Native Search
To search across all available logs and data in Cortex
XDR, you can use the text-based Native Search.
The Native
Search is available on the top right of the Query Builder.
To facilitate simple and complex text-based queries, you can
enter fields based on the log’s metadata hierarchy (core fields, vendor fields,
or log types), the operator, the field value,
and the timeframe. For simplicity, the Native Search provides auto-completion, based
on the known log fields, as you type. You can also use Regex (except
with IP addresses and ranges) and wildcards in your queries,
and can string together multiple queries using AND or OR.
For examples of text-based queries, see Native Search Examples.
Core Fields for Native Search
When you specify core fields without any other search
criteria, the Native Search queries the field value across all data
and logs that contain that field type. To further refine the results
and specify context, you can combine core fields with other criteria
such as vendor or log type. You can build queries
in Native Search for any of the following core fields:
- ip
- source_ip
- destination_ip
- hash
- host_name
- user_name
- process_name
- process_path
Vendor Fields for Native Search
To search for logs or data from a specific vendor, you
can refine your query by vendor and product. The query fields are
hierarchical. To construct a query, separate each field in the hierarchy
with periods. Examples of vendor fields include:
- Search for results from all Palo Alto Networks products—PANW
- Search for results from Cisco ASA firewalls—Cisco.ASA
Vendor | Product |
---|---|
PANW | NGFW |
PANW | Cortex Agent |
Checkpoint | FW1/VPN1 |
Cisco | ASA |
Cisco | Firepower |
Okta | MFA |
Microsoft | Azure AD |
Corelight | Corelight sensor |
Fortinet | Fortigate |
Log Types for Native Search
You can construct queries for the following types of
logs and log subtypes.
Log Type | Log Subtype |
---|---|
process_actions | |
registry_actions | |
file_actions | |
network_connections | |
event_logs | |
authentication | |
image_load | |
Operators
Operator | Description |
---|---|
= | Show results equal to a value. |
!= | Show results that are not equal to a value. |
~= | Show results that are equal to a Regex pattern match. Not supported with IP addresses or ranges. |
!~= | Show results that are not equal to a Regex pattern match. Not supported with IP addresses or ranges. |
contains | Show results that contain a value. |
not contains | Show results that do not contain a value. |
in (list, range) | Show results including one or more matches in a list or range. Not supported with IP addresses or ranges. |
not in (list, range) | Show results excluding one or more matches in a list or range. Not supported with IP addresses or ranges. |
Native Search Examples
Search |
---|
logtype = file AND subtype IN ("file create", "file delete") and hostname contains SF |
network connections AND palo alto networks.app id = facebook |
okta.sso AND ip != 10.0.* |
palo alto networks.file create.file name =~ ".+?" |
event log AND (palo alto networks.event log id = 41783 OR hostname =~ la^x) |
cortex xdr agent AND palo alto networks.dst process name CONTAINS chrome |
logtype IN ("network connections", execution, injection) AND (palo alto networks.app id = chrome OR process name = chrome) |
ip = 198.51.100.157 AND palo alto |
ip = 198.51.100.157 and key.name =~ "\wSomestring\w" |
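The following Python snippet is an added illustration of how the operators in the operator table above and the AND/OR composition used in the examples behave over a handful of records. It is not Cortex XDR code and does not model the product's query engine; the record layout, the sample log entries, the `evaluate` and `run_query` helpers, and the treatment of `contains` as a case-sensitive substring test are all assumptions made for the example. What it does mirror from the page is the operator set, wildcard matching with `*` on IP values such as `10.0.*`, and the documented rule that the Regex operators are not supported on IP-address fields.

```python
"""Toy evaluator for Native Search-style operators (added example, not product code)."""
import fnmatch
import re

# Core fields the page lists as IP-typed. The operator table says the Regex
# operators are not supported with IP addresses, so the toy rejects them here.
IP_FIELDS = {"ip", "source_ip", "destination_ip"}

# Constructed sample records; field names and values are invented for the example.
SAMPLE_LOGS = [
    {"logtype": "file", "subtype": "file create", "hostname": "SF-LAPTOP-01",
     "ip": "10.0.5.7", "process_name": "chrome.exe"},
    {"logtype": "file", "subtype": "file delete", "hostname": "NY-DESK-02",
     "ip": "10.1.2.3", "process_name": "explorer.exe"},
    {"logtype": "network connections", "subtype": "", "hostname": "SF-SRV-03",
     "ip": "198.51.100.157", "process_name": "chrome.exe"},
    {"logtype": "authentication", "subtype": "sso", "hostname": "la-x9",
     "ip": "203.0.113.9", "process_name": ""},
]


def _equals(operand, value):
    # A '*' in the operand makes it a wildcard pattern (e.g. 10.0.* matches 10.0.5.7);
    # fnmatch treats '.' literally, so dotted IP prefixes behave as expected.
    if "*" in operand:
        return fnmatch.fnmatchcase(str(value), operand)
    return str(value) == operand


def evaluate(field, operator, operand, record):
    """Return True when record[field] satisfies `field operator operand`.

    operand is a string for scalar operators and a list of strings for in / not in.
    Case handling is not stated on the page; this toy compares case-sensitively.
    """
    value = record.get(field)
    if value is None:
        return False
    op = operator.lower()
    if op in ("~=", "!~=") and field in IP_FIELDS:
        raise ValueError(f"{operator} is not supported on IP field {field!r}")
    if op == "=":
        return _equals(operand, value)
    if op == "!=":
        return not _equals(operand, value)
    if op == "~=":
        return re.search(operand, str(value)) is not None
    if op == "!~=":
        return re.search(operand, str(value)) is None
    if op == "contains":
        return operand in str(value)
    if op == "not contains":
        return operand not in str(value)
    if op == "in":
        return any(_equals(item, value) for item in operand)
    if op == "not in":
        return not any(_equals(item, value) for item in operand)
    raise ValueError(f"unknown operator {operator!r}")


def run_query(clauses, logs, combine="and"):
    """Apply (field, operator, operand) clauses to every record.

    combine="and" requires every clause to hold; combine="or" requires at least one.
    Returns the hostnames of matching records in input order.
    """
    joiner = all if combine == "and" else any
    return [rec["hostname"] for rec in logs
            if joiner(evaluate(f, op, operand, rec) for f, op, operand in clauses)]


if __name__ == "__main__":
    # Mirrors the first example query on the page: file logs of two subtypes on SF hosts.
    print(run_query([("logtype", "=", "file"),
                     ("subtype", "in", ["file create", "file delete"]),
                     ("hostname", "contains", "SF")], SAMPLE_LOGS))
    # Mirrors `ip != 10.0.*`: wildcard exclusion on an IP field.
    print(run_query([("ip", "!=", "10.0.*")], SAMPLE_LOGS))
```

Running the module prints `['SF-LAPTOP-01']` for the first query and the three hosts outside `10.0.0.0/16` for the second; passing a `~=` clause against the `ip` field raises `ValueError`, which is the toy's way of surfacing the "not supported with IP addresses" restriction before a query silently returns nothing.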