Quick Start

Your first FSQL query

Your First FSQL Query

Every FSQL query follows this structure:

QUERY
[SHOW <fields to return>]
[WITH <filter conditions>]
[SINCE <start time>]
[UNTIL <end time>]
[FROM <connector list>]
[ORDER BY <attribute> [ASC|DESC] [, ...]]
[LIMIT <record limit>]

Here's a query that finds failed login attempts from the last 24–48 hours across Active Directory and Okta (adjust the FROM clause to match connectors in your environment, or omit it to search all connectors):

QUERY
SHOW authentication.user.username, authentication.src_endpoint.ip
WITH authentication.status_id = FAILURE
SINCE 48hrs UNTIL 24hrs
FROM 'Active Directory', 'Okta'
LIMIT 1000

Each result is a hierarchical JSON object following the OCSF schema. Here's what a single result looks like (most fields omitted for brevity):

{
  "user": {
    "name": "jsmith",
    "email_addr": "[email protected]",
    "uid": "a1b2c3d4-5678-90ab-cdef-1234567890ab"
  },
  "src_endpoint": {
    "ip": "203.0.113.42",
    "hostname": "WORKSTATION07"
  },
  "time": "2026-03-30T02:14:33.000000+00:00",
  "status_id": "FAILURE",
  "activity_id": "LOGON",
  "severity_id": "INFORMATIONAL",
  "metadata": {
    "product": {
      "name": "Active Directory",
      "vendor_name": "Microsoft"
    },
    "version": "1.5.0"
  },
  "observables": [
    {"name": "user.name", "type_id": "USER_NAME", "value": "jsmith"},
    {"name": "src_endpoint.ip", "type_id": "IP_ADDRESS", "value": "203.0.113.42"}
  ]
}

In the Query UI, results appear in a sortable grid with summary columns (severity, message, time, activity, status, event type, connector). You can expand any row to see the full nested event. When using the API, each result is delivered as a complete JSON object — see The FSQL API for details.

Note: Real results contain many more fields than shown here — device info, unmapped connector-specific data, actor details, and more. Use QUERY authentication.** to see the full depth, or select specific fields to focus on what matters.

What each clause does

Clause	Purpose
`QUERY`	Starts every search.
`SHOW`	Lists the fields you want returned. The `SHOW` keyword is optional — you can place field names directly after `QUERY`. If omitted entirely, the fields used in the `WITH` clause are shown.
`WITH`	Filters results (like a `WHERE` clause).
`SINCE` / `UNTIL`	Sets the time window. `SINCE 48hrs` = starting 48 hours ago; `UNTIL 24hrs` = ending 24 hours ago.
`FROM`	Limits the search to specific connectors.
`ORDER BY`	Sorts results by one or more attributes (`ASC` or `DESC`).
`LIMIT`	Caps the number of results returned.

Tip: If you omit SINCE and UNTIL, FSQL defaults to the last 24 hours. If you omit FROM, all enabled connectors are searched.

A broader search

To see all fields for failed authentication events (expanded to full depth), use **:

QUERY
SHOW authentication.**
WITH authentication.status_id = FAILURE

Entity shortcut

Don't know the exact field path? Use an entity shortcut to search across all mapped fields of a given type:

QUERY
WITH %ip = '10.0.0.1'

Because no SHOW clause is specified, the results grid will display the fields from the WITH clause — in this case, whichever IP fields matched.

This finds any event where 10.0.0.1 appears in an IP address field — across all event types and connectors.

Next Steps

Query Syntax Reference — full details on field selection, filtering, time ranges, and more.
FSQL for SPL Users — migrating from Splunk? Start here.
Investigation Patterns — 15 ready-to-use MITRE ATT&CK-tagged query patterns for common security investigations.

Updated about 2 months ago