Search

This document is intended for early-access customers and is continually being updated as Search features are finalized.

The new Search experience in the Alert Logic console lets you perform basic and advanced searches across different log message data types. The Search feature is flexible: you can structure your own search queries, or use templates, fields, and predefined expressions to help you find and organize the messages most relevant to your investigation. Search now supports a variety of log sources, so you can cover potential threats, discover which log sources are present in an environment, and use the results as a starting point for further investigation.

For example, you can search for log messages that have been parsed as "Windows Login Failed", and then aggregate the search results by "User Name" and "Src Host" to investigate which users are causing the most failed logins. You can then export and share the results, and create a manual incident for Alert Logic analysts to review on the Incidents page.
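The failed-login investigation described above, written as an Expert mode query. This is an added example, not a query from the Alert Logic documentation: the table name logmsgs, the time_recv column, and the EXISTS() condition follow the examples on this page, but the column names message_type, user_name, and src_host are assumptions standing in for the parsed-message label and the "User Name" and "Src Host" tokens; check the field list in Simple mode for the real names in your environment.

```sql
-- Added example (not from the Alert Logic documentation).
-- Count failed Windows logins per user and source host so that the
-- noisiest accounts and origins float to the top of the results.
-- Assumed column names: message_type (parsed message label),
-- user_name and src_host (parsed tokens). Verify them in Simple mode.
SELECT
    user_name      AS "User Name",
    src_host       AS "Src Host",
    COUNT(*)       AS "Failed Logins",
    MIN(time_recv) AS "First Seen",
    MAX(time_recv) AS "Last Seen"
FROM logmsgs
WHERE message_type = 'Windows Login Failed'
  AND EXISTS (user_name)
  AND EXISTS (src_host)
GROUP BY user_name, src_host
ORDER BY "Failed Logins" DESC
LIMIT 100
```

Run the query with a date and time range selected (the default is the last hour); a short window with a high count for a single "Src Host" against many "User Name" values is the pattern to look at first, and the row can then be turned into a manual incident from the search results.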

To access the Log Search page, click the menu icon, and then click Investigate. Click Search.

About Search

The Search page offers Simple Mode and Expert Mode. Simple mode lets you add or remove conditions and fields, aggregate or apply a function to predefined expressions, and set sorting and order. Expert mode lets you write your own SQL searches and aggregations. You can start a complex query in Simple mode, apply filters and grouping, and then convert to Expert mode to add more logic or complex functions. Use the drop-down list to switch between Expert Mode and Simple Mode.

For detailed information on how to structure your queries, see the Structure Query Language guide.

From the Search page, you can use the following features in both modes:

Search data types and examples

You can execute searches for the following data types in both Simple mode and Expert mode in the Search tab:

  • Log messages
  • File Integrity Monitoring (FIM) data

Log message example

SELECT time_recv, asset.dict.asset.deployment.name AS "Deployment Name", message
FROM logmsgs
WHERE EXISTS (message)
ORDER BY time_recv DESC

FIM data example

SELECT
    ts AS "Event Time",
    asset.dict.asset.host.name AS "Asset Name",
    event_type AS "Event Type",
    file_type AS "File Type",
    path AS "File Path",
    file_name AS "File Name",
    file_size AS "File Size",
    sha1_hash AS "SHA1",
    asset.dict.asset.host.key AS "Asset Key",
    asset.dict.asset.deployment.name AS "Deployment Name"
FROM fimdata
WHERE EXISTS( "Event Time" )
ORDER BY "Event Time" DESC
LIMIT 1000

Narrow search results by date and time range

You can add a date and time range filter to any log search you create. Select from the following ranges:

  • Last hour (default)
  • Last 6 hours
  • Last 12 hours
  • Last 24 hours
  • Last 7 days
  • Last 30 days

You can also use the calendar to create a custom date and time range.

The Alert Logic console displays time in your local time zone.

Saved searches and scheduled searches

The Saved Searches feature lets you save your searches, and schedule them, for frequent or later use. After you enter a search, you can save and schedule it so that it serves as a template. Click the down arrow, and then click Save and Schedule Search to get started.

Click Saved Searches to view your recently executed searches and recently scheduled searches. From the Saved Searches side panel, you can load a saved search into the query input and download search results to a CSV file. To manage your saved searches, click Manage saved searches to go to the Saved Searches page. To view a list of all results from scheduled searches, click See More to go to the Downloads page.

You can also click the Saved Searches tab to view a list of your saved searches and see which of them are scheduled and which are not. From the Saved Searches tab, you can manage your saved searches: edit the search query, schedule, tags, and recipients; add a schedule to a saved search; or delete searches.

Scheduled search notifications

You can schedule searches for your different data types and be notified when each search completes. Scheduled searches and their notifications help you keep records and track changes over time.

Download search results

If you need to download results from scheduled searches, open the Downloads page by clicking the Downloads tab on the Search page. Click DOWNLOAD to export the search results to a CSV file. From the same page you can also edit a schedule or reuse a scheduled query: click SCHEDULE to edit the search schedule in the Saved Search Schedule form, or click SEARCH to load the scheduled search query into the query input for a new search.

You can also download results from the Search page. Click Saved Searches, and then click the recent search whose results you want to download. To view a list of all results from scheduled searches, click See More to go to the Downloads page.

Search help: fields and templates

The Alert Logic console provides a library of search templates and fields to help you create effective log searches that address the security concerns and goals for your organization. You can then save your searches for later use with the Save Search feature.

Work with messages

After you perform a search, you can view the details of messages that appear in the search results. Click a message to:

  • View a summary of the message
  • View the source properties
  • Add filters or tokens to the search query to refine results
  • Export the message summary to a CSV file
  • Create a manual incident from the message