Build a Query
Syntax for a basic query includes the following elements:
| Element | Examples |
|---|---|
| Searchable Field | User, Origin Host IP, Collector ID |
| Operator | =, CONTAINS, AND |
| Term | John Smith, 10.128.65.193, linux |
Axon is equipped with a navigation suggestion service that provides valid suggestions based on inputs the user supplies while building a search.
Basic Search Rules
Searches are case insensitive.
EXAMPLE
The following search terms return the same results:
- john smith
- John Smith
- JOHn sMith
Quotes enforce order.
EXAMPLE
user = "John Smith"
- The results include users with the order John Smith. A user with the order Smith John is excluded.
user = John Smith
- The results include users with John Smith and Smith John.
Blank or anything can be used as search terms.
EXAMPLE
| Operator and Search Term | Results |
|---|---|
| = Blank or = blank | Includes records where the searchable field has nothing in it. |
| CONTAINS anything | Includes records where the searchable field has any value in it. This is an unrestricted search that is likely to return a large number of records. |
Time fields can be searched using relative time terms.
EXAMPLE
Use the = operator with relative time terms:
| Relative Time Term | Description | Relative Time Options |
|---|---|---|
| now-15m | The last 15 minutes. | The examples in this table are not exhaustive. You can use any relative time. For example, if you want to search the last 24 hours, you can use now-1d, now-24h, or now-1440m. |
| now-30m | The last 30 minutes. | |
| now-1h | The last hour. | |
| now-12h | The last 12 hours. | |
| now-1d | The last day. | |
| now-7d | The last 7 days. | |
| now-1M | The last month. | |
| now-3M | The last 3 months. |
Basic Search Examples
EXAMPLE - Exclude exact term with order enforced
Origin Account Name != "John Smith"
| Searchable Field | Origin Account Name |
|---|---|
| Operator | != |
| Term | "John Smith" |
Search results: Excludes logs with an origin account name field that contains the case insensitive exact phrase "John Smith" in that order. Results containing things such as "Johnson Smith" or "Adam John Smith" are still included.
EXAMPLE - Include exact term in any order
Origin Account Name = john smith
| Searchable Field | Origin Account Name |
|---|---|
| Operator | = |
| Term | john smith |
Search results: Includes logs with an origin account name field that contains case insensitive instances of john smith and smith john.
EXAMPLE - Contains term with order enforced
general_information.raw_message CONTAINS "accepted password"
| Searchable Field | general_information.raw_message |
|---|---|
| Operator | CONTAINS |
| Term | "accepted password" |
Search results: Returns logs where general_information.raw_message contains the phrase "accepted password" in that order and is case insensitive. A phrase such as "accepted your password" does not match and is excluded.
EXAMPLE - Contains term in any order
general_information.raw_message CONTAINS password accepted
| Searchable Field | general_information.raw_message |
|---|---|
| Operator | CONTAINS |
| Term | password accepted |
Search results: Returns logs where general_information.raw_message has the words password and accepted in no particular order and is case insensitive.
Compound Searches
Compound searches include additional requirements using NOT/AND/OR operators. This further narrows the parameters to limit the number of results a user needs to review.
Compound Search Examples
EXAMPLE - Include exact first term with order enforced AND contains second term with order enforced
Origin Account Name = "John Smith" AND raw message CONTAINS "unauthorized access"
| First Searchable Field | Origin Account Name |
|---|---|
| Operator | = |
| First term | "John Smith" |
| Compound Operator | AND |
| Second Searchable Field | raw message |
| Operator | CONTAINS |
| Second Term | "unauthorized access" |
Search results: Includes any logs where the origin account name field matches the exact phrase "John Smith" that also have a raw message with the exact phrase "unauthorized access" in that order anywhere in the body of the message.
EXAMPLE - Contains first term OR contains exact second term
general_information.raw_message CONTAINS user OR unattributed.host.ip_address.value = 10.128.65.193
| First Searchable Field | general_information.raw_message |
|---|---|
| Operator | CONTAINS |
| First term | user |
| Compound Operator | OR |
| Second Searchable Field | unattributed.host.ip_address.value |
| Operator | = |
| Second Term | 10.128.65.193 |
Search results: Includes logs where the raw message contains the word user OR where the Host IP Address is 10.128.65.193.
EXAMPLE - First searchable field from the last day contains any value
general_information.raw_message CONTAINS anything AND general_information.standard_message_time = now-1d
| First Searchable Field | general_information.raw_message |
|---|---|
| Operator | CONTAINS |
| First term | anything |
| Compound Operator | AND |
| Second Searchable Field | general_information.standard_message_time |
| Operator | = |
| Second Term | now-1d |
Search results: Includes logs from the last day where general_information.raw_message has any value in it.
EXAMPLE - Search scans a range of IP addresses
unattributed.host.ip_address.value BETWEEN 192.168.1.1 AND 192.168.1.5
| First Searchable Field | unattributed.host.ip_address.value |
|---|---|
| Operator | BETWEEN |
| First term | 192.168.1.1 |
| Compound Operator | AND |
| Second Term | 192.168.1.5 |
Search results: Includes logs with unattributed Host IP Address values of 192.168.1.1, 192.168.1.2, 192.168.1.3, 192.168.1.4, and 192.168.1.5.
Special Character Search Rules
Searches for logs containing the following special characters must be contained in quotation marks:
- Parentheses ( )
- Brackets [ ]
- Equals =
- Backslash \
- Dollar sign $
Special Character Search Examples
EXAMPLE - Search for raw message contents
general_information.raw_message CONTAINS "[5381]"
| First Searchable Field | general_information.raw_message |
|---|---|
| Operator | CONTAINS |
| Term | "[5381]" |
Search results: Includes all logs with raw message that contains the exact term [5381].
As noted, without the quotation marks around [5381], this search would not execute correctly.
EXAMPLE - Search for raw message contents
general_information.raw_message CONTAINS "()"
| First Searchable Field | general_information.raw_message |
|---|---|
| Operator | CONTAINS |
| Term | "()" |
Search results: Includes all logs with a raw message that contains both opening and closing parentheses.
As noted, without the quotation marks around the parentheses, this search would not execute correctly.
Searching using lists
The lists created by in the admin area of axon can be used in building a search query.
List Search Examples
EXAMPLE - Search for logs using that have a target host county in the column 'Country' in the list 'Banned Countries'.
target.host.location.country IN LIST;0459172f-772e-45a0-adf8-64f31e238549;0f6e32fb-4192-4318-9860-2328778a000b
| First Searchable Field | Target Host Country |
|---|---|
| Operator | in |
| List Operator | LIST; |
| GUID of List | 0459172f-772e-45a0-adf8-64f31e238549; |
| GUID of List Column | 0f6e32fb-4192-4318-9860-2328778a000b |
The GUID of the list and list column can be found on the list page in the administration area
Search results: Includes any logs where the target host county is in column 'Country' in the list 'Banned Countries'.