End-of-Life (EoL)

How to Search in Cortex XSOAR

Cortex XSOAR comes with a very powerful search capability. You can search for data in Cortex XSOAR in the following ways:
  • Using the search query: searches for information using the Lucene query syntax. The search query appears on the Indicators, Incidents, Jobs, Playbooks, Automation, and Evidence Board pages. For example, to search for all incidents whose status is Pending and whose severity is Critical, type
    status:Pending and severity:Critical
  • Using the search box: searches for incidents, entries, evidence, investigations, and indicators in Cortex XSOAR. The search box appears in the top right-hand corner of every page. You can either type free text or search using the search query format (use the arrow keys to assist you in the search). For example,
    searches for all incidents that have
    in the severity category.
  • Using a general search. For example, when searching for a table in the
    tab, searching for a widget, or a task in a playbook, etc.

Using the Search Query

The search follows the Lucene query syntax. The search is performed either on a specific page, such as Incidents or Indicators, or across the entire data set (titles, entries, chats, etc.).
Basic syntax of the search
You can use the following inputs when searching for data:
Add text
Type any text. The results show all data in which at least one of the words appears. For example, the search
low virus
returns all data in which either the string low or the string virus appears.
and: searches for data where all conditions are met. For example,
status:Active and severity:High
finds all incidents that have an active status and a high severity.
or: searches for data where either condition is met. For example,
status:Pending and severity:High or severity:Critical
finds all incidents that have a pending status and a severity of either high or critical.
Wildcard search:
* should be used when searching for partial strings. For example, to find all scripts whose names start with AD, search for
AD*
If you need to find a script whose name contains "get", search for
*get*
An empty value.
Excludes matching items from any search. For example, on the incidents page the query
-status:closed -category:job
returns all incidents that are not closed and whose category is not job.
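The rules above (field:value terms, free text, and/or, the - exclusion and the * wildcard) are easiest to understand by running them against a few records. The following is an added example, not part of the Cortex XSOAR documentation or product: a small evaluator that applies those rules, Lucene-style, to constructed sample incidents; parentheses are also supported so that grouping can be made explicit. Relative-time and range filters (such as dueDate:>=...) are deliberately out of scope, and matching is assumed to be case-insensitive.

```python
import fnmatch
import re

# Constructed sample incidents for the demo (not real Cortex XSOAR data).
INCIDENTS = [
    {"id": 1, "status": "Pending", "severity": "Critical", "category": "job", "name": "ADSync"},
    {"id": 2, "status": "Pending", "severity": "High", "category": "", "name": "low disk"},
    {"id": 3, "status": "Active", "severity": "High", "category": "", "name": "phishing"},
    {"id": 4, "status": "closed", "severity": "Medium", "category": "", "name": "ADGetUser"},
    {"id": 5, "status": "Active", "severity": "Critical", "category": "", "name": "virus found"},
]
TOKEN = re.compile(r"\(|\)|[^\s()]+")

def term_matches(term, record):
    """field:value tests one field; a bare word tests every word of every field. '*' is a wildcard."""
    if ":" in term:
        field, _, pattern = term.partition(":")
        return fnmatch.fnmatchcase(str(record.get(field, "")).lower(), pattern.lower())
    words = " ".join(str(v) for v in record.values()).lower().split()
    return any(fnmatch.fnmatchcase(w, term.lower()) for w in words)

def eval_clauses(tokens, record):
    """Lucene-style clauses: '-x' must not match, 'a and b' must both match, and plain
    adjacent terms (or 'x or y') are alternatives of which at least one must match."""
    clauses, occur = [], ""  # occur: "" = should, "+" = must, "-" = must not
    while tokens and tokens[0] != ")":
        tok = tokens.pop(0)
        low = tok.lower()
        if low in ("and", "or"):  # 'and' makes both of its neighbours required
            if low == "and" and clauses and clauses[-1][0] == "":
                clauses[-1] = ("+", clauses[-1][1])
            occur = "+" if low == "and" else ""
            continue
        if tok == "(":  # a parenthesised group is evaluated as a single clause
            clauses.append((occur, eval_clauses(tokens, record)))
            if tokens: tokens.pop(0)  # consume the closing ')'
        elif tok.startswith("-") and len(tok) > 1:  # exclusion
            clauses.append(("-", term_matches(tok[1:], record)))
        else:
            clauses.append((occur, term_matches(tok, record)))
        occur = ""
    must = [v for o, v in clauses if o == "+"]
    must_not = [v for o, v in clauses if o == "-"]
    should = [v for o, v in clauses if o == ""]
    if not all(must) or any(must_not):
        return False
    return any(should) if should and not must else True

def search(query, records=INCIDENTS):
    return [r["id"] for r in records if eval_clauses(TOKEN.findall(query), r)]
```

With the sample data, search("-status:closed -category:job") returns [2, 3, 5] and search("AD*") returns [1, 4].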
Relative time. For example:
  • "half an hour ago"
  • "1 hour ago"
  • "5 minutes ago"
  • "10 days ago"
  • "five days ago"
  • "5 seconds ago"
  • "two weeks ago"
  • "a month ago"
  • "a few months ago"
  • "one year ago"
  • "a week ago"
Relative time in natural language can be used in search queries. The time filters < and > can be used when referring to a specific time, for example dueDate:>="2018-03-05T00:00:00 +0200".
When adding some fields, such as
you can enter the date from the calendar. You can also filter the date when the results are displayed.
