Use Cases for Search Operators

The following are just a few examples of the flexibility and power of search operators.

You may need to adjust a query to work with your own fieldsets.

For more information about working with operator chaining see Use an Operator in the Query and Chaining Search Operators.

General Search Operator Use Cases

I want to see where possible brute force password guessing is happening.

Additional Information: To determine this, I want to see the top 10 values responsible for the most failed logins. Note that the query below groups by deviceEventClassId, so it tells you which event types make up the failed logins; to rank the devices or source addresses that are doing the guessing, use a device or source field such as deviceAddress or sourceAddress in place of deviceEventClassId.
Operator used: top

#FailedLogin | top 10 deviceEventClassId

 

I want to know the hourly amount of data transfer on MyWebserver, broken out by the vendor and product of the device reporting it.

Operators used: chart, sum, by, span (the value in the sourcehostname filter must match how the host is recorded in your events, for example FQDN versus short name)

sourcehostname = MyWebserver.com | chart sum(bytesIn), sum(bytesOut) by deviceVendor, deviceProduct span 1h

 

I want to see a sum of events, grouped by hostname and hour.

Operator used: chart
Aggregate function: sum (This adds up the values of the field passed to it, within each group defined by the "by" clause and the time bucket.)
Time bucket: 1h (Events are grouped in time increments of one hour; use span 1d for daily totals.)

The leading pipe means no filter is applied, so every event in the selected time range is counted.

| chart sum(baseEvents) by hostName span 1h

 

I want to determine all account lockouts, grouped by user name.

Operators used: wheresql, top

The event class IDs cover the legacy Windows lockout events (539, 644), their current equivalents (4740 from the Security log, 6279 from Network Policy Server) and an ArcSight-generated lockout event; the destinationUserName check drops lockout events that carry no account name, which would otherwise appear as a single empty group.

(deviceVendor="Microsoft" and deviceProduct="Microsoft Windows") or deviceProduct="Unix" | wheresql deviceEventClassId in ["Security:539","Security:644","arcsight:66:0","Microsoft-Windows-Security-Auditing:4740","Microsoft-Windows-Security-Auditing:6279"] and destinationUserName is not null | top destinationUserName
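As an added illustration, and not part of the ArcSight documentation or product, the Python block below re-implements the semantics behind the where, top, rare and chart sum(...) by ... span operators used in the brute-force, hourly-transfer and account-lockout use cases above, running them over a constructed set of CEF-style events so the grouping rules can be inspected offline. Field names follow the ArcSight schema used on this page and the lockout class IDs are taken from the query above; the events themselves, the hosts and user names, and the 4625/4624 failed- and successful-logon class IDs used to populate them are constructed assumptions. It also shows why grouping failed logins by deviceEventClassId answers "which event type" while grouping by deviceAddress answers "which device".

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Lockout event class IDs taken from the account-lockout query above.
LOCKOUT_IDS = {
    "Security:539", "Security:644", "arcsight:66:0",
    "Microsoft-Windows-Security-Auditing:4740",
    "Microsoft-Windows-Security-Auditing:6279",
}
FAILED_LOGON = "Microsoft-Windows-Security-Auditing:4625"  # assumed failed-logon class ID
GOOD_LOGON = "Microsoft-Windows-Security-Auditing:4624"    # assumed successful-logon class ID


def ev(ts, cls, addr, user, outcome, vendor="Microsoft", bytes_in=0):
    """One CEF-style event as a dict; field names follow the ArcSight schema."""
    return {"endTime": ts, "deviceEventClassId": cls, "deviceAddress": addr,
            "destinationUserName": user, "categoryOutcome": outcome,
            "deviceVendor": vendor, "bytesIn": bytes_in}


# Constructed sample data: 10.0.0.5 is guessing passwords, one lockout event
# carries no user name, and one lockout arrives as an ArcSight-generated event.
AUTH_EVENTS = [
    ev("2024-05-01T10:05:00Z", FAILED_LOGON, "10.0.0.5", "alice", "/Failure"),
    ev("2024-05-01T10:05:10Z", FAILED_LOGON, "10.0.0.5", "bob", "/Failure"),
    ev("2024-05-01T10:05:20Z", FAILED_LOGON, "10.0.0.5", "carol", "/Failure"),
    ev("2024-05-01T10:05:30Z", FAILED_LOGON, "10.0.0.5", "dave", "/Failure"),
    ev("2024-05-01T10:06:00Z", FAILED_LOGON, "10.0.0.7", "alice", "/Failure"),
    ev("2024-05-01T10:07:00Z", GOOD_LOGON, "10.0.0.9", "alice", "/Success"),
    ev("2024-05-01T10:08:00Z", "Microsoft-Windows-Security-Auditing:4740", "10.0.0.5", "alice", "/Success"),
    ev("2024-05-01T10:09:00Z", "Microsoft-Windows-Security-Auditing:4740", "10.0.0.7", None, "/Success"),
    ev("2024-05-01T10:10:00Z", "arcsight:66:0", "10.0.0.9", "eve", "/Success", vendor="ArcSight"),
]
WEB_EVENTS = [  # constructed web-server traffic spanning two clock hours
    ev("2024-05-01T10:05:00Z", "web:200", "10.0.0.20", None, "/Success", "Apache", 1000),
    ev("2024-05-01T10:45:00Z", "web:200", "10.0.0.20", None, "/Success", "Apache", 2000),
    ev("2024-05-01T11:10:00Z", "web:200", "10.0.0.20", None, "/Success", "Apache", 500),
]


def where(events, predicate):
    """`where`: keep only the events for which the predicate holds."""
    return [e for e in events if predicate(e)]


def top(events, fields, n=None, bottom=False):
    """`top` (or `rare` when bottom=True): count distinct value tuples of the
    given fields and order by count. Ties break on the values so the output is
    deterministic; None sorts as an empty string."""
    counts = Counter(tuple(e.get(f) for f in fields) for e in events)

    def sort_key(item):
        values, count = item
        return (count if bottom else -count,
                tuple("" if v is None else str(v) for v in values))

    ordered = sorted(counts.items(), key=sort_key)
    return ordered[:n] if n else ordered


def chart_sum(events, value_field, by_fields, span_seconds):
    """`chart sum(value) by fields span N`: sum per time bucket and group.
    Bucket labels are the UTC start of each span."""
    sums = defaultdict(int)
    for e in events:
        t = datetime.fromisoformat(e["endTime"].replace("Z", "+00:00"))
        start = int(t.timestamp()) // span_seconds * span_seconds
        label = datetime.fromtimestamp(start, tz=timezone.utc).strftime("%Y-%m-%dT%H:%MZ")
        sums[(label,) + tuple(e.get(f) for f in by_fields)] += e.get(value_field, 0)
    return dict(sums)


def brute_force_by_device(n=10):
    """Failed logins ranked by the device that reported them."""
    failed = where(AUTH_EVENTS, lambda e: e["categoryOutcome"] == "/Failure")
    return top(failed, ["deviceAddress"], n)


def brute_force_by_event_class(n=10):
    """The page's own grouping: failed logins ranked by event class ID."""
    failed = where(AUTH_EVENTS, lambda e: e["categoryOutcome"] == "/Failure")
    return top(failed, ["deviceEventClassId"], n)


def lockouts_by_user():
    """Lockout class IDs with a non-null destinationUserName, ranked by user."""
    hits = where(AUTH_EVENTS, lambda e: e["deviceEventClassId"] in LOCKOUT_IDS
                 and e["destinationUserName"] is not None)
    return top(hits, ["destinationUserName"])


def hourly_transfer():
    """Bytes in per clock hour per device vendor (span 1h)."""
    return chart_sum(WEB_EVENTS, "bytesIn", ["deviceVendor"], 3600)


if __name__ == "__main__":
    print("failed logins by device:", brute_force_by_device())
    print("failed logins by class: ", brute_force_by_event_class())
    print("lockouts by user:       ", lockouts_by_user())
    print("hourly bytes in:        ", hourly_transfer())
```

Running it shows a single row for the deviceEventClassId grouping (all five failures share one class ID) against a clear outlier, 10.0.0.5 with four failures, for the deviceAddress grouping; the lockout with no user name is excluded by the not-null check rather than appearing as an empty group.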

 

Operator Chaining Use Cases

I want to identify the rare occurrences of Firewall events.

Additional Information: I want to determine this from the data in 3 specific fields (device vendor, category device group, and name). The rare operator returns the least frequent combinations of the listed fields; the renames only shorten the column headers in the result.
Operators used: rename, rare (bottom)

#Firewall Events | rename deviceVendor as DV | rename category device group as CDG | rare DV, name, CDG

 

I want to isolate vulnerabilities.

Additional Information: I will base this on data from 3 significant fields (device vendor, category technique, and category device group), then determine the least common combinations found in those fields. (To see the most common combinations instead, replace rare with top.)
Operators used: rename, rare (bottom)

#Vulnerabilities | rename deviceVendor as DV | rename category technique as CT | rename category device group as CDG | rare DV, name, CDG, CT

 

I want to apply filters to a set of fields and then extract the top 50 most common occurrences of those events.

Operators used: where, top

source address is not null | where Bytes In >= 3000 | where Category Outcome = /Success | top 50 source address, Category Outcome

 

I want to determine the top insecure processes on devices in my company.

Operators used: top, rename

destinationProcessName in ["telnetd", "ftpd", "pop3", "rsh", "imapd", "rexec"] | top destinationProcessName | rename destinationProcessName as "Process"

The same rename-then-top pattern applied to ArcSight's own events, ranked by source user (rename requires the as keyword between the old and new names):

deviceVendor = ArcSight | rename sourceUserName as USER | top USER

 

Show me all successful configuration changes, counted by product.

Operators used: top, rename

The count column that top produces is renamed here as deviceProduct_count_2; check the column header in your own results before renaming it, because the generated name must match exactly.

categoryBehavior = "/Modify/Configuration" and categoryOutcome = "/Success" | top deviceProduct | rename deviceProduct_count_2 as "Changes" | rename deviceProduct as "Product"

 
