Query Syntax

Secure60 Platform has a simple and flexible query language that is used in various parts of the platform. The query syntax allows selection of specific fields, matching of partial text, regex and vairous comparison operators. The syntax also allows grouping of conditions to achieve sophisticated matching rules.

Query sytax is used in the following key system components:

• Search Page - All searches are in the query syntax format specified below
• Rule Conditions - Rules that execute in the Secure60 platform are written with a condition statement that is a query in the Secure60 query syntax

Query elements

A basic Secure60 query looks like: fieldname operator value

• An example of a query might be: ip_src_address = '43.53.63.62'

Multiple basic query elements can be joined together with a keyword

• An example of a multiple field query might be: ip_src_address = '43.53.63.62' AND host_name = 'testserver4.example.com'

Query component evaluation can be controlled by using grouping

• An example leveraging grouping fields might be: (ip_src_address = '43.53.63.62' AND host_name = 'testserver4.example.com') OR (ip_src_address = '8.8.8.8')

Element reference

fieldname

• Any alphanumeric value

operator

• = Exact match
• != Not match
• : Contains - Partial text match
  • Expression can contain normal characters and the following metasymbols:
    • % indicates an arbitrary number of arbitrary characters (including zero characters).
    • _ indicates a single arbitrary character.
    • \ is for escaping literals %, _ and \
• !: Not Contains - Partial text not match
• < or <= Less than or Less than equal to
• > or >= Greater than or Greater than equal to
• ~ Regex search
  • Google RE2 syntax
  • Use for smaller time periods (minutes to hours) as will be lower performance across large datasets

value

• Any alpha numeric along with special or escape characters
• When operator is an exact match (eg `=``) text only
• When operator is a text match (eg :) then can include % symbol to indicate wildcard for rest of text stringb(or start)
• When operator is regex match (eg ~``) then can include re regex syntax`

Functions

Instead of a fieldname we make a number of functions available to enhance query feature set

Usage of a function is to state the function, if data evaluates to true then results from this function will be included

Function List:

• isField('fieldname') - Used to look for the presence of a specific field (with any value)
  • fieldname - Any valid Secure60 fieldname
  • Applies to Event and Signal data types
• !isField('fieldname') - Used to exclude a specific field (with any value)
• isIPAddressInRange('fieldname', 'prefix')
  • fieldname - Any valid Secure60 fieldname
  • prefix - String IP address with subnet (Eg. 127.0.0.0/24)
• !isIPAddressInRange('fieldname', 'prefix') - Used to exclude an IP address from matching
• isInList('list_id', 'fieldname') - Applies filtering logic to the query to only return results that have a match between the fieldname provided and a List Item in the list_id provided.
  • fieldname - Any valid Secure60 fieldname
  • list_id - Any valid List ID
• !isInList('list_id', 'fieldname') - Applies filtering logic to the query to exclude results that have a match between the fieldname provided and a List Item in the list_id provided.
  • fieldname - Any valid Secure60 fieldname
  • list_id - Any valid List ID

Notes:

• isInList can also be applied via the parameters list_allow_field and list_allow_id for example. See:
  • Lists for a List overview
  • Rules Documentation for Rule specific information
  • Consult the full API specification for additional detail

Notes on usage

• When using regex match its sometimes necessary to double escape a special character
  • Example
    • To make this statement match: process_target_image ~ '\lsass.exe$'
    • A double escape is required: process_target_image ~ '\\\lsass.exe$'