Skip to main content Link Search Menu Expand Document (external link)

Data Selection - Events

Sections
  1. The ‘search’ command
    1. Search ‘time’ parameter
      1. relative time: (< | > or @) (s | m | h | d | w | mon) (+|-)
      2. absolute time
    2. Search ‘query’ parameter
  2. The ‘where’ command

In the FPL, data selection is done via the search command, for normal log (event) data, and the load command, for special ‘resources’ data. The data selection is applied before all other FPL commands.

This following section will focus on the search command. See the following sections “Resources”, for more information on how to use the load command.

The ‘search’ command

The search command uses the following syntax:

  search {time} query

The “query” parameter consists of expressions and boolean operators and, or and not:

  expression1 and expression2 ... expressionN

Example:

  search {time} expression1 and expression2 not expression3 ... expressionN

Search ‘time’ parameter

To search within a specific time window, uses the following syntax:

  search {from="", to=""} 

relative time: (< | > or @) (s | m | h | d | w | mon) (+|-)

  • <d+1h: to last day boundary then add one hour
  • >d+1h: to next day boundary then add one hour
  • -5d<d or -5d@d: five day ago, then align to begin of day

absolute time

  • RFC3339: “2006-01-02T15:04:05Z” OR “2006-01-02T15:04:05+04:00”
  • Local time: “2006-01-02T15:04:05” OR “20220102” OR “20220102_102030”

Note: if no timezone specified, the system timezone is assumed (per site configuration)

Example (searching within the past 3 days):

  search {from="-3d@d",to="@d"}

Search ‘query’ parameter

The query parameter consists of one of more search expressions. The following expressions are supported:

  • sContent(field, value)
    search {from="-3d@d",to="@d"} sContent("@event_type","@azureSignIn")
    
  • sContains(field, value)
    search {from="-3d@d",to="@d"} sContains("@event_type","Sign")
    
  • sStartswith(field, value)
    search {from="-3d@d",to="@d"} sStartswith("@event_type","@azure")
    
  • sEndswith(field, value)
    search {from="-3d@d",to="@d"} sEndswith("@event_type","SignIn")
    
  • sRange(field, from, to)
    search sRange("__size__","1","800")
    
  • sRegexp(field, field, value)

  • sEntityinfo(field, entityname)

The entity information lists can be found in https://demo.cloud.fluencysecurity.com/user/EntityInfo.

Example:

  search {from="-3d@d",to="@d"} sContent("@eventType","nxlogAD") and sEntityinfo("@fields.EventID","AD_EventID")

In this example, “AD_EventID” is the entity name and “@fields.EventID” is the field. Only search within those column whose field values (“@fields.EventID”) match the entity name (“AD_EventID”). Empty table assignment is not supported for this function.

  • sIsnull(field): If all the elements of this field are null or empty, return “true”.

  • sWildcard(field): only keep the non-empty elements of a field

All content search functions start with “s” has two modes: when used in a “search” pipe, the expected field name must be a field name in full path. Otherwise the field argument must be variable (see sContent for examples).

The ‘where’ command

The where command has similar syntax with search, and all the query functions above associated with search can be used after where. The difference between where and search is that where is used after the variables extracted from database. If the query of where returns false, the corresponding columns are discarded. An example of combining two commands is given:

  search {from="-7d@d", to="@d"} sContent("@eventType","nxlogAD")
  let {sourceIPAddress,eventSource,eventName} =f("@cloudtrail")
  where eventSource=="iam.amazonaws.com" and sContains(eventName,"Describe")==false

Page last updated: 2022 Sep 14


Table of contents