Search Capabilities
Secure60’s powerful search interface provides lightning-fast queries across all your ingested data. Whether you’re investigating a specific incident, hunting for threats, or performing routine analysis, our advanced search capabilities give you the tools you need to find answers quickly.
Search Interface
Unified Search Bar
- Single Search Point - Search across all data sources from one interface
- Query History - Access and reuse previous searches
- Saved Searches - Save frequently used queries for quick access
- Share Searches - Collaborate by sharing search queries with team members
Visual Query Builder
- Drag-and-Drop Interface - Build complex queries without memorizing syntax
- Field Browser - Explore available fields and their values
- Filter Chains - Chain multiple filters with visual AND/OR logic
Query Syntax
Basic Search
Open Search (Simple Terms)
# Search across all default fields
error
failed login
"disk full"
malware AND user_name = 'admin'
Field-Specific Searches
# Exact field matches
user_name = 'john.doe'
ip_src_address = '192.168.1.100'
event_type = 'login'
# Partial text matches with the : operator (wildcard rules below)
host_name : 'web%'
process_name : '%.exe'
# Wildcard searches using % and _
host_name : 'web%' # Starts with "web"
process_name : '%service%' # Contains "service"
user_name : 'admin_' # admin followed by single character
Advanced Operators
# Boolean logic
user_name = 'john.doe' AND event_type = 'login'
ip_src_address : '192.168.1.%' OR ip_src_address : '10.0.0.%'
NOT user_name = 'system'
# Grouping
(user_name = 'admin' OR user_name = 'root') AND event_type = 'login'
# Comparison operators
event_count > 100
response_time >= 1000
port_number < 1024
# Field existence
isField('process_hash')
!isField('user_agent')
Time-Based Queries
# Note: Time filtering is typically handled through the UI time picker
# For specific timestamp fields in queries:
event_timestamp > '2024-01-01 00:00:00'
event_timestamp <= '2024-01-31 23:59:59'
# Numeric timestamp comparisons
timestamp > 1704067200 # Unix timestamp (2024-01-01 00:00:00 UTC)
Search Types
Event Search
Search individual events and log entries:
- Open Search - Search terms across all default fields without specifying field names
- Structured Search - Search specific fields with exact matching
- Pattern Matching - Use regular expressions for complex patterns
Entity Search
Search for entities and their associated events:
- Entity Lookup - Find all events associated with a specific entity
- Entity Timeline - View chronological activity for an entity
- Entity Relationships - Discover connections between entities
- Behavioral Search - Search based on entity behavior patterns
Aggregation Search
Perform statistical analysis and grouping:
- Count Operations - Count events by field values
- Statistical Functions - Sum, average, min, max, percentiles
- Group By - Group results by field values
- Time Histograms - Aggregate data over time buckets
Visualization Options
Table View
- Sortable Columns - Click column headers to sort results
- Column Customization - Choose which fields to display
- Row Details - Expand rows to see full event details
- Export Options - Export table data in various formats
Timeline View
- Chronological Display - View events in time sequence
- Zoom Controls - Zoom in/out on specific time ranges
- Event Clustering - Group related events on timeline
- Multi-Series - Display multiple event types on same timeline
Chart View
- Line Charts - Show trends over time
- Bar Charts - Compare values across categories
- Pie Charts - Show proportional data
- Heat Maps - Visualize data density and patterns
Advanced Features
Regular Expressions
# Pattern matching using ~ operator
process_name ~ '.*\.exe$'
email ~ '\w+@example\.com'
ip_address ~ '192\.168\.\d+\.\d+'
# Case-insensitive matching
host_name ~ '(?i)web\d+'
IP Address and Network Functions
# IP address range matching: isIPAddressInRange('field_name', 'cidr_range')
isIPAddressInRange('ip_src_address', '192.168.1.0/24')
!isIPAddressInRange('ip_dst_address', '10.0.0.0/8')
# List-based matching: isInList('list_name', 'field_name') - note the list name comes first, the reverse of isIPAddressInRange
isInList('suspicious_ips', 'ip_src_address')
!isInList('known_good_users', 'user_name')
Complex Query Examples
# Multiple conditions with grouping
(user_name = 'admin' OR user_name = 'root') AND event_type = 'login' AND !isInList('allowed_admin_ips', 'ip_src_address')
# Combined field and open search
"failed authentication" AND ip_src_address : '192.168.%' AND event_count > 5
# Using functions and field queries
isField('process_hash') AND process_name ~ '.*\.exe$' AND !isInList('known_processes', 'process_name')
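The operators documented above (`=`, `:` with `%` and `_`, `~`, the numeric and string comparisons, AND/OR/NOT and `!`, grouping, `isField`, `isInList`, `isIPAddressInRange`, and quoted or bare open-search terms) can be modelled end to end so that the three complex queries in this section can be run offline. The block below is an added example written for this page; it is not Secure60's search engine or a client for it, and the names `search`, `QueryParser`, `EVENTS` and `LISTS`, the sample events and the list contents are all constructed. It assumes, where the page is silent, that adjacent bare terms are ANDed, that open search matches any field value as a case-insensitive substring, that `:` wildcards are case-sensitive, that ISO timestamp strings compare lexicographically, and that a missing field never satisfies a comparison or function, so a negated function such as `!isIPAddressInRange('ip_dst_address', ...)` is true for every event that has no `ip_dst_address` at all.

```python
"""Reference model of this page's query syntax: an added example, not Secure60's engine. Assumed: adjacent bare
terms are ANDed, open search is a case-insensitive substring match over all fields, ':' wildcards are case-sensitive."""
import ipaddress
import re

TOKEN_RE = re.compile(r"""\s*(?:(?P<lparen>\()|(?P<rparen>\))|(?P<bang>!)|(?P<op>>=|<=|=|>|<|:|~)
    |'(?P<str>[^']*)'|"(?P<phrase>[^"]*)"|(?P<num>-?\d+(?:\.\d+)?)
    |(?P<call>[A-Za-z_]\w*\(\s*'[^']*'(?:\s*,\s*'[^']*')*\s*\))|(?P<ident>[A-Za-z_][\w.]*)|(?P<bad>\S))""",
    re.VERBOSE)

def compare(actual, op, literal):  # = exact, : wildcard, ~ regex, < <= > >= ordering
    if actual is None:  # a missing field never matches
        return False
    if op == ":":  # % matches any run of characters, _ exactly one; anchored at both ends
        regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in str(literal))
        return re.fullmatch(regex, str(actual), re.DOTALL) is not None
    if op == "~":  # regular expression, unanchored unless the pattern anchors itself
        return re.search(str(literal), str(actual)) is not None
    try:  # numeric literals compare as numbers, strings lexicographically (ISO timestamps sort correctly)
        actual = float(actual) if isinstance(literal, float) else str(actual)
    except (TypeError, ValueError):
        return False
    return {"=": actual == literal, ">": actual > literal, ">=": actual >= literal, "<": actual < literal, "<=": actual <= literal}[op]

class QueryParser:  # recursive descent: or := and (OR and)*; and := unary (AND? unary)*; unary := NOT unary | (or) | predicate
    def __init__(self, query, lists=None):
        self.tokens, self.pos, self.lists = [], 0, lists or {}
        for m in TOKEN_RE.finditer(query):  # whitespace is skipped, unknown characters rejected
            if m.lastgroup == "bad":
                raise ValueError(f"unexpected {m.group(m.lastgroup)!r} at offset {m.start()}")
            self.tokens.append((m.lastgroup, m.group(m.lastgroup)))
    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None
    def take(self, kind=None):
        tok = self.peek()
        if tok is None or (kind and tok[0] != kind):
            raise ValueError(f"expected {kind or 'a token'} at token {self.pos}")
        self.pos += 1
        return tok
    def parse_or(self):
        preds = [self.parse_and()]
        while self.peek() == ("ident", "OR"):
            self.take()
            preds.append(self.parse_and())
        return lambda e: any(p(e) for p in preds)
    def parse_and(self):
        preds = [self.parse_unary()]
        while self.peek() not in (None, ("rparen", ")"), ("ident", "OR")):
            if self.peek() == ("ident", "AND"):
                self.take()
            preds.append(self.parse_unary())  # adjacent terms without AND are ANDed
        return lambda e: all(p(e) for p in preds)
    def parse_unary(self):
        if self.peek() in (("ident", "NOT"), ("bang", "!")):
            self.take()
            inner = self.parse_unary()
            return lambda e: not inner(e)
        if self.peek() == ("lparen", "("):
            self.take()
            inner = self.parse_or()
            self.take("rparen")
            return inner
        return self.parse_predicate()
    def parse_predicate(self):
        kind, text = self.take()
        if kind == "call":  # isField('f') | isInList('list', 'f') | isIPAddressInRange('f', 'cidr')
            return self.function(text[:text.index("(")], re.findall(r"'([^']*)'", text))
        if kind == "phrase" or (kind == "ident" and (self.peek() is None or self.peek()[0] != "op")):
            return lambda e: any(text.lower() in str(v).lower() for v in e.values() if v is not None)  # open search
        if kind != "ident":
            raise ValueError(f"unexpected {text!r}")
        op, (lit_kind, literal) = self.take()[1], self.take()
        literal = float(literal) if lit_kind == "num" else literal
        return lambda e: compare(e.get(text), op, literal)
    def function(self, name, args):
        if name == "isField":
            return lambda e: e.get(args[0]) is not None
        if name == "isInList":
            return lambda e: e.get(args[1]) in self.lists.get(args[0], ())
        if name != "isIPAddressInRange":
            raise ValueError(f"unknown function {name}")
        net = ipaddress.ip_network(args[1], strict=False)
        def in_range(e):  # missing or unparsable addresses never match
            try:
                return ipaddress.ip_address(e.get(args[0])) in net
            except ValueError:
                return False
        return in_range

def search(query, events, lists=None):  # lists maps list names to sets for isInList
    parser = QueryParser(query, lists)
    pred, rest = parser.parse_or(), parser.peek()
    if rest is not None:
        raise ValueError(f"unexpected token {rest[1]!r}")
    return [e for e in events if pred(e)]

EVENTS = [  # constructed sample events, not real telemetry
    {"id": 1, "user_name": "admin", "event_type": "login", "ip_src_address": "192.168.1.50", "host_name": "web01",
     "process_name": "svchost.exe", "process_hash": "cafef00d", "event_count": 12, "event_timestamp": "2024-01-15 08:30:00",
     "message": "failed authentication for admin"},
    {"id": 2, "user_name": "john.doe", "event_type": "login", "ip_src_address": "192.168.1.100", "host_name": "web02",
     "process_name": "explorer.exe", "process_hash": "deadbeef", "event_count": 1, "event_timestamp": "2024-01-20 09:00:00",
     "message": "login ok"},
    {"id": 3, "user_name": "system", "event_type": "process", "ip_src_address": "10.0.0.5", "host_name": "db01",
     "process_name": "updater_service", "event_count": 300, "event_timestamp": "2023-12-31 23:00:00", "message": "disk full on /var"},
]
LISTS = {"allowed_admin_ips": {"192.168.1.10"}, "known_processes": {"explorer.exe"}}  # constructed lookup lists
```

Against these events, all three complex queries from this section return only event 1, `NOT user_name = 'system'` returns events 1 and 2, and `!isIPAddressInRange('ip_dst_address', '10.0.0.0/8')` returns all three because none of them carries an `ip_dst_address`. That last behaviour is the one to confirm against the real engine before relying on it: a negated function or comparison over a field that is simply absent matches every event that lacks the field, which inflates results and is a frequent source of noisy saved searches.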
Search Best Practices
Query Optimization
- Use Specific Fields - Search specific fields rather than open search when possible for better performance
- Limit Time Ranges - Use the UI time picker to limit searches to relevant time periods
- Avoid Leading Wildcards - Avoid `%` at the beginning of search terms when possible
Investigation Workflows
- Start Broad - Begin with open search terms to understand scope
- Narrow Down - Add field-specific filters to focus on specific aspects
- Follow Leads - Use search results to guide next investigation steps
- Document Findings - Save important searches and export results
Query Syntax Tips
- Exact Matches: Use `=` for precise field matching
- Partial Matches: Use `:` with `%` wildcards for flexible text searching
- Field Existence: Use the `isField('fieldname')` and `!isField('fieldname')` functions
- Complex Logic: Use parentheses to group conditions clearly
- Regular Expressions: Use the `~` operator for pattern matching with proper escaping
For detailed query syntax reference, see our Query Syntax documentation.