Query Search Basics (deprecated)

Suggest Edits

Integrations

To start using Query's Federated Search platform, you need to configure integrations. See Add a Data Source.

Search Interface

Federated Search Page

Federated Search Page

Search Box - If you click within the search box, a dropdown will show you the syntax necessary to complete searches. This will step you through each required field and operator to complete your search.

Data Sources - By default the Query platform will search all relevant data sources to complete a search. The Data Sources list allows you limit select the ones of interest. All are selected by default.

If there are no integrations configured, see Add a Data Source.

Query's Federated Search platform allows you to search in all configured integrations or in specific ones. By default, Query's platform will search all integrations for relevant searches.

For example: if an index does not have fully qualified domain names (FQDN's) in the data, Query's intelligent platform will only search those products or integrations that contain FQDN's, thus limiting the number of integrations necessary to complete the search.

Search Time Frame - By default, searches are configured to the last hour. Click the "Last Hour" clock icon in the top right hand corner to view the various options for searching.

Connections The connections page shows all of the integrations configured, if any. If you are a Query Admin, you may add or update connections. Click "Add Connection" then see the Add a Connection Source section on specific integration help.

Settings & Help In the lower left you will find your initials. Clicking this will allow you to change your profile settings and logout.

Search Syntax

Search parameters are comprised of a key (IP, domain, user, etc), then an operator (equals, contains, not equal, etc) and the value. All of these are in the OCSF objects format. For example: if searching for an IP address, you would use "Network Endpoint IP". This will search any IP address field that contains an IP.

Here are the standard keys:

Operators

Depending on the key selected, you will have the option of different operators. For example: when searching for a Network Endpoint IP, you can choose "equals" or "not equals". However, if searching for an Email, you may choose equals, does not equal, contains, etc. The Query Federated search will translate each of these operators to the syntax necessary to complete the search.

Updated 5 months ago