Documentation for Security Event Manager

Create a search query

Use the intuitive search builder to create custom search queries. To conduct custom searches, navigate to Historical Events in the SEM console.

By default, the initial search period covers the last hour: it runs from one hour before the moment you open Historical Events up to that moment.

As you build your search query, keep in mind the available operators and functions:

Operator   Definition
=          Equals
!=         Not equal to
>          Greater than
<          Less than
>=         Greater than or equal to
<=         Less than or equal to
in         True if the operand is equal to one of a list of expressions.
not in     Displays a record if the condition is not true.

Function   Definition
And        Displays results if all the conditions separated by And are true.
Or         Displays results if any of the conditions separated by Or is true.
( )        Parentheses: give evaluation priority to the conditions inside the first grouping when more than one grouping is listed.

You can build a query two different ways:

Build by selecting fields from the left column

  1. Click Refine Results to list the categories of available fields.
  2. Click a category to display the existing field values and the number of occurrences within events. For example, if you created a query that simply returned all events involving the IP address that starts with lab-checkpoint, you would have a query containing 933 events.
  3. Move the mouse over the plus icon and click it.
  4. Continue adding other fields until you have created your query. By default, the query is built up using ANDs, but these can be changed to OR conditions and parentheses added as required.

Build by manually entering query data

You can also manually enter query data. As you type in the query builder, tips and suggestions appear to guide you as you enter your query parameters.

Add the time period for the query

When you have created the query fields you can use the time picker to select the date range you want the query to cover.

When your query is complete, press Search to initiate the search.

Query building tips and examples

The query builder supports a combination of values, operators, and functions.

Basic query structure

A basic query uses full-text values. For example:


You can also chain the conditions using logical operators "AND" and "OR." For example:

"someText" AND "someOtherText" OR "someOtherText2"

To make sure your conditions are properly executed, you can also use brackets (parentheses). For example:

"someText" AND ( "someOtherText" OR "someOtherText2" )

Advanced conditions

Aside from basic conditions, you can add conditions with two operands connected by an operator.

For example, if you want to search for an event NOT containing certain text, you can write it as follows:

Text != "someText"

You can also search for events containing a value in a specific property. For example:

DestinationPort = 1234

Also, you can specify the event type and condition. For example:

Access.DestinationPort = 1234

Or, it can be split into separate conditions:

EventType = Access AND DestinationPort = 1234

You can also use the name of an event group; if it contains non-alphanumeric characters, wrap it in double quotes. For example:

"Any Alert".DestinationPort = 1234

Special characters and spaces

Queries support a wide range of special characters, including Unicode characters such as ☃☀♫. The main restriction concerns spaces and double quotes in the names of custom groups and other user-created objects: to use such a name in a query, it must be wrapped in double quotes. For example:

"Any Alert".DestinationPort = 1234 OR DetectionIP in UserDefinedGroup."Auditd Watchers Excludes"

If the name or value contains a double quote, it must be doubled in the query. For example:

Text = "sometext""containing""quotes"

This will result in searching for the following text:

sometext"containing"quotes
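The quoting rule above (double quotes around names with spaces or special characters, and a doubled quote for a literal one) is easy to get wrong when queries are assembled by a script. The following Python is an added example, not SEM's own parser: it quotes a name the way the query language expects and tokenizes a query string back into its parts, unescaping doubled quotes; the token grammar (bare words, dotted names, the operators listed above) is an assumption for illustration.

```python
import re

# Added illustration of the quoting rule above; not SEM's own parser.
# Assumption: a token is a quoted string, a bare word or dotted name
# (DestinationPort, Access.DestinationPort, 10.0.0.1), or an operator.
_TOKEN = re.compile(
    r'''
    (?P<str>"(?:[^"]|"")*")                      # quoted; "" is a literal quote
  | (?P<word>[A-Za-z0-9_]+(?:\.[A-Za-z0-9_]+)*)  # keyword, field, Type.Field
  | (?P<op>!=|>=|<=|[=<>().])                    # operators and punctuation
  | (?P<ws>\s+)
  | (?P<bad>\S)                                  # anything else is an error
    ''',
    re.VERBOSE,
)


def quote_name(name: str) -> str:
    """Quote a group or value name for the query language when needed."""
    if re.fullmatch(r"[A-Za-z0-9_]+", name):
        return name
    return '"' + name.replace('"', '""') + '"'


def unquote(token: str) -> str:
    """Undo quote_name: drop the outer quotes, collapse doubled quotes."""
    return token[1:-1].replace('""', '"')


def tokenize(query: str) -> list:
    """Split a query into (kind, text) pairs; quoted values are unescaped."""
    tokens = []
    for m in _TOKEN.finditer(query):
        kind = m.lastgroup
        if kind == "ws":
            continue
        if kind == "bad":
            # Unterminated quote, stray '*' outside quotes, and so on.
            raise ValueError(f"unexpected {m.group()!r} at offset {m.start()}")
        text = unquote(m.group()) if kind == "str" else m.group()
        tokens.append((kind, text))
    return tokens
```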

Wildcards in strings

Wildcards can be used in string values, but it's important to understand where to place them.

The following examples use the asterisk (*) wildcard character.

Starting wildcard

Query          What this will match   What this will NOT match
"*sometext"    "xxx sometext"         "xxx sometext xxx"

A wildcard at the beginning indicates that other "words" can be before the following text, so "*sometext" and "* sometext" are actually equivalent queries.

Ending wildcard

Query          What this will match           What this will NOT match
"sometext*"    "sometextxxx someothertext"    "xxx sometext"
"sometext *"   "sometext xxx someothertext"

A wildcard at the end of the text WITHOUT a space indicates the value can continue with any other parts (without a starting wildcard this query would look for values starting with TEXT "sometext").

A wildcard at the end separated from the text by a space indicates that after the specified "word," any number of other words in the value would match (without a starting wildcard this query would look for values starting with the WORD "sometext").

A wildcard in the text

Query          What this will match   What this will NOT match
"some*text"    "xxx sometext xxx"     "some text"
                                      "some xxx text"

A wildcard in the middle of a word looks for a "word" that can contain any number of alphanumeric characters in place of the wildcard (without a starting or ending wildcard this query would look for values containing one WORD starting with the text "some" and ending with the text "text").

Combination of wildcards

Query             What this will match            What this will NOT match
"*some*text *"    "xxx sometext"                  "xxx some text"
                  "sometext xxx someothertext"    "xxx sometextxxx"

You can combine these wildcards into more complex expressions based on the rules above.
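To make the wildcard tables above concrete, here is an added Python example (not SEM's matching engine) that reimplements the word-level wildcard rules exactly as they are described in this section, so a pattern can be checked against sample values before a search is run. It assumes matching is case-sensitive and covers the whole value, and treats a pattern with no starting or ending wildcard as "value contains the word(s)", as the note on the mid-word wildcard states.

```python
import re

# Added illustration of the wildcard rules in the tables above. This is NOT
# SEM's matching engine; it only reproduces the documented match results.
# Assumptions: matching is case-sensitive and covers the whole value.

WORD_WILDCARD = r"[A-Za-z0-9]*"   # '*' inside a word: any alphanumeric run


def wildcard_to_regex(pattern: str) -> str:
    """Translate a SEM-style wildcard string into a regex for fullmatch."""
    words = pattern.split()
    if not words:
        raise ValueError("empty pattern")

    # Leading '*', attached or separate, means other words may come first.
    leading = words[0].startswith("*")
    if leading:
        words[0] = words[0][1:]
        if not words[0]:
            words.pop(0)

    # Trailing ' *' means any number of further words; a trailing '*'
    # attached to the last word means the value may continue with anything.
    trailing_words = trailing_any = False
    if words and words[-1] == "*":
        trailing_words = True
        words.pop()
    elif words and words[-1].endswith("*"):
        trailing_any = True
        words[-1] = words[-1][:-1]
    if not words:
        raise ValueError("pattern needs at least one literal word")

    # No leading or trailing wildcard: documented as "values containing"
    # the word(s), so other words are allowed on both sides.
    if not leading and not (trailing_words or trailing_any):
        leading = trailing_words = True

    body = r"\s+".join(re.escape(w).replace(r"\*", WORD_WILDCARD) for w in words)
    prefix = r"(?:\S+\s+)*" if leading else ""
    suffix = ".*" if trailing_any else (r"(?:\s+\S+)*" if trailing_words else "")
    return prefix + body + suffix


def matches(pattern: str, value: str) -> bool:
    """True when the whole of VALUE matches the wildcard PATTERN."""
    return re.fullmatch(wildcard_to_regex(pattern), value.strip()) is not None
```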

Custom Groups

The following are supported groups used with the "in" operator:

  • SubscriptionGroup
  • UserDefinedGroup
  • DirectoryServiceGroup
  • ConnectorProfileGroup

Unsupported groups:

  • TimeGroup

Since groups do not currently restrict unique names across group types, use the prefix to search for a group.

Group Type              Prefix
DirectoryServiceGroup   DSGroup


The query would be similar to the following:

DetectionIP in UserDefinedGroup.BlockedAddresses

If the name contains non-alphanumeric characters, it would be similar to the following:

DetectionIP in UserDefinedGroup."Auditd Watchers Excludes"


The hinter suggests possible query values. The hints offered depend on the cursor position in the input, and as you type they are filtered down to more specific options.

Limitations and restrictions

Unlike previous versions, an event group may no longer have the same name as an event type. If the two share a name, the query builder cannot tell which is which and uses whichever it finds first.

Queries are limited to 10,000 characters.


Currently, there is a known issue where the hinter is slightly misaligned horizontally with the input. On some occasions, the hinter suggestions may also be misaligned vertically with the input. To fix the issue, close or reopen the hinter.