Create a search query
Use the intuitive search builder to create a custom search query. To conduct custom searches in the HTML5 console, navigate to Historical Events.
By default, the initial search period covers the last hour: it ends at the time you open Historical Events and starts one hour before that.
As you build your search query, keep in mind the available operators and functions:
Operator | Definition |
---|---|
= | Equals |
!= | Not equal to |
> | Greater than |
< | Less than |
>= | Greater than or equal to |
<= | Less than or equal to |
in | True if the operand is equal to one of a list of expressions. |
not in | True if the operand does not equal any expression in the list. |
You can build a query in two different ways:
- By dragging values from the left panel into the query builder.
- By manually entering query data.
As you type in the query builder, tips and suggestions appear to guide you as you enter your query parameters.
Use the time picker to select a quick pick or custom date and time range.
When your query is complete, press Search to initiate the search.
Query building tips and examples
The query builder supports a combination of values, operators, and functions.
Basic query structure
A basic query uses full-text values. For example:
"someText"
You can also chain the conditions using logical operators "AND" and "OR." For example:
"someText" AND "someOtherText" OR "someOtherText2"
To make sure your conditions are properly executed, you can also use brackets (parentheses). For example:
"someText" AND ( "someOtherText" OR "someOtherText2" )
Advanced conditions
Aside from basic conditions, you can add conditions with two operands connected by an operator.
For example, if you want to search for an event NOT containing certain text, you can write it as follows:
Text != "someText"
You can also search for events containing a value in a specific property. For example:
DestinationPort = 1234
Also, you can specify the event type and condition. For example:
Access.DestinationPort = 1234
Or, it can be split into separate conditions:
EventType = Access AND DestinationPort = 1234
You can also enter the name of an event group; if it contains non-alphanumerical characters, wrap it in quotes. For example:
"Any Alert".DestinationPort = 1234
Special characters and spaces
Queries support a wide range of special characters, including Unicode characters such as ☃☀♫. The main restriction concerns spaces and double quotes in the names of custom groups and other objects a user can create: to use such a name in a query, the value must be wrapped in double quotes. For example:
"Any Alert".DestinationPort = 1234 OR DetectionIP in UserDefinedGroup."Auditd Watchers Excludes"
If the name or value contains a double quote, it must be doubled in the query. For example:
Text = "sometext""containing""quotes"
This will result in searching for the following text:
sometext"containing"quotes
Wildcards in strings
Wildcards can be used in string values, but it's important to understand where to place them.
The following examples use the asterisk (*) wildcard character.
Starting wildcard
Text | What this will match | What this will NOT match | Explanation |
---|---|---|---|
"*sometext" | "xxx sometext", "sometext" | "xxxsometext", "xxx sometext xxx" | A wildcard at the beginning indicates that other "words" can be before the following text, so "*sometext" and "* sometext" are actually equivalent queries. |
Ending wildcard
Text | What this will match | What this will NOT match | Explanation |
---|---|---|---|
"sometext*" | "sometext", "sometextxxx", "sometextxxx someothertext" | "xxx sometext", "xxxsometext" | A wildcard at the end of the text WITHOUT a space indicates the value can continue with any other parts (without a starting wildcard this query would look for values starting with the TEXT "sometext"). |
"sometext *" | "sometext", "sometext xxx someothertext" | "xxxsometext", "sometextxxx" | A wildcard at the end separated from the text by a space indicates that after the specified "word," any number of other words in the value would match (without a starting wildcard this query would look for values starting with the WORD "sometext"). |
A Wildcard In The Text
Text | What this will match | What this will NOT match | Explanation |
---|---|---|---|
"some*text" | "sometext", "someothertext" | "xxxsometext", "sometextxxx", "xxx sometext xxx", "some text", "some xxx text" | A wildcard in the middle of a word matches a single "word" that can contain any number of alphanumerical characters in place of the wildcard (without a starting or ending wildcard this query would look for values consisting of one WORD starting with the text "some" and ending with the text "text"). |
Combination of wildcards
Text | What this will match | What this will NOT match | Explanation |
---|---|---|---|
"*some*text *" | "sometext", "someOtherText", "xxx sometext", "sometext xxx someothertext" | "xxx some text", "xxx sometextxxx" | You can combine these wildcards into more complex expressions based on the rules above. |
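As an added illustration (not part of this documentation or the product's own code), the following Python reproduces the quote-doubling rule from "Special characters and spaces" and the word-based wildcard rules from the tables above, so every row can be checked mechanically. The behaviour for patterns the tables do not show (a bare `*` between two words, a trailing `*` on a non-final word) is my assumption.

```python
import re

def unquote(literal: str) -> str:
    """Decode a double-quoted query value: a doubled "" inside the quotes
    stands for one literal double quote, e.g. "sometext""containing""quotes"."""
    if len(literal) < 2 or literal[0] != '"' or literal[-1] != '"':
        raise ValueError("query values must be wrapped in double quotes")
    return literal[1:-1].replace('""', '"')

def wildcard_to_regex(pattern: str) -> str:
    """Translate a string value with '*' wildcards into an anchored regex that
    follows the word-based rules in the tables above. Assumed semantics for
    cases the tables do not show: a bare '*' before a word is folded into that
    word, and a trailing '*' on a non-final word only extends that word."""
    # "* sometext" is equivalent to "*sometext": fold a bare '*' into the
    # word that follows it, so only a trailing bare '*' can survive.
    pattern = re.sub(r"\*\s+(?=\S)", "*", pattern.strip())
    words = pattern.split()
    regex = ""
    for i, word in enumerate(words):
        last = i == len(words) - 1
        if word == "*":
            # trailing bare '*': any number of further whole words may follow
            # (a pattern that is only "*" matches any value)
            regex += r".*" if i == 0 else r"(?:\s.*)?"
            continue
        if i > 0:
            regex += r"\s+"
        if word.startswith("*"):
            regex += r"(?:.*\s)?"  # any whole words may come before this one
        suffix = ""
        if last and word.endswith("*"):
            suffix = r".*"         # the value may continue with anything
            word = word[:-1]
        # a '*' inside a word matches any run of alphanumeric characters
        regex += r"\w*".join(re.escape(p) for p in word.lstrip("*").split("*"))
        regex += suffix
    return "^" + regex + "$"

def matches(quoted_pattern: str, value: str) -> bool:
    """True if a field value matches the quoted query literal (case-insensitive,
    as "someOtherText" matching "*some*text *" in the table above shows)."""
    rx = re.compile(wildcard_to_regex(unquote(quoted_pattern)), re.IGNORECASE)
    return rx.fullmatch(value) is not None
```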
Custom Groups
The following are supported groups used with the "in" operator:
- SubscriptionGroup
- UserDefinedGroup
- DirectoryServiceGroup
- ConnectorProfileGroup
Unsupported groups:
- TimeGroup
Since groups do not currently have to be uniquely named across group types, use the prefix of the group type to search for a group.
Group Type | Prefix |
---|---|
SubscriptionGroup | Subscription |
UserDefinedGroup | UserDefinedGroup |
DirectoryServiceGroup | DSGroup |
ConnectorProfileGroup | Profile |
The query would be similar to the following:
DetectionIP in UserDefinedGroup.BlockedAddresses
If the name contains non-alphanumerical characters, it would be similar to the following:
DetectionIP in UserDefinedGroup."Auditd Watchers Excludes"
Hinter
This feature suggests possible query values. The provided "hints" are based on the cursor position in the input and are filtered as you type to offer more specific options.
Limitations and restrictions
Unlike previous versions, an Event Group can no longer have the same name as an Event Type. If it did, the query could not tell which one is meant and would match whichever it finds first.
Queries are limited to 10,000 characters.
Troubleshooting
There is currently a known issue where the hinter is slightly misaligned horizontally with the input. On some occasions, the hinter suggestions may also be misaligned vertically. To fix this, close and reopen the hinter.