Query Syntax

Secure60 Platform has a simple and flexible query language that is used in various parts of the platform. The query syntax allows selection of specific fields, matching of partial text, regex and vairous comparison operators. The syntax also allows grouping of conditions to achieve sophisticated matching rules.

Query sytax is used in the following key system components:

• Search Page - All searches are in the query syntax format specified below
• Rule Conditions - Rules that execute in the Secure60 platform are written with a condition statement that is a query in the Secure60 query syntax

Open Search

Secure60 supports flexible open search functionality that allows you to search for terms across multiple fields without specifying individual field names. This provides a quick and intuitive way to find relevant events.

Open Search Syntax

Single Term Search:

• error - Searches for “error” across all default fields

Multiple Terms (AND logic):

• error timeout - Searches for events containing both “error” AND “timeout” across all default fields

Exact Phrase Search:

• "disk full" - Searches for the exact phrase “disk full” across all default fields

Combining with Field Queries:

• error AND user_name = 'admin' - Combines open search with specific field queries
• (login failed) OR ip_src_address = '192.168.1.100' - Uses grouping with open search

Default Search Fields

By default, open search queries are executed across the following fields for optimal performance:

• message_text - Log message content
• host_name - Source hostname
• ip_src_address - Source IP address
• ip_dst_address - Destination IP address
• user_name - Username associated with the event

Configuration Options

On-premise and custom deployments have additional configuration options available:

• All Fields Search - Search across every field in the event data
• Custom Field Sets - Define specific fields to include in open search queries
• Disable Open Search - Fall back to traditional field=value queries only

Contact your system administrator for information about available configuration options in your deployment.

Query elements

Secure60 supports two main query types:

1. Open Search (described above) - Search terms without field specification
2. Traditional Field Queries (described below) - Explicit field, operator, and value combinations

A basic traditional field query looks like: fieldname operator value

• An example of a query might be: ip_src_address = '43.53.63.62'

Multiple basic query elements can be joined together with a keyword

• An example of a multiple field query might be: ip_src_address = '43.53.63.62' AND host_name = 'testserver4.example.com'

Query component evaluation can be controlled by using grouping

• An example leveraging grouping fields might be: (ip_src_address = '43.53.63.62' AND host_name = 'testserver4.example.com') OR (ip_src_address = '8.8.8.8')

Query element using regex and searching in a case insensitive manner

• An example might be: ip_geo_city_name ~ '(?i)melbourne'

Element reference

fieldname

• Any alphanumeric value

operator

• = Exact match
• != Not match
• : Contains - Partial text match
  • (Polling Rules Only) Expression can contain normal characters and the following metasymbols:
    • % indicates an arbitrary number of arbitrary characters (including zero characters).
    • _ indicates a single arbitrary character.
    • \ is for escaping literals %, _ and \
  • (Streaming Rules) Expression matches text provided exactly (no wildcards)
• !: Not Contains - Partial text not match
• < or <= Less than or Less than equal to
• > or >= Greater than or Greater than equal to
• ~ Regex search (Not available in Streaming Rules)
  • Google RE2 syntax
  • Use for smaller time periods (minutes to hours) as will be lower performance across large datasets

value

• Any alpha numeric along with special or escape characters
• When operator is an exact match (eg `=``) text only
• When operator is a text match (eg :) then can include % symbol to indicate wildcard for rest of text stringb(or start)
• When operator is regex match (eg ~``) then can include re regex syntax`

Functions

Instead of a fieldname we make a number of functions available to enhance query feature set

Usage of a function is to state the function, if data evaluates to true then results from this function will be included

Function List (Not available in Streaming Rules):

• isField('fieldname') - Used to look for the presence of a specific field (with any value)
  • fieldname - Any valid Secure60 fieldname
  • Applies to Event and Signal data types
• !isField('fieldname') - Used to exclude a specific field (with any value)
• isIPAddressInRange('fieldname', 'prefix')
  • fieldname - Any valid Secure60 fieldname
  • prefix - String IP address with subnet (Eg. 127.0.0.0/24)
• !isIPAddressInRange('fieldname', 'prefix') - Used to exclude an IP address from matching
• isInList('list_id', 'fieldname') - Applies filtering logic to the query to only return results that have a match between the fieldname provided and a List Item in the list_id provided.
  • fieldname - Any valid Secure60 fieldname
  • list_id - Any valid List ID
• !isInList('list_id', 'fieldname') - Applies filtering logic to the query to exclude results that have a match between the fieldname provided and a List Item in the list_id provided.
  • fieldname - Any valid Secure60 fieldname
  • list_id - Any valid List ID

Notes:

• isInList can also be applied via the parameters list_allow_field and list_allow_id for example. See:
  • Lists for a List overview
  • Rules Documentation for Rule specific information
  • Consult the full API specification for additional detail

Notes on usage

Query Type Selection

Use Open Search when:

• Doing exploratory searches across logs
• Looking for general terms or phrases
• Unsure which specific field contains the data
• Want fast, intuitive searching similar to Google or Kibana

Use Traditional Field Queries when:

• Need precise field-specific filtering
• Require exact matches or specific operators (>, <, !=)
• Building complex rule conditions
• Need maximum query performance for known field searches

Examples

Open Search Examples:

• failed login - Find any events mentioning failed logins
• "connection timeout" - Find exact phrase across all fields
• malware AND ip_src_address = '10.0.0.1' - Combine approaches

Traditional Field Query Examples:

• user_name = 'admin' - Exact user match
• event_count > 100 - Numeric comparison
• ip_src_address : '192.168.%' - IP subnet search with wildcards

Technical Notes

• When using regex match its sometimes necessary to double escape a special character
  • Example
    • To make this statement match: process_target_image ~ '\lsass.exe$'
    • A double escape is required: process_target_image ~ '\\\lsass.exe$'