Search Capability Summary
Huntress Managed SIEM includes three methods for querying your SIEM data:
- Keyword Search - General term searching, searches all parts of all logs within the timeframe.
- ES|QL - Structured search that allows specific field and combinatorial searching with formatting.
- Query Builder - Guided search capability that simplifies the process of finding data from logs.
Query Builder
Query Builder provides a structured, guided way to search for data using a refined set of common fields for threat hunting and data exploration. Dropdown fields provide quick access to a list of core, common fields, and basic logic operators can be applied to search for logs containing or not containing the search term.
Here is a basic example searching for logs that reference network traffic or communications to the IP address "192.168.1.1".
The available Query Builder fields are limited to the most commonly used ones; for more advanced use cases, all fields are searchable via ES|QL. The available Query Builder fields are shown here:
Additional search criteria can be added using the "+ Add Row" button. Query Builder is limited to AND logic for multiple rows. For example, the query shown below will search for logs where the destination address is 192.168.1.1, and the source address is 192.168.1.222. ES|QL queries allow the use of OR logic for more flexibility.
The number of rows is limited to 6 field searches. ES|QL queries have no limit on the number of logical components in a search. Each field's searchable value is limited to a single specific value; comma-separated or otherwise-delimited lists of values are not supported.
Each row can specify whether the searched field IS or IS NOT the searched value. For example, the query shown below will search for logs where the source address IS NOT 192.168.1.1 and the hostname IS "gandalf":
Note that these require exact values: a host.hostname field of gandalf.middleearth.com will not be included in the search results. ES|QL queries allow the use of the LIKE operator, which can search for substrings within a field value.
Summary
Query Builder provides a quick and easy method for searching your logs without having to write a structured ES|QL query. It is not a substitute for the full ES|QL query capability; rather, it makes logs accessible to users who do not know the ES|QL query language. ES|QL queries are the best method for creating complex queries.
Note: Keyword Searches
The ES|QL search field also includes the ability to do Keyword searches, which search for the text in any part of all data. This is by far the quickest and easiest way to perform a quick, wide-ranging search.
Query Builder Limitations
- Field-Value logic is limited to IS or IS NOT
- Multiple field searches are limited to AND. All fields must match in the log to be found.
- The number of supported fields to search in a single query is limited to 6.
ES|QL has none of these limitations - learn more here.
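As an added illustration that is not part of the Huntress documentation, the ES|QL queries below first reproduce the Query Builder search from the "IS / IS NOT" section (source address IS NOT 192.168.1.1 AND hostname IS "gandalf") and then relax each limitation listed above. The index pattern logs-*, the ECS-style field names source.ip and destination.ip, and the LIMIT value are assumptions, not values taken from the product.

```esql
// Query 1: the Query Builder search expressed in ES|QL.
// Index pattern logs-* and the source.ip / destination.ip field names are
// assumptions (ECS-style naming); host.hostname is the field named in the text.
FROM logs-*
| WHERE source.ip != "192.168.1.1" AND host.hostname == "gandalf"
| LIMIT 100

// Query 2: the same hunt with the three Query Builder limitations removed.
//  - OR combines conditions that Query Builder could only AND together
//  - LIKE with a wildcard matches gandalf.middleearth.com as well as the bare
//    hostname "gandalf", instead of requiring an exact value
//  - IN supplies the comma-separated list of values that a Query Builder row
//    does not accept
FROM logs-*
| WHERE (destination.ip == "192.168.1.1" OR source.ip == "192.168.1.222")
    AND host.hostname LIKE "gandalf*"
    AND source.ip IN ("192.168.1.1", "192.168.1.222")
| KEEP @timestamp, host.hostname, source.ip, destination.ip
| SORT @timestamp DESC
| LIMIT 100
```

Each query is submitted on its own; they are shown together only to contrast the exact-match, AND-only form with the relaxed form.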