A field in SnareQL is a word that represents a field within a particular log type.

Events within each logtype log type are guaranteed by the Snare Central collection subsystem to include the following fields:

• DATE

  • In the format YYYY-MM-DD, for example 2020-02-23

• TIME

  • In the format: HH:MM:SS, for example: 16:23:49

• SYSTEM

  • Upper case system name or IP Address.

• TABLE

  • The source log type

Depending on the source log type, events may also include fields such as:

• EventID (eg: “deny packet”, or “login - ssh”, or “512”.

• SourceIP (eg: 193.32.113.12)

• User (eg: AJSmith)

• URL (eg: https://prophecyinternational.com/)

The fields See Log Types for information on fields that are available for each type of log are detailed in a table belowlog type. Note that new log types are added on a regular basis.

An operator in SnareQL is one or more symbols or words that compare the value of a field on its left with one or more values on its right. Some operators may use the negate symbol (!) to reverse the meaning - eg: !=, !REGEX

• =

  • Standard equality. Case insensitive.

• !=

  • Standard inequality. Case insensitive.

• <

  • Less than. Case insensitive in strings.

  • Note: TIME is considered a unique value, and is not linked to date. ie: 15:00:00 < 15:00:01 is true - even if the first DATE is in 2019, and the second DATE is 1979

    • True date/time comparisons would require (DATE < X OR (DATE = X AND TIME < Y))

• <=

  • Less than or equal to. Case insensitive in strings.

  • Note: TIME is considered a unique value, and is not linked to date. ie: 15:00:00 < 15:00:01 is true - even if the first DATE is in 2019, and the second DATE is 1979

    • True date/time comparisons would require (DATE < X OR (DATE = X AND TIME < Y))

• >

  • Greater than. Case insensitive in strings.

  • Note: TIME is considered a unique value, and is not linked to date. ie: 15:00:00 < 15:00:01 is true - even if the first DATE is in 2019, and the second DATE is 1979

    • True date/time comparisons would require (DATE < X OR (DATE = X AND TIME < Y))

• >=

  • Greater than or equal to. Case insensitive in strings.

  • Note: TIME is considered a unique value, and is not linked to date. ie: 15:00:00 < 15:00:01 is true - even if the first DATE is in 2019, and the second DATE is 1979

    • True date/time comparisons would require (DATE < X OR (DATE = X AND TIME < Y))

• LIKE

  • SQL-style like criteria. "%" symbols are considered to be wildcards. Case insensitive.

• !LIKE

  • SQL-style like criteria. "%" symbols are considered to be wildcards. Case insensitive.

• CONTAINS

  • The target string, contains the supplied string. Case insensitive.

  • eg: STRINGS CONTAINS "userid" would be true for a STRINGS of "The following userID logged off: Fred"

• !CONTAINS

  • The target string, does not contain the supplied string. Case insensitive.

  • eg: STRINGS !CONTAINS "userid" would be true for a STRINGS of "This string does not contain the string"

• INCLUDES

  • The value is one of the supplied comma-separated values. Case insensitive.

  • eg: STRINGS INCLUDES "Fred,Barney,Wilma" would be true for the String "Fred", but not "Frederick"

  • The equivalent of (STRINGS = "FRED" OR STRINGS = "BARNEY" OR STRINGS = "WILMA")

• !INCLUDES / EXCLUDES

  • That value contains NONE of the supplied comma-separated values. Case insensitive.

  • EXCLUDES is an alias for !INCLUDES

  • eg: STRINGS EXCLUDES "Fred,Barney,Wilma" would be true for the String "BamBam", and would also be true for "Frederick", but not "Fred"

  • The equivalent of (STRINGS != "FRED" AND STRINGS != "BARNEY" AND STRINGS != "WILMA")

• REGEX

  • The value matches the supplied regular expression.

  • Regex is CASE SENSITIVE

  • Regex is assumed to be a valid RE2 expression.

• !REGEX

  • The value does not match the supplied regular expression.

  • Regex is CASE SENSITIVE

  • Regex is assumed to be a valid RE2 expression (note that Snare Server version 7 uses PCRE).

• REGEXI

  • The value matches the supplied regular expression.

  • Regex is NOT CASE SENSITIVE

  • Regex is assumed to be a valid RE2 expression.

• !REGEXI

  • The value does not match the supplied regular expression.

  • Regex is NOT CASE SENSITIVE

  • Regex is assumed to be a valid RE2 expression.

• HAS

  • Like CONTAINS, but assumes that the supplied match string, are entire words.

  • Significantly more friendly from an index-perspective; queries that use HAS may return significantly faster than queries that use CONTAINS.

  • Case insensitive.

  • eg: STRINGS HAS "Fred" would match: "The user Fred logged in", but not "The user Frederick logged in".

  • eg: STRINGS CONTAINS "Fred" would match: "The user Fred logged in" and "The user Frederick logged in".

A logical element in SnareQL is a word that joins two or more clauses together to forma form a complex SnareQL query

• AND

• OR

• NOT

A string designed to represent the contents of a field in an event within the Snare Central datastore. The value may be a simple string, or a complex regular expression, depending on the operator selected.

Quotations are optional for simple values comprising a single word. Single or double quotes are recommended for more complex values such as regular expressions, and are required for strings that contain whitespace.

• AJSmith

• “Tony Smith”

• “^(AU|US|UK)-[0-9]”

• “Tony%”

• yesterday

A function in SnareQL appears as a word followed by parentheses, which may contain a field.

A function performs a calculation on the contents of the field (the value) and returns the results.

• 15MIN(TIME):

  • Return the number of 15 minute quadrant associated with the supplied time (0-95).

  • The day will be divided into 96 quadrants.

    00:12:03 will become 0
    00:15:01 will become 1
    12:01:00 will become 48
    12:14:59 will become 48
    12:15:01 will become 49
    14:45:00 will become 59

• 15MINFLOOR(TIME)

  • Return the time to the nearest low 15 minute segment of the day

    12:01:00 will become 12:00:00
    12:14:59 will become 12:00:00
    12:15:01 will become 12:15:00
    14:45:00 will become 14:45:00
    15:59:00 will become 15:45:00

• HOUR(TIME)

  • Returns just the hour associated with the supplied time

    12:01:12 will return 12

    17:23:34 will return 17

• HOURMINUTE(TIME)

  • Returns the hour and the minute, with a colon deliminiter
    17:23:49 becomes 17:23

• MINUTE(TIME)

  • Returns just the minute component of the supplied time

    12:01:12 will return 01
    17:23:34 will return 23

• SECONDS(TIME)

  • Returns just the seconds component of the supplied time

    12:01:12 will return 12
    17:23:34 will return 34

• DAYOFWEEK(DATE)

  • Returns the number of the day of the week for a particular date.

  • 1: Sunday

  • 2: Monday

  • 3: Tuesday

  • 4: Wednesday

  • 5: Thursday

  • 6: Friday

  • 7: Saturday