Search Capabilities

Secure60’s powerful search interface provides lightning-fast queries across all your ingested data. Whether you’re investigating a specific incident, hunting for threats, or performing routine analysis, our advanced search capabilities give you the tools you need to find answers quickly.


Search Interface

Visual Query Builder


Query Syntax

Open Search (Simple Terms)

# Search across all default fields
error
failed login
"disk full"
malware AND user_name = 'admin'

Field-Specific Searches

# Exact field matches
user_name = 'john.doe'
ip_src_address = '192.168.1.100'
event_type = 'login'

# Partial text matches with the : operator
host_name : 'web%'
process_name : '%.exe'

# Wildcard searches using % (any run of characters) and _ (exactly one character)
host_name : 'web%'        # Starts with "web"
process_name : '%service%' # Contains "service"
user_name : 'admin_'      # "admin" followed by exactly one character

Advanced Operators

# Boolean logic
user_name = 'john.doe' AND event_type = 'login'
ip_src_address : '192.168.1.%' OR ip_src_address : '10.0.0.%'
NOT user_name = 'system'

# Grouping
(user_name = 'admin' OR user_name = 'root') AND event_type = 'login'

# Comparison operators
event_count > 100
response_time >= 1000
port_number < 1024

# Field existence
isField('process_hash')
!isField('user_agent')

Time-Based Queries

# Note: Time filtering is typically handled through the UI time picker
# For specific timestamp fields in queries:
event_timestamp > '2024-01-01 00:00:00'
event_timestamp <= '2024-01-31 23:59:59'

# Numeric timestamp comparisons
timestamp > 1704067200    # Unix timestamp (seconds since the epoch; 1704067200 is 2024-01-01 00:00:00 UTC)

Search Types

Search individual events and log entries:

Search for entities and their associated events:

Perform statistical analysis and grouping:


Visualization Options

Table View

Timeline View

Chart View


Advanced Features

Regular Expressions

# Pattern matching using ~ operator
process_name ~ '.*\.exe$'
email ~ '\w+@example\.com'
ip_address ~ '192\.168\.\d+\.\d+'

# Case-insensitive matching
host_name ~ '(?i)web\d+'

IP Address and Network Functions

# IP address range matching
isIPAddressInRange('ip_src_address', '192.168.1.0/24')
!isIPAddressInRange('ip_dst_address', '10.0.0.0/8')

# List-based matching
isInList('suspicious_ips', 'ip_src_address')
!isInList('known_good_users', 'user_name')

Complex Query Examples

# Multiple conditions with grouping
(user_name = 'admin' OR user_name = 'root') AND event_type = 'login' AND !isInList('allowed_admin_ips', 'ip_src_address')

# Combined field and open search
"failed authentication" AND ip_src_address : '192.168.%' AND event_count > 5

# Using functions and field queries
isField('process_hash') AND process_name ~ '.*\.exe$' AND !isInList('known_processes', 'process_name')
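The operators used in these examples can be made concrete with a small Python model of their semantics. This is an added, stand-alone example and is not Secure60's own query engine or parser: it assumes SQL-LIKE wildcard rules for the : operator (% matches any run of characters, _ exactly one, both case-sensitive), re.search semantics for ~, that a comparison on a missing field never matches, and that isInList takes the list name first as the documentation shows. The events, the list contents and the function names (eq, like, regex, is_in_list, run, ...) are constructed for this example.

```python
"""Added model of the documented Secure60 operators (not the product's engine).

Each documented operator becomes a predicate over an event dict, so the two
"Complex Query Examples" above can be evaluated over constructed sample events.
"""
import ipaddress
import re
from typing import Callable, Dict, List

Event = Dict[str, object]
Predicate = Callable[[Event], bool]

# Constructed sample events (not real telemetry); field names follow the page.
EVENTS: List[Event] = [
    {"user_name": "admin", "event_type": "login", "ip_src_address": "192.168.1.100",
     "process_name": "svchost.exe", "process_hash": "aa11", "event_count": 12},
    {"user_name": "root", "event_type": "login", "ip_src_address": "10.0.0.5",
     "process_name": "sshd", "event_count": 3},
    {"user_name": "john.doe", "event_type": "login", "ip_src_address": "192.168.1.7",
     "process_name": "webservice.exe", "process_hash": "bb22", "event_count": 1},
    {"user_name": "admin", "event_type": "logout", "ip_src_address": "203.0.113.9",
     "process_name": "explorer.exe", "process_hash": "cc33", "event_count": 1},
]

# Constructed lookup lists, keyed by the list name used in isInList().
LISTS: Dict[str, set] = {
    "allowed_admin_ips": {"192.168.1.100"},
    "known_processes": {"svchost.exe", "explorer.exe"},
}


def like_to_regex(pattern: str) -> re.Pattern:
    """Translate a ':' pattern ('%' = any run, '_' = one char) to an anchored
    regex. Every other character is escaped, so '.' in 'web.exe' is literal."""
    parts = [".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern]
    return re.compile("^" + "".join(parts) + "$", re.DOTALL)


def eq(field: str, value: object) -> Predicate:      # field = 'value'
    return lambda e: field in e and e[field] == value


def like(field: str, pattern: str) -> Predicate:     # field : 'pattern'
    rx = like_to_regex(pattern)
    return lambda e: field in e and rx.match(str(e[field])) is not None


def regex(field: str, pattern: str) -> Predicate:    # field ~ 'pattern'
    rx = re.compile(pattern)
    return lambda e: field in e and rx.search(str(e[field])) is not None


def gt(field: str, value: float) -> Predicate:       # field > value (numeric only)
    return lambda e: isinstance(e.get(field), (int, float)) and e[field] > value


def is_field(field: str) -> Predicate:               # isField('field')
    return lambda e: field in e


def is_ip_in_range(field: str, cidr: str) -> Predicate:  # isIPAddressInRange()
    net = ipaddress.ip_network(cidr, strict=True)

    def pred(e: Event) -> bool:
        try:  # a missing or malformed address is simply "not in range"
            return ipaddress.ip_address(str(e[field])) in net
        except (KeyError, ValueError):
            return False
    return pred


def is_in_list(list_name: str, field: str) -> Predicate:  # isInList('list', 'field')
    members = LISTS.get(list_name, set())
    return lambda e: e.get(field) in members


def all_of(*preds: Predicate) -> Predicate:          # AND
    return lambda e: all(p(e) for p in preds)


def any_of(*preds: Predicate) -> Predicate:          # OR
    return lambda e: any(p(e) for p in preds)


def negate(pred: Predicate) -> Predicate:            # NOT / !
    return lambda e: not pred(e)


def run(query: Predicate, events: List[Event] = EVENTS) -> List[str]:
    """Return the user_name of every matching event, in input order."""
    return [str(e["user_name"]) for e in events if query(e)]


# (user_name = 'admin' OR user_name = 'root') AND event_type = 'login'
#   AND !isInList('allowed_admin_ips', 'ip_src_address')
PRIVILEGED_LOGIN_FROM_UNEXPECTED_IP = all_of(
    any_of(eq("user_name", "admin"), eq("user_name", "root")),
    eq("event_type", "login"),
    negate(is_in_list("allowed_admin_ips", "ip_src_address")),
)

# isField('process_hash') AND process_name ~ '.*\.exe$'
#   AND !isInList('known_processes', 'process_name')
UNKNOWN_HASHED_EXE = all_of(
    is_field("process_hash"),
    regex("process_name", r".*\.exe$"),
    negate(is_in_list("known_processes", "process_name")),
)

if __name__ == "__main__":
    print(run(PRIVILEGED_LOGIN_FROM_UNEXPECTED_IP))                 # ['root']
    print(run(UNKNOWN_HASHED_EXE))                                   # ['john.doe']
    print(run(like("process_name", "%service%")))                    # ['john.doe']
    print(run(is_ip_in_range("ip_src_address", "192.168.1.0/24")))  # ['admin', 'john.doe']
```

Two details worth noticing when writing real queries: the `admin` login from 192.168.1.100 drops out of the first query only because the allow-list negation is ANDed with the grouped user condition, so the parentheses matter; and the `~` operator sees `.` as "any character" while `:` does not, which is why the model escapes everything but `%` and `_` when translating wildcard patterns.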

Search Best Practices

Query Optimization

Investigation Workflows

  1. Start Broad - Begin with open search terms to understand scope
  2. Narrow Down - Add field-specific filters to focus on specific aspects
  3. Follow Leads - Use search results to guide next investigation steps
  4. Document Findings - Save important searches and export results

Query Syntax Tips

For detailed query syntax reference, see our Query Syntax documentation.
