open-appsec
WebsiteManagement PortalPlaygroundGitHub
Search
K
Links
Comment on page

Event Query Language

Query Language Overview

A powerful query language lets you show only selected records from the log files, according to your criteria. To create complex queries, use Boolean operators, wildcards, fields, and ranges. This section refers in detail to the query language.
The basic query syntax is [<Field>:] <Filter Criterion>.
To put together many criteria in one query, use Boolean operators:
[<Field>:] <Filter Criterion> {AND|OR|NOT} [<Field>:] <Filter Criterion> ...
Most query keywords and filter criteria are not case sensitive, but there are some exceptions. For example, "sourceip:<X>" is case sensitive ("SourceIP:<X>" does not match). If your query results do not show the expected results, change the case of your query criteria, or try upper and lower case.
When you use queries with more than one criteria value, an AND is implied automatically, so there is no need to add it. Enter OR or other boolean operators if needed.

Query Language Usage

Criteria Values
Criteria values are written as one or more text strings. You can enter one text string, such as a word, IP address, or URL, without delimiters. Phrases or text strings that contain more than one word must be surrounded by quotation marks.
One word string examples:
  • Accept
  • Medium
  • 192.168.2.1
  • www.urlexample.com
  • 4a6ad969-398c-4075-bba6-e30f931d0a4f
Phrase examples
  • "My Asset"
  • "Schema Validation"
  • "SQL Injection"
IP Addresses
IPv4 and IPv6 addresses used in log queries are counted as one word. Enter IPv4 address with dotted decimal notation and IPv6 addresses with colons.
Examples:
  • 192.0.2.1
  • 2001:db8::f00:d
You can also use the '*' wildcard character with IP addresses, as well as the standard network suffix, to look for all logs that match IP addresses within a range.
Examples:
  • 192.168.0.0/16 - shows all records for the source IP 192.168.0.0 to 192.168.255.255 inclusive.
  • 192.168.1.0/24 - shows all records for the source IP 192.168.1.0 to 192.168.1.255 inclusive.
  • 192.168.2.* - shows all records for the source IP 192.168.2.0 to 192.168.2.255 inclusive.
  • 192.168.* - shows all records for 192.168.0.0 to 192.168.255.255 inclusive.
NOT Values
You can use NOT <field> values with Field Keywords in log queries to find logs for which the value of the field is not the value in the query.
Syntax:
NOT <field>: <value>
Example
NOT src:10.0.4.10
Wildcards
You can use the standard wildcard characters (* and ?) in queries to match variable characters or strings in log records. You can use more than the wildcard character.
Wildcard syntax:
  • The ? (question mark) matches one character.
  • The * (asterisk) matches a character string.
Examples:
  • MyAsset? - shows MyAsset1 and MyAsset2, but not MyAsset12.
  • MyAsset* - shows MyAsset1, MyAsset12, and MyAsset209-d.
If your criteria value contains more than one word, you can use the wildcard in each word.
For example, “Asset* AZ*” - shows “Asset1 AZ45”, “Asset23 AZ90”, and so on.
Using a single ‘*’ creates a search for a non-empty value string. For example assetname:*
open-appsec Events Field Keywords
You can use predefined field names as keywords in filter criteria. The query result only shows log records that match the criteria in the specified field. If you do not use field names, the query result shows records that match the criteria in all fields.
For a list of all field names that can be used as filter keywords, visit the Events/Logs Schema documentation
Syntax for a field name query:
<field name>:<values>
  • <field name> - One of the predefined field names
  • <values> - One or more filters
Examples:
  • sourceip:192.168.2.1
  • securityaction:(Prevent OR Drop)
You can use the OR Boolean operator in parentheses to include multiple criteria values.
Important - When you search in fields for multiple values, you must:
  • Write the Boolean operator, for example OR.
  • Use parentheses.
Boolean Operators
You can use the Boolean operators AND , OR , and NOT to create filters with many different criteria. You can put multiple Boolean expressions in parentheses.
If you enter more than one criteria without a Boolean operator, the AND operator is implied. When you use multiple criteria without parentheses, the OR operator is applied before the AND operator.
Examples:
  • practicetype:"Threat Prevention" AND securityaction:Prevent
    Shows log records caused by “Threat Prevention” type security practices where traffic was blocked.
  • 192.168.2.133 10.19.136.101
    Shows log entries that match the two IP addresses. The AND operator is presumed.
  • 192.168.2.133 OR 10.19.136.101
    Shows log entries that match one of the IP addresses.
  • (assetname: "MyAsset1" OR assetname: "MyAsset2" AND NOT securityaction:PreventAccept
    Shows all log entries for assets “MyAsset1” and “MyAsset2” that are without the “Accept” security action. The criteria in the parentheses is applied before the AND NOT criterion.
  • sourceip:(192.168.2.1 OR 192.168.2.2) AND destinationip:17.168.8.2
    Shows log entries from the two source IP addresses if the destination IP address is 17.168.8.2. This example also shows how you can use Boolean operators with field criteria.
references - Previous
Agent CLI
Next - references
Writing Snort Signatures
Last modified 1yr ago