Query Syntax

Secure60 Platform has a simple and flexible query language that is used in various parts of the platform. The query syntax allows selection of specific fields, matching of partial text, regex and vairous comparison operators. The syntax also allows grouping of conditions to achieve sophisticated matching rules.

Query sytax is used in the following key system components:

Search Page - All searches are in the query syntax format specified below
Rule Conditions - Rules that execute in the Secure60 platform are written with a condition statement that is a query in the Secure60 query syntax

Query elements

A basic Secure60 query looks like: fieldname operator value

An example of a query might be: ip_src_address = '43.53.63.62'

Multiple basic query elements can be joined together with a keyword

An example of a multiple field query might be: ip_src_address = '43.53.63.62' AND host_name = 'testserver4.example.com'

Query component evaluation can be controlled by using grouping

An example leveraging grouping fields might be: (ip_src_address = '43.53.63.62' AND host_name = 'testserver4.example.com') OR (ip_src_address = '8.8.8.8')

Element reference

`fieldname`

Any alphanumeric value

`operator`

= Exact match
!= Not match
: Contains - Partial text match
- (Polling Rules Only) Expression can contain normal characters and the following metasymbols:
  - % indicates an arbitrary number of arbitrary characters (including zero characters).
  - _ indicates a single arbitrary character.
  - \ is for escaping literals %, _ and \
- (Streaming Rules) Expression matches text provided exactly (no wildcards)
!: Not Contains - Partial text not match
< or <= Less than or Less than equal to
> or >= Greater than or Greater than equal to
~ Regex search (Not available in Streaming Rules)
- Google RE2 syntax
- Use for smaller time periods (minutes to hours) as will be lower performance across large datasets

`value`

Any alpha numeric along with special or escape characters
When operator is an exact match (eg `=``) text only
When operator is a text match (eg :) then can include % symbol to indicate wildcard for rest of text stringb(or start)
When operator is regex match (eg ~``) then can include re regex syntax`

Functions

Instead of a fieldname we make a number of functions available to enhance query feature set

Usage of a function is to state the function, if data evaluates to true then results from this function will be included

Function List (Not available in Streaming Rules):

isField('fieldname') - Used to look for the presence of a specific field (with any value)
- fieldname - Any valid Secure60 fieldname
- Applies to Event and Signal data types
!isField('fieldname') - Used to exclude a specific field (with any value)
isIPAddressInRange('fieldname', 'prefix')
- fieldname - Any valid Secure60 fieldname
- prefix - String IP address with subnet (Eg. 127.0.0.0/24)
!isIPAddressInRange('fieldname', 'prefix') - Used to exclude an IP address from matching
isInList('list_id', 'fieldname') - Applies filtering logic to the query to only return results that have a match between the fieldname provided and a List Item in the list_id provided.
- fieldname - Any valid Secure60 fieldname
- list_id - Any valid List ID
!isInList('list_id', 'fieldname') - Applies filtering logic to the query to exclude results that have a match between the fieldname provided and a List Item in the list_id provided.
- fieldname - Any valid Secure60 fieldname
- list_id - Any valid List ID

Notes:

isInList can also be applied via the parameters list_allow_field and list_allow_id for example. See:
- Lists for a List overview
- Rules Documentation for Rule specific information
- Consult the full API specification for additional detail

Notes on usage

When using regex match its sometimes necessary to double escape a special character
- Example
  - To make this statement match: process_target_image ~ '\lsass.exe$'
  - A double escape is required: process_target_image ~ '\\\lsass.exe$'