Search Capabilities

Secure60’s powerful search interface provides lightning-fast queries across all your ingested data. Whether you’re investigating a specific incident, hunting for threats, or performing routine analysis, our advanced search capabilities give you the tools you need to find answers quickly.

Search Interface

Unified Search Bar

• Single Search Point - Search across all data sources from one interface
• Query History - Access and reuse previous searches
• Saved Searches - Save frequently used queries for quick access
• Share Searches - Collaborate by sharing search queries with team members

Visual Query Builder

• Drag-and-Drop Interface - Build complex queries without memorizing syntax
• Field Browser - Explore available fields and their values
• Filter Chains - Chain multiple filters with visual AND/OR logic

Query Syntax

Basic Search

Open Search (Simple Terms)

# Search across all default fields
error
failed login
"disk full"
malware AND user_name = 'admin'

Field-Specific Searches

# Exact field matches
user_name = 'john.doe'
ip_src_address = '192.168.1.100'
event_type = 'login'

# Contains/partial text matches
host_name : 'web%'
process_name : '%.exe'

# Wildcard searches using % and _
host_name : 'web%'        # Starts with "web"
process_name : '%service%' # Contains "service"
user_name : 'admin_'      # admin followed by single character

Advanced Operators

# Boolean logic
user_name = 'john.doe' AND event_type = 'login'
ip_src_address : '192.168.1.%' OR ip_src_address : '10.0.0.%'
NOT user_name = 'system'

# Grouping
(user_name = 'admin' OR user_name = 'root') AND event_type = 'login'

# Comparison operators
event_count > 100
response_time >= 1000
port_number < 1024

# Field existence
isField('process_hash')
!isField('user_agent')

Time-Based Queries

# Note: Time filtering is typically handled through the UI time picker
# For specific timestamp fields in queries:
event_timestamp > '2024-01-01 00:00:00'
event_timestamp <= '2024-01-31 23:59:59'

# Numeric timestamp comparisons
timestamp > 1704067200    # Unix timestamp

Search Types

Event Search

Search individual events and log entries:

• Open Search - Search terms across all default fields without specifying field names
• Structured Search - Search specific fields with exact matching
• Pattern Matching - Use regular expressions for complex patterns

Entity Search

Search for entities and their associated events:

• Entity Lookup - Find all events associated with a specific entity
• Entity Timeline - View chronological activity for an entity
• Entity Relationships - Discover connections between entities
• Behavioral Search - Search based on entity behavior patterns

Aggregation Search

Perform statistical analysis and grouping:

• Count Operations - Count events by field values
• Statistical Functions - Sum, average, min, max, percentiles
• Group By - Group results by field values
• Time Histograms - Aggregate data over time buckets

Visualization Options

Table View

• Sortable Columns - Click column headers to sort results
• Column Customization - Choose which fields to display
• Row Details - Expand rows to see full event details
• Export Options - Export table data in various formats

Timeline View

• Chronological Display - View events in time sequence
• Zoom Controls - Zoom in/out on specific time ranges
• Event Clustering - Group related events on timeline
• Multi-Series - Display multiple event types on same timeline

Chart View

• Line Charts - Show trends over time
• Bar Charts - Compare values across categories
• Pie Charts - Show proportional data
• Heat Maps - Visualize data density and patterns

Advanced Features

Regular Expressions

# Pattern matching using ~ operator
process_name ~ '.*\.exe$'
email ~ '\w+@example\.com'
ip_address ~ '192\.168\.\d+\.\d+'

# Case-insensitive matching
host_name ~ '(?i)web\d+'

IP Address and Network Functions

# IP address range matching
isIPAddressInRange('ip_src_address', '192.168.1.0/24')
!isIPAddressInRange('ip_dst_address', '10.0.0.0/8')

# List-based matching
isInList('suspicious_ips', 'ip_src_address')
!isInList('known_good_users', 'user_name')

Complex Query Examples

# Multiple conditions with grouping
(user_name = 'admin' OR user_name = 'root') AND event_type = 'login' AND !isInList('allowed_admin_ips', 'ip_src_address')

# Combined field and open search
"failed authentication" AND ip_src_address : '192.168.%' AND event_count > 5

# Using functions and field queries
isField('process_hash') AND process_name ~ '.*\.exe$' AND !isInList('known_processes', 'process_name')

Search Best Practices

Query Optimization

• Use Specific Fields - Search specific fields rather than open search when possible for better performance
• Limit Time Ranges - Use the UI time picker to limit searches to relevant time periods
• Avoid Leading Wildcards - Avoid % at the beginning of search terms when possible

Investigation Workflows

1. Start Broad - Begin with open search terms to understand scope
2. Narrow Down - Add field-specific filters to focus on specific aspects
3. Follow Leads - Use search results to guide next investigation steps
4. Document Findings - Save important searches and export results

Query Syntax Tips

• Exact Matches: Use = for precise field matching
• Partial Matches: Use : with % wildcards for flexible text searching
• Field Existence: Use isField('fieldname') and !isField('fieldname') functions
• Complex Logic: Use parentheses to group conditions clearly
• Regular Expressions: Use ~ operator for pattern matching with proper escaping

For detailed query syntax reference, see our Query Syntax documentation.