Create a search query for incidents and save search queries.
Cortex XSOAR comes with powerful search capabilities. You can search for data by:
Using the Search Query: Cortex XSOAR searches for information using the Bleve query syntax. The search query appears on several pages such as Incidents, Indicators, and Playbooks. To search for all incidents that have the status as pending and are critical, type
status: Pending and severity:Critical
. You can save and share queries, as required.Using the search box: Cortex XSOAR searches for incidents, entries, evidence, investigations, and indicators. The search box appears in the top right-hand corner of every page.
By default, the Incidents page displays all open incidents from the last seven days. You can customize which incidents are displayed by creating and saving queries.
When you start typing your search, Cortex XSOAR lists all the indexed fields, such as type and severity, including custom and out-of-the-box fields. The search follows the Bleve query syntax, which is similar to the Lucene query syntax but with some differences, such as query syntax for numeric ranges and date ranges. For more information, see Bleve Query String Query.
The search is performed on certain pages such as incidents, indicators, or the entire data (such as titles, entries, chats).
Note
To explicitly use the following characters in a search query, place them within double quotes. An escape character \
is not required.
&& || ! {} [] () ~ * ?
To explicitly use the following characters in a search query, place them within double quotes and use an escape character \
.
\, \n \t \r " ^ :
and space
For information about using special characters, see Run commands in the CLI.
Note
For precise results when searching for all long text, phase, name, reason, details or type, set the Server Configuration, incident.search.exact.match.only
to true. For example, when doing a search for type:Phish Mail
, if the server configuration is set to true, the results returned include the exact text Phish Mail
and not each word separately. Another option to return exact text, just for name, type and phase, is to add the term "raw" preceding the query in your search. For example, rather than just entering type:Phish Mail
, type rawType:"Phish Mail"
.
You can add inputs when searching for data, such as:
Input | Description |
---|---|
Add text | Type any text. The results show all data where one of the words appears. For example, the search |
| Searches for data where all conditions are met. For example, |
| Searches for data where either conditions are met. For example, |
| Wildcard search: |
| An empty value. |
| Excludes from any search. For example in the Incidents page the |
| Filters incidents by a user’s account. For example, |
Relative time. For example, “today”, “half an hour ago”, “1 hour ago”, “5 minutes ago”, “10 days ago”, “5 seconds ago”, “five days ago”, “a month ago”, "in 1 year". | Relative time in natural language can be used in search queries. Time filters - < and > can be used when referring to a specified time, such as d NoteThe timezone for searches is UTC. The system timezone is not used. When adding some fields, such as |
Search using Regex | To use Regex, you need to use the value |
Search for indicator values | To search for indicator values that contain lower-upper a-z letters and 0-9 numbers with a length of 32, type: |
Timer/SLA fields | To search for Timer/SLA fields in incidents, see Search incidents for Timer/SLAs. |
After defining the search query, you can save it for future use. The search query and the bar charts are saved.
Tip
To edit an existing saved query, create a new query and save it with the exact name of the query you want to replace.
Select the date range to search (next to the Created field).
By default, the date is set to the last 7 days.
In the query bar, type your search criteria.
By default, the query is
-status:closed -category:job
, which searches for categories other than jobs and not those that have been closed. You can add fields like severity or type to narrow your search to critical issues or issues of a certain type.Note
If you change drill down in the bar chart fields, the query also changes. For example, in the Severity bar chart, if you click High,
severity:High
is added to the query.Save the query.
Click .
Type a name for the query.
Save the query.
To view all saved queries, click . The list of saved queries appears. You can mark a saved query as a default, or delete a query.
Shared queries enable you to share your customized configurations with all users. For example, you can define queries for security analysts to help focus them on incidents relevant for them to analyze.
Once you create and save a query, to share it with all users click and then click for that query.
The icon next to the name of the query changes to . Hovering over this icon in the list of saved queries shows that the query is shared. To remove sharing, click and remove the users.
The shared query appears in the users’ Saved queries list. Users see the query with a icon and the name of the shared query owner.
Note
Edits made to shared queries are not saved. To save an edited version of the shared query, make a copy and then edit and save it.
Copying the shared query or clicking Mark Default (to make the query the page default) keeps the shared query in the user’s Saved queries list even if the shared query owner removes the share. Otherwise, the query will disappear from the users’ Saved queries list if the query owner removes the share.
The search box searches for incidents, investigations, and indicators. The search box appears in the top right-hand corner on most pages. You can either type free text or search using the search query format (use the arrow keys to assist you in the search). For example, incident.severity:Low
searches for all incidents that have low
in the severity category.
If using the search box during an investigation, you can select whether to search across all incidents or limit the search to the current incident.
Note
When searching in the current incident, Cortex XSOAR searches only the War Room entries. If a value exists in the incident but is not a War Room entry, no results are returned.
Further information
For more information about how to search for incidents and indicators, see the following video in Live Community: