How to search in Cortex XSOAR - Administrator Guide - 8.5 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR On-prem Documentation

Product: Cortex XSOAR
Version: 8.5
Creation date: 2024-03-10
Last date published: 2025-02-10
Category: Administrator Guide
Solution: On-prem
Abstract

Search Cortex XSOAR using Lucene query syntax, the search box, or general search.

Cortex XSOAR comes with a very powerful search capability. You can search for data using the following:

  • The search query

  • The search box

  • Free text search

  • General search

The Search Query

The search follows the Bleve query syntax. Bleve query syntax is similar to Lucene query syntax, but with some differences, such as the syntax for numeric ranges and date ranges. The search runs on specific pages, such as Incidents or Indicators, or across all data (such as titles, entries, and chats).

You can use the following inputs when searching for data:

Input | Description
Add text | Type any text. The results show all data where at least one of the words appears. For example, the search low virus returns all data where either the low or the virus string appears.
and | Searches for data where all conditions are met. For example, status:Active and severity:High finds all incidents with an active status and high severity.
or | Searches for data where either condition is met. For example, status:Pending and severity:High or severity:Critical finds all incidents with a pending status and high or critical severity.
* ? | Wildcard search: use * and ? when searching for partial strings. For example, to find all scripts whose names start with AD, search for AD*. To find a script whose name contains get, search for *get*.
"" | An empty value.
- | Excludes matches from any search. For example, on the Incidents page, -status:closed -category:job finds all incidents that are not closed and whose category is not job.
{me} | Filters incidents by the current user's account. For example, owner:{me} displays all incidents where you are the owner. It can also be used with other fields, such as createdBy:{me}, which displays all incidents you created.
Relative time, for example "today", "half an hour ago", "1 hour ago", "5 minutes ago", "10 days ago", "5 seconds ago", "five days ago", "a month ago", "in 1 year" | Relative time in natural language can be used in search queries. The comparison operators < and > (and <=, >=) can be used with a specified time, such as dueDate:>="2024-03-05T00:00:00 +0200", or when searching for high severity incidents created in the last hour: Severity:High and created:>="1 hour ago"

Note

The timezone for searches is UTC. The system timezone is not used.

For some fields, such as Occurred, you can pick the date from a calendar. You can also filter by date after the results are displayed.

If using "months ago" you are limited to 12 months.

Search using Regex

Wrap the pattern in forward slashes (/.../) when searching for regex values. For example, to search for indicator values that contain www and end with .com, type value:"/w{3}..*.com/". This returns values such as www.namecheap.com and www.kloshpro.com.

Search for indicator values

To search for indicator values that consist of letters a-z or A-Z and digits 0-9 with a length of 32, type value:"/[a-zA-Z0-9]{32}/". This returns values such as 775A0631FB8229B2AA3D7621427085AD and 87798e30ca72f77abe624073b7038b4e.

Timer/SLA fields

To search for Timer/SLA fields in incidents, see Search incidents for Timer/SLAs.

Special characters

To use the following characters literally in a search query, place them within double quotes. An escape character \ is not required.

&& || ! {} [] () ~ * ?

To use the following characters literally in a search query, place them within double quotes and precede each with the escape character \.

\, \n \t \r " ^ : and space

For more information about using special characters, see Run commands in the CLI.

Note

When searching for incidents, the following fields match any incident whose field value contains the searched text:

  • phase

  • name

  • details

  • type

For example, suppose you have several incidents named idle accounts. Searching for name:"idle" returns every incident whose name contains the word idle (including idle accounts). Other fields return only values that match the exact word idle.

For exact matches on the name, type, and phase fields, prefix the field name with raw. For example, enter rawName:"idle".
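The following helpers assemble query clauses according to the rules in the table above, the special-character rules, and the raw<Field> exact-match prefix. This is an added example, not Cortex XSOAR code; the function names and the treatment of space (quoted but not escaped, following the page's rawType:"Phish Mail" example) are this example's own assumptions.

```python
"""Assemble Cortex XSOAR search-query clauses using the quoting, exclusion and
raw<Field> rules described above (added example, not Cortex XSOAR code)."""
from datetime import datetime, timezone

# Characters that only need the value wrapped in double quotes.
QUOTE_ONLY = set('&|!{}[]()~*?')
# Characters that need double quotes plus a backslash escape. The page lists
# space here too, but its own rawType:"Phish Mail" example quotes a space
# without escaping it, so space is treated as quote-only (assumption).
ESCAPED = {'\\': '\\\\', '\n': '\\n', '\t': '\\t', '\r': '\\r',
           '"': '\\"', '^': '\\^', ':': '\\:'}
# Fields that match any value containing the text; raw<Field> matches exactly.
SUBSTRING_FIELDS = ('name', 'type', 'phase')

def quote_value(value: str, wildcard: bool = False) -> str:
    """Return value in the form expected after 'field:'. With wildcard=True the
    value stays unquoted so * and ? keep their wildcard meaning, and any other
    character that would need quoting is rejected."""
    special = [c for c in value if c in ESCAPED or c in QUOTE_ONLY or c == ' ']
    if wildcard:
        if any(c not in '*?' for c in special):
            raise ValueError(f'{value!r} cannot be used unquoted with wildcards')
        return value
    if not special:
        return value
    return '"' + ''.join(ESCAPED.get(c, c) for c in value) + '"'

def term(field: str, value: str, exact: bool = False,
         negate: bool = False, wildcard: bool = False) -> str:
    """One field:value clause. exact=True switches name/type/phase to raw<Field>
    so name:idle no longer also matches 'idle accounts'; negate=True adds '-'."""
    if exact and field in SUBSTRING_FIELDS:
        field = 'raw' + field.capitalize()
    return ('-' if negate else '') + field + ':' + quote_value(value, wildcard)

def since(field: str, when) -> str:
    """Lower-bound time filter in the page's absolute format. Searches run in
    UTC, so the timestamp is converted first; a naive datetime is taken as UTC."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    stamp = when.astimezone(timezone.utc).strftime('%Y-%m-%dT%H:%M:%S %z')
    return f'{field}:>="{stamp}"'

def combine(*clauses: str, op: str = 'and') -> str:
    """Join clauses with 'and' or 'or', flat and left to right as on the page."""
    return f' {op} '.join(clauses)
```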

The search box

The search box searches for incidents, investigations, and indicators. It appears in the top right-hand corner of most pages. You can either type free text or use the search query format (the arrow keys help you complete the search). For example, incident.severity:Low finds all incidents whose severity is Low.

Note

For exact results when searching long text fields, or the phase, name, reason, details, or type fields, set the server configuration incident.search.exact.match.only to true. For example, when searching for type:Phish Mail with this server configuration set to true, the results include only the exact text Phish Mail rather than matches on each word separately. Another way to get an exact match, for the name, type, and phase fields only, is to prefix the field name with raw in your query. For example, rather than entering type:Phish Mail, enter rawType:"Phish Mail".

Free Text

A free text search is used on the Playbooks and Scripts pages. You can search using part or all of the component's name; the component's tags and description are also included in the search. To search for an exact match of the component name, put quotation marks around the search text. For example, searching for "AddEvidence" returns the script with that name. You can search for more than one exact match by placing the logical operator or between your quoted search texts. For example, searching for "AddEvidence" or "AddKeyToList" returns the two scripts with those names. Wildcards are not supported in free text search.

General Search

A general search is available in other parts of the interface, for example to search a table in the Users tab, to find a widget, or to find a task in a playbook.