Documentation for Security Event Manager

Create a search query

Use the intuitive search builder to create a custom search query. To conduct custom searches in the HTML5 console, navigate to Events > Analyze historical data.

By default, the initial search period covers the last hour. Specifically, the search period ends at the time you open Events > Analyze historical data and begins one hour earlier.

As you build your search query, keep in mind the available operators and functions:

Operator   Definition
=          Equals
!=         Not equal to
>          Greater than
<          Less than
>=         Greater than or equal to
<=         Less than or equal to
in         True if the operand is equal to one of a list of expressions.
not in     Displays a record if the operand is not equal to any expression in the list.

Function   Definition
And        Displays results if all the conditions separated by And are true.
Or         Displays results if at least one of the conditions separated by Or is true.
()         Parentheses: gives solving priority to the conditions inside the first grouping when more than one grouping is listed.

You can build an nDepth query in two different ways:

  1. By dragging values from the left panel into the query builder.

    - or -

  2. By manually entering query data.

    As you type in the query builder, tips and suggestions appear to guide you as you enter your query parameters, and the query builder notifies you of invalid entries.

Use the time picker to select a quick pick or a custom date and time range.

When your query is complete, press Search to initiate the search.

Query building tips and examples

The query builder supports a combination of values, operators, and functions.

Basic query structure

A basic query uses full-text values. For example:

"someText"

You can also chain the conditions using logical operators "AND" and "OR." For example:

"someText" AND "someOtherText" OR "someOtherText2"

To make sure your conditions are properly executed, you can also use brackets (parentheses). For example:

"someText" AND ( "someOtherText" OR "someOtherText2" )

Advanced conditions

Aside from basic conditions, you can add conditions with two operands connected by an operator.

For example, if you want to search for an event NOT containing certain text, you can write it as follows:

Text != "someText"

You can also search for events containing a value in a specific property. For example:

DestinationPort = 1234

Also, you can specify the event type and condition. For example:

Access.DestinationPort = 1234

Or, it can be split into separate conditions:

EventType = Access AND DestinationPort = 1234

You can also enter the name of an event group in double quotes if it contains non-alphanumerical characters. For example:

"Any Alert".DestinationPort = 1234

Special characters and spaces

Queries support a wide range of special characters, including Unicode characters such as ☃☀♫. The main restriction concerns spaces and double quotes in the names of custom groups and other objects a user can create: to use such a name in a query, it must be wrapped in double quotes. For example:

"Any Alert".DestinationPort = 1234 OR DetectionIP in UserDefinedGroup."Auditd Watchers Excludes"

If the name or value contains a double quote, it must be doubled in the query. For example:

Text = "sometext""containing""quotes"

This will result in searching for the following text:

sometext"containing"quotes
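The quoting rules above matter most when a query is assembled by a script from strings that were not typed by hand (a list of file names, process names or group names pulled from another tool): a stray double quote or space that is not quoted correctly produces either a rejected query or one that matches something other than intended. The following helper, added here as an example and not part of SEM or its documentation, applies the documented rules (double quotes are doubled, names with non-alphanumerical characters are quoted, parentheses group chained conditions) and the documented 10,000-character limit. All function names (quote_literal, unquote_literal, quote_name, group_ref, condition, all_of, any_of, build_query) are hypothetical; only the query syntax they emit comes from this page.

```python
import re

# Constraint documented on the page: queries are limited to 10,000 characters.
MAX_QUERY_CHARS = 10_000

# Operators and group types as listed on the page (TimeGroup is documented as unsupported).
OPERATORS = {"=", "!=", ">", "<", ">=", "<=", "in", "not in"}
SUPPORTED_GROUP_TYPES = {"SubscriptionGroup", "UserDefinedGroup",
                         "DirectoryServiceGroup", "ConnectorProfileGroup"}


class Raw(str):
    """A fragment inserted verbatim, e.g. an event type name or a rendered group reference."""


def quote_literal(text: str) -> str:
    """Wrap a string value in double quotes, doubling every embedded double quote."""
    return '"' + text.replace('"', '""') + '"'


def unquote_literal(literal: str) -> str:
    """Inverse of quote_literal; rejects a lone (undoubled) quote inside the literal."""
    if len(literal) < 2 or literal[0] != '"' or literal[-1] != '"':
        raise ValueError("literal must be wrapped in double quotes")
    inner, out, i = literal[1:-1], [], 0
    while i < len(inner):
        if inner[i] == '"':
            if inner[i + 1:i + 2] != '"':
                raise ValueError("unescaped double quote inside literal")
            out.append('"')
            i += 2
        else:
            out.append(inner[i])
            i += 1
    return "".join(out)


def quote_name(name: str) -> str:
    """Quote a group or event type name only when it contains non-alphanumerical characters."""
    return name if re.fullmatch(r"[A-Za-z0-9]+", name) else quote_literal(name)


def group_ref(group_type: str, name: str) -> Raw:
    """Render GroupType.Name for the 'in' operator, refusing unsupported group types."""
    if group_type not in SUPPORTED_GROUP_TYPES:
        raise ValueError(f"group type {group_type!r} is not supported with 'in'")
    return Raw(f"{group_type}.{quote_name(name)}")


def render_value(value) -> str:
    """Numbers are emitted bare, strings are quoted, Raw fragments pass through."""
    if isinstance(value, Raw):
        return str(value)
    if isinstance(value, bool) or not isinstance(value, (int, str)):
        raise TypeError("value must be int, str or Raw")
    return str(value) if isinstance(value, int) else quote_literal(value)


def condition(field, operator: str, value) -> str:
    """field is 'Property' or a ('Group or event type', 'Property') pair."""
    if operator not in OPERATORS:
        raise ValueError(f"unknown operator {operator!r}")
    if isinstance(field, tuple):
        field = f"{quote_name(field[0])}.{quote_name(field[1])}"
    return f"{field} {operator} {render_value(value)}"


def _join(conditions, keyword: str) -> str:
    # More than one condition is parenthesised so the grouping is explicit.
    return conditions[0] if len(conditions) == 1 else "( " + f" {keyword} ".join(conditions) + " )"


def all_of(conditions) -> str:
    return _join(list(conditions), "AND")


def any_of(conditions) -> str:
    return _join(list(conditions), "OR")


def build_query(expression: str) -> str:
    """Enforce the documented length limit before the query is submitted."""
    if len(expression) > MAX_QUERY_CHARS:
        raise ValueError(f"query exceeds {MAX_QUERY_CHARS} characters")
    return expression


def example_query() -> str:
    # Constructed example combining the forms shown on this page.
    return build_query(all_of([
        condition("EventType", "=", Raw("Access")),
        condition("DestinationPort", "=", 1234),
        any_of([
            condition("DetectionIP", "in", group_ref("UserDefinedGroup", "Auditd Watchers Excludes")),
            condition("Text", "=", 'sometext"containing"quotes'),
        ]),
    ]))
```

example_query() yields `( EventType = Access AND DestinationPort = 1234 AND ( DetectionIP in UserDefinedGroup."Auditd Watchers Excludes" OR Text = "sometext""containing""quotes" ) )`. The parentheses around the whole expression are redundant but harmless under the page's rules, and keeping them avoids having to parse the expression again to decide whether the outer pair can be dropped.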

Wildcards in strings

Wildcards can be used in string values, but it's important to understand where to place them.

The following examples use the asterisk (*) wildcard character.

Starting wildcard

Text = "*sometext"

What does this match?

  • "xxx sometext"
  • "sometext"

What does this NOT match?

  • "xxxsometext"
  • "xxx sometext xxx"

Explanation

A wildcard at the beginning indicates that other "words" can come before the following text, so "*sometext" and "* sometext" are equivalent queries.

Ending wildcard

Text = "sometext*"

What does this match?

  • "sometext"
  • "sometextxxx"
  • "sometextxxx someothertext"

What does this NOT match?

  • "xxx sometext"
  • "xxxsometext"

Explanation

A wildcard at the end of the text WITHOUT a space indicates that the value can continue with any other parts (without a starting wildcard, this query looks for values starting with the TEXT "sometext").

Text = "sometext *"

What does this match?

  • "sometext"
  • "sometext xxx someothertext"

What does this NOT match?

  • "xxxsometext"
  • "sometextxxx"

Explanation

A wildcard at the end, separated from the text by a space, indicates that any number of other words may follow the specified "word" (without a starting wildcard, this query looks for values starting with the WORD "sometext").

A Wildcard In The Text

Text = "some*text"

What does this match?

  • "sometext"
  • "someothertext"

What does this NOT match?

  • "xxxsometext"
  • "sometextxxx"
  • "xxx sometext xxx"
  • "some text"
  • "some xxx text"

Explanation

A wildcard in the middle of a word looks for a single "word" that can contain any number of alphanumerical characters in place of the wildcard (without a starting or ending wildcard, this query looks for values consisting of one WORD starting with the text "some" and ending with the text "text").

Combination of wildcards

Text = "*some*text *"

What does this match?

  • "sometext"
  • "someOtherText"
  • "xxx sometext"
  • "sometext xxx someothertext"

What does this NOT match?

  • "xxx some text"
  • "xxx sometextxxx"

Explanation

You can combine these wildcards into more complex expressions based on the rules above.
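The five wildcard rules above (starting, ending with and without a space, in-word, and combined) are easy to misread when writing a detection query, and a query that silently matches too little is the usual result. The following reference matcher is an added example, not SEM's own matching engine: it implements exactly the documented behaviour and is checked against every match / NOT match pair listed on this page. Values are split into "words" on whitespace and compared case-insensitively (the page's "someOtherText" example shows the comparison ignores case); anything beyond the documented cases, such as which characters count as word separators, is an assumption. The function names parse_pattern, matches and check_documented_cases are hypothetical.

```python
import re

# Every match / NOT match example given on this page, as a constructed fixture:
# pattern -> {value: expected result}
DOCUMENTED_CASES = {
    "*sometext": {"xxx sometext": True, "sometext": True,
                  "xxxsometext": False, "xxx sometext xxx": False},
    "sometext*": {"sometext": True, "sometextxxx": True,
                  "sometextxxx someothertext": True,
                  "xxx sometext": False, "xxxsometext": False},
    "sometext *": {"sometext": True, "sometext xxx someothertext": True,
                   "xxxsometext": False, "sometextxxx": False},
    "some*text": {"sometext": True, "someothertext": True,
                  "xxxsometext": False, "sometextxxx": False, "xxx sometext xxx": False,
                  "some text": False, "some xxx text": False},
    "*some*text *": {"sometext": True, "someOtherText": True, "xxx sometext": True,
                     "sometext xxx someothertext": True,
                     "xxx some text": False, "xxx sometextxxx": False},
}


def _word_regex(word: str) -> "re.Pattern[str]":
    # Inside one word, '*' stands for any run of non-space characters; everything else is literal.
    return re.compile(r"[^\s]*".join(re.escape(p) for p in word.split("*")), re.IGNORECASE)


def parse_pattern(pattern: str):
    """Split a pattern into per-word regexes plus two flags:
    leading  - other words may precede the pattern ("*sometext" and "* sometext" are equivalent)
    trailing - other words may follow it ("sometext*" also lets the last word continue,
               "sometext *" requires the last word to end exactly)."""
    tokens = pattern.split()
    leading = trailing = False
    if tokens and tokens[0] == "*":
        tokens, leading = tokens[1:], True
    elif tokens and tokens[0].startswith("*"):
        tokens[0], leading = tokens[0][1:], True
    if tokens and tokens[-1] == "*":
        tokens, trailing = tokens[:-1], True
    elif tokens and tokens[-1].endswith("*"):
        trailing = True  # the '*' stays in the word so the word itself becomes a prefix match
    return [_word_regex(t) for t in tokens if t], leading, trailing


def matches(pattern: str, value: str) -> bool:
    """Does the documented wildcard semantics of `pattern` accept `value`?"""
    words, leading, trailing = parse_pattern(pattern)
    vals = value.split()
    n = len(words)
    if n == 0:
        return leading or trailing or not vals  # a bare "*" matches everything
    if len(vals) < n:
        return False

    def window_ok(start: int) -> bool:
        return all(rx.fullmatch(v) is not None for rx, v in zip(words, vals[start:start + n]))

    if leading and trailing:
        return any(window_ok(i) for i in range(len(vals) - n + 1))
    if leading:
        return window_ok(len(vals) - n)   # pattern must end the value
    if trailing:
        return window_ok(0)               # pattern must start the value
    return len(vals) == n and window_ok(0)  # no wildcard at either end: whole value


def check_documented_cases():
    """Return every (pattern, value, expected) triple the matcher gets wrong; empty means all agree."""
    return [(p, v, exp) for p, cases in DOCUMENTED_CASES.items()
            for v, exp in cases.items() if matches(p, v) != exp]


if __name__ == "__main__":
    print("mismatches:", check_documented_cases())
```

Run the block as a script and it reports an empty mismatch list; use matches() to predict what a candidate pattern will and will not hit before saving it as a rule.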

Custom Groups

The following are supported groups used with the "in" operator:

  • SubscriptionGroup
  • UserDefinedGroup
  • DirectoryServiceGroup
  • ConnectorProfileGroup

Unsupported groups:

  • TimeGroup

Since group names are not currently required to be unique across group types, use the group type prefix when searching for a group:

Group Type              Prefix
SubscriptionGroup       Subscription
UserDefinedGroup        UserDefinedGroup
DirectoryServiceGroup   DSGroup
ConnectorProfileGroup   Profile

The query would be similar to the following:

DetectionIP in UserDefinedGroup.BlockedAddresses

If the name contains non-alphanumerical characters, it would be similar to the following:

DetectionIP in UserDefinedGroup."Auditd Watchers Excludes"

Hinter

This feature provides suggestions for possible query values. The provided "hints" are based on the cursor position in the input. As you type, hints are filtered to provide more specific options.

Limitations and restrictions

Unlike previous versions, an event group may no longer have the same name as an event type. If the names collide, the query builder cannot tell which is which and matches whichever it finds first.

Queries are limited to 10,000 characters.

Troubleshooting

Currently, there is a known issue where the hinter is slightly horizontally misaligned with the input. On some occasions, the hinter suggestions may also be vertically misaligned with the input. To fix the issue, close the hinter and open it again.