As the Defense.com SIEM platform runs on Elasticsearch, log searches are run using the Lucene Query Language. To run a query:
1. Log in to your Defense.com account, and click the Detection icon in the navigation menu.
2. From the expanded menu, select SIEM.
3. Click on Log Search.
This will display the SIEM Query page.
By default, this page will show you all of the logs we've received in the last 15 minutes, with no filters. To widen your search, click on the Last 15 Minutes button and you'll be able to choose from a wider range of dates/times.
If you click on any of the logs on this page, a dropdown will open and you'll see that the log contains lots of different fields, for example, host, port or type. These fields form the basis of most Lucene queries.
Towards the top of the page, you should see a box titled Search Query. This is where you'll enter your queries. By default, this box contains a star symbol (*). This is the Lucene Query that shows you all of your logs. The below examples will show you how to narrow this down, so you're only seeing the logs you want to see.
Generally, with Lucene, you'll be searching for a particular pattern of text and/or numbers in a specific field. For example, if you want to view all of the logs from a specific host, let's call it server.defense.com, you'd run the below Lucene query:
host:server.defense.com
Looking at the above, we've specified the field we'd like to search for, followed by a colon, followed by what we'd like to search for in this field. This will filter out any logs that don't match this pattern.
Note:
Not all log sources contain the same fields. Some may use host to denote a hostname, whilst others may use hostname or something completely different. By clicking on an example log as we did before, you can see the list of fields available to you.
Note:
You don't actually have to specify a field when running a Lucene query. If you just type in what you want to search for (e.g. server.defense.com or "Delete user"), all fields will be searched.
The above syntax applies to search terms that don't contain any spaces. But what if the pattern you're looking for contains spaces? In this case, just wrap your search term in quotation marks. For example, if we only want to view the logs where the field action contains the string Delete user, use the below query:
action:"Delete user"
If it's the field, rather than the pattern that contains a space, this is handled differently. For example, if the field you're searching in is called host name, insert a backslash (\) just before the space as below:
host\ name:server.defense.com
If you can see multiple fields that start with a common string, like article.title, article.content and article.date, you can search within all of these fields at the same time by using a Wildcard. To do this, start your query with the text that each has in common, then add a backslash (\), followed by a star (*). For example, to search all of these fields for the string "test123", do:
article.\*:test123
Another use case is if you want to search for multiple different strings at the same time. For example, if you want to search for all logs from several hosts, we encase the search terms in brackets and use the OR operator:
host:(server.defense.com OR server1.defense.com)
This will return any logs where the host field contains either server.defense.com or server1.defense.com. You can do this for more than two strings, for example:
host:(server.defense.com OR server1.defense.com OR server2.defense.com OR server4.defense.com)
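The rules above (field:value, quoting values that contain spaces, escaping spaces in field names, a backslash-star wildcard over field names, and OR groups in brackets) are easy to get wrong when queries are built programmatically, for example in a detection script that assembles a search from a list of hosts. The following Python is an added example, not part of the Defense.com documentation or platform: it builds Lucene query strings following exactly those rules and wraps the result in the Elasticsearch query_string request body. It goes slightly beyond the text by also escaping the other characters Lucene's query parser treats specially (the list is taken from the Elasticsearch query_string documentation), so that a value such as a URL containing a colon or slash does not break the query. The helper names and the sample hosts are assumptions.

```python
"""Build Lucene query strings (field:value, phrases, escaped field names,
field wildcards, OR groups) and wrap them in an Elasticsearch query body.

Added example; not code from the Defense.com platform. Function names are
assumptions, and the host names below are constructed sample values.
"""
import json

# Characters the Lucene query_string parser treats specially. Assumption: this
# is the reserved-character list from the Elasticsearch query_string docs,
# plus the space, which must be escaped inside a field name.
_SPECIAL = set('+-=&|><!(){}[]^"~*?:\\/ ')


def _escape(text: str) -> str:
    """Backslash-escape every special character in an unquoted term."""
    return "".join("\\" + ch if ch in _SPECIAL else ch for ch in text)


def escape_field(field: str) -> str:
    """Escape a field name, e.g. 'host name' -> 'host\\ name'."""
    return _escape(field)


def format_value(value: str) -> str:
    """Quote a value containing spaces as a phrase ("Delete user");
    otherwise escape any special characters so it stays a single term."""
    if " " in value:
        inner = value.replace("\\", "\\\\").replace('"', '\\"')
        return f'"{inner}"'
    return _escape(value)


def term(field: str, value: str) -> str:
    """Single field search: host:server.defense.com"""
    return f"{escape_field(field)}:{format_value(value)}"


def any_of(field: str, values) -> str:
    """OR group over several values: host:(a OR b OR c)"""
    joined = " OR ".join(format_value(v) for v in values)
    return f"{escape_field(field)}:({joined})"


def wildcard_field(prefix: str, value: str) -> str:
    """Search all fields sharing a prefix: article.\\*:test123"""
    return f"{escape_field(prefix)}\\*:{format_value(value)}"


def search_body(query: str) -> dict:
    """Wrap a Lucene query string in the Elasticsearch _search request body.
    Sending it (e.g. POST <index>/_search) is left to the caller."""
    return {"query": {"query_string": {"query": query}}}


if __name__ == "__main__":
    # Constructed sample inputs mirroring the examples in the text above.
    hosts = ["server.defense.com", "server1.defense.com", "server2.defense.com"]
    for q in (
        term("host", hosts[0]),
        term("action", "Delete user"),
        term("host name", hosts[0]),
        wildcard_field("article.", "test123"),
        any_of("host", hosts),
        term("url", "https://server.defense.com/login"),  # colon and slashes escaped
    ):
        print(q)
    print(json.dumps(search_body(any_of("host", hosts)), indent=2))
```

The values are escaped rather than interpolated raw so that log data you did not choose (a URL, a username containing a colon or bracket) cannot change the shape of the query; the same rule applies whether the query is typed into the Search Query box or submitted through the API.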
This has been a brief introduction to Lucene to get you started. It can be used to create some quite complex queries and there's much more to learn for those who are interested. More information is available in the Official Elasticsearch Documentation.