Advanced search options
Use the Advanced Search field to enter an Ariel Query Language (AQL) query that specifies the fields that you want and how you want to group them, and then run that query.
The XFORCE_IP_CONFIDENCE function does not work in AQL advanced searches in languages other than English.
The Advanced Search field has auto completion and syntax highlighting to help you create queries. For information about supported web browsers, see Supported web browsers.
Accessing Advanced Search
Access the Advanced Search option from the Search toolbar that is on the Network Activity and Log Activity tabs to type an AQL query.
Select Advanced Search from the list box on the Search toolbar, then type your query in the field:
- Drag the expand icon that is at the right of the field to make the field larger.
- Press Shift + Enter to go to the next line.
- Press Enter to run the query.
You can right-click any value in the search result and filter on that value.
Double-click any row in the search result to see more detail.
All searches, including AQL searches, are included in the audit log.
AQL search string examples
Description | Example |
---|---|
Select default columns from events. | SELECT * FROM events |
Select default columns from flows. | SELECT * FROM flows |
Select specific columns. | SELECT sourceip, destinationip FROM events |
Select specific columns and order the results. | SELECT sourceip, destinationip FROM events ORDER BY destinationip |
Run an aggregated search query. | SELECT sourceip, SUM(magnitude) AS magsum FROM events GROUP BY sourceip |
Run a function call in a SELECT clause. | SELECT CATEGORYNAME(category) AS namedCategory FROM events |
Filter the search results by using a WHERE clause. | SELECT CATEGORYNAME(category) AS namedCategory, magnitude FROM events WHERE magnitude > 1 |
Search for events that triggered a specific rule, which is based on the rule name or partial text in the rule name. | SELECT LOGSOURCENAME(logsourceid), * from events where RULENAME(creeventlist) ILIKE '%suspicious%' |
Reference field names that contain special characters, such as arithmetic characters or spaces, by enclosing the field name in double quotation marks. | SELECT sourceip, destinationip, "+field/name+" FROM events WHERE "+field/name+" LIKE '%test%' |
Description | Example |
---|---|
Check an IP address against an X-Force category with a confidence value. | select * from events where XFORCE_IP_CONFIDENCE('Spam',sourceip)>3 |
Search for X-Force URL categories associated with a URL. | select url, XFORCE_URL_CATEGORY(url) as myCategories from events where XFORCE_URL_CATEGORY(url) IS NOT NULL |
Retrieve X-Force IP categories that are associated with an IP. | select sourceip, XFORCE_IP_CATEGORY(sourceip) as IPcategories from events where XFORCE_IP_CATEGORY(sourceip) IS NOT NULL |
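The following query is an added example, not taken from the page or from the AQL guide; it combines several constructs from the tables above to rank source IPs that X-Force rates as 'Spam' with confidence above 3 and that also matched a rule whose name contains 'suspicious', summing their magnitude per source. The ORDER BY ... DESC, LIMIT and LAST 24 HOURS clauses are standard AQL but are not shown in the tables, and the rule text and confidence threshold are placeholders to adjust for your environment.

```sql
SELECT sourceip,
       COUNT(*) AS eventCount,
       SUM(magnitude) AS magsum
FROM events
WHERE XFORCE_IP_CONFIDENCE('Spam', sourceip) > 3
  AND RULENAME(creeventlist) ILIKE '%suspicious%'
GROUP BY sourceip
ORDER BY magsum DESC
LIMIT 10
LAST 24 HOURS
```

Type it into the Advanced Search field using Shift + Enter between lines, then press Enter; right-click a returned sourceip to filter the view on that value.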
For more information about functions, search fields and operators, see the Ariel Query Language guide.