Getting started with SOL
This tutorial walks you through writing your first SOL queries. By the end, you'll be able to search events, filter results, and save queries for reuse.
Accessing the Query Builder
- Navigate to Investigate > Queries in the main navigation
- The Query Builder opens in code mode by default, ready for SOL queries
For more details on the Query Builder interface, see Discover the Query Builder.
Selecting a datasource
Every SOL query starts with a datasource name. The datasource determines what data you are querying.
The most commonly used datasources are:
| Datasource | Description |
|---|---|
| events | Security events and logs |
| alerts | Security alerts and detections |
| cases | Security incidents and cases |
For the full list of available datasources and their properties, see the Datasources reference.
Your first query
Let's start with a simple query to retrieve recent events:
events
| limit 10
This returns 10 events in no particular order. Now let's add a time filter and select specific columns:
events
| where timestamp > ago(1h)
| select timestamp, host.name, source.ip, event.action
| limit 100
This query:
- Starts from the events datasource
- Filters to events from the last hour using where and ago()
- Selects only the columns we care about with select
- Limits the output to 100 rows
Click Run (or press the keyboard shortcut) to execute your query.
Adding conditions
You can combine multiple conditions with and and or:
events
| where timestamp > ago(24h) and (event.category == 'authentication' or event.category == 'network')
| where action.outcome == 'failure'
| select timestamp, source.ip, user.name, event.category, action.outcome
| order by timestamp desc
| limit 100
This query filters events from the last 24 hours where the category is either authentication or network, and the outcome is failure. Note that chaining multiple where operators on separate lines is equivalent to combining them with and.
Counting rows
Use the count operator to get the total number of matching rows:
events
| where timestamp > ago(24h) and event.category == 'authentication'
| count
This returns a single row with the total number of authentication events in the last 24 hours.
Aggregating data
Use aggregate to group rows by a column and perform calculations per group:
events
| where timestamp > ago(24h)
| aggregate count() by source.ip
| order by count desc
| limit 20
Unlike count which returns one total, aggregate count() by groups rows and returns a count for each unique value. Here, it counts events per source IP over the last 24 hours, sorted by the most active IPs:
| source.ip | count |
|---|---|
| 192.168.1.42 | 1204 |
| 10.0.0.15 | 873 |
| 172.16.5.8 | 412 |
| 10.0.0.22 | 98 |
For more aggregation patterns, see How to aggregate data.
Filtering your results
The where operator is the primary way to filter data in SOL. You can use:
- Comparison operators: ==, !=, >, <, >=, <=
- String operators: contains, startswith, endswith (add ~ for case-insensitive matching)
- Set membership: in with a list of values
- Negation: not before any condition
events
| where timestamp > ago(24h)
| where user.name contains 'admin'
| where not source.ip in ['10.0.0.1', '10.0.0.2']
| limit 100
For the complete list of operators, see the Operators reference.
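As an added example (not a query from the original page or from Sekoia's documentation), the following query puts the filtering operators above together with the aggregate pattern from the Aggregating data section. It narrows events to failed authentications from the last 24 hours, drops two source addresses you already trust, and then counts the remaining failures per source IP so the noisiest sources surface first. The field names (event.category, action.outcome, source.ip) are the ones used elsewhere on this page; the two excluded addresses are constructed placeholders, and whether your datasource populates exactly these fields depends on the events you ingest.

```sol
events
| where timestamp > ago(24h)
| where event.category == 'authentication' and action.outcome == 'failure'
| where not source.ip in ['10.0.0.1', '10.0.0.2']
| aggregate count() by source.ip
| order by count desc
| limit 20
```

Because consecutive where operators are equivalent to joining their conditions with and, the three filters could be written on a single line; keeping them separate makes it easier to remove or adjust one condition while you tune the query. Expanding the exclusion list as you confirm benign sources (for instance an internal vulnerability scanner) is the usual way to keep the top of this list meaningful.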
Saving and reusing queries
Once you've written a useful query, you can save it for later reuse:
- Edit the query title to give it a descriptive name
- Click Save in the Query Builder toolbar
- Your saved queries are accessible from the Queries list
Saved queries can also be used as the basis for dashboard widgets.
For more details, see Create and manage queries.
Related articles
Getting Started & Overview
- SOL Overview: Sekoia Operating Language overview.
- SOL Best Practices: Best practices to use SOL effectively.
User Guides
- Create and Manage Queries: Create and manage queries using SOL.
- SOL How-to Guides: Learn how to use the main functions of SOL to reach your goals (aggregate data, join tables, use external data, build a query library...).
- SOL Query Examples: Get inspiration from our examples.
- SOL Datasets: Discover the CSV import feature that enables SOC analysts to enrich security investigations by importing external data sources directly into the SOL query environment.
Technical Reference
- SOL Data Sources Reference: Technical references to access security data within the Sekoia platform thanks to SOL.
- SOL Functions Reference: Reference article regarding functions used in SOL.
- SOL Operators Reference: Reference article regarding operators used in the SOL language.