1. Syntax
Supported operators
Operator        Description
class_name      Restricts the search to one event class (for example File Activity or Process Activity). Every query starts with this condition.
and             Narrows the result: an event must match the preceding conditions and the new one.
or              Widens the result: an event may match either the preceding conditions or the new one.
groupby         Returns each distinct value of the given field together with the number of events carrying it.
avg             Returns the average of the field's values.
sd              Returns the standard deviation of the given field.
stats           Returns the minimum, maximum, average, sum, sum of squares, variance and standard deviation of the given field.
distinct        Returns only the distinct (unique) values.
count_distinct  Returns the number of distinct values.
count           Returns the number of log messages matching the query.
percentile      Returns percentiles of the given field.
having          Keeps only the aggregation buckets that satisfy the given condition.
Numeric operators
Operator  Description
>         Greater than.
<         Less than.
=         Equal to.
>=        Greater than or equal to.
<=        Less than or equal to.
String operators
Operator  Description
=         Equal to.
!=        Not equal to.
contains  Contains the given substring.
endswith  Ends with the given substring (used in the examples below).
2. Query language
A search follows this format:
logtype="edrevents" and class_name="ClassName" and other_conditions
where
  • class_name is one of the supported EDR event classes: File Activity, Process Activity, Network Activity, DNS Activity, Registry Key Activity, Registry Value Activity or Authentication.
  • other_conditions is any field condition specific to that event class.
Example
logtype="edrevents" and class_name="File Activity" and file.path contains "\\AppData\\Temp"
Here File Activity is the EDR event class and file.path contains "\\AppData\\Temp" is a condition. Note that backslashes inside the path value are written doubled, as in the example.
3. Query types
3a. Log retrieval queries: fetch the logs that match the given conditions
Template
logtype="edrevents" and class_name="ClassName" and numericField [>,<,=,<=,>=] "value" or stringField [contains,!=,=] "substring"
Examples
logtype="edrevents" and class_name="Network Activity" and traffic.bytes>1000000
logtype="edrevents" and class_name="DNS Activity" and query.hostname endswith ".xyz" or query.hostname endswith ".top"
When mixing and with or, bracket the alternatives as in section 8, i.e. and (query.hostname endswith ".xyz" or query.hostname endswith ".top"), so that both alternatives stay restricted to edrevents DNS Activity records.
logtype="edrevents" and class_name="Authentication" and status_id=2
logtype="edrevents" and class_name="Authentication" and status_id=2 and actor.user.name!="svc_backup"
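The filter queries above, as an added example that is not part of the original page: a small Python evaluator for the and/or/contains/endswith/comparison subset of the language, run over constructed EDR-style events. It is not Zoho's parser. The grammar is inferred from this page's examples and it assumes that and binds tighter than or, that a field absent from an event never matches (not even with !=), and that "\\" inside a quoted value is one literal backslash. With those assumptions the unbracketed DNS query matches an event that is not an edrevents record at all, which is why or-alternatives should be bracketed as in section 8.

```python
"""Evaluator for the filter part of the query language described above.

Added example, not Zoho's parser: the grammar is inferred from the queries on
this page, and three points are assumptions rather than documented behaviour:
"and" binds tighter than "or"; a field absent from an event never matches, not
even with "!="; and "\\" inside a quoted value is one literal backslash.
"""
import re

# Constructed sample events, not real telemetry. "id" exists only for the checks.
EVENTS = [
    {"id": 1, "logtype": "edrevents", "class_name": "Network Activity", "traffic": {"bytes": 2_500_000}},
    {"id": 2, "logtype": "edrevents", "class_name": "Network Activity", "traffic": {"bytes": 512}},
    {"id": 3, "logtype": "edrevents", "class_name": "DNS Activity", "query": {"hostname": "update.example.xyz"}},
    {"id": 4, "logtype": "edrevents", "class_name": "DNS Activity", "query": {"hostname": "cdn.example.com"}},
    {"id": 5, "logtype": "dnslogs", "class_name": "DNS Activity", "query": {"hostname": "tracker.example.top"}},
    {"id": 6, "logtype": "edrevents", "class_name": "Authentication", "status_id": 2, "actor": {"user": {"name": "svc_backup"}}},
    {"id": 7, "logtype": "edrevents", "class_name": "Authentication", "status_id": 2, "actor": {"user": {"name": "alice"}}},
    {"id": 8, "logtype": "edrevents", "class_name": "File Activity", "file": {"path": r"C:\Users\bob\AppData\Temp\x.exe"}},
]

# token = quoted string | number | identifier (dotted field or keyword) | operator or parenthesis
TOKEN_RE = re.compile(r'\s*(?:("(?:\\.|[^"\\])*")|(\d+(?:\.\d+)?)|([A-Za-z_][\w.]*)|(>=|<=|!=|[=<>()]))')

OPS = {
    "=": lambda a, b: a == b, "!=": lambda a, b: a != b,
    ">": lambda a, b: a > b, "<": lambda a, b: a < b,
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
    "contains": lambda a, b: b in a, "endswith": lambda a, b: a.endswith(b),
}

def tokenize(query):
    tokens, pos, query = [], 0, query.strip()
    while pos < len(query):
        m = TOKEN_RE.match(query, pos)
        if not m:
            raise ValueError(f"bad token at offset {pos}: {query[pos:pos + 10]!r}")
        pos = m.end()
        tokens.append(next(g for g in m.groups() if g is not None))
    return tokens

class Parser:
    """Recursive descent: expr := term ('or' term)*; term := factor ('and' factor)*."""
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
    def peek(self):
        return self.toks[self.i].lower() if self.i < len(self.toks) else ""
    def take(self):
        self.i += 1
        return self.toks[self.i - 1]  # IndexError on a truncated query
    def expr(self):
        node = self.term()
        while self.peek() == "or":
            self.take()
            node = ("or", node, self.term())
        return node
    def term(self):
        node = self.factor()
        while self.peek() == "and":
            self.take()
            node = ("and", node, self.factor())
        return node
    def factor(self):
        if self.peek() == "(":
            self.take()
            node = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        field, op, raw = self.take(), self.take().lower(), self.take()
        if op not in OPS:
            raise ValueError(f"unknown operator {op!r}")
        # inside quotes "\x" becomes x, so "\\AppData\\Temp" is the path fragment \AppData\Temp
        value = re.sub(r"\\(.)", r"\1", raw[1:-1]) if raw.startswith('"') else float(raw)
        return ("cmp", field, op, value)

def lookup(event, dotted):
    """Walk a dotted field name such as actor.user.name; None when any part is missing."""
    for part in dotted.split("."):
        event = event.get(part) if isinstance(event, dict) else None
    return event

def evaluate(node, event):
    if node[0] == "and":
        return evaluate(node[1], event) and evaluate(node[2], event)
    if node[0] == "or":
        return evaluate(node[1], event) or evaluate(node[2], event)
    _, field, op, value = node
    actual = lookup(event, field)
    if actual is None:
        return False  # absent field never matches (compare section 5d)
    wanted = (int, float) if isinstance(value, float) else str  # no cross-type comparisons
    return isinstance(actual, wanted) and bool(OPS[op](actual, value))

def search(query, events=EVENTS):
    """Return the ids of the events matching the filter query, in input order."""
    parser = Parser(tokenize(query))
    node = parser.expr()
    if parser.peek():
        raise ValueError(f"unexpected token {parser.peek()!r}")
    return [e["id"] for e in events if evaluate(node, e)]
```

search(query) returns the ids of the matching sample events. Under the stated precedence the unbracketed DNS query returns [3, 5], picking up the dnslogs record through the or branch, while the bracketed form returns [3]; the Authentication query with actor.user.name!="svc_backup" returns [7], and no event lacking the compared field is ever returned, which is the same effect described for groupby in section 5d.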
3b. Aggregation queries: group and categorize the logs
Template
logtype="edrevents" and class_name="ClassName" and numericField [>,<,=,<=,>=] "value" groupby fieldname timeslice number[h,d,m]
Examples
logtype="edrevents" and class_name="Process Activity" and severity_id>=3 groupby actor.process.name
logtype="edrevents" and class_name="Network Activity" and traffic.bytes>1000000 timeslice 1h
logtype="edrevents" and class_name="Network Activity" histo traffic.bytes 1000000
logtype="edrevents" and class_name="DNS Activity" and rcode_id=3 groupby device.hostname timeslice 1h
4. Aggregation queries
Aggregation queries categorize and group the data so that meaningful insights can be drawn from it. There are two kinds of aggregation: metric aggregations and bucket aggregations.
4a. Metric aggregations
  • max - the maximum value of a field
  • min - the minimum value of a field
  • sum - the sum of all values of a field
  • avg - the average value of a field
  • sd - the standard deviation of a field
  • stats - the minimum, maximum, average, sum, sum of squares, variance and standard deviation of a field
  • percentile - percentiles of a field
  • count_distinct - the number of unique values of a field
  • count - the number of documents matching the query conditions
  • top - sample values of a field
4b. Bucket aggregations
  • groupby / distinct - the unique values of a field
  • histo - groups the data into explicit ranges, or into fixed-size intervals, by the value of a field
  • timeslice - groups the data by time interval
The bucket aggregation options (sort, limit and having) are described with the groupby operator in the next section.
5. groupby operator
  • The groupby operator returns the unique values of a field.
  • groupby can be used on a field only when the groupby option is enabled for that field.
  • For a log type, the fields that can be grouped are enabled under Manage, Log Types, Edit, Filter: set "GroupBy" to "Enable".
groupby query format
logtype="edrevents" and class_name="ClassName" groupby fieldname1 sort [_field,_count] [asc,desc] limit [1-1000]
Multiple groupby query format
logtype="edrevents" and class_name="ClassName" groupby fieldname1 sort [_field,_count] [asc,desc] limit [1-1000], fieldname2, fieldname3 sort [_field,_count] [asc,desc] limit [1-1000]
Example
logtype="edrevents" and class_name="Process Activity" and activity_id=1 groupby actor.process.name
5a. groupby options
sort
  • sort can be applied to the field values (_field) or to the counts (_count).
  • By default the result is sorted by count in descending order.
  • To sort the result by value, use the keyword _field:
logtype="edrevents" and class_name="File Activity" groupby device.hostname sort _field desc
  • To sort the result by count, use the keyword _count:
logtype="edrevents" and class_name="File Activity" groupby device.hostname sort _count asc
limit
  • The default limit is 10.
  • To get more than 10 results, specify limit no_of_results.
  • At most 1000 results can be fetched in one query.
logtype="edrevents" and class_name="Process Activity" groupby actor.process.name limit 1000
having
  • having is a post-result operator: it is applied after the aggregation has been computed.
  • It filters the buckets of a bucket aggregation query by a condition.
  • The condition can also be applied to the _count field.
  • having can be used after the groupby or timeslice operators.
logtype="edrevents" and class_name="File Activity" groupby file.path having _count>1000
5b. groupby limitations
  • groupby results sorted by document count (_count) cannot be paginated.
  • groupby over string fields is limited to 100 characters; longer strings are truncated to 100 characters, so distinct values that share their first 100 characters (long file paths, for example) may not be distinguishable.
  • Inaccurate results
    • Zoho Logs indexes and queries log records with Elasticsearch (ES). ES is distributed: the data is split into multiple shards so that large volumes of records can be handled.
    • When a search executes, the query runs on every shard separately, and the per-shard responses are merged into the final result.
    • This ES behaviour causes two problems:
      • inaccurate top values
      • inaccurate document counts
    • For example, consider the query logtype="access" groupby request_uri limit 2 (the same applies to any groupby, such as groupby file.ext on EDR events). The query executes on every shard and each shard returns its own top 2 request_uri values.
    • Suppose /get has 10 documents in total, yet it is absent from the response. The final response is built only from what each shard returned, and /get was not in the top 2 of any single shard; merging the shard results yields /post - 9 and /put - 8. So an eligible candidate (field value) may not appear at the top of the result.
    • Document counts can be wrong as well. The actual document count of /put is 10 but the response shows 8, because only the shards in which /put made the top 2 contributed their counts. Clicking the count to list the logs with request_uri /put returns all 10 documents.
    • In practice: a larger limit gives every shard more candidates and makes the merge less lossy, and the exact count for one value is obtained by filtering on that value rather than reading it off the groupby table. Treat groupby counts as estimates when they feed alerting thresholds.
5c. How to fetch more than 1000 aggregation results
Note: more than 1000 values can only be retrieved with sort _field; it is not possible with sort _count.
First query
logtype="edrevents" and class_name="File Activity" groupby device.hostname sort _field asc limit 1000
Subsequent queries
logtype="edrevents" and class_name="File Activity" and device.hostname>[LAST_HOSTNAME_IN_PREVIOUS_RESULT] groupby device.hostname sort _field asc limit 1000
Example
logtype="edrevents" and class_name="File Activity" groupby device.hostname sort _field asc limit 1000
The query above fetches the first 1000 results; take the device hostname of the 1000th record (say WORKSTATION-1000). To fetch the next set, use
logtype="edrevents" and class_name="File Activity" and device.hostname>"WORKSTATION-1000" groupby device.hostname sort _field asc limit 1000
and so on, until a query returns fewer than 1000 values.
This works for string fields as well, since the comparison follows the sort order of the values:
logtype="edrevents" and class_name="File Activity" and file.path>"C:\\Windows\\Temp\\z" groupby file.path sort _field asc limit 1000
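The paging loop of 5c in code, added here as an example (it is not Zoho code). run_query stands for whatever executes a search on your side; fake_run_query is an offline stand-in over a constructed list of 2500 hostnames so that the block runs without a Logs account, and the quoting rule for values (backslash and double quote escaped with a backslash) is assumed from the examples on this page rather than documented.

```python
"""Keyset paging through more than 1000 groupby values, as section 5c describes:
sort by value, then restart each query after the last value already seen.

Added example, not Zoho code.  run_query stands in for whatever executes a
search; fake_run_query below is an offline simulation over a constructed
hostname list.  The quoting rule for values is assumed from this page's examples.
"""
import re

BASE = 'logtype="edrevents" and class_name="File Activity"'
FIELD = "device.hostname"


def quote(value):
    """Quote a value for the query language (assumed escaping: \\ -> \\\\, " -> \\")."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def page_query(base, field, after=None, limit=1000):
    """Build the query for one page; 'after' is the last value of the previous page."""
    cond = f" and {field}>{quote(after)}" if after is not None else ""
    return f"{base}{cond} groupby {field} sort _field asc limit {limit}"


def paginate(base, field, run_query, limit=1000):
    """Collect every value of 'field'.  Stops at the first short page; a last page of
    exactly 'limit' values costs one extra, empty query, which is harmless."""
    values, after = [], None
    while True:
        page = run_query(page_query(base, field, after, limit))
        values.extend(page)
        if len(page) < limit:
            return values
        after = page[-1]  # the next page starts strictly after this value


# Offline stand-in for the search backend (constructed data).
HOSTS = [f"WORKSTATION-{i:04d}" for i in range(1, 2501)]  # zero-padded: sorted() is numeric order
AFTER_RE = re.compile(re.escape(FIELD) + r'>"((?:\\.|[^"\\])*)"')
LIMIT_RE = re.compile(r"limit (\d+)$")


def fake_run_query(query):
    """Answer a page_query over HOSTS the way the engine would with sort _field asc."""
    m = AFTER_RE.search(query)
    after = re.sub(r"\\(.)", r"\1", m.group(1)) if m else ""
    limit = int(LIMIT_RE.search(query).group(1))
    return sorted(h for h in HOSTS if h > after)[:limit]


if __name__ == "__main__":
    print(page_query(BASE, FIELD, "WORKSTATION-1000"))
    print(len(paginate(BASE, FIELD, fake_run_query)), "hostnames collected")
```

paginate issues three queries for the 2500 constructed hostnames (1000, 1000 and 500 values). The loop is only correct because groupby keys are unique and because the server evaluates > in the same order it uses for sort _field; verify the paged total against an independent figure before relying on it for inventory or coverage checks.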
5d. Matched count vs groupby document count
  • In a groupby query, the total match count may not equal the sum of the document counts of the unique values (for example 10.09k != 27 + 17 + 8 + 8).
  • The total match count is the number of events that matched the criteria (logtype="edrevents" and class_name="Process Activity" and activity_id=1). It includes events in which the grouped field, actor.process.name, is not populated; those events fall into no bucket.
  • To make the two figures agree, add an actor.process.name not empty criterion to the query so that it only matches documents carrying that field. The total then equals the sum of the buckets (60 = 27 + 17 + 8 + 8).
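A simulation of the shard merge described in 5b and of the missing-field mismatch in 5d, added here as an example (it is not Zoho or Elasticsearch code). The shard contents are constructed so that the merged result reproduces the figures in the text: /post 9 and /put 8 reported, /get absent, although /get and /put each have 10 records; None marks records in which request_uri is not populated, which is what makes the match count exceed the sum of the buckets.

```python
"""Why a sharded groupby can return wrong top values and counts (section 5b),
and why the match count can exceed the sum of the buckets (section 5d).

Added example, not Zoho or Elasticsearch code: a small simulation of the merge
step described above.  The shard contents are constructed to reproduce the
/get, /post, /put figures used in the text; None stands for a record in which
the grouped field is not populated.
"""
from collections import Counter

# Three shards of an "access" index, listing the request_uri of each record.
SHARDS = [
    ["/post"] * 5 + ["/put"] * 4 + ["/get"] * 3 + [None] * 2,
    ["/post"] * 4 + ["/put"] * 4 + ["/get"] * 3 + [None],
    ["/delete"] * 5 + ["/get"] * 4 + ["/put"] * 2,
]


def shard_top(shard, limit):
    """What one shard returns for 'groupby field limit N': its own top N values."""
    return Counter(v for v in shard if v is not None).most_common(limit)


def sharded_groupby(shards, limit):
    """The coordinator's answer: merge the per-shard top lists, then cut to the limit.
    A value outside every shard's top N is lost; a value inside only some shards'
    top N is reported with only those shards' counts."""
    merged = Counter()
    for shard in shards:
        for value, n in shard_top(shard, limit):
            merged[value] += n
    return merged.most_common(limit)


def exact_groupby(shards, limit):
    """What a single-node engine would return: count over all records first."""
    return Counter(v for shard in shards for v in shard if v is not None).most_common(limit)


def match_count(shards, require_field=False):
    """Total matched records; with require_field=True only those carrying the grouped
    field, i.e. the 'field not empty' criterion from section 5d."""
    return sum(1 for shard in shards for v in shard if v is not None or not require_field)


def exact_count_for(shards, value):
    """Count for one value obtained by filtering on it, as clicking a bucket's count does."""
    return sum(1 for shard in shards for v in shard if v == value)


if __name__ == "__main__":
    print("reported:", sharded_groupby(SHARDS, 2))   # /post 9, /put 8; /get is missing
    print("actual:  ", exact_groupby(SHARDS, 3))     # /put 10, /get 10, /post 9
    print("matched:", match_count(SHARDS), "sum of buckets:", match_count(SHARDS, True))
```

With limit 2 the merge reports /post 9 and /put 8 and drops /get entirely, while exact_count_for("/put") gives the true 10; with a limit that covers every shard's distinct values (4 here) the merged and exact results coincide, which is the reason a larger limit reduces the error. match_count shows 37 matched records against 34 in the buckets, the three records without request_uri being the difference.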
6. histo operator
The histo operator groups data into fixed-size intervals, or into explicit ranges, based on the value of a field.
Examples
logtype="edrevents" and class_name="Network Activity" histo traffic.bytes 1000000 sort _count desc
The query above gives the distribution of traffic.bytes in intervals of 1000000 bytes, sorted by count in descending order.
logtype="edrevents" and class_name="Network Activity" and traffic.bytes<10000000 histo traffic.bytes 1000000
The query above gives the distribution of traffic.bytes below 10000000 bytes in intervals of 1000000 bytes.
logtype="edrevents" and class_name="Process Activity" histo severity_id 1
The query above gives the distribution of severity_id, one bucket per value.
logtype="edrevents" and class_name="Process Activity" histo severity_id 1 sort _field desc
The query above gives the distribution of severity_id sorted by value in descending order.
6a. Range queries with the histo operator
To find the distribution of Network Activity events by traffic bytes in the ranges below 1MB, 1MB to 10MB, 10MB to 100MB and above 100MB, use
logtype="edrevents" and class_name="Network Activity" histo traffic.bytes range(1000000, 1000000 to 10000000, 10000000 to 100000000, 100000000)
To count requests with traffic below 1MB, from 1MB to 10MB and above 10MB:
logtype="edrevents" and class_name="Network Activity" histo traffic.bytes range(1000000, 10000000)
To count requests with traffic from 1MB to 10MB and from 10MB to 100MB:
logtype="edrevents" and class_name="Network Activity" histo traffic.bytes range(1000000 to 10000000, 10000000 to 100000000)
7. timeslice operator
The timeslice operator groups logs into slices of the specified length. The supported units are d (day), h (hour) and m (minute).
Example
logtype="edrevents" and class_name="File Activity" timeslice 5m
The query above gives the distribution of logs over 5-minute slices.
7a. Sorting with the timeslice operator
To sort by time slice or by count, use
logtype="edrevents" and class_name="File Activity" timeslice 5m sort _count
logtype="edrevents" and class_name="File Activity" timeslice 5m sort _field desc
8. Combined queries
Several conditions can be combined, as in the following examples.
Simple query: every condition must match.
logtype="edrevents" and class_name="File Activity" and file.path contains "\\AppData\\Temp" and actor.process.user.type_id=3
Bracketed alternatives: returns the events matching any one of the bracketed conditions.
logtype="edrevents" and class_name="Process Activity" and (activity_id=1 or activity_id=2 or activity_id=4)
SUM(), MIN(), MAX(), AVG()
These operators return the sum, minimum, maximum and average of a numeric field in the logs.
logtype="edrevents" and class_name="Network Activity" MAX(traffic.bytes) MIN(traffic.bytes) SUM(traffic.bytes) AVG(traffic.bytes)
distinct
distinct returns a table containing only the unique values of the field.
logtype="access" DISTINCT zuid
sd
To find the standard deviation of a field, use
logtype="access" sd(time_taken)
stats
To get the minimum, maximum, average, sum, sum of squares, variance and standard deviation of a field, use
logtype="edrevents" and class_name="Network Activity" stats(traffic.bytes)
percentile
A percentile divides the data points, sorted in ascending order, into 100 equal parts. The 25th percentile is the value below which 25% of the data lies, the 50th percentile is the median, and the 75th percentile is the value below which 75% of the data lies.
logtype="edrevents" and class_name="Network Activity" percentile(traffic.bytes)
logtype="edrevents" and class_name="Network Activity" percentile(traffic.bytes percents(5,10,20,25,50,99,100))
By default the percents are (1, 5, 25, 50, 75, 95, 99, 100).
Old percentile format
logtype="edrevents" and class_name="Network Activity" percentile(traffic.bytes) percents(5,25,50)
New percentile format
logtype="edrevents" and class_name="Network Activity" percentile(traffic.bytes percents(5,25,50))
Note: from search version 2 onwards, only the new percentile format is supported.
count_distinct
count_distinct returns only the number of unique values.
logtype="edrevents" and class_name="File Activity" COUNT_DISTINCT(device.hostname)
Note: the result of count_distinct is approximate, because an exact distinct count is expensive to compute. Where the exact figure matters, fetch the values with groupby (subject to its own limits) rather than relying on count_distinct.
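A textbook HyperLogLog sketch, added here to show why a distinct count can be cheap only if it is approximate; it is an illustration, not Zoho's implementation, and the hostnames are constructed. A fixed array of 4096 small counters estimates the number of distinct hostnames to within a few percent, and sketches built on different shards merge by element-wise maximum, whereas an exact count would have to hold every distinct value and ship those sets between shards.

```python
"""Why count_distinct is approximate: a sketch instead of an exact set.

Added example, not Zoho code.  An exact distinct count has to keep every value
seen (and merge those sets across shards); a HyperLogLog sketch keeps a fixed
array of small counters and merges shard sketches by element-wise maximum,
with a relative error of about 1.04/sqrt(registers).  This is the textbook
algorithm, not necessarily the sketch Zoho Logs uses.
"""
import hashlib
import math

P = 12                  # 2**12 = 4096 registers: about 1.6 % standard error, 4 KB per sketch
M = 1 << P
ALPHA = 0.7213 / (1 + 1.079 / M)


def _hash64(value):
    return int.from_bytes(hashlib.sha256(value.encode()).digest()[:8], "big")


def hll_add(registers, value):
    """Record one value: its first P hash bits pick a register, which keeps the
    largest 'position of the first 1-bit' seen in the remaining 64-P bits."""
    h = _hash64(value)
    idx = h >> (64 - P)
    rest = h & ((1 << (64 - P)) - 1)
    rho = (64 - P) - rest.bit_length() + 1  # 1-based position of the leading 1-bit
    if rho > registers[idx]:
        registers[idx] = rho


def sketch(values):
    registers = [0] * M
    for v in values:
        hll_add(registers, v)
    return registers


def hll_merge(a, b):
    """Union of two sketches, e.g. from two shards: element-wise maximum."""
    return [max(x, y) for x, y in zip(a, b)]


def hll_count(registers):
    """Cardinality estimate with the small-range (linear counting) correction."""
    estimate = ALPHA * M * M / sum(2.0 ** -r for r in registers)
    zeros = registers.count(0)
    if estimate <= 2.5 * M and zeros:
        estimate = M * math.log(M / zeros)
    return round(estimate)


# Constructed hostnames: 50000 distinct values.
HOSTS = [f"host-{i}.corp.example" for i in range(50_000)]


if __name__ == "__main__":
    whole = sketch(HOSTS)
    merged = hll_merge(sketch(HOSTS[:30_000]), sketch(HOSTS[20_000:]))  # overlapping shards
    print(hll_count(whole), hll_count(merged), "estimated for 50000 distinct hostnames")
```

Merging the two overlapping shard sketches yields exactly the sketch of the whole list, so the union is counted once rather than 30000 + 30000, and the estimate lands within a few percent of 50000 while the registers occupy 4 KB regardless of how many hostnames were seen. That trade is what the note above describes: the count is cheap to compute and to merge across shards precisely because it is not exact.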
count
count at the end of a query returns the total number of log messages matching the query's constraints.
logtype="edrevents" and class_name="DNS Activity" and query.hostname contains "malware" count
top
Consider the case where you need the average traffic.bytes and a sample dst_endpoint.ip for each network status_id.
logtype="edrevents" and class_name="Network Activity" avg(traffic.bytes) top(dst_endpoint.ip) groupby status_id
logtype="edrevents" and class_name="Network Activity" avg(traffic.bytes) top(dst_endpoint.ip,src_endpoint.ip sort dst_endpoint.ip desc limit 2) groupby status_id

Note:

  • To perform a top aggregation, the field must have groupby support.
  • The maximum limit that can be specified for the top operator is 10.
  • With the limit option, field values may repeat, because several logs can carry the same value.
Note: check with the Logs team before using this operator.
Combining groupby and aggregations
The following query produces a grouped table with additional columns for the aggregated values.
logtype="edrevents" and class_name="Network Activity" MAX(traffic.bytes) MIN(traffic.bytes) GROUPBY device.hostname
Combining timeslice and aggregations
The following query produces a timesliced table with additional columns for the aggregated values.
logtype="edrevents" and class_name="Network Activity" AVG(traffic.bytes) MIN(traffic.bytes) MAX(traffic.bytes) timeslice 1h
Combining groupby and timeslice
The following query produces a timesliced table with an additional column for the groupby values.
logtype="edrevents" and class_name="File Activity" groupby file.ext timeslice 1m
Multiple groupby
The following query produces a table with several groupby fields.
logtype="edrevents" and class_name="File Activity" GROUPBY device.hostname,class_name,activity_name
Combining groupby and having
To filter the grouped values by a condition on their counts, use the having operator.
Note: the having operator does not work with the less-than operator.
logtype="edrevents" and class_name="Process Activity" groupby actor.process.name having _count>100
logtype="edrevents" and class_name="Process Activity" groupby actor.process.name having _count>100000 sort _count
logtype="edrevents" and class_name="Process Activity" groupby actor.process.name having _count>100000 sort _field desc
9. Aliases for metric aggregations
A metric aggregation value can be given an alias for readability.
Template
MetricAggregationName(FieldName (options)) as aliasName
Examples
logtype="edrevents" and class_name="Network Activity" avg(traffic.bytes) as average max(traffic.bytes) as "Maximum Bytes" min(traffic.bytes) as "Minimum Bytes"
logtype="edrevents" and class_name="Network Activity" percentile(traffic.bytes percents(100)) as "max" max(traffic.bytes)
logtype="edrevents" and class_name="File Activity" avg(severity_id) as "Average Severity"
An alias can also be used for sorting in bucket aggregations.
logtype="edrevents" and class_name="Network Activity" avg(traffic.bytes) as "Average Bytes Transferred" groupby dst_endpoint.ip sort "Average Bytes Transferred"
Note: enclose the alias in double quotes if it starts with an uppercase letter or a digit, contains spaces, or is a reserved keyword.
10. Limitations on query constraints
  • The count operator can only be used at the end of the query; no further criteria or aggregation operators may follow it.
  • count and count_distinct cannot be used in the same query.
11. Sorting by aggregated values
To sort dst_endpoint.ip by average traffic.bytes, use
logtype="edrevents" and class_name="Network Activity" groupby dst_endpoint.ip sort avg(traffic.bytes) desc
The query above can be combined with the having operator to filter the result further.
logtype="edrevents" and class_name="Network Activity" groupby dst_endpoint.ip having _count>1000 sort avg(traffic.bytes) desc
Sorting can also be applied with multiple groupby fields.
logtype="edrevents" and class_name="Network Activity" groupby status_id sort avg(traffic.bytes), dst_endpoint.ip sort avg(traffic.bytes)
12. More search query use cases
Retrieve Process Activity events
logtype="edrevents" and class_name="Process Activity"
Get the access details of a particular application server
logtype="access" and _zl_host="127.0.0.1" and account="sas"
Get the access details of a particular group of application servers
logtype="access" and (group_name="Pre-Mail" or group_name="IMAP" or group_name="SMTPIN")
Get the access details of a particular user
logtype="access" and zuid="5873965"
Compute the total bytes transferred in Network Activity
logtype="edrevents" and class_name="Network Activity" sum(traffic.bytes)
Extract the list of unique processes per device
logtype="edrevents" and class_name="Process Activity" DISTINCT(actor.process.name) GROUPBY device.hostname
Get the sum of traffic bytes per destination IP
logtype="edrevents" and class_name="Network Activity" sum(traffic.bytes) GROUPBY dst_endpoint.ip
Retrieve the maximum and minimum traffic bytes per device
logtype="edrevents" and class_name="Network Activity" MAX(traffic.bytes) MIN(traffic.bytes) GROUPBY device.hostname
Extract the unique file paths per process UID
logtype="edrevents" and class_name="File Activity" DISTINCT(file.path) GROUPBY actor.process.uid
Extract the most frequently accessed file extensions
logtype="edrevents" and class_name="File Activity" COUNT(file.ext) GROUPBY file.ext
Extract the unique destination hostnames per device
logtype="edrevents" and class_name="Network Activity" DISTINCT(dst_endpoint.hostname) GROUPBY device.hostname
Extract Network Activity events by severity level (2 to 6), one query per level
logtype="edrevents" and class_name="Network Activity" and severity_id=2
logtype="edrevents" and class_name="Network Activity" and severity_id=3
logtype="edrevents" and class_name="Network Activity" and severity_id=4
logtype="edrevents" and class_name="Network Activity" and severity_id=5
logtype="edrevents" and class_name="Network Activity" and severity_id=6
or all of these levels in one query using the numeric range operators: logtype="edrevents" and class_name="Network Activity" and severity_id>=2 and severity_id<=6
Get the number of unique devices that accessed files in system32
logtype="edrevents" and class_name="File Activity" AND file.path contains "\\system32" COUNT_DISTINCT(device.uid)
Get the unique device hostnames that accessed files in system32
logtype="edrevents" and class_name="File Activity" AND file.path contains "\\system32" groupby device.hostname
Get the number of unique destination IPs of high-volume connections (traffic.bytes > 10MB)
logtype="edrevents" and class_name="Network Activity" AND traffic.bytes>10000000 COUNT_DISTINCT(dst_endpoint.ip)
Get the unique destination IPs of high-volume connections (traffic.bytes > 10MB)
logtype="edrevents" and class_name="Network Activity" AND traffic.bytes>10000000 groupby dst_endpoint.ip
Get traffic.bytes statistics for Network Activity originating from powershell
logtype="edrevents" and class_name="Network Activity" AND actor.process.name="powershell.exe" MAX(traffic.bytes) MIN(traffic.bytes)
Get the time distribution of Process Activity, for example per day, per 5 hours or per 3 minutes (timeslice 1d, 5h or 3m)
logtype="edrevents" and class_name="Process Activity" AND actor.process.name="powershell.exe" timeslice 1d
Advanced aggregation query
query_string groupby groupby_field sort sort_over_criteria sorting_order limit limit_value
where
  • query_string is an ordinary query.
  • groupby_field is the field on which the groupby is applied.
  • sort_over_criteria selects whether to sort on the value or on the value count: _field sorts on the value, _count on the value count.
  • sorting_order is asc or desc.
  • limit_value is the maximum number of aggregation results.
13. Recent and saved search queries
Recent search queries can be reused; they are listed to the left of the search box.
Search queries can also be saved for later use.
