Page Comparison

...

	Description	Reference
Field	A field in SnareQL is a word that represents a field within a particular log type.	Events within each logtype are guaranteed by the Snare Central collection subsystem to include the following fields: DATE In the format YYYY-MM-DD, for example 2020-02-23 TIME In the format: HH:MM:SS, for example: 16:23:49 SYSTEM Upper case system name or IP Address. TABLE The source log type Depending on the source log type, events may also include fields such as: EventID (eg: “deny packet”, or “login - ssh”, or “512”. SourceIP (eg: 193.32.113.12) User (eg: AJSmith) URL (eg: https://prophecyinternational.com/) The fields available for each type of log are detailed in a table below. Note that new log types are added on a regular basis.
Operator	An operator in SnareQL is one or more symbols or words that compare the value of a field on its left with one or more values on its right. Some operators may use the negate symbol (!) to reverse the meaning - eg: !=, !REGEX	= Standard equality. Case insensitive. != Standard inequality. Case insensitive. < Less than. Case insensitive in strings. Note: TIME is considered a unique value, and is not linked to date. ie: 15:00:00 < 15:00:01 is true - even if the first DATE is in 2019, and the second DATE is 1979 True date/time comparisons would require (DATE < X OR (DATE = X AND TIME < Y)) <= Less than or equal to. Case insensitive in strings. Note: TIME is considered a unique value, and is not linked to date. ie: 15:00:00 < 15:00:01 is true - even if the first DATE is in 2019, and the second DATE is 1979 True date/time comparisons would require (DATE < X OR (DATE = X AND TIME < Y)) > Greater than. Case insensitive in strings. Note: TIME is considered a unique value, and is not linked to date. ie: 15:00:00 < 15:00:01 is true - even if the first DATE is in 2019, and the second DATE is 1979 True date/time comparisons would require (DATE < X OR (DATE = X AND TIME < Y)) >= Greater than or equal to. Case insensitive in strings. Note: TIME is considered a unique value, and is not linked to date. ie: 15:00:00 < 15:00:01 is true - even if the first DATE is in 2019, and the second DATE is 1979 True date/time comparisons would require (DATE < X OR (DATE = X AND TIME < Y)) LIKE SQL-style like criteria. "%" symbols are considered to be wildcards. Case insentitive. !LIKE SQL-style like criteria. "%" symbols are considered to be wildcards. Case insentitive. CONTAINS The target string, contains the supplied string. Case insensitive. eg: STRINGS CONTAINS "userid" would be true for a STRINGS of "The following userID logged off: Fred" !CONTAINS The target string, does not contain the supplied string. Case insensitive. eg: STRINGS !CONTAINS "userid" would be true for a STRINGS of "This string does not contain the string" INCLUDES The value is one of the supplied comma-separated values. Case insensitive. eg: STRINGS INCLUDES "Fred,Barney,Wilma" would be true for the String "Fred", but not "Frederick" The equivalent of (STRINGS = "FRED" OR STRINGS = "BARNEY" OR STRINGS = "WILMA") !INCLUDES / EXCLUDES That value contains NONE of the supplied comma-separated values. Case insensitive. EXCLUDES is an alias for !INCLUDES eg: STRINGS EXCLUDES "Fred,Barney,Wilma" would be true for the String "BamBam", and would also be true for "Frederick", but not "Fred" The equivalent of (STRINGS != "FRED" AND STRINGS != "BARNEY" AND STRINGS != "WILMA") REGEX The value matches the supplied regular expression. Regex is CASE SENSITIVE Regex is assumed to be a valid RE2 expression (note that Snare Server version 7 uses PCRE). !REGEX The value does not match the supplied regular expression. Regex is CASE SENSITIVE Regex is assumed to be a valid RE2 expression (note that Snare Server version 7 uses PCRE). REGEXI The value matches the supplied regular expression. Regex is NOT CASE SENSITIVE Regex is assumed to be a valid RE2 expression (note that Snare Server version 7 uses PCRE). !REGEXI The value does not match the supplied regular expression. Regex is NOT CASE SENSITIVE Regex is assumed to be a valid RE2 expression (note that Snare Server version 7 uses PCRE). HAS Like CONTAINS, but assumes that the supplied match string, are entire words. Significantly more friendly from an index-perspective; queries that use HAS may return significantly faster than queries that use CONTAINS. Case insensitive. eg: STRINGS HAS "Fred" would match: "The user Fred logged in", but not "The user Frederick logged in". eg: STRINGS CONTAINS "Fred" would match: "The user Fred logged in" and "The user Frederick logged in".
Logical Element	A logical element in SnareQL is a word that joins two or more clauses together to forma a complex SnareQL query	AND OR NOT
Value	A string designed to represent the contents of a field in an event within the Snare Central datastore. The value may be a simple string, or a complex regular expression, depending on the operator selected. Quotations are optional for simple values comprising a single word. Single or double quotes are recommended for more complex values such as regular expressions, and are required for strings that contain whitespace.	AJSmith “Tony Smith” “^(AU\|US\|UK)-[0-9]” “Tony%” yesterday
Function	A function in SnareQL appears as a word followed by parentheses, which may contain a field. A function performs a calculation on the contents of the field (the value) and returns the results.	15MIN(TIME) - quadrant 15MINFLOOR(TIME) - time to the 15 minute floor (eg: 17:23:45 will be 17:15:00) HOUR(TIME) - 0-24 HOURMINUTE(TIME) - 17:23 MINUTE(TIME) SECONDS(TIME) DAYOFWEEK(DATE) - 1: Sunday, 2: Monday, .. 7: Saturday

TODO: Consider creating unique pages for each of these.

Log Type / Table	Description	Fields
ACF2Log	Todo	DATE TIME SYSTEM TABLE USERNAME RESOURCE LOGTYPE EVENTID RETURN DATA
AgentHeartBeat		DATE TIME SYSTEM TABLE AGENTTYPE VERSION ACTION STRINGS
AIXAudit		DATE TIME SYSTEM TABLE EVENTID EVENTCOUNT RUID EUID PROCESS PID PPID RETURNCODE STRINGS TARGET
ApacheLog		DATE TIME SYSTEM TABLE HOSTNAME USERNAME URL RETURNCODE BYTES REFERRER AGENT PROTOCOL LOGTYPE CATEGORY STRINGS
AppleBSM		DATE TIME SYSTEM TABLE EVENTCOUNT EVENTID AUID EUID EGID RUID RGID PID RETURNCODE STRINGS TARGET
Browser		DATE TIME SYSTEM TABLE SOURCE USERNAME EVENT MESSAGE REFERRER LENGTH RESPONSE
CarbonBlack		DATE TIME SYSTEM TABLE TYPE STRINGS
CISCORouterLog		DATE TIME SYSTEM TABLE CRITICALITY ACTION PROTO SRCADDR SRCPORT DSTADDR DSTPORT STRING
CuramAuthenticationLog		DATE TIME SYSTEM TABLE USERNAME LOGINFAILURES LASTLOGIN LOGINSTATUS LOGID VERSIONNO LASTWRITTEN
CuramAuthorisationLog		DATE TIME SYSTEM TABLE USERNAME LOGID IDENTIFIERNAME LASTWRITTEN
CuramOpAuditLog		DATE TIME SYSTEM TABLE USERID PROGRAMNAME TRANTYPE LASTWRITTEN
CyberGuardFirewallLog		DATE TIME SYSTEM TABLE ACTION PROTO SRCINT SRCADDR SRCPORT DSTINT DSTADDR DSTPORT
DhcpSrvLog		DATE TIME SYSTEM TABLE TYPE ID MACADDR IPADDR HOSTNAME DESCRIPTION
Exch2008MTLog		DATE TIME SYSTEM TABLE SOURCE EVENTID USER SOURCEADDR DESTADDR SOURCESYSTEM DESTSYSTEM MESSAGEID BYTES STATUS STRING
ExchMTLog		DATE TIME SYSTEM TABLE SOURCE EVENTID USER SOURCEADDR DESTADDR SOURCESYSTEM DESTSYSTEM MESSAGEID BYTES STATUS STRING
F5Violations		DATE TIME SYSTEM TABLE MANAGEMENTIPADDRESS HTTPCLASSNAME WEBAPPLICATIONNAME POLICYNAME POLICYAPPLYDATE VIOLATIONS SUPPORTID REQUESTSTATUS RESPONSECODE ROUTEDOMAIN METHOD HTTPPROTOCOL QUERYSTRING XFORWARDEDFORHEADERVALUE SIGIDS SIGNAMES SEVERITY ATTACKTYPE GEOLOCATION IPADDRESSINTELLIGENCE USERNAME SESSIONID SRCADDR SRCPORT DSTADDR DSTPORT PROTO SUBVIOLATIONS VIRUSNAME URI REQUEST STRINGS
Firewall1Log		DATE TIME SYSTEM TABLE ACTION INTERFACE SRCADDR SRCPORT DSTADDR DSTPORT PROTO RULE MESSAGE
Fortigate		DATE TIME SYSTEM TABLE VERSION ACTION CATEGORY TYPE SUBTYPE RULENAME PROTO USRNAME SERIALNUMBER NATSRCIP NATDSTIP SOURCEUSER DESTINATIONUSER APPLICATION VIRTUALSYSTEM SRCADDR SRCPORT DSTADDR DSTPORT SOURCEZONE DESTINATIONZONE INGRESSINTERFACE EGRESSINTERFACE LOGFORWARDINGPROFILE SESSIONID REPEATCOUNT NATSOURCEPORT NATDESTPORT FLAGS BYTES PACKETS ELAPSEDTIME URLCATEGORY BYTESIN BYTESOUT SEVERITY STRING
FWOBJActionsLog		DATE TIME SYSTEM TABLE APPLICATION TRANSID RECTYPE FOLDERCODE USER COMMENT ACTION
FWOBJActionsRawLog		DATE TIME SYSTEM TABLE SEQUENCE FILENUMBER CLIENTID CLIENTTYPE ACTIONMETHOD OFFICER OBJNAME OBJMETHOD COMMENTS OBJNAMEMETHOD
GauntletFirewallLog		DATE TIME SYSTEM TABLE CRITICALITY PROXY ACTION SRCADDR SRCPORT DSTADDR DSTPORT PROTO STRING
GenericLog		DATE TIME SYSTEM TABLE CRITICALITY SOURCE DETAILS
IISWebLog		DATE TIME SYSTEM TABLE HOSTNAME USERNAME URL RETURNCODE BYTES REFERRER AGENT PROTOCOL LOGTYPE CATEGORY STRINGS
IPTablesFirewall		DATE TIME SYSTEM TABLE ACTION INTERFACE SRCADDR SRCPORT DSTADDR DSTPORT PROTO STRINGS
IrixSAT		DATE TIME SYSTEM TABLE EVENTID EVENTTYPE COMMAND AUID EUID EGID TARGET RETURNCODE EVENTCOUNT STRINGS
ISAFWSLog		DATE TIME SYSTEM TABLE PROTO ACTION SRCADDR SRCPORT DSTADDR DSTPORT STATUS RULE APPLICATION STRINGS
ISAWebLogDVA		DATE TIME SYSTEM TABLE HOSTNAME USERNAME URL RETURNCODE BYTES REFERRER AGENT PROTOCOL LOGTYPE CATEGORY STRINGS
ISAWebLog		DATE TIME SYSTEM TABLE HOSTNAME USERNAME URL RETURNCODE BYTES REFERRER AGENT PROTOCOL LOGTYPE CATEGORY STRINGS
ISAWebLogImport		DATE TIME SYSTEM TABLE HOSTNAME USERNAME URL RETURNCODE BYTES REFERRER AGENT PROTOCOL LOGTYPE CATEGORY STRINGS
LinuxAudit		DATE TIME SYSTEM TABLE EVENTCOUNT EVENTID RUID RGID EUID EGID PROCESS RETURNCODE SUCCESS TARGET STRINGS
LinuxKAudit		DATE TIME SYSTEM TABLE EVENTCOUNT EVENTID RUID RGID EUID EGID PROCESS RETURNCODE SUCCESS TARGET STRINGS
LotusNotesLog		DATE TIME SYSTEM TABLE SOURCE EVENT
MailLog		DATE TIME SYSTEM TABLE SOURCE EVENTID USER SOURCEADDR DESTADDR SOURCESYSTEM DESTSYSTEM MESSAGEID BYTES STATUS STRING
MSDNSServer		DATE TIME SYSTEM TABLE STRING DNSNAME
MSProxySvr		DATE TIME SYSTEM TABLE HOSTNAME USERNAME URL RETURNCODE BYTES REFERRER AGENT PROTOCOL LOGTYPE CATEGORY STRINGS
MSSQLLog		DATE TIME SYSTEM TABLE EVENTID CLASS SPID DBNAME USERNAME OBJECTNAME ROLENAME TARGETUSERNAME DBUSERNAME TARGETLOGINNAME STRINGS
MSWinEventLog		DATE TIME DATETIME SYSTEM TABLE EVENTCOUNT EVENTID SOURCE USER SOURCETYPE RETURN DATA STRINGS
MSWinEventLog		DATE TIME SYSTEM TABLE EVENTCOUNT EVENTID SOURCE USER SOURCETYPE RETURN DATA STRINGS
NCRATMLog		DATE TIME SYSTEM TABLE CRITICALITY EVENTID UID SEQNUM STRINGS
NetgearFirewallLog		DATE TIME SYSTEM TABLE ACTION MODULE SRCADDR SRCPORT DSTADDR DSTPORT PROTO MESSAGE
NetgearRouterLog		DATE TIME SYSTEM TABLE ACTION SRCADDR SRCPORT DSTADDR DSTPORT PROTO MESSAGE
NetscalerLog		DATE TIME SYSTEM TABLE CRITICALITY SOURCE EVENTID USER CLIENTIP EVENTCOUNT EVENT
NetScreenFirewall		DATE TIME SYSTEM TABLE ACTION PROTO SRCADDR SRCPORT DSTADDR DSTPORT DURATION SENT RECEIVED DIRECTION DETAILS
NortelVPNRouter		DATE TIME SYSTEM TABLE CRITICALITY LOGSOURCE USERID CPU LOGTYPE DETAILS
ObjectAccess		DATE TIME SYSTEM TABLE OBJECT OWNER OWNERTYPE ACCESS CAPABILITIES SOURCE
ObjectStarLog		DATE TIME SYSTEM TABLE IDGEN_KEY USER USER_CLEARANCE OBJECT OBJECT_CLASSFCTN ACCESS_ALLOWED MESSAGE_NO PARAM1 PARAM2 ACTIVITY OBJECT_TYPE
OracleLog		DATE TIME SYSTEM TABLE NODE INSTANCE SESSIONID ENTRYID STATEMENT USERID USERHOST TERMINAL ACTION RETURNCODE COMMENTS OSUSERID PRIV STRINGS
OS400Log		DATE TIME SYSTEM TABLE JOURNALCODE JOURNALENTRYCODE JOBNAME JOBUSER JOBNUMBER PROGRAM OFNAME OFLIBRARY OFTYPE STRINGS
PIXLog		DATE TIME SYSTEM TABLE CRITICALITY EVENTID ACTION PROTO SRCADDR SRCPORT DSTADDR DSTPORT STRING
QUASARSAudit		DATE TIME SYSTEM TABLE IDENTITY ACTION IDTYPE IDVALUE AUDITTABLE FIELD OLDVALUE NEWVALUE
RACFLog		DATE TIME SYSTEM TABLE EVENTID JOBNAME SOURCE RESOURCE ACTION USERID USERNAME USERFLAGS GROUPID RETURN RESULT DATA
SidewinderFirewallLog		DATE TIME SYSTEM TABLE ACTION PROTO SRCINT SRCADDR SRCPORT DSTINT DSTADDR DSTPORT FAC AREA TYPE PRIORITY PID RUID EUID PGID LOGID COMMAND DOMAIN EDOMAIN CATEGORY ATTACKADDR ATTACKINT SERVICENAME USERNAME AUTHMETHOD ACLID CACHEHIT REASON
SidewinderLog		DATE TIME SYSTEM TABLE USERNAME AUTHMETHOD SRCADDR SRCPORT DSTADDR DSTPORT PROTO EVENT TYPE REASON STRINGS
SMTPSvcLog		DATE TIME SYSTEM TABLE SOURCE EVENTID USER SOURCEADDR DESTADDR SOURCESYSTEM DESTSYSTEM MESSAGEID BYTES STATUS STRING
SnareServerLog		DATE TIME SYSTEM TABLE SOURCE USERNAME RESOURCE ACTION RETURN DETAILS
SNMPTrap		DATE TIME SYSTEM TABLE STRINGS
Snort		DATE TIME SYSTEM TABLE EVENTID PRIORITY CLASSIFICATION DESCRIPTION SRCADDR SRCPORT DSTADDR DSTPORT PROTO
SOCKSLog		DATE TIME SYSTEM TABLE ACTION MESSAGE
SolarisBSM		DATE TIME SYSTEM TABLE EVENTCOUNT EVENTID AUID EUID EGID RUID RGID PID RETURNCODE STRINGS TARGET
SonicWall		DATE TIME SYSTEM TABLE EVENTID CATEGORY PRIORITY FWADDR PROTO SRCADDR SRCPORT DSTADDR DSTPORT MESSAGE STRINGS
SonicWallSSLVPN		DATE TIME SYSTEM TABLE ACTION PRIORITY FWADDR SRCADDR DSTADDR PORTAL DOMAIN USER MESSAGE AGENT STRING
SophosDataControlLog		DATE TIME SYSTEM TABLE USERNAME COMPUTER SOURCEPATH DESTINATIONPATH FILENAME DESTTYPE STRINGS
SophosWeb		DATE TIME SYSTEM TABLE USERNAME CRITICALITY CATEGORY RULE REASON THREAT DOMAIN METHOD URL PROTOCOL SRCIP DESTIP AGENT OS BYTESIN BYTESOUT REFERRER STRINGS
SquidProxyLog		DATE TIME SYSTEM TABLE HOSTNAME USERNAME URL RETURNCODE BYTES REFERRER AGENT PROTOCOL LOGTYPE CATEGORY STRINGS
TandemLog		DATE TIME SYSTEM TABLE PSGUSER PSGUSERID PCGUSER POOBJECTTYPE POOPERATION POOWNUSER POOWNUSERID PSTERM PCTERM RETURN
TopicLog		DATE TIME SYSTEM TABLE CLIENT USERNAME OPERATION QUERY TITLE COLLECTIONS SERIAL PATH RULE
TrendDSM		DATE TIME SYSTEM TABLE CRITICALITY EVENTNUMBER TITLE TARGET ACTIONBY DESCRIPTION TAGS
Tru64Audit		DATE TIME SYSTEM TABLE EVENTID USERID AUID RUID EUID PID PPID RETURNCODE STRINGS TARGET
VMSLog		DATE TIME SYSTEM TABLE EVENTID EVENTTYPE USERNAME SYSTEMID PID TERMINALNAME PROCESSNAME PROCESSOWNER REMOTEUSERNAME REMOTENODENAME IMAGENAME COMMANDLINE OBJECTCLASSNAME AUDITINGFLAGS ALARMFLAGS STATUS DATA
VWActionsLog		DATE TIME SYSTEM TABLE SEQUENCE CLIENTID METHODCODE OFFICERCODE FOLDERCODE CLIENTTYPE
WebLog		DATE TIME SYSTEM TABLE HOSTNAME USERNAME URL RETURNCODE BYTES REFERRER AGENT PROTOCOL LOGTYPE CATEGORY STRINGS
WinDHCP		DATE TIME SYSTEM TABLE EVENTID DESCRIPTION IPADDRESS HOSTNAME MACADDRESS

Version	Old Version 8	New Version 9
Changes made by	Leigh Purdie	Leigh Purdie
Saved on	Sept 14, 2020	Sept 15, 2020

Versions Compared

Key