Build a Search Query
This guide covers the operators that can be used while executing a search, as well as examples of how to build search queries in certain situations.
Query Language
This section covers search operators and separators.
Basic Search Operators
Operator | LogRhythm Operator | Example | Search Result |
|---|---|---|---|
| Equal to (EQ) | = | unattributed.host.ip_address.value = 10.128.65.193 | Includes records where the host IP address value exactly matches 10.128.65.193. |
| Not Equal to (NE) | != | unattributed.host.ip_address.value != 10.128.65.193 | Excludes records where the host IP address value exactly matches 10.128.65.193. This search might be used if you have identified a safe IP in your dataset and want to remove that IP from your search. |
| Greater than (GT) | > | Potential use cases would be byte size, no examples currently available. | N/A |
| Greater than or Equal to (GE) | >= | Potential use cases would be byte size, no examples currently available. | N/A |
| Less than (LT) | < | Potential use cases would be byte size, no examples currently available. | N/A |
| Less than or Equal to (LE) | <= | Potential use cases would be byte size, no examples currently available. | N/A |
| In | IN | unattributed.host.ip_address.value IN [10.128.65.193,127.0.0.1] | Includes records that have host IP address values of 10.128.65.93 and 127.0.0.1.
Requires the square brackets. This is also how you search for a list of values.
|
| To | to | general_information.raw_message contains anything AND general_information.standard_message_time=now-30m to now-15m unattributed.host.ip_address.value = blank AND general_information.standard_message_time = 2022-02-22T21:14:09.116957Z to 2022-03-08T23:00:09.116957Z general_information.raw_message CONTAINS anything AND general_information.standard_message_time = 2020-03-29T10:05:45-07:00 to now | Includes raw messages recorded between 30 minutes and 15 minutes ago. Includes messages where the host IP value is not populated between 2/22/2022 9:14 PM and 3/8/2022 11:00 PM. The times in the search are GMT (Zulu). Includes messages containing anything from 3/29/2020 at 10:05 AM to NOW. The time is normalized with the the subtraction of 7 hours to convert from GMT to MT. |
| Between | BETWEEN | unattributed.host.ip_address.value BETWEEN 192.168.1.1 AND 192.168.1.5 AND general_information.standard_message_time = 2022-08-25T00:00:00-06:00 to 2022-08-26T00:00:00-06:00 | This will look for messages with an unattributed.host.ip.address.value between 192.168.1.1 and 192.168.1.5 |
| Contains | CONTAINS | general_information.raw_message CONTAINS logrhythm | Includes all records.
This is an unrestricted search and is likely to return a high number of entries.
|
| Matches | matches | origin.account.name matches "Jo." | Includes origin.account.name values that start with Jo, such as John Smith, John Davis, Joe Smith, Joseph Davis, etc. This operator is used exclusively with the RegEx search language. |
Operators for Compound Searches
| Operator | LogRhythm Operator | Example | Search Result |
|---|---|---|---|
| And | AND | general_information.raw_message contains user AND unattributed.host.ip_address.value = 10.128.65.193 | Includes records where the raw message contains the word user AND where the host IP address is 10.128.65.193. |
| Not | NOT | general_information.raw_message contains user AND NOT unattributed.host.ip_address.value = 10.128.65.19 | Includes records where the raw message contains the word user and excludes records where the host IP address is 10.128.65.193. |
| Or | OR | general_information.raw_message contains user OR unattributed.host.ip_address.value = 10.128.65.193 | Includes records where the raw message contains the word user OR where the host IP address is 10.128.65.193. |
Separators
| Separator | Function | Example | Search Results |
|---|---|---|---|
| Parenthesis () | Subqueries | No examples currently available. | N/A |
| Curly {} | N/A | No examples currently available. | N/A |
| Quotes "" | Enforces order | general_information.raw_message CONTAINS "accepted password" | Includes records where the general_information.raw_message has accepted password in that order. |
| No Quotes | Order not enforced | general_information.raw_message CONTAINS password accepted | Includes records where the general_information.raw_message have the words password and accepted in no particular order. |
| Square Bracket [] | Used to contain values in array searches | unattributed.host.ip_address.value IN [10.128.65.193, 10.10.10.1, 10.10.10.2] | Includes records that have a host IP address value matching any of 10.128.65.93, 10.10.10.1, or 10.10.10.2. |
| Escaping Characters | N/A | No examples currently available. | N/A |
RegEx Search Operators
Axon supports the use of RegEx (regular expression) language to build search components. Any RegEx search terms must be contained within quotation marks to function correctly, and the "matches" operator must be used to initiate a RegEx search.
The following are standard operators that are commonly used to construct a RegEx search:
| Operator | Function | Example | Search Results |
|---|---|---|---|
| Period . | Matches any included character | origin.account.name matches "Jo." | Includes origin.account.name values that start with Jo, such as John Smith, John Davis, Joe Smith, Joseph Davis, etc. |
| Question mark ? | Used to make the preceding character optional | origin.account.name matches "Dav?" | Includes origin.account.name values that start with Da but optionally include a v, such as David Jones, Darnell Turner, etc. |
| Plus sign + | Include the preceding character one or more times in results | origin.account.name matches "A+" | Includes origin.account.name values that start with one or more of the letter A, such as Alice Murphy, Aaron Jones, etc. |
| Asterisk * | Include the preceding character zero or more times in results | origin.account.name matches "Gr*" | Includes origin.account.name values that start with G but optionally include one or more of the letter R after, such as Gene Smith, Greg Davis, etc. |
| Carrot ^ | Requires search results to start with the term, not just include the term. | origin.account.name matches "^nathan" | Includes origin.account.name values that start with exactly "nathan." |
| Curly brackets {} | Define the minimum and maximum number of times the preceding character can repeat. | origin.account.name matches "a{2,4}" | Includes origin.account.name values that match aa, aaa, and aaaa. |
| Pipe symbol | | The RegEx OR operator. Succeeds if the longest pattern on either the left OR the right of the pipe matches. | origin.account.name matches "Joe|Jon" | Includes origin.account.name values that are either Joe or Jon. |
| Parentheses () | Used to form a group. Combined with the optional operator (?), can treat part of an expression as a single character. | origin.account.name matches "Jon(athan)? | Includes origin.account.name values that match Jon, but also optionally include values with the full name Jonathan. |
| Square bracket [] | The square brackets have multiple uses:
|
|
|
For a more in-depth "cheat sheet" on using RegEx search, refer to this Regular Expression Cheat Sheet.
Note that some items covered on the cheat sheet may not be supported by Axon until a later release.
Operators Not Used in Axon SIEM
- Wild card matching (using CONTAINS covers most searches)
- Proximity matching
- Boost
Build a Query
Syntax for a basic query includes the following elements:
| Element | Examples |
|---|---|
| Searchable Field | User, Origin Host IP, Collector ID |
| Operator | =, CONTAINS, AND |
| Term | John Smith, 10.128.65.193, linux |
Axon is equipped with a navigation suggestion service that provides valid suggestions based on inputs the user supplies while building a search.
Basic Search Rules
Searches are case insensitive.
EXAMPLE
The following search terms return the same results:
- john smith
- John Smith
- JOHn sMith
Quotes enforce order.
EXAMPLE
user = "John Smith"
- The results include users with the order John Smith. A user with the order Smith John is excluded.
user = John Smith
- The results include users with John Smith and Smith John.
Blank or anything can be used as search terms.
EXAMPLE
| Operator and Search Term | Results |
|---|---|
| = Blank or = blank | Includes records where the searchable field has nothing in it. |
| CONTAINS anything | Includes records where the searchable field has any value in it. This is an unrestricted search that is likely to return a large number of records. |
Time fields (such as Standard Time, File Modification Time, File Last Access Time, File Creation Time, Processing Start Time, Processing End Time, Collection Time) can be searched using either the date picker and relative time terms.
Date Picker
Using the date picker on the left side of the search bar you are able to select a time frame for the search query. The date picker lets you select "in the last" value or a customer range with a few clicks. These values will be translated into the query language for you in the background.
EXAMPLE
Use the = operator with relative time terms
| Relative Time Term | Description | Relative Time Options |
|---|---|---|
| now-15m | The last 15 minutes. | The examples in this table are not exhaustive. You can use any relative time. For example, if you want to search the last 24 hours, you can use now-1d, now-24h, or now-1440m. |
| now-30m | The last 30 minutes. | |
| now-1h | The last hour. | |
| now-12h | The last 12 hours. | |
| now-1d | The last day. | |
| now-7d | The last 7 days. | |
| now-1M | The last month. | |
| now-3M | The last 3 months. |
Basic Search Examples
EXAMPLE - Exclude exact term with order enforced
Origin Account Name != "John Smith"
| Searchable Field | Origin Account Name |
|---|---|
| Operator | != |
| Term | "John Smith" |
Search results: Excludes logs with an origin account name field that contains the case insensitive exact phrase "John Smith" in that order. Results containing things such as "Johnson Smith" or "Adam John Smith" are still included.
EXAMPLE - Include exact term in any order
Origin Account Name = john smith
| Searchable Field | Origin Account Name |
|---|---|
| Operator | = |
| Term | john smith |
Search results: Includes logs with an origin account name field that contains case insensitive instances of john smith and smith john.
EXAMPLE - Contains term with order enforced
general_information.raw_message CONTAINS "accepted password"
| Searchable Field | general_information.raw_message |
|---|---|
| Operator | CONTAINS |
| Term | "accepted password" |
Search results: Returns logs where general_information.raw_message contains the phrase "accepted password" in that order and is case insensitive. A phrase such as "accepted your password" does not match and is excluded.
EXAMPLE - Contains term in any order
general_information.raw_message CONTAINS password accepted
| Searchable Field | general_information.raw_message |
|---|---|
| Operator | CONTAINS |
| Term | password accepted |
Search results: Returns logs where general_information.raw_message has the words password and accepted in no particular order and is case insensitive.
Compound Searches
Compound searches include additional requirements using NOT/AND/OR operators. This further narrows the parameters to limit the number of results a user needs to review.
Compound Search Examples
EXAMPLE - Include exact first term with order enforced AND contains second term with order enforced
Origin Account Name = "John Smith" AND raw message CONTAINS "unauthorized access"
| First Searchable Field | Origin Account Name |
|---|---|
| Operator | = |
| First term | "John Smith" |
| Compound Operator | AND |
| Second Searchable Field | raw message |
| Operator | CONTAINS |
| Second Term | "unauthorized access" |
Search results: Includes any logs where the origin account name field matches the exact phrase "John Smith" that also have a raw message with the exact phrase "unauthorized access" in that order anywhere in the body of the message.
EXAMPLE - Contains first term OR contains exact second term
general_information.raw_message CONTAINS user OR unattributed.host.ip_address.value = 10.128.65.193
| First Searchable Field | general_information.raw_message |
|---|---|
| Operator | CONTAINS |
| First term | user |
| Compound Operator | OR |
| Second Searchable Field | unattributed.host.ip_address.value |
| Operator | = |
| Second Term | 10.128.65.193 |
Search results: Includes logs where the raw message contains the word user OR where the Host IP Address is 10.128.65.193.
EXAMPLE - First searchable field from the last day contains any value
general_information.raw_message CONTAINS anything AND general_information.standard_message_time = now-1d
| First Searchable Field | general_information.raw_message |
|---|---|
| Operator | CONTAINS |
| First term | anything |
| Compound Operator | AND |
| Second Searchable Field | general_information.standard_message_time |
| Operator | = |
| Second Term | now-1d |
Search results: Includes logs from the last day where general_information.raw_message has any value in it.
EXAMPLE - Search scans a range of IP addresses
unattributed.host.ip_address.value BETWEEN 192.168.1.1 AND 192.168.1.5
| First Searchable Field | unattributed.host.ip_address.value |
|---|---|
| Operator | BETWEEN |
| First term | 192.168.1.1 |
| Compound Operator | AND |
| Second Term | 192.168.1.5 |
Search results: Includes logs with unattributed Host IP Address values of 192.168.1.1, 192.168.1.2, 192.168.1.3, 192.168.1.4, and 192.168.1.5.
Special Character Search Rules
Searches for logs containing the following special characters must be contained in quotation marks:
- Parentheses ( )
- Brackets [ ]
- Equals =
- Backslash \
- Dollar sign $
Special Character Search Examples
EXAMPLE - Search for raw message contents
general_information.raw_message CONTAINS "[5381]"
| First Searchable Field | general_information.raw_message |
|---|---|
| Operator | CONTAINS |
| Term | "[5381]" |
Search results: Includes all logs with raw message that contains the exact term [5381].
As noted, without the quotation marks around [5381], this search would not execute correctly.
EXAMPLE - Search for raw message contents
general_information.raw_message CONTAINS "()"
| First Searchable Field | general_information.raw_message |
|---|---|
| Operator | CONTAINS |
| Term | "()" |
Search results: Includes all logs with a raw message that contains both opening and closing parentheses.
As noted, without the quotation marks around the parentheses, this search would not execute correctly.
List Search
The Lists created by Axon administrators can be used in building a search query.
With Assisted Search enabled, you can use the operators IN or NOT IN to show list names containing the initial selected fields as potential results when building your query.
For more information, see the Assisted Search section within the Search topic.
List Search Examples
EXAMPLE - Search for logs that have a target host country in the column 'Country' in the list 'Banned Countries'.
target.host.location.country IN LIST;0459172f-772e-45a0-adf8-64f31e238549;0f6e32fb-4192-4318-9860-2328778a000b
| First Searchable Field | Target Host Country |
|---|---|
| Operator | in |
| List Operator | LIST; |
| GUID of List | 0459172f-772e-45a0-adf8-64f31e238549; |
| GUID of List Column | 0f6e32fb-4192-4318-9860-2328778a000b |
The GUID of the list and list column can be found on the Lists page in the administration area.
Search results: Includes any logs where the target host country is in the column "Country" in the list "Banned Countries."
RegEx Search
Axon supports the use of the RegEx language to create searches.
RegEx Search Examples
EXAMPLE - Search for origin.account.name values that match either the name Nathan or Byron.
origin.account.name matches "nathan|byron"
| First Searchable Field | Origin Account Name |
|---|---|
| Operator | matches |
| Term | "nathan|byron" |
Search results: Includes all origin.account.name values of Nathan or Byron.
EXAMPLE - Search for origin.account.name values that match "mal," but do not include values that match "mald."
origin.account.name matches "mal[^d]"
| First Searchable Field | Origin Account Name |
|---|---|
| Operator | matches |
| Term | "mal[^d]" |
Search results: Includes all origin.account.name values of "mal," excluding those that include "mald."
Common Event Search
Common Events are a distinguishing feature of the Axon parsing process, and they allow you to search for logs that all have the same classifications. To see a list of Axon's default Common Events, refer to Axon Common Events List.
Common Event Search Examples
EXAMPLE - Search for logs that are classified under the Network Common Event that have been collected in the last 24 hours.
general_information.common_event_name = network AND general_information.standard_message_time = now-24h
| First Searchable Field | general_information.common_event_name |
|---|---|
| Operator | = |
| Term | network |
| Compound Operator | AND |
| Second Searchable Field | general_information.standard_message_time |
| Operator | = |
| Term | now-24h |