Investigation: Create a Custom Query

Document created by RSA Information Design and Development on Jul 22, 2016
Version 1

In the Investigation > Navigate view options panel, you can create a query rather than clicking through the meta keys and values to drill down into the meta data. The dialogs for creating a query offer syntax help with drop-down lists of applicable meta keys and operators. When viewing the drop-down list, you can expand and collapse each meta group to view or hide the individual meta keys in that group.

When you select a meta group, Security Analytics generates a complex query equivalent to a query with all of the meta keys in that group ORed together. So if a meta group contains ip.src and ip.dst, the query generated is ip.src = <value> OR ip.dst = <value>. If the meta group contains meta keys that have different meta value types, the value input is disabled and the query uses exists statements. For example, a meta group that contains ip.src, ip.dst, and alias.host includes meta keys that have different value types: ip.src and ip.dst are IP addresses and alias.host is text. The generated query is ip.src exists OR ip.dst exists OR alias.host exists.

A basic query is in the following form:

<metakey> <operator> [<metavalue>]

These are a few examples:

action exists
action = 'get'
alias.host = '10.25.55.115'
extension = 'exe'
orig_ip != "10.0.0.0" - "10.255.255.255"

Create a Query Using the Basic Method

When you create a query using the basic method, Security Analytics provides drop-down lists of meta and operators.

  1. In the Navigate view toolbar, select Query.
    The Query dialog is displayed, with the Simple option selected.
    QueryDDSimple.png
  2. In the Select Meta field, click to display the drop-down list. The drop-down list has two sections: Meta Groups and All Meta.
  3. Select a single meta key under All Meta or select a meta group under Meta Groups. You can also type in a meta key or meta group in the field.
  4. In the Operator field, type an operator or click on the drop-down list to select a valid operator.
  5. (Optional) If you selected an operator that requires a value (for example, begins), type the value for the meta key in the third field.
  6. In the Network and Log checkboxes, choose the type of data to query. Do one of the following:
    1. To limit the query to packets, select Network and de-select Log. In the query, medium = 1 means packets.
    2. To limit the query to logs, select Log and de-select Network. In the query, medium = 32 means logs.
    3. To apply the query to both packets and logs, select both Network and Log.
  7. Do one of the following:
    1. Click OK.
      The window is closed and the view is updated with the results of the new query. The query is displayed in the breadcrumb.
    2. Click Cancel.
      The window is closed and no changes are made to the view or current query.

Create a Query Using the Advanced Method

  1. In the Navigate view toolbar, select Query.
    The Query dialog is displayed.
    QueryDDSimple.png
  2. Select Advanced.
    The advanced query field is displayed.
    QueryDDAdv.png
  3. In the field, create a query, which can include the meta key, operator, and value. When you begin typing a meta key in the field a drop-down list of available meta keys for the selected service is displayed.
  4. Select the meta key for your query.
    The display is updated. If the expression is not yet complete, the status indicates that the query is invalid.
  5. Continue with an operator, from the drop-down list, then a value if necessary. The display is updated as you continue to enter the query. If you enter an operator, such as exists or !exists, which does not use the value field, the value field is disabled and the invalid status is cleared. If you enter an operator, such as =, which requires the value field, the invalid status remains until you enter a value. When the query is valid the invalid status is no longer displayed.
    InvalidQuery.png
  6. Do one of the following:
    1. Click OK.
      The window is closed and the view is updated with the results of the new query. The query is displayed in the breadcrumb.
    2. Click Cancel.
      The window is closed and no changes are made to the view or current query.
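The following added example (not part of the original RSA documentation) models the query rules this page describes: the basic form <metakey> <operator> [<metavalue>], the meta-group expansion into ORed clauses or ORed exists statements when value types differ, and the advanced dialog's invalid status, which is cleared for exists/!exists and otherwise only once a value is entered. The operator sets, the meta-group definitions and the set of "available meta keys" are constructed for the example, and the way the Network/Log choice is appended as a medium clause is an assumption; the page states only that medium 1 is packets and medium 32 is logs.

```python
"""Model of the Navigate-view custom query rules (added example, not RSA code)."""
from dataclasses import dataclass

# Operators that use no value (the value field is disabled) versus operators that
# require one. Only exists, !exists, =, != and begins appear on the page; the rest
# of this list is an assumption made for the example.
NO_VALUE_OPERATORS = {"exists", "!exists"}
VALUE_OPERATORS = {"=", "!=", "begins", "ends", "contains", "<", ">", "<=", ">="}

# Constructed meta-group definitions: key -> value type. They mirror the two
# examples on the page (same-typed keys, and a group that mixes ip and text).
META_GROUPS = {
    "ip_pair": {"ip.src": "ip", "ip.dst": "ip"},
    "hosts": {"ip.src": "ip", "ip.dst": "ip", "alias.host": "text"},
}

# Constructed stand-in for the drop-down of meta keys available on a service.
AVAILABLE_META = {"action", "alias.host", "extension", "orig_ip", "ip.src", "ip.dst"}


@dataclass
class QueryStatus:
    valid: bool    # False while the dialog would still show the invalid status
    reason: str    # why it is (in)valid
    query: str     # the query text assembled so far


def build_query(meta, operator, value=None):
    """Assemble one basic clause <metakey> <operator> [<metavalue>] and report
    the validity status the dialog would display at this point."""
    if meta not in AVAILABLE_META:
        return QueryStatus(False, "unknown meta key", meta)
    if operator in NO_VALUE_OPERATORS:
        # Value field is disabled, so any typed value is ignored.
        return QueryStatus(True, "ok", f"{meta} {operator}")
    if operator not in VALUE_OPERATORS:
        return QueryStatus(False, "unknown operator", f"{meta} {operator}")
    if not value:
        # Invalid status remains until a value is entered.
        return QueryStatus(False, "value required", f"{meta} {operator}")
    return QueryStatus(True, "ok", f"{meta} {operator} {value}")


def parse_query(text):
    """Split a query typed into the advanced field into its three parts.
    Values may contain spaces (quoted strings, ranges), so split at most twice."""
    parts = text.strip().split(None, 2)
    if len(parts) < 2:
        return QueryStatus(False, "operator required", text.strip())
    meta, operator = parts[0], parts[1]
    value = parts[2] if len(parts) == 3 else None
    return build_query(meta, operator, value)


def expand_meta_group(group_name, operator, value=None):
    """Generate the query for a meta group: all keys ORed together, or ORed
    exists statements when the keys have different value types."""
    keys = META_GROUPS[group_name]
    if len(set(keys.values())) > 1:
        # Mixed value types: value input disabled, exists statements used.
        clauses = [f"{key} exists" for key in keys]
        return QueryStatus(True, "mixed value types, exists query", " OR ".join(clauses))
    clauses = [build_query(key, operator, value) for key in keys]
    query = " OR ".join(clause.query for clause in clauses)
    if not all(clause.valid for clause in clauses):
        return QueryStatus(False, clauses[0].reason, query)
    return QueryStatus(True, "ok", query)


def apply_medium(query, network=True, log=True):
    """Restrict the query to packets (medium = 1) or logs (medium = 32).
    Appending an AND medium clause in this form is an assumption of the example."""
    if network and log:
        return query            # both selected: no medium restriction
    if not network and not log:
        raise ValueError("select Network, Log, or both")
    medium = 1 if network else 32
    wrapped = f"({query})" if " OR " in query else query
    return f"{wrapped} AND medium = {medium}"


if __name__ == "__main__":
    for typed in ("action exists", "action =", "action = 'get'",
                  'orig_ip != "10.0.0.0" - "10.255.255.255"'):
        status = parse_query(typed)
        print(f"{typed!r:45} valid={status.valid} ({status.reason})")
    print(expand_meta_group("ip_pair", "=", "10.0.0.1").query)
    print(expand_meta_group("hosts", "=", "10.0.0.1").query)
    print(apply_medium(expand_meta_group("ip_pair", "=", "10.0.0.1").query, log=False))
```

Running the block walks the same sequence the advanced dialog walks: "action =" stays invalid, "action exists" is valid with no value, and the mixed-type group collapses to exists statements regardless of the value supplied.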

Apply a Recent Query

You can view recent queries and select one to apply to the current service being investigated. To select a recent query:

  1. In the Navigate view toolbar, select Query.
    The Query dialog is displayed, with the Simple option selected.
    QueryDDSimple.png
  2. Select the Recent option.
    The list of recent queries is displayed in the bottom portion of the dialog.
    QryDDRecent.png
  3. In the list of recent queries, click to select a query.
  4. Do one of the following:
    1. Double-click a query.
    2. Select a query and click OK.
      The window is closed and the view is updated with the results of the new query. The query is displayed in the breadcrumb.
    3. Click Cancel.
      The window is closed and no changes are made to the view or current query.