How to Search - Administrator Guide - 6.5 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product
Cortex XSOAR
Version
6.5
Creation date
2022-09-28
Last date published
2024-03-21
End_of_Life
EoL
Category
Administrator Guide
Abstract

Search Cortex XSOAR using Lucene query syntax, the search box, or general search.

Cortex XSOAR comes with a very powerful search capability. You can search for data in Cortex XSOAR in the following ways:

  • Using the Search Query: searches for information using the Bleve query syntax, similar to Lucene query syntax. The search query appears in the Indicators, Incidents, Jobs, Playbooks, Automation, and the Evidence Board pages. For example, to search for all incidents that have the status as pending and are critical, type status:Pending and severity:Critical.

    incident-search-advanced.png
  • Using the search box: searches for incidents, entries, evidence, investigations, and indicators in Cortex XSOAR. The search box appears in the top right hand corner in every page. You can either type free text or search using the search query format (use the arrow keys to assist you in the search). For example, incident.severity:Low searches for all incidents that have low in the severity category.

    incident-search.png
  • Using a general search. For example, when searching for a table in the Users tab, searching for a widget, or a task in a playbook, etc.

Using the Search Query

The search follows the Bleve query syntax. Bleve query syntax is similar to Lucene query syntax, but with some differences, such as query syntax for numeric ranges and date ranges. The search is performed on certain pages such as incidents, indicators, etc., or the entire data (titles, entries, chats, etc.).

To explicitly use the following characters in a search query, place them within double quotes. An escape character \ is not required.

&&, ||, !, {, }, [, ], (, ), ~, *, ?

To explicitly use the following characters in a search query, place them within double quotes and use an escape character \.

\, \n, \t, \r, ", ^, :, comma, and space

Basic syntax of the search

You can add some of the following inputs, when searching for data:

Input

Description

Add text

Type any text. The results show all data where one of the words appears. For example, the search low virus returns all data where either the string, low or the string, virus appears.

and

Searches for data where all conditions are met. For example, status:Active and severity:High finds all incidents with an active status that have a high severity.

or

Searches for data where either conditions are met. For example, status:Pending and severity:High or severity:Critical finds all incidents with a pending status and with severity high or critical.

*

?

Wildcard search: * and ? should be used when searching for partial strings. For example, when searching for all scripts that start with AD, use AD**. If you need to search for a script which contains "get", search for *get*.

“”

An empty value.

-

Excludes from any search. For example in the Incidents page the -status:closed -category:job searches for all incidents that are not closed and for categories other than jobs.

“me”

Filters incidents by a user’s Cortex XSOAR account. For example, owner:{me} will display all incidents where I am the owner. It can also be used for other fields such as createdBy:{me} which will display all incidents I created.

Relative time. For example, “today”, “half an hour ago”, “1 hour ago”, “5 minutes ago”, “10 days ago”, “5 seconds ago”, “five days ago”, “a month ago”, "in 1 year", etc.

Relative time in natural language can be used in search queries. Time filters - < and > can be used when referring to a specified time, such as dueDate:>="2018-03-05T00:00:00 +0200".

Note

The timezone for searches is UTC. The system timezone is not used.

When adding some fields, such as Occurred you can enter the date from the calendar. You can also filter the date when the results are displayed.

You can also search using Regex. To use Regex, you need to use the value “//”. For example, to search for indicator values that contain www and end with .com, type: value: "/w{3}..*.com/". This returns values such as www.namecheap.com, www.kloshpro.com, etc.

To search for indicator values that contain lower-upper a-z letters and 0-9 numbers with a length of 32, type: value:"/[a-zA-Z0-9]{32}/". This returns values such as 775A0631FB8229B2AA3D7621427085AD, 87798e30ca72f77abe624073b7038b4e, etc.