Queries are limited to 10,000 characters.

Troubleshooting

Currently, there is a known issue that hinter is horizontally misaligned to the input. In some occasions, the hinter suggestions may be vertically misaligned to the input. To fix the issue, close or open it.