Guided mode search, an intuitive and flexible search experience, is now available in the Alert Logic® console for Managed Detection & Response Professional and Enterprise, Cloud Defender, and Log Manager customers. Guided mode search supports your ability to quickly understand security incidents and make decisions around response, perform your own investigations on general security events with granular filtering, and easily share data Alert Logic has collected with the use of recurring reports.
The new search experience can be found within the Alert Logic console at (navigation menu) > Investigate > Search > Search for Managed Detection & Response customers, and at Search > Search for Cloud Defender and Log Manager customers.
Note: You will continue to have access to your previous search experiences, OmniBox and Log Search, for the time being.
Simple and Expert Mode Search
This new search experience allows you to toggle between two modes of search – Simple and Expert. At a high level, Simple mode search uses a graphical interface to filter down to results that match all the terms you apply to the search, while Expert mode allows you to write SQL queries to find even more granular results.
You can move between Simple Mode and Expert Mode search easily via the drop-down in the top right corner. Note that while all Simple search queries can be expressed as Expert queries, not all Expert queries can be expressed as Simple queries. Alert Logic best practice recommends that if you believe you may want to switch back and forth during one search query that you begin with Simple and build upon the query as needed in Expert.
Simple Mode Search
Simple Mode search is optimized for the most common types of searches, and results are returned to match all the search terms you apply. You can manipulate the default terms – Time Received and Message – by clicking to negate an expression, adding values to the term, changing a function or aggregator, or removing the condition altogether. You can also manage the time and date of the data being pulled. You can also utilize the search bar to easily identify results that match a term you search on.
When you’ve run a successful search, you can also add terms to the search by clicking on a search result and choosing a token or message type. That condition will now appear in your top search query and when you run the search again will only show results for items that contain that token or message type, plus any of your additional terms.
Expert Mode Search
Expert Mode search utilizes SQL keywords and functions, message fields, strings, and aliases to construct a more complex, but more specific search query. Expert Mode is a great way to build reports summarizing the data Alert Logic collects in your environment.
Using Expert Mode, you can dig deep into change records from Alert Logic File Integrity Monitoring. For example, start with a query to count changes and then group by event type to summarize the types of changes you saw over a time period:
SELECT event_type AS "Event Type",
COUNT(event_type) AS "Count"
GROUP BY event_type
Or, build up more structure to identify the most active file changes in your environment:
-- File hashes seen in FIM events across the most hosts
-- with summary information about hosts, files, owner, and event type
sha1_hash AS "SHA1 Hash",
UCOUNT(asset.dict.asset.host.name as "Asset Name") AS "Host Count",
SET("Asset Name") AS "Hosts",
UCOUNT(CONCAT_WS([path, file_name], '/') AS "File") AS "File Count",
SET("File") AS "Files",
SET(file_owner) AS "Owners",
SET(file_group) AS "Groups",
COUNT(event_type) AS "Events",
SET(event_type) AS "Event Types"
WHERE sha1_hash != NULL
GROUP BY "SHA1 Hash"
ORDER BY "Host Count" DESC, "Events" DESC
This query uses different functions like SET, COUNT, and UCOUNT (unique count) to aggregate data in convenient ways. See the Search and Analytics Language Query Specification in our Developer portal for more details on Expert mode search query options and possibilities.
Managing searches and saved and scheduled searches works the same for both Simple and Expert Mode search.
Choose between common time frames for the search to pull data from with one click, ranging from 1 hour to 30 days. Create a custom range with the calendar feature by either typing in your date range or clicking on the calendar and choosing dates, start times, and end times. You can get as granular on the start and end times as one second.
Note: The time zone defaults to the browser’s time zone, but you can change this using the Settings icon in the top right corner of the Search page.
Use multiple tabs within the search functionality to manage up to five active searches. A tab houses an individual query and results. To open a new tab, click on the plus sign to the right of your initial open tab. These tabs exist independently of any other tabs and search queries you may have open.
Saved and Scheduled Searches
Save and schedule a search you've executed by clicking on the down arrow () to the right of the Search button. To access your previously saved searches, click Saved Searches in the top right corner of the page and a right hand-side panel will appear with all the searches you’ve saved for easy access. Click on a saved search to apply it to your search terms. Here, you can also review recently executed and scheduled searches.
To manage and schedule saved searches, click Saved Searches in the top set of navigation tabs. You can tag your searches with meaningful words or phrases, and then use those tags to quickly identify desired saved searches.
The results of schedule searches are also available in the Downloads tab, for easy access.
You can easily download search results either in bulk or individually with the check boxes to the left of the search results and the Export option. You can also create a manual incident from a handful of results by checking the boxes for those results and clicking Create Incident.
For more technical details on this release, see the following Alert Logic documentation: