Basic Search
In the Basic search mode, you can select search terms and fields from prebuilt lists to build a query that will search your data. You can remove a query term by clicking the cancel icon on the term.
Pre-built Basic Search Lists
Lists specific to your environment:
Subjects, Vendors, and Products — These are specific to your environment: if you do not have any logs from a particular vendor, that vendor does not appear in the list.
Custom fields — These are specific to you and are the result of a custom parser applied to the ingested logs. These field names start with the prefix c_ and can be used in searches the same way any Common Information Model field would be used.
Metadata fields — These are specific to your environment. These field names start with the prefix m_.
Common event fields — This is a list of all default Common Information Model fields that are specific to your environment.
Anomalies — These are specific to your environment, and are a result of anomalies that have been detected.
Lists that are not specific to your environment:
Audit Logs — Audit logs are activity logs for user and asset activity in your organization. Specific activities related to Exabeam product administrators and users are logged, including activities within the UI as well as configuration and server changes. In Basic search mode, you can search these audit logs for key attributes. To search within the Exabeam Audit Logs, first select Audit Log under Exabeam, in the Vendors & Products section, and then select fields from the Audit Logs list.
Building a Basic Search
To build a Basic search:
From the Search Mode drop down menu under the search bar, select the Basic option.
To start building your search, click in the search bar. A dialog box opens displaying lists of search terms and fields.
Note
Use the search box in the upper right corner of the panel to search across subjects, products and vendors, and fields.
Select from the available lists to build your query, as described in the points below.
Note
Hover your cursor over any Common Information Model subject or field name to view information about the field, such as data type and description.
Click on Subject, Vendor, or Product terms in the right two columns to add those terms to your query in the search bar. If you select multiple terms, they are joined in the query with an AND operator. You can then click the AND operator and select a different connector option from the drop-down menu.
Find a field name from the tabbed lists on the right: Common event fields, Metadata, Anomalies, Audit Logs, or Custom fields. You can use the Search field in the upper right to quickly find a specific field name.
Tip
If you search for geo, rule, or mitre field names, you can find certain structured fields represented by dot notation, such as geo_dest_ip.country, rules.rule_source, or rules.mitre_labels_technique.
Click the field name and a panel opens where you can define a value and a connection type as follows:
Select an AND or AND NOT connection operator to define how the selected field will be joined to the query you are building.
Enter one or more values for the selected field. To enter multiple values, click Enter on your keyboard after each value.
If you want to search for values that are located in a specific context table, click Add Context Table and select a table to add to the query. You can add a maximum of two context tables to the query. For more information, see Context Tables in Search.
If you want to search for values that are missing, click the Empty (null) check box. Or conversely, find values that are not null by using the AND NOT option in combination with the check box.
Note
If you type in the value "null" instead of selecting the check box, the query treats the value as a string and the search returns only fields where there is a literal value of "null". Ex.:
activity_type: "null"
If you use the Empty (null) check box, the search returns fields where the value is empty. Ex.:
activity_type: null
Click Add to Query to add the selected fields and values to the query in the search bar.
When you are satisfied with your query, click outside of the panel to dismiss the Basic search panel. Click in an empty section of the search bar at any time to return to the Basic search panel.
After your query has been built, it can still be edited.
To delete a term or field from the query, click the X next to it.
To change the operators used in the query, click on the operator in the search bar and select the operator you want to use (AND, OR, AND NOT, OR NOT).
Note
In the search bar you can only delete sections and change operators; you cannot edit the values you have assigned to fields. To change a value, delete that field from the query, return to the Basic search panel, and re-add the field with your desired value.
Select a time range for the search results by clicking the time range icon in the top left corner of the search bar. A dialog box opens where you can select various Quick or Absolute time ranges.
Click the Search icon to launch your query.
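The distinction between the quoted value "null" and the Empty (null) check box matters for detection coverage: a query for the literal string finds only events where a parser emitted the text "null", while the check box finds events where the field is genuinely empty or absent. The following evaluator is an added illustration, not Exabeam's search engine or query language; it models only what this page states (field:value terms chained with AND, OR, AND NOT and OR NOT, the unquoted null matching empty or missing fields, the quoted "null" matching only that literal string) and runs it over constructed sample events. It assumes each term carries a single value, so the page's multiple-value and context-table options are not modelled, and it treats the first term's connector as a plain match or, for the NOT variants, its negation.

```python
"""Toy evaluator for the Basic-search semantics described on this page.

Added illustration only: not Exabeam code. Assumptions are marked inline.
"""
from dataclasses import dataclass
from typing import Optional

CONNECTORS = ("AND", "OR", "AND NOT", "OR NOT")


@dataclass
class Term:
    field: str
    value: Optional[str]  # None models the "Empty (null)" check box
    op: str = "AND"       # connector to the preceding term


def term_matches(term: Term, event: dict) -> bool:
    """Match one field:value term against one event record."""
    present = event.get(term.field)
    if term.value is None:
        # Empty (null) check box: the field is absent, None, or an empty string
        # (assumption: these three cases are what "empty" means here).
        return present is None or present == ""
    # Any quoted value, including the text "null", is an exact string comparison.
    return present == term.value


def evaluate(terms: list, event: dict) -> bool:
    """Evaluate a left-to-right chain of terms, as the search bar displays them."""
    if not terms:
        raise ValueError("query has no terms")
    first = terms[0]
    if first.op not in CONNECTORS:
        raise ValueError(f"unknown connector {first.op!r}")
    result = term_matches(first, event)
    # Assumption: a leading AND NOT / OR NOT simply negates the first term.
    if first.op.endswith("NOT"):
        result = not result
    for t in terms[1:]:
        m = term_matches(t, event)
        if t.op == "AND":
            result = result and m
        elif t.op == "OR":
            result = result or m
        elif t.op == "AND NOT":
            result = result and not m
        elif t.op == "OR NOT":
            result = result or not m
        else:
            raise ValueError(f"unknown connector {t.op!r}")
    return result


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"id": 1, "activity_type": "logon", "user": "alice"},
    {"id": 2, "activity_type": "null", "user": "bob"},   # parser emitted the text "null"
    {"id": 3, "activity_type": "", "user": "carol"},     # field present but empty
    {"id": 4, "user": "dave"},                            # field absent entirely
]


def search(terms: list, events: list = SAMPLE_EVENTS) -> list:
    """Return the ids of events matching the query, in input order."""
    return [e["id"] for e in events if evaluate(terms, e)]


if __name__ == "__main__":
    # activity_type: "null"  -> only the literal string
    print(search([Term("activity_type", "null")]))
    # activity_type: null    -> empty or missing field
    print(search([Term("activity_type", None)]))
    # AND NOT with the check box -> fields that are NOT null
    print(search([Term("activity_type", None, "AND NOT")]))
```

Running the block prints three result lists: event 2 alone for the quoted "null", events 3 and 4 for the check box, and events 1 and 2 for the AND NOT combination the page describes for finding non-null values. Note that event 2 counts as "not null" because it does hold a (useless) literal string, which is exactly the case a detection engineer wants to be aware of when checking whether a parser is populating a field.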