Query Search Basics

Integrations

To start using Query's Federated Search platform, you need to configure integrations. See Add a Data Source.

Search Interface

Search Interface - Our search interface uses a three-part query system that lets you construct precise, targeted searches.

Entity Selection: Begin by choosing an entity from the first field. This dropdown menu includes options such as IP Address, Hostname, Email Address, Username, and more, allowing you to define the context of your search.

Operator Specification: Next, select an operator from the second field to specify the nature of your search. Whether you're looking for an exact match with 'equals to', a broader scope with 'contains', or something that 'starts with' or 'ends with' specific characters, our operators ensure your search is as broad or as pinpointed as you need it to be.

Value Input: In the third field, enter the value for your search criterion. This could be a specific IP address, a partial email address, or any other relevant information that aligns with your chosen entity and operator.

Figure: Query Builder

Data Sources - By default the Query platform searches all relevant data sources to complete a search. The Data Sources list lets you restrict the search to the sources of interest; all are selected by default.

If there are no integrations configured, see Add a Data Source.

Figure: Connected Platforms

Query's Federated Search platform lets you search across all configured integrations or only specific ones. By default, the platform searches every integration that is relevant to the query.

For example: if an index does not contain fully qualified domain names (FQDNs), the platform will only search those products or integrations that do contain FQDNs, reducing the number of integrations needed to complete the search.

Search Time Frame - By default, searches cover the last 24 hours. Click the "Last 24 Hours" clock icon in the top right-hand corner to view the other time-range options.

Figure: Date Time in Query Builder

Connections - The Connections page shows all of the integrations configured, if any. If you are a Query Admin, you may add or update connections. Click "Add Connection", then see the Add a Connection Source section for help with a specific integration.

Settings & Help - In the lower left you will find your initials. Clicking them lets you change your profile settings and log out.

Search Syntax

Search parameters consist of a key (IP, domain, user, etc.), an operator (equals, contains, not equal, etc.) and a value. All of these follow the OCSF object format. For example: if searching for a device by its hostname, you would use the "Hostname" key. This will return any device whose hostname contains the value searched for.

While we continue to expand the list of entities, here is the current list of supported entities:

Operators

Depending on the key selected, you will be offered different operators. For example: when searching for an IP Address, you can choose only "equals". However, if searching for a Hostname, you may choose equals, contains, starts with and ends with. Query Federated Search translates each of these operators into the syntax each data source needs to complete the search.

Figure: Search operators


What’s Next

Next, take a look at how results are shown here.