...
This query will search for logins by AJSmith, in the first 15 minutes of each hour of the current day.
Precedence and Grouping in Queries
Snare query components are evaluated in the order specified in the query; prioritise ANDs over NOTs, and NOTs over ORs - however precedence can be explicitly specified using brackets……Note: See Atlassian doco for sample.brackets.
Reference
...
Description
...
Reference
...
Field
...
A field in SnareQL is a word that represents a field within a particular log type.
...
| Code Block |
|---|
SYSTEM=EMU OR SYSTEM=MAGPIE AND SYSTEM=FROGMOUTH |
In this case, the following query components will be evaluated first: SYSTEM=MAGPIE AND SYSTEM=FROGMOUTH
This will return no data (no systems can be both MAGPIE and FROGMOUTH), and the final query element (OR SYSTEM=EMU) will be evaluated, resulting in events that have a system name of EMU being returned.
| Code Block |
|---|
(SYSTEM=EMU OR SYSTEM=MAGPIE) AND SYSTEM=FROGMOUTH |
This will select any events that have a SYSTEM name of either EMU or MAGPIE, and then attempt to find events in that group that ALSO have a system name of FROGMOUTH
Since events cannot have a system name that is both FROGMOUTH and something else, no data will be returned.
| Code Block |
|---|
SYSTEM=EMU OR SYSTEM=MAGPIE AND TABLE=WinSecurity |
Since our AND will be evaluated first, this will look for Windows Security events for MAGPIE, and then ALSO introduce all events for EMU, regardless of whether the table was Windows, Solaris or Firewall logs.
| Code Block |
|---|
(SYSTEM=EMU OR SYSTEM=MAGPIE) AND TABLE=WinSecurity |
This will ONLY look for Windows security logs - from either EMU or MAGPIE
| Code Block |
|---|
USERNAME='AJSMITH' AND EVENTID LIKE '%login' AND SYSTEM REGEX '^(AU|US|UK)-' AND ((DATE='WEEKDAY' AND (TIME < '08:00:00' OR TIME > '17:00:00')) OR DATE='WEEKEND') |
Multiple levels of brackets are supported - in this case, we are looking for login events by AJSmith from systems that start with AU, US or UK, on either the weekend, or out of normal work hours during the week.
Restricted words and characters
The range of characters you can use in your search values depends significantly on the operator you have chosen.
For all operators, the space, single quotes (') and double quotes (“) characters are considered special. If you wish to use these as part of your search, the following rules apply:
Content that includes space characters must be surrounded by EITHER single or double quotes.
EVENTID=login
EVENTID=”login failed”
If you wish to use single or double quotes as part of your search criteria, they must be escaped with the backslash character (\)
The INCLUDES operator uses commas to separate potential values. If you wish to use the comma as part of your search criteria, it is recommend that you use regular expressions instead.
The LIKE operator uses the percent sign “%” to represent an arbitrary number of characters.
The REGEX operators (REGEX, !REGEX, REGEXI, !REGEXI) have a range of reserved characters that represent particular features within a regular expression. These characters must be escaped with the backslash character (\) when used as a literal value, in most instances.
Reference
| Description | Reference |
|---|
Field | A field in SnareQL is a word that represents a field within a particular log type. | Events within each logtype are guaranteed by the Snare Central collection subsystem to include the following fields: Depending on the source log type, events may also include fields such as: EventID (eg: “deny packet”, or “login - ssh”, or “512”. SourceIP (eg: 193.32.113.12) User (eg: AJSmith) URL (eg: https://prophecyinternational.com/)
The fields available for each type of log are detailed in a table below. Note that new log types are added on a regular basis. |
|---|
Operator | An operator in SnareQL is one or more symbols or words that compare the value of a field on its left with one or more values on its right. Some operators may use the negate symbol (!) to reverse the meaning - eg: !=, !REGEX | Function | A function in SnareQL appears as a word followed by parentheses, which may contain a field. A function performs a calculation on the contents of the field (the value) and returns the results. | < Less than. Case insensitive in strings. Note: TIME is considered a unique value, and is not linked to date. ie: 15:00:00 < 15:00:01 is true - even if the first DATE is in 2019, and the second DATE is 1979
<= Less than or equal to. Case insensitive in strings. Note: TIME is considered a unique value, and is not linked to date. ie: 15:00:00 < 15:00:01 is true - even if the first DATE is in 2019, and the second DATE is 1979
> Greater than. Case insensitive in strings. Note: TIME is considered a unique value, and is not linked to date. ie: 15:00:00 < 15:00:01 is true - even if the first DATE is in 2019, and the second DATE is 1979
>= Greater than or equal to. Case insensitive in strings. Note: TIME is considered a unique value, and is not linked to date. ie: 15:00:00 < 15:00:01 is true - even if the first DATE is in 2019, and the second DATE is 1979
LIKE !LIKE !LIKE CONTAINS
CONTAINS The target string, contains the supplied string. Case insensitive. eg: STRINGS CONTAINS "userid" would be true for a STRINGS of "The following userID logged off: Fred"
!CONTAINS The target string, does not contain the supplied string. Case insensitive. eg: STRINGS !CONTAINS "userid" would be true for a STRINGS of "This string does not contain the string"
INCLUDES The value is one of the supplied comma-separated values. Case insensitive. eg: STRINGS CONTAINS "useridINCLUDES "Fred,Barney,Wilma" would be true for a STRINGS of "The following userID logged off: Fred"
!CONTAINS The target string, does not contain the supplied string. Case insensitive. eg: STRINGS !CONTAINS "userid" would be true for a STRINGS of "This string does not contain the string"
INCLUDES The value is one the String "Fred", but not "Frederick" The equivalent of (STRINGS = "FRED" OR STRINGS = "BARNEY" OR STRINGS = "WILMA")
!INCLUDES / EXCLUDES That value contains NONE of the supplied comma-separated values. Case insensitive. EXCLUDES is an alias for !INCLUDES eg: STRINGS INCLUDES EXCLUDES "Fred,Barney,Wilma" would be true for the String "FredBamBam", and would also be true for "Frederick", but not "FrederickFred" The equivalent of (STRINGS STRINGS != "FRED" OR STRINGS AND STRINGS != "BARNEY" OR AND STRINGS != "WILMA")
!INCLUDES / EXCLUDES That value contains NONE of the supplied comma-separated values. Case insensitive. EXCLUDES is an alias for !INCLUDES eg: STRINGS EXCLUDES "Fred,Barney,Wilma" would be true for the String "BamBam", and would also be true for "Frederick", but not "Fred" The equivalent of (STRINGS != "FRED" AND STRINGS != "BARNEY" AND STRINGS != "WILMA")
REGEXI The value matches the supplied regular expression. Regex is NOT CASE SENSITIVE Regex is assumed to be a valid RE2 expression (note that Snare Server version 7 uses PCRE).
!REGEXREGEXI The value does not match the supplied regular expression. Regex is NOT CASE SENSITIVE Regex is assumed to be a valid RE2 expression (note that Snare Server version 7 uses PCRE).
REGEXI The value matches the supplied regular expression. Regex is NOT CASE SENSITIVE Regex is assumed to be a valid RE2 expression (note that Snare Server version 7 uses PCRE).
!REGEXI The value does not match the supplied regular expression. Regex is NOT CASE SENSITIVE Regex is assumed to be a valid RE2 expression (note that Snare Server version 7 uses PCRE).
HAS Like CONTAINS, but assumes that the supplied match string, are entire words. Significantly more friendly from an index-perspective; queries that use HAS may return significantly faster than queries that use CONTAINS. Case insensitive. eg: STRINGS HAS "Fred" would match: "The user Fred logged in", but not "The user Frederick logged in". eg: STRINGS CONTAINS "Fred" would match: "The user Fred logged in" and "The user Frederick logged in".
|
|---|
Logical Element | A logical element in SnareQL is a word that joins two or more clauses together to forma a complex SnareQL query | |
|---|
Value | A string designed to represent the contents of a field in an event within the Snare Central datastore. The value may be a simple string, or a complex regular expression, depending on the operator selected. Quotations are optional for simple values comprising a single word. Single or double quotes are recommended for more complex values such as regular expressions, and are required for strings that contain whitespace. | AJSmith “Tony Smith” “^(AU|US|UK)-[0-9]” “Tony%” yesterday
|
|---|
HAS Like CONTAINS, but assumes that the supplied match string, are entire words. Significantly more friendly from an index-perspective; queries that use HAS may return significantly faster than queries that use CONTAINS. Case insensitive. eg: STRINGS HAS "Fred" would match: "The user Fred logged in", but not "The user Frederick logged in". eg: STRINGS CONTAINS "Fred" would match: "The user Fred logged in" and "The user Frederick logged in".
|
Logical Element | A logical element in SnareQL is a word that joins two or more clauses together to forma a complex SnareQL query | |
|---|
Value | A string designed to represent the contents of a field in an event within the Snare Central datastore. The value may be a simple string, or a complex regular expression, depending on the operator selected. Quotations are optional for simple values comprising a single word. Single or double quotes are recommended for more complex values such as regular expressions, and are required for strings that contain whitespace. | AJSmith “Tony Smith” “^(AU|US|UK)-[0-9]” “Tony%” yesterday
|
|---|
Function | A function in SnareQL appears as a word followed by parentheses, which may contain a field. A function performs a calculation on the contents of the field (the value) and returns the results. | 15MIN(TIME): Return the number of 15 minute quadrant associated with the supplied time (0-95). The day will be divided into 96 quadrants. 00:12:03 will become 0
00:15:01 will become 1
12:01:00 will become 48
12:14:59 will become 48
12:15:01 will become 49
14:45:00 will become 59
15MINFLOOR(TIME) Return the time to the nearest low 15 minute segment of the day 12:01:00 will become 12:00:00
12:14:59 will become 12:00:00
12:15:01 will become 12:15:00
14:45:00 will become 14:45:00
15:59:00 will become 15:45:00
HOUR(TIME) HOURMINUTE(TIME) MINUTE(TIME) SECONDS(TIME) DAYOFWEEK(DATE)
|
|---|
Log Type / Table | Fields |
|---|
ACF2Log | DATE TIME SYSTEM TABLE USERNAME RESOURCE LOGTYPE EVENTID RETURN DATA
|
AgentHeartBeat | DATE TIME SYSTEM TABLE AGENTTYPE VERSION ACTION STRINGS
|
AIXAudit | DATE TIME SYSTEM TABLE EVENTID EVENTCOUNT RUID EUID PROCESS PID PPID RETURNCODE STRINGS TARGET
|
ApacheLog | DATE TIME SYSTEM TABLE HOSTNAME USERNAME URL RETURNCODE BYTES REFERRER AGENT PROTOCOL LOGTYPE CATEGORY STRINGS
|
AppleBSM | DATE TIME SYSTEM TABLE EVENTCOUNT EVENTID AUID EUID EGID RUID RGID PID RETURNCODE STRINGS TARGET
|
Browser | DATE TIME SYSTEM TABLE SOURCE USERNAME EVENT MESSAGE REFERRER LENGTH RESPONSE
|
CarbonBlack | DATE TIME SYSTEM TABLE TYPE STRINGS
|
CISCORouterLog | DATE TIME SYSTEM TABLE CRITICALITY ACTION PROTO SRCADDR SRCPORT DSTADDR DSTPORT STRING
|
CuramAuthenticationLog | DATE TIME SYSTEM TABLE USERNAME LOGINFAILURES LASTLOGIN LOGINSTATUS LOGID VERSIONNO LASTWRITTEN
|
CuramAuthorisationLog | DATE TIME SYSTEM TABLE USERNAME LOGID IDENTIFIERNAME LASTWRITTEN
|
CuramOpAuditLog | DATE TIME SYSTEM TABLE USERID PROGRAMNAME TRANTYPE LASTWRITTEN
|
CyberGuardFirewallLog | DATE TIME SYSTEM TABLE ACTION PROTO SRCINT SRCADDR SRCPORT DSTINT DSTADDR DSTPORT
|
DhcpSrvLog | DATE TIME SYSTEM TABLE TYPE ID MACADDR IPADDR HOSTNAME DESCRIPTION
|
Exch2008MTLog | DATE TIME SYSTEM TABLE SOURCE EVENTID USER SOURCEADDR DESTADDR SOURCESYSTEM DESTSYSTEM MESSAGEID BYTES STATUS STRING
|
ExchMTLog | DATE TIME SYSTEM TABLE SOURCE EVENTID USER SOURCEADDR DESTADDR SOURCESYSTEM DESTSYSTEM MESSAGEID BYTES STATUS STRING
|
F5Violations | DATE TIME SYSTEM TABLE MANAGEMENTIPADDRESS HTTPCLASSNAME WEBAPPLICATIONNAME POLICYNAME POLICYAPPLYDATE VIOLATIONS SUPPORTID REQUESTSTATUS RESPONSECODE ROUTEDOMAIN METHOD HTTPPROTOCOL QUERYSTRING XFORWARDEDFORHEADERVALUE SIGIDS SIGNAMES SEVERITY ATTACKTYPE GEOLOCATION IPADDRESSINTELLIGENCE USERNAME SESSIONID SRCADDR SRCPORT DSTADDR DSTPORT PROTO SUBVIOLATIONS VIRUSNAME URI REQUEST STRINGS
|
Firewall1Log | DATE TIME SYSTEM TABLE ACTION INTERFACE SRCADDR SRCPORT DSTADDR DSTPORT PROTO RULE MESSAGE
|
Fortigate | DATE TIME SYSTEM TABLE VERSION ACTION CATEGORY TYPE SUBTYPE RULENAME PROTO USRNAME SERIALNUMBER NATSRCIP NATDSTIP SOURCEUSER DESTINATIONUSER APPLICATION VIRTUALSYSTEM SRCADDR SRCPORT DSTADDR DSTPORT SOURCEZONE DESTINATIONZONE INGRESSINTERFACE EGRESSINTERFACE LOGFORWARDINGPROFILE SESSIONID REPEATCOUNT NATSOURCEPORT NATDESTPORT FLAGS BYTES PACKETS ELAPSEDTIME URLCATEGORY BYTESIN BYTESOUT SEVERITY STRING
|
FWOBJActionsLog | DATE TIME SYSTEM TABLE APPLICATION TRANSID RECTYPE FOLDERCODE USER COMMENT ACTION
|
FWOBJActionsRawLog | DATE TIME SYSTEM TABLE SEQUENCE FILENUMBER CLIENTID CLIENTTYPE ACTIONMETHOD OFFICER OBJNAME OBJMETHOD COMMENTS OBJNAMEMETHOD
|
GauntletFirewallLog | DATE TIME SYSTEM TABLE CRITICALITY PROXY ACTION SRCADDR SRCPORT DSTADDR DSTPORT PROTO STRING
|
GenericLog | DATE TIME SYSTEM TABLE CRITICALITY SOURCE DETAILS
|
IISWebLog | DATE TIME SYSTEM TABLE HOSTNAME USERNAME URL RETURNCODE BYTES REFERRER AGENT PROTOCOL LOGTYPE CATEGORY STRINGS
|
IPTablesFirewall | DATE TIME SYSTEM TABLE ACTION INTERFACE SRCADDR SRCPORT DSTADDR DSTPORT PROTO STRINGS
|
IrixSAT | DATE TIME SYSTEM TABLE EVENTID EVENTTYPE COMMAND AUID EUID EGID TARGET RETURNCODE EVENTCOUNT STRINGS
|
ISAFWSLog | DATE TIME SYSTEM TABLE PROTO ACTION SRCADDR SRCPORT DSTADDR DSTPORT STATUS RULE APPLICATION STRINGS
|
ISAWebLogDVA | DATE TIME SYSTEM TABLE HOSTNAME USERNAME URL RETURNCODE BYTES REFERRER AGENT PROTOCOL LOGTYPE CATEGORY STRINGS
|
ISAWebLog | DATE TIME SYSTEM TABLE HOSTNAME USERNAME URL RETURNCODE BYTES REFERRER AGENT PROTOCOL LOGTYPE CATEGORY STRINGS
|
ISAWebLogImport | DATE TIME SYSTEM TABLE HOSTNAME USERNAME URL RETURNCODE BYTES REFERRER AGENT PROTOCOL LOGTYPE CATEGORY STRINGS
|
LinuxAudit | DATE TIME SYSTEM TABLE EVENTCOUNT EVENTID RUID RGID EUID EGID PROCESS RETURNCODE SUCCESS TARGET STRINGS
|
LinuxKAudit | DATE TIME SYSTEM TABLE EVENTCOUNT EVENTID RUID RGID EUID EGID PROCESS RETURNCODE SUCCESS TARGET STRINGS
|
LotusNotesLog | DATE TIME SYSTEM TABLE SOURCE EVENT
|
MailLog | DATE TIME SYSTEM TABLE SOURCE EVENTID USER SOURCEADDR DESTADDR SOURCESYSTEM DESTSYSTEM MESSAGEID BYTES STATUS STRING
|
MSDNSServer | DATE TIME SYSTEM TABLE STRING DNSNAME
|
MSProxySvr | DATE TIME SYSTEM TABLE HOSTNAME USERNAME URL RETURNCODE BYTES REFERRER AGENT PROTOCOL LOGTYPE CATEGORY STRINGS
|
MSSQLLog | DATE TIME SYSTEM TABLE EVENTID CLASS SPID DBNAME USERNAME OBJECTNAME ROLENAME TARGETUSERNAME DBUSERNAME TARGETLOGINNAME STRINGS
|
MSWinEventLog | DATE TIME DATETIME SYSTEM TABLE EVENTCOUNT EVENTID SOURCE USER SOURCETYPE RETURN DATA STRINGS
|
MSWinEventLog | DATE TIME SYSTEM TABLE EVENTCOUNT EVENTID SOURCE USER SOURCETYPE RETURN DATA STRINGS
|
NCRATMLog | DATE TIME SYSTEM TABLE CRITICALITY EVENTID UID SEQNUM STRINGS
|
NetgearFirewallLog | DATE TIME SYSTEM TABLE ACTION MODULE SRCADDR SRCPORT DSTADDR DSTPORT PROTO MESSAGE
|
NetgearRouterLog | DATE TIME SYSTEM TABLE ACTION SRCADDR SRCPORT DSTADDR DSTPORT PROTO MESSAGE
|
NetscalerLog | DATE TIME SYSTEM TABLE CRITICALITY SOURCE EVENTID USER CLIENTIP EVENTCOUNT EVENT
|
NetScreenFirewall | DATE TIME SYSTEM TABLE ACTION PROTO SRCADDR SRCPORT DSTADDR DSTPORT DURATION SENT RECEIVED DIRECTION DETAILS
|
NortelVPNRouter | DATE TIME SYSTEM TABLE CRITICALITY LOGSOURCE USERID CPU LOGTYPE DETAILS
|
ObjectAccess | DATE TIME SYSTEM TABLE OBJECT OWNER OWNERTYPE ACCESS CAPABILITIES SOURCE
|
ObjectStarLog | DATE TIME SYSTEM TABLE IDGEN_KEY USER USER_CLEARANCE OBJECT OBJECT_CLASSFCTN ACCESS_ALLOWED MESSAGE_NO PARAM1 PARAM2 ACTIVITY OBJECT_TYPE
|
OracleLog | DATE TIME SYSTEM TABLE NODE INSTANCE SESSIONID ENTRYID STATEMENT USERID USERHOST TERMINAL ACTION RETURNCODE COMMENTS OSUSERID PRIV STRINGS
|
OS400Log | DATE TIME SYSTEM TABLE JOURNALCODE JOURNALENTRYCODE JOBNAME JOBUSER JOBNUMBER PROGRAM OFNAME OFLIBRARY OFTYPE STRINGS
|
PIXLog | DATE TIME SYSTEM TABLE CRITICALITY EVENTID ACTION PROTO SRCADDR SRCPORT DSTADDR DSTPORT STRING
|
QUASARSAudit | DATE TIME SYSTEM TABLE IDENTITY ACTION IDTYPE IDVALUE AUDITTABLE FIELD OLDVALUE NEWVALUE
|
RACFLog | DATE TIME SYSTEM TABLE EVENTID JOBNAME SOURCE RESOURCE ACTION USERID USERNAME USERFLAGS GROUPID RETURN RESULT DATA
|
SidewinderFirewallLog | DATE TIME SYSTEM TABLE ACTION PROTO SRCINT SRCADDR SRCPORT DSTINT DSTADDR DSTPORT FAC AREA TYPE PRIORITY PID RUID EUID PGID LOGID COMMAND DOMAIN EDOMAIN CATEGORY ATTACKADDR ATTACKINT SERVICENAME USERNAME AUTHMETHOD ACLID CACHEHIT REASON
|
SidewinderLog | DATE TIME SYSTEM TABLE USERNAME AUTHMETHOD SRCADDR SRCPORT DSTADDR DSTPORT PROTO EVENT TYPE REASON STRINGS
|
SMTPSvcLog | DATE TIME SYSTEM TABLE SOURCE EVENTID USER SOURCEADDR DESTADDR SOURCESYSTEM DESTSYSTEM MESSAGEID BYTES STATUS STRING
|
SnareServerLog | DATE TIME SYSTEM TABLE SOURCE USERNAME RESOURCE ACTION RETURN DETAILS
|
SNMPTrap | DATE TIME SYSTEM TABLE STRINGS
|
Snort | DATE TIME SYSTEM TABLE EVENTID PRIORITY CLASSIFICATION DESCRIPTION SRCADDR SRCPORT DSTADDR DSTPORT PROTO
|
SOCKSLog | DATE TIME SYSTEM TABLE ACTION MESSAGE
|
SolarisBSM | DATE TIME SYSTEM TABLE EVENTCOUNT EVENTID AUID EUID EGID RUID RGID PID RETURNCODE STRINGS TARGET
|
SonicWall | DATE TIME SYSTEM TABLE EVENTID CATEGORY PRIORITY FWADDR PROTO SRCADDR SRCPORT DSTADDR DSTPORT MESSAGE STRINGS
|
SonicWallSSLVPN | DATE TIME SYSTEM TABLE ACTION PRIORITY FWADDR SRCADDR DSTADDR PORTAL DOMAIN USER MESSAGE AGENT STRING
|
SophosDataControlLog | DATE TIME SYSTEM TABLE USERNAME COMPUTER SOURCEPATH DESTINATIONPATH FILENAME DESTTYPE STRINGS
|
SophosWeb | DATE TIME SYSTEM TABLE USERNAME CRITICALITY CATEGORY RULE REASON THREAT DOMAIN METHOD URL PROTOCOL SRCIP DESTIP AGENT OS BYTESIN BYTESOUT REFERRER STRINGS
|
SquidProxyLog | DATE TIME SYSTEM TABLE HOSTNAME USERNAME URL RETURNCODE BYTES REFERRER AGENT PROTOCOL LOGTYPE CATEGORY STRINGS
|
TandemLog | DATE TIME SYSTEM TABLE PSGUSER PSGUSERID PCGUSER POOBJECTTYPE POOPERATION POOWNUSER POOWNUSERID PSTERM PCTERM RETURN
|
TopicLog | DATE TIME SYSTEM TABLE CLIENT USERNAME OPERATION QUERY TITLE COLLECTIONS SERIAL PATH RULE
|
TrendDSM | DATE TIME SYSTEM TABLE CRITICALITY EVENTNUMBER TITLE TARGET ACTIONBY DESCRIPTION TAGS
|
Tru64Audit | DATE TIME SYSTEM TABLE EVENTID USERID AUID RUID EUID PID PPID RETURNCODE STRINGS TARGET
|
VMSLog | DATE TIME SYSTEM TABLE EVENTID EVENTTYPE USERNAME SYSTEMID PID TERMINALNAME PROCESSNAME PROCESSOWNER REMOTEUSERNAME REMOTENODENAME IMAGENAME COMMANDLINE OBJECTCLASSNAME AUDITINGFLAGS ALARMFLAGS STATUS DATA
|
VWActionsLog | DATE TIME SYSTEM TABLE SEQUENCE CLIENTID METHODCODE OFFICERCODE FOLDERCODE CLIENTTYPE
|
WebLog | DATE TIME SYSTEM TABLE HOSTNAME USERNAME URL RETURNCODE BYTES REFERRER AGENT PROTOCOL LOGTYPE CATEGORY STRINGS
|
WinDHCP | DATE TIME SYSTEM TABLE EVENTID DESCRIPTION IPADDRESS HOSTNAME MACADDRESS
|