search-query-guide.md

File metadata and controls

224 lines (186 loc) · 8.61 KB
hide
footer

Search within timeline

Search queries

Timesketch allows full-text search within timelines. A good way to get started is to select one of the pre-set search templates and adjust it to the data in your timeline.

Simple search queries rely on the Query String Query mini-language, but the full power of the OpenSearch query language is also available through Advanced queries.

Common fields

Data fields vary depending on the source being uploaded, but the following fields are mandatory and are therefore present in every timeline.

| Field | Description | Example query |
|---|---|---|
| message | String with information about the event | `message:"This is a message"` |
| timestamp | Timestamp as microseconds since the Unix epoch | `timestamp:"363420000"` |
| datetime | Date and time in ISO 8601 format | `datetime:"2016-03-31T22:56:32+00:00"` |
| timestamp_desc | String explaining what type of timestamp it is | `timestamp_desc:"Content Modification Time"` |

Additional fields come from the imported Plaso file and depend on the source type. You can see which additional fields are available in your timeline by clicking on any event and viewing the detailed list of all fields and their values.

| Field | Description | Example query |
|---|---|---|
| data_type | Data types present in the timeline (depends on source) | `data_type:"windows:registry:key_value"` |
| filename | Search for particular file types | `filename:*.exe` |
| strings | Search for a particular string | `strings:"PsExec"` |

Search operators

Query String supports the boolean search operators AND, OR and NOT.

Wildcards and regular expressions

Wildcards can be used in individual search terms: `?` matches a single character and `*` matches zero or more characters. Be aware that wildcard queries can use a lot of memory.

Regular expression patterns can be embedded in the query string by wrapping them in forward slashes (`/`).

Some characters are reserved in regular expression syntax and must be escaped in the pattern:

```
. ? + * | { } [ ] ( ) " \
```

Below are the syntax elements with example regular expressions.

`"."` Match any character. For "aaabbb":

```
ab...   # match
a.c.e   # match
```

`"+"` One or more. For "aaabbb":

```
a+b+      # match
aa+bb+    # match
a+.+      # match
aa+bbb+   # match
```

`"*"` Zero or more. For "aaabbb":

```
a*b*      # match
a*b*c*    # match
.*bbb.*   # match
aaa*bbb*  # match
```

`"?"` Zero or one. For "aaabbb":

```
aaa?bbb?    # match
aaaa?bbbb?  # match
.....?.?    # match
aa?bb?      # no match
```

`"{}"` Min-to-max repetitions. For "aaabbb":

```
a{3}b{3}      # match
a{2,4}b{2,4}  # match
a{2,}b{2,}    # match
.{3}.{3}      # match
a{4}b{4}      # no match
a{4,6}b{4,6}  # no match
a{4,}b{4,}    # no match
```

`"()"` Forms sub-patterns. For "ababab":

```
(ab)+      # match
ab(ab)+    # match
(..)+      # match
(...)+     # no match
(ab)*      # match
abab(ab)?  # match
ab(ab)?    # no match
(ab){3}    # match
(ab){1,2}  # no match
```

`"|"` Acts as an "OR" operator. For "aabb":

```
aabb|bbaa   # match
aacc|bb     # no match
aa(cc|bb)   # match
a+|b+       # no match
a+b+|b+a+   # match
a+(b|c)+    # match
```

`"[]"` Sets a range of potential characters. For "abcd":

```
ab[cd]+   # match
[a-d]+    # match
[^a-d]+   # no match
```
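The "no match" rows above follow from one rule: a regexp in the query string must match the entire indexed term, not a substring of it. The following added example (not part of the Timesketch guide) replays a subset of the table with Python's `re.fullmatch` as a stand-in for that whole-term anchoring, contrasts it with an unanchored `re.search`, and escapes the reserved characters listed above when a literal such as a file name is wanted. It assumes the simple patterns in the table behave the same in Python's `re` and in OpenSearch's regexp syntax, which holds for these operators but not for every extension (for example, OpenSearch does not support `\d` or `^`/`$` anchors).

```python
import re

# Characters the guide lists as reserved in regexp syntax.
RESERVED = set('.?+*|{}[]()"\\')

# Constructed subset of the operator table: (pattern, term, expected result).
CASES = [
    ("a+b+", "aaabbb", True),
    ("aa+bbb+", "aaabbb", True),
    ("a*b*c*", "aaabbb", True),
    ("aaaa?bbbb?", "aaabbb", True),
    ("aa?bb?", "aaabbb", False),       # covers at most 4 chars; the term has 6
    ("a{2,4}b{2,4}", "aaabbb", True),
    ("a{4,}b{4,}", "aaabbb", False),
    ("ab(ab)+", "ababab", True),
    ("ab(ab)?", "ababab", False),      # covers at most 4 chars
    ("(ab){1,2}", "ababab", False),
    ("a+|b+", "aabb", False),          # each alternative alone must cover the whole term
    ("a+b+|b+a+", "aabb", True),
    ("ab[cd]+", "abcd", True),
    ("[^a-d]+", "abcd", False),
]


def term_matches(pattern: str, term: str) -> bool:
    """Whole-term match, mimicking how OpenSearch applies a regexp to a term."""
    return re.fullmatch(pattern, term) is not None


def search_would_mislead(pattern: str, term: str) -> bool:
    """True when an unanchored substring search hits but a whole-term match does not.

    This is the usual reason a pattern that 'works' in a text editor finds
    nothing in Timesketch."""
    return re.search(pattern, term) is not None and not term_matches(pattern, term)


def escape_reserved(literal: str) -> str:
    """Backslash-escape the reserved characters so a literal is matched verbatim."""
    return "".join("\\" + c if c in RESERVED else c for c in literal)


def check_table(cases=CASES):
    """Return the table rows whose expected result disagrees with whole-term matching."""
    return [(p, t) for p, t, expected in cases if term_matches(p, t) != expected]
```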

Date Related Searches

| Description | Example query |
|---|---|
| Date range | `datetime:[2021-08-29 TO 2021-08-31]` |
| Dates prior to | `datetime:[* TO 2021-08-29]` |
| Dates after | `datetime:[2021-08-31 TO *]` |
| Either side of a range | `datetime:[* TO 2021-08-29] OR datetime:[2021-08-31 TO *]` |

Now that we can handle dates in the query bar, we can start building more complex queries. This query finds all the potential Remote Desktop event log entries in the given date range:

```
data_type:"windows:evtx:record" AND event_identifier:4624 AND xml_string:"/LogonType\"\>3/" AND datetime:[2021-08-29 TO 2021-08-31]
```

Advanced search

Advanced search queries are written in JSON and give you the full power of OpenSearch. You can view your existing Query String query as an advanced OpenSearch query by clicking the "Advanced" button below the query entry field.

Full query DSL guide
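As an added illustration of what the JSON form looks like (hand-written here, not the output of the "Advanced" button or any Timesketch code), the following builds OpenSearch query DSL for the Remote Desktop example and the date-range forms from the table above. It assumes `data_type` and `xml_string` are analysed text fields (so `match_phrase` is used) and `event_identifier` is numeric (so `term` is used); a `*` bound maps to an open-ended range, and the "either side of a range" form maps to a `bool`/`should`.

```python
import json


def datetime_range(start: str, end: str) -> dict:
    """DSL for datetime:[START TO END]; '*' on either side means unbounded."""
    bounds = {}
    if start != "*":
        bounds["gte"] = start
    if end != "*":
        bounds["lte"] = end
    return {"range": {"datetime": bounds}}


def outside_range_query(start: str, end: str) -> dict:
    """DSL for datetime:[* TO START] OR datetime:[END TO *]."""
    return {
        "query": {
            "bool": {
                "should": [datetime_range("*", start), datetime_range(end, "*")],
                "minimum_should_match": 1,
            }
        }
    }


def rdp_logon_query(start: str, end: str, event_id: int = 4624, logon_type: int = 3) -> dict:
    """DSL equivalent of the Remote Desktop query-string example.

    Every clause is AND-ed, which is a bool/must in the DSL. The phrase
    'LogonType">3' matches the adjacent tokens of <Data Name="LogonType">3</Data>
    in the event's XML (assumption: xml_string is an analysed text field)."""
    return {
        "query": {
            "bool": {
                "must": [
                    {"match_phrase": {"data_type": "windows:evtx:record"}},
                    {"term": {"event_identifier": event_id}},
                    {"match_phrase": {"xml_string": f'LogonType">{logon_type}'}},
                    datetime_range(start, end),
                ]
            }
        }
    }


def to_json(query: dict) -> str:
    """Serialise the DSL exactly as it would be pasted into the Advanced box."""
    return json.dumps(query, indent=2)
```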

Saved Searches

Saved Searches are stored results of your search queries, for easier access later. A Saved Search includes not only the query but also specifics such as the displayed columns.

To save search results, run your search query, apply filters if needed, and click the "Save" button under the query field. You can then access this Search from the "Saved Searches" drop-down menu on the Explore page of your sketch.

You can further refine the data in your views by manually hiding certain events. To do so, click the small eye icon next to the event. If you have hidden events in your view, they can be un-hidden by clicking the red "Show hidden events" button in the upper right corner of your timeline.

You can save changes to your views by clicking the "Save Changes" button.

Search templates

Search templates allow quick creation of the most commonly used views. You can browse the available templates in the "Search templates" drop-down menu below the search query window on the "Explore" page.

On the "Views" page, you can quickly generate and add a view from a template to your sketch. To do so, scroll down to the template you want to use and click "Quick add".

Examples

Here are some common searches:

| Description | Example query | Comment |
|---|---|---|
| EventId 4624 and LogonType 5 | `event_identifier:4624 AND "LogonType">5"` | |
| Windows file path | `"C:\Users\foobar\Download\folder\ whitespace\filename.jpeg"` | |
| Events that have a value in a field whose name contains *comm* | `_exists_:"*comm*"` | Can be a very expensive search |

Common questions

There is a frequent question about Windows Event logs and how they are represented in Timesketch when imported from Plaso. For that, we recommend reading Common misconception about Windows EventLogs.