Work with the Search Editor

Use the search editor to perform both simple and complex searches based on one or more artifacts. The search editor has a range of features for customizing and executing searches. For details on navigating and using the search results (including adding artifacts to your search as you go), see Drill Down in Search Results.
  • Open the search editor.
    AutoFocus defaults to the last search mode used by the user.
  • Begin a new simple mode search.
    If the search is in advanced mode, you can switch to Simple Mode.
    To create a simple mode search condition, select from the frequently used conditions in the drop-down menus. Should you need to run a search using other variables, you must define the scope and value in the Advanced search:
    1. Configure your search by selecting the desired search variables from the drop-down menus. You can select from the following categories: Verdict, Seen, Source, Tags, and IOC (indicators of compromise).
      AutoFocus automatically refreshes after each variable is selected or modified.
      • Search by Verdict—Select from Malware, Grayware, Benign, Phishing, and Any Verdict to search the data set based on a verdict.
      • Search by First Seen and Time—First configure the search to include samples based on when they were First Seen (the time stamp of when the sample was first forwarded or uploaded to WildFire for analysis) or by Time (the time stamp of when the session started), then set the search to display data for the last 1, 7, 30, 90, or 180 days. You can also set the search to display all data by setting the time range to Any Time.
        The time setting does not filter the scope (My Samples (private), Public Samples, or All Samples (private and public samples)) of the sample data set.
      • Search by Source—Select from Firewall, Proofpoint, Traps, Magnifier, Manual API, Traps Android, WF Appliance, and Any Source to filter the data set based on the upload source.
      • Search by Tag—Select from a list of tags, tag classes, or tag groups. Alternatively, you can filter the list of tags by entering a keyword to search for samples associated with a tag.
      • Search by IOC—Search based on the following indicators of compromise: Hash, IP Address, Domain, URL, User Agent, Email Address, and Filename.
      • Apply a Saved Search—Select a Saved Search setting to quickly execute a search based on preconfigured saved search conditions.
    2. If you want to add other conditions to the search, you can switch to Advanced mode. Switching to advanced mode retains the condition values selected in simple search mode. From here, you can add search conditions that are not available in simple search mode. For more details on using the advanced mode search, refer to Begin a new advanced search.
      If you add search conditions that are not available in Simple mode, you will be prompted to reset your search.
  • Begin a new advanced search.
    To create a search condition, choose the type of artifact you want to find and define the scope and value:
    1. Select one of the Artifact Types from the drop-down to perform a search of global threat data based on that artifact type.
      Start typing the name of the artifact type to narrow down the list of options.
    2. Select an operator for the search condition.
      The operator determines the scope of search results; you can use the operator to limit or expand potential results, or to return exact match results. Search Operators and Values vary depending on the type of artifact you select.
      You can use the operator to create negative search conditions. Use negative operators such as is not or is not in the list to return more granular search results that exclude samples or sessions that match the negative condition.
    3. Enter or select a value to define the search condition. Depending on the artifact type and operator selected, you may be able to choose from predefined values, or you might be required to enter an exact value to perform the search.
      Learn more about Search Operators and Values.
      If you are attempting to select a value from a pre-populated drop-down, and the drop-down appears to be loading for a long period of time, try clearing your browser cache.
  • Add more search conditions.
    • Plus icon: Add conditions to your search.
      You can add up to 300 search conditions to a single search.
    • Minus icon: Remove conditions from your search.
  • Narrow or broaden your search.
    Match results to all or any of the defined search conditions:
    • Narrow search results by selecting All. Search results are only returned for samples that match all conditions.
    • Broaden search results by selecting Any. Search results are returned for samples that match one or more conditions.
  • Add a child query.
    A child query is a condition or a set of conditions nested within and used to qualify a parent query. A child query is evaluated only against the parent query to which it is added. Add a child query to return more granular search results, where the results must match both the parent query and the child query.
    The following example shows a child query added to the Email Subject condition. Search results will be returned for samples where the following is true:
    • The sample was first seen before March 13, 2015.
    • The email subject for the sample file contained the word test and received a WildFire verdict of either malware or grayware.
    You can only add up to 4 levels of child queries nested under parent queries.
  • Add a parent query.
    Click Add Parent Query to nest a search condition under the preceding condition. AutoFocus then only evaluates the nested search condition against the parent condition.
    In the following example, click Add Parent Query to nest the First Seen condition under the WildFire Verdict condition. Search results will be returned for samples where any of the following conditions is true:
    • The sample received a WildFire verdict of malware and was first seen before July 1, 2016.
    • The sample is an Adobe Flash file.
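    The All/Any matching and the nesting semantics of the child and parent query examples above, as an added illustration that is not part of the original documentation or of the AutoFocus product: a small evaluator that applies a nested query to constructed sample records. Field names (first_seen, email_subject, verdict, file_type) and the query structure are assumptions made for this example, not AutoFocus API fields or its request format.

```python
from datetime import date
MAX_DEPTH = 4  # the editor allows at most 4 levels of child queries under a parent

OPERATORS = {  # a subset of the editor's operators, including one negative operator
    "is": lambda actual, v: actual == v,
    "is not": lambda actual, v: actual != v,
    "contains": lambda actual, v: actual is not None and v in actual,
    "is in the list": lambda actual, v: actual in v,
    "before": lambda actual, v: actual is not None and actual < v,
}

def evaluate(query, sample, depth=0):
    """query = {"match": "all"|"any", "conditions": [...]}; a leaf is (field, op, value)."""
    if depth > MAX_DEPTH:
        raise ValueError("more than 4 levels of nested child queries")
    def hit(cond):
        if isinstance(cond, dict):  # nested child query: evaluated only within this parent
            return evaluate(cond, sample, depth + 1)
        field, op, value = cond
        return OPERATORS[op](sample.get(field), value)
    hits = map(hit, query["conditions"])  # lazy, so all()/any() short-circuit
    return all(hits) if query["match"] == "all" else any(hits)

def matching(query, samples):  # indexes of the samples the query returns
    return [i for i, s in enumerate(samples) if evaluate(query, s)]

# Child query example from the text: the verdict list qualifies the Email Subject condition.
CHILD_QUERY_EXAMPLE = {"match": "all", "conditions": [
    ("first_seen", "before", date(2015, 3, 13)),
    {"match": "all", "conditions": [
        ("email_subject", "contains", "test"),
        ("verdict", "is in the list", ["malware", "grayware"]),
    ]},
]}

# Parent query example from the text: First Seen nested under WildFire Verdict, matched with Any.
PARENT_QUERY_EXAMPLE = {"match": "any", "conditions": [
    {"match": "all", "conditions": [
        ("verdict", "is", "malware"),
        ("first_seen", "before", date(2016, 7, 1)),
    ]},
    ("file_type", "is", "Adobe Flash"),
]}

# Constructed sample records; field names are illustrative, not AutoFocus API fields.
SAMPLES = [
    {"verdict": "malware", "first_seen": date(2015, 1, 5), "email_subject": "test invoice", "file_type": "PE"},
    {"verdict": "benign", "first_seen": date(2014, 6, 1), "email_subject": "test", "file_type": "PE"},
    {"verdict": "grayware", "first_seen": date(2016, 8, 9), "email_subject": "hello", "file_type": "Adobe Flash"},
]
```

    Only the first record satisfies the child query example (the second fails the verdict list, the third the date), while the first and third satisfy the parent query example through different Any branches.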
  • Adjust search condition placement.
    Move Up or Move Down search conditions to move conditions to or from a child query. Depending on the placement of a condition, you can move it up or down to include it in a child query. You can also move a condition up or down to remove it from a child query so that it is no longer a nested condition.
    Alternatively, you can move a search condition using the keyboard. Placing the cursor over the left edge of a condition displays a directional icon. Click the icon next to the condition or condition group you want to move and then use the keyboard arrows to change the placement. Depending on the location of the condition, you can also create child and parent queries by pressing the right arrow key. Exit the keyboard movement mode by pressing the escape key or by clicking the selected condition.
  • Disable a search condition.
    Disable a condition to temporarily remove it from a search. This option provides the flexibility to temporarily adjust your search parameters, and then quickly and easily add the condition back to your search if necessary.
    Disabled search conditions are grayed out.
    To enable a search condition that was previously disabled, select the ellipses icon for that condition and select Enable.
  • Start a new search from your current search.
    Start a New Search for any of the search conditions of an existing search. The new search launches in a separate browser window.
  • Add a search condition to a remote search.
    This is one way to add search conditions that define which artifacts to find remotely in a Palo Alto Networks® next-generation firewall, Panorama, or third-party log management system when you Set Up Remote Search.
    This option is only available for SHA256 hash, IP address, user agent, filename, or URL search conditions.
  • Add recent or frequently used conditions to a search.
    Select the Show Search History icon and add Recently used or Most used search conditions to your search.
  • Save a search.
    Save searches that you perform on a regular basis, or that you want to recreate quickly later:
    Click the Save Search icon, enter a name and description to identify the saved search when using it later, and save the search.
  • Use a saved search.
    Open Saved Search to view an alphabetical list of previously saved searches, and click the spyglass icon to add a saved search to the search editor.
  • Tag a search.
    Click Tag Results to create a tag based on search conditions. Tags can be used to define a set of conditions that indicate an important network event or a possible or known threat.
    Tag a search so you can easily identify and track any existing or future samples that match the search.
    When you Create a Tag, give the tag a recognizable name and description. Select Tags on the navigation pane to manage tags you have created and to view all tags.
  • Export a search.
    You can export a search to share it between support accounts or with another AutoFocus security expert.
    • After setting up a search and viewing search results, select Export Search.
    • Copy the search filters.
    • Paste the search filters into a local file or send the filters to another user.
  • Import a search.
    Click Import Search to paste and import a previously exported query or a query shared by another AutoFocus security expert.
  • Start a remote search.
    Start a Remote Search to look for artifacts in a Palo Alto Networks firewall, Panorama, or third-party log management system. View more details on how to Set Up Remote Search.
    This feature is supported with firewalls running PAN-OS 7.1 or later release versions.
  • Create a MineMeld miner based on the search.
    When the MineMeld app is running, click Create MineMeld Miner to send artifacts from the sample search results to MineMeld (refer to Forward AutoFocus Indicators to MineMeld).
  • View the API request for a sample or session search.
    Click the >_API link in the Samples or Sessions tab of the search editor to view the API request for initiating the current search. The API request is formatted in cURL and Python (see more information about using the AutoFocus API to perform a search).