Get Started with Search

This document is intended for early-access customers and is being updated as Search features are finalized.

The new Search experience in the Alert Logic console allows you to perform basic and advanced searches for different data types. The Search feature is flexible: you can structure advanced search queries, and use fields and predefined expressions to find and organize the messages most relevant to your investigation. Search now supports a variety of data sources that help you uncover potential threats, discover which data sources are present in an environment, and investigate further with the provided tools.

For example, you can search for messages that have been parsed as "Windows Login Failed", and then aggregate the search results by "User Name" and "Src Host" to investigate which users are causing the most failed logins. You can then export and share the results, or create a manual incident on the Incidents page.

To access the Search page, click the menu icon, and then click Investigate. Click Search.

About Search Modes

You can search in Simple Mode and Expert Mode. Click the drop-down list to alternate between Expert Mode and Simple Mode.

Simple mode

Simple mode allows you to add or remove conditions and fields, aggregate or add a function to predefined expressions, and determine sorting and order. Simple mode is optimized for executing common and simple queries quickly. You can create a simple or common query in Simple mode, apply filters and grouping, and then switch to Expert mode to add more logic or complex functions.

Expert mode

Expert mode allows you to create your own SQL searches and aggregations. Expert mode allows you to create more complex searches, which you can build from a Simple mode query when you switch. You can also use the Help feature to quickly find and add fields to your query.

Search data types and examples

You can execute searches for the following data types in both Simple mode and Expert mode in the Search tab:

  • Log messages
  • File Integrity Monitoring (FIM) data

For detailed information on how to structure your queries, see the Structure Query Language guide.

Log message example

Below is an example of a basic search query to find log messages in a specific deployment.

SELECT time_recv, asset.dict.asset.deployment.name as "Deployment Name", message
FROM logmsgs
WHERE EXISTS (message)
ORDER BY time_recv DESC

FIM data example

Below is an example of a complex search query to find FIM events with specific information such as time, asset name, file path, size, and host.

SELECT
    ts AS "Event Time",
    asset.dict.asset.host.name AS "Asset Name",
    event_type AS "Event Type",
    file_type AS "File Type",
    path AS "File Path",
    file_name AS "File Name",
    file_size AS "File Size",
    sha1_hash AS "SHA1",
    asset.dict.asset.host.key AS "Asset Key",
    asset.dict.asset.deployment.name AS "Deployment Name"
FROM fimdata
WHERE EXISTS( "Event Time" )
ORDER BY "Event Time" DESC
LIMIT 1000
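The introduction describes aggregating search results by fields to see which users or hosts generate the most activity. The following added example (not from the Alert Logic documentation) applies the same approach to FIM data, counting events per host, event type and file path so that hosts with unusually many file changes stand out. It assumes that the search language supports COUNT(*) and GROUP BY with the same meaning as standard SQL; the field and table names are the ones used in the FIM example above.

```sql
-- Added example: count FIM events per host, event type and path.
-- Assumes COUNT(*) and GROUP BY behave as in standard SQL.
SELECT
    asset.dict.asset.host.name AS "Asset Name",
    event_type AS "Event Type",
    path AS "File Path",
    COUNT(*) AS "Event Count"
FROM fimdata
WHERE EXISTS( ts )
GROUP BY
    asset.dict.asset.host.name,
    event_type,
    path
ORDER BY "Event Count" DESC
LIMIT 100
```

Sorting by the count first surfaces the host and directory combinations with the most change activity in the selected time range, which is a useful starting point before drilling into individual messages.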

Search Features

From the Alert Logic console Search page, you can use the following features:

In Expert mode, you can use the Help search fields to search for fields that you can add to the search query.

Other capabilities that exist in both modes include:

  • Applying settings to all search results
  • Running more than one search at a time, which keeps a tab open for each of your searches
  • Loading saved searches into the query and immediately downloading search results from the Saved Searches side panel

Narrow search results by date and time range

You can add a date and time range filter to any search you create. Select from the following ranges:

  • Last hour (default)
  • Last 6 hours
  • Last 12 hours
  • Last 24 hours
  • Last 7 days
  • Last 30 days

You can also use the calendar to create a custom date and time range.

The Alert Logic console displays time in your local time zone.

Saved searches and scheduled searches

You can save and schedule your searches for frequent and later use. After you enter a search, you can save and schedule it; the saved search is shared with others in your account. Click the down arrow, and then click Save and Schedule Search to get started. For further instructions on how to save and schedule a search, see Saved and Scheduled Searches.

Click Saved Searches to access the Saved Searches side panel, where you can view your recently executed searches and recent scheduled searches. From the Saved Searches side panel, you can load searches and download search results to a CSV file. To manage your saved searches, click Manage saved searches at the bottom of the list. You will be redirected to the Saved Searches page. To view a list of all your search results from scheduled searches, click See More to be redirected to the Downloads page.

You can also click the Saved Searches tab to access the Saved Searches page, where you can view a list of your saved searches, scheduled saved searches, and saved searches not on a schedule. From the Saved Searches tab, you can manage your saved searches, including editing the search query, schedule, tags, and recipients, adding a schedule to a saved search, and deleting searches. For more information, see Saved and Scheduled Searches.

Schedule search notifications

You can set up notifications to alert you and others, or send an alert to a connector, when a scheduled search is complete. The search and notification can help you keep records and track any changes. For more information, see Create a search schedule and notification.

Download search results

You can download search results from completed scheduled searches and recent searches from the Downloads page and from the Search page. Click the Downloads tab on the Search page. Click DOWNLOAD to export the search results to a CSV file. From the same page, click SCHEDULE to edit the search schedule in the Saved Search Schedule form, or click SEARCH to load the scheduled search query into the search field.

You can also download results from the Search page. Click Saved Searches, and then click the recent search for which you want to download search results. To view a list of all your search results from scheduled searches, click See More to be redirected to the Downloads page. For more information, see Downloads.

Help search fields

The Help side panel provides a library of fields, organized by data type, that you can add to the Expert mode search query. In Search Expert mode, click Help to access the Help side panel. The help fields allow you to quickly create effective searches that address the security concerns and goals of your organization. You can then save your searches for later use with the Save Search feature. For more information, see Search Help Fields.

Work with messages

After you perform a search, you can view the details of messages that appear in the search results. Click a message to:

  • View a summary of the message
  • View the source properties
  • Add tokens to the search query to refine results
  • Export the message summary to a CSV file
  • Create a manual incident from the message

For more information, see Manage Search Results Messages.

Other features

You can execute more than one search at the same time. Each search appears as a tab at the top of the Search page, and you can switch between search tabs. Search tabs are not stored, and you can close them when you are done working in them. Your recently executed searches are stored in the Saved Searches side panel.

You can also configure settings that apply to all of your search results. Click Settings on the Search page. You have the option to automatically convert the timestamps in data sources to your time zone.