Search Page Results - User Guide - 2 - Cortex XPANSE - Cortex - Security Operations

Cortex Xpanse Expander User Guide

Creation date
Last date published
User Guide

You can search the content in the Alerts and Incidents tables.

Cortex Xpanse supports the ability to search the content in alert and incident tables. On the Alerts page, Cortex Xpansesearches key alert fields and fields for assets related to the alert, including Alert Name, Attack Surface Rule, Country, City, IP/IP Prefix/ CIDR, Domain Name, certificate characteristics, and specific pieces of scan data such as banners, version information, and other details on the service and website (i.e. service classification and web technologies). On the Incidents page, Cortex Xpanse searches incident fields and fields for related alerts and assets.

To perform a search, navigate to the Alerts or Incidents page, enter a search term in the search bar above the table, and hit enter. Note the following search guidelines:

  • You can use search and filters together. When you use both search and a filter, Cortex Xpanse processes them with an "and" operator. For example, if you search alerts for "RDP" and filter for Resolution Status = New, the search results will have New alerts that contain "RDP".

  • XQL doesn't work in the search bar.

  • The following characters are treated as delimiters:

    [ ] < > ( ) { } | ! ; , ' " * & ? + / = @ - $ % \ _ \n \r \s \t

    If you use these characters in a search string, Cortex Xpanse will separate the string into separate search terms.

  • Partial prefix string matching is supported. That means a search for "micro" will return results for Microsoft, but a search for "soft" will not return results for Microsoft.

  • You can search for IPv4 addresses using CIDR notation, wildcard notation, and exact strings.