Learn more about the Cortex Query Language search stage that searches for free-text strings.
Syntax
search "<free_text1>"[,"<free_text2>", ...]
Description
The search stage searches for free-text strings across single or multiple datasets, including all the dataset fields (columns), that are stored in your Cortex XSIAM tenant. This search is a manual process that isn't meant to be included in any features where you can include Cortex Query Language (XQL) queries, such as rules or widgets. Since this search runs on all your data, it can take time for the query to complete.
Search results are presented differently depending on the number of datasets included in the search query:
Single dataset: All dataset field columns are included in the resulting table.
Multiple datasets: The resulting table includes a limited number of field columns, specifically the _time, _vendor, _product, _dataset, and raw_data field columns. The raw_data field column includes the JSON with the relevant raw information from the datasets.
Consider the following information:
search should be the first stage in the query. Only the config stage can precede search.
You can refine the search to specify datasets. Only datasets are supported. You can't refine by preset or search the Cortex Data Model (XDM) schema.
Note
If you do not specify a dataset in the query, Cortex XSIAM searches all of the existing datasets on your tenant.
Free text search searches the relevant columns in each dataset. Relevant columns are subject to a change and can vary between datasets.
When more than one dataset is included in the search, a new column called raw_data is displayed in the Query Results table. This column lists all the fields from the original datasets' schema, which you can use to drill down to specific data in your queries.
Queries containing search do not support the bin, comp, top, or dedup stages.
Queries using the search stage are limited to the last 90 days of data. Specifying a time frame outside of this limitation will cause the query to fail.
Some settings for the free-text search depend on your configuration of this feature. By default, the standard behavior is followed unless you've requested to disable or enable certain configurations for this feature. Here is a list of the default settings that can be configured:
All datasets are included in the search unless you enabled the option to ignore certain datasets.
Forensic datasets are not included in the search by default unless you enable the option to include forensic datasets in the free-text search. When forensic datasets are configured to be included in the free-text search, the forensic datasets are only searched if all datasets in the search command are forensic. This means that forensic datasets are ignored in mixed dataset searches.
Snapshots are searched by default unless you enabled the option to ignore snapshots. In addition, the search includes all data in the dataset, across all snapshots, unless you enabled the option to limit the free-text search to only search for values in the latest snapshot as defined by the Snapshot SQL.
All the rows in the table are searched by default unless you set an XQL text_search_force_limit_size that defines a maximum number of rows per dataset table so only those rows are searched.
All JSON fields are searched by default unless you configured the system to skip JSON fields.
Any hidden fields configured to be excluded from the correlation dataset are by default not included in the search.
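As an added example, not taken from the Cortex XSIAM documentation or product, the following Python pre-flight check applies the constraints listed above to a query string before it is submitted: search must be the first stage (only config may precede it), the bin, comp, top, and dedup stages are rejected, and a config timeframe wider than 90 days is flagged. The stage splitting on top-level pipes, the assumed `config timeframe = <N>d` form it parses, and the curly-quote normalization are this example's own simplifications of XQL, not the product's parser.

```python
import re

# Constraints on the XQL "search" stage as stated in the documentation.
UNSUPPORTED_WITH_SEARCH = {"bin", "comp", "top", "dedup"}
MAX_SEARCH_DAYS = 90

# Assumed config syntax: "config timeframe = 30d" (also accepts h / m units).
_TIMEFRAME = re.compile(r"\btimeframe\s*=\s*(\d+)\s*([dhm])\b", re.IGNORECASE)


def normalize_quotes(query):
    """Curly quotes pasted from documents are not XQL string delimiters."""
    return query.replace("\u201c", '"').replace("\u201d", '"')


def split_stages(query):
    """Split a query on top-level '|', ignoring pipes inside quoted strings."""
    stages, buf, quote = [], [], None
    for ch in query:
        if quote:                       # inside a string literal
            buf.append(ch)
            if ch == quote:
                quote = None
        elif ch in ('"', "'"):          # string literal starts
            quote = ch
            buf.append(ch)
        elif ch == "|":                 # stage boundary
            stages.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    stages.append("".join(buf).strip())
    return [s for s in stages if s]


def stage_name(stage):
    """First token of a stage, lower-cased (e.g. 'search', 'config')."""
    return stage.split(None, 1)[0].lower()


def timeframe_days(config_stage):
    """Timeframe declared in a config stage, in days; None if absent."""
    m = _TIMEFRAME.search(config_stage)
    if not m:
        return None
    n, unit = int(m.group(1)), m.group(2).lower()
    return n * {"d": 1, "h": 1 / 24, "m": 1 / 1440}[unit]


def validate_search_query(query):
    """Return a list of constraint violations; an empty list means OK."""
    problems = []
    stages = split_stages(normalize_quotes(query))
    names = [stage_name(s) for s in stages]
    if "search" not in names:
        return ["no search stage in query"]
    idx = names.index("search")

    # Only config may come before search.
    for name in names[:idx]:
        if name != "config":
            problems.append(f"stage '{name}' precedes search; only config may come first")

    # bin / comp / top / dedup are not supported anywhere in a search query.
    for name in names:
        if name in UNSUPPORTED_WITH_SEARCH:
            problems.append(f"stage '{name}' is not supported in a query that uses search")

    # search only sees the last 90 days; a wider timeframe makes the query fail.
    for s in stages[:idx]:
        if stage_name(s) == "config":
            days = timeframe_days(s)
            if days is not None and days > MAX_SEARCH_DAYS:
                problems.append(
                    f"timeframe of {days:g} days exceeds the {MAX_SEARCH_DAYS}-day limit for search"
                )
    return problems


if __name__ == "__main__":
    for q in ('search "MacOs" dataset = endpoints',
              'config timeframe = 120d | search "x" dataset = endpoints',
              'search "x" dataset = endpoints | dedup agent_id'):
        print(q, "->", validate_search_query(q) or "OK")
```

Running the check in a query-submission wrapper turns the documented failure modes into immediate, explanatory errors instead of a slow run over all datasets that ends in a rejection.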
Examples
Returns instances of "MacOs" in the endpoints dataset.
search "MacOs" dataset = endpoints
Returns instances of "MacOs" or "failed" in the endpoints and agent_auditing datasets.
search "MacOs","failed" dataset in (endpoints, agent_auditing)