Given the database of log records, the analyst could use SQL queries to search for relevant records. SawQL (pronounced SAW-quill) is our extension to SQL designed specifically to express a sysadmin's hypothesis about an attack with maximum flexibility, abstracting the schema and join semantics of the underlying database. SawQL is oriented towards extracting sequences of logged event records correlated either temporally or on variables corresponding to common record fields such as hostnames, IP addresses, ports, and user names.
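To make the "schema and join semantics" concrete, here is an added example (not SawQL and not code from the paper) that states one such hypothesis in plain SQL over an in-memory SQLite table: a run of failed logins from one source address followed, within a time window, by a successful login from that same address. The join on `src_ip` is the correlation on a shared record field, and the predicate on `ts` is the temporal correlation; the table name, column names, sample records and thresholds are all constructed for illustration and are assumptions, not anything the paper defines.

```python
"""Correlating log records with plain SQL: an illustrative example, not SawQL.

A hypothesis of the form "at least N failed logins from one source address,
then a success from the same address within W seconds" becomes a self-join on
the shared field plus a temporal bound. The schema, records and thresholds
below are constructed for this example.
"""
import sqlite3

# Constructed sample records: (epoch seconds, host, source IP, user, outcome)
SAMPLE_EVENTS = [
    (1000, "web01", "10.0.0.5", "alice", "fail"),
    (1003, "web01", "10.0.0.5", "alice", "fail"),
    (1007, "web01", "10.0.0.5", "alice", "fail"),
    (1012, "web01", "10.0.0.5", "alice", "success"),
    (1050, "web02", "10.0.0.9", "bob", "fail"),
    (1900, "web02", "10.0.0.9", "bob", "success"),   # success far outside the window
    (2000, "db01", "10.0.0.7", "carol", "success"),  # success with no preceding failures
]

# Assumed schema for the example; a real log store would differ.
SCHEMA = """
CREATE TABLE auth_events (
    ts      INTEGER NOT NULL,  -- event time, epoch seconds
    host    TEXT    NOT NULL,
    src_ip  TEXT    NOT NULL,
    user    TEXT    NOT NULL,
    outcome TEXT    NOT NULL   -- 'fail' or 'success'
);
"""

# The hypothesis as SQL. For each successful login s, count failures f from the
# same src_ip (the correlated variable) that precede it by at most :window
# seconds (the temporal correlation). Keep successes with enough failures.
QUERY = """
SELECT s.ts, s.host, s.src_ip, s.user, COUNT(f.ts) AS prior_failures
FROM auth_events AS s
JOIN auth_events AS f
  ON f.src_ip = s.src_ip
 AND f.outcome = 'fail'
 AND f.ts < s.ts
 AND f.ts >= s.ts - :window
WHERE s.outcome = 'success'
GROUP BY s.ts, s.host, s.src_ip, s.user
HAVING COUNT(f.ts) >= :min_failures
ORDER BY s.ts;
"""


def load_events(events):
    """Build an in-memory database holding the given records."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO auth_events VALUES (?, ?, ?, ?, ?)", events)
    conn.commit()
    return conn


def find_failures_then_success(conn, window=60, min_failures=3):
    """Return (ts, host, src_ip, user, prior_failures) rows matching the hypothesis."""
    params = {"window": window, "min_failures": min_failures}
    return conn.execute(QUERY, params).fetchall()


def run_example(events=SAMPLE_EVENTS, window=60, min_failures=3):
    """Load the constructed records and evaluate the hypothesis against them."""
    conn = load_events(events)
    try:
        return find_failures_then_success(conn, window, min_failures)
    finally:
        conn.close()


if __name__ == "__main__":
    # Only alice's login at ts=1012 has three failures from 10.0.0.5 within 60 s.
    for row in run_example():
        print(row)
```

Changing `window` or `min_failures` changes which sequences qualify, which is exactly the kind of knob a hypothesis language needs to expose; the point of the example is how much join and schema detail has to be spelled out by hand for even one two-step sequence.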