Skip to main content Link Menu Expand (external link) Document Search Copy Copied

Data Search - Events / Metaflow

Sections
  1. The ‘search’ command
    1. Search ‘options’
    2. Search ‘time’ parameter
      1. relative time: (< | > or @) (s | m | h | d | w | mon) (+|-)
      2. absolute time
    3. Search ‘query’ parameter
  2. The ‘where’ command

In the FPL, data selection is done via the search command, for normal log (event/metaflow) data, and the load command, for special ‘resources’ data. The data selection is applied before all other FPL commands.

This following section (Data Load) will focus on the search command. See the following sections “Resources”, for more information on how to use the load command.

The ‘search’ command

The search command uses the following syntax:

  search {options} query

Search ‘options’

The available ‘options’ are for data ‘type’, and time selection parameters (‘from’ and ‘to’).

search {type="", from="", to=""} query

Possible options for type are ‘event’ and ‘metaflow’. Note: If the ‘type’ option is not specified, the default value is ‘event’.

Search ‘time’ parameter

To search within a specific time window, uses the following syntax:

  search {from="", to=""}

relative time: (< | > or @) (s | m | h | d | w | mon) (+|-)

  • <d+1h: to last day boundary then add one hour
  • >d+1h: to next day boundary then add one hour
  • -5d<d or -5d@d: five day ago, then align to begin of day

absolute time

  • RFC3339: “2006-01-02T15:04:05Z” OR “2006-01-02T15:04:05+04:00”
  • Local time: “2006-01-02T15:04:05” OR “20220102” OR “20220102_102030”

Note: if no timezone specified, the system timezone is assumed (per site configuration)

Example (searching within the past 3 days):

  search {from="-3d@d",to="@d"}

Search ‘query’ parameter

The “query” parameter consists of one or more search expressions and the boolean operators and, or and not:

Example:

  search {options} expression1 and expression2 not expression3 ... expressionN

The following expressions are supported:

  • sContent(field, value) 
    search {from="-3d@d",to="@d"} sContent("@event_type","@azureSignIn")
  • sContains(field, value) 
    search {from="-3d@d",to="@d"} sContains("@event_type","Sign")
  • sStartswith(field, value) 
    search {from="-3d@d",to="@d"} sStartswith("@event_type","@azure")
  • sEndswith(field, value) 
    search {from="-3d@d",to="@d"} sEndswith("@event_type","SignIn")
  • sRange(field, from, to) 
    search sRange("__size__","1","800")
  • sRegexp(field, field, value) 
    search sRegexp("@fields.isprime","y.*")
  • sEntityinfo(field, entityname) 
    search sEntityinfo("@fields.EventID","AD_EventID")

  • sIsnull(field): If all the elements of this field are null or empty, return “true”.

  • sWildcard(field): only keep the non-empty elements of a field

All content search functions start with “s” has two modes: when used in a “search” pipe, the expected field name must be a field name in full path. Otherwise the field argument must be variable (see sContent for examples).

The ‘where’ command

The where command has similar syntax with search, and all the query functions above associated with search can be used after where. The difference between where and search is that where is used after the variables extracted from database. If the query of where returns false, the corresponding columns are discarded. An example of combining two commands is given:

load resource sentinelOneAgent
let {agentID, asset, username} = f("@sentinelOneAgent.translation")
let {computerName, modelName, mitigationMode, infected, appsVulnerabilityStatus} = f("@sentinelOneAgent")
where infected==true or appsVulnerabilityStatus=="patch_required"

Page last updated: 2022 Oct 27

Table of contents