Search for incidents - Administrator Guide - 8.5 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR On-prem Documentation

Product: Cortex XSOAR
Version: 8.5
Creation date: 2024-03-10
Last date published: 2025-01-15
Category: Administrator Guide
Solution: On-prem
Abstract

Create a search query for incidents and save search queries.

Cortex XSOAR comes with powerful search capabilities. You can search for data by:

  • Using the Search Query: Cortex XSOAR searches for information using the Bleve query syntax. The search query appears on several pages, such as Incidents, Indicators, and Playbooks. To search for all incidents that have the status pending and are critical, type status:Pending and severity:Critical. You can save and share queries, as required.

  • Using the search box: Cortex XSOAR searches for incidents, entries, evidence, investigations, and indicators. The search box appears in the top right-hand corner of every page.

By default, the Incidents page displays all open incidents from the last seven days. You can customize which incidents are displayed by creating and saving queries.

When you start typing your search, Cortex XSOAR lists all the indexed fields, such as type and severity, including custom and out-of-the-box fields. The search follows the Bleve query syntax, which is similar to the Lucene query syntax but with some differences, such as query syntax for numeric ranges and date ranges. For more information, see Bleve Query String Query.

Depending on the page, the search runs against a specific data set, such as incidents or indicators, or against all data (titles, entries, chats, and so on).

Note

To explicitly use the following characters in a search query, place them within double quotes. An escape character \ is not required.

&& || ! {} [] () ~ * ?

To explicitly use the following characters in a search query, place them within double quotes and use an escape character \.

\, \n \t \r " ^ : and space

For information about using special characters, see Run commands in the CLI.

Note

For precise results when searching long text, phase, name, reason, details, or type fields, set the server configuration incident.search.exact.match.only to true. For example, with the server configuration set to true, a search for type:Phish Mail returns results that contain the exact text Phish Mail rather than each word separately. Another way to return exact text, for the name, type, and phase fields only, is to prefix the field name with raw in your search. For example, rather than entering type:Phish Mail, type rawType:"Phish Mail".

You can add inputs when searching for data, such as:

  • Add text: Type any text. The results show all data where one of the words appears. For example, the search low virus returns all data where either the string low or the string virus appears.

  • and: Searches for data where all conditions are met. For example, status:Active and severity:High finds all incidents with an active status that have a high severity.

  • or: Searches for data where either condition is met. For example, status:Pending and severity:High or severity:Critical finds all incidents with a pending status and with severity high or critical.

  • * and ?: Wildcard search. Use * and ? when searching for partial strings. For example, when searching for all scripts that start with AD, use AD*. If you need to search for a script that contains get, search for *get*.

  • "": An empty value.

  • -: Excludes from any search. For example, on the Incidents page, -status:closed -category:job searches for all incidents that are not closed and whose category is not job.

  • {me}: Filters incidents by a user's account. For example, owner:{me} displays all incidents where I am the owner. It can also be used for other fields, such as createdBy:{me}, which displays all incidents I created.

  • Relative time: For example, "today", "half an hour ago", "1 hour ago", "5 minutes ago", "10 days ago", "5 seconds ago", "five days ago", "a month ago", "in 1 year". Relative time in natural language can be used in search queries. The time filters < and > can be used when referring to a specified time, such as dueDate:>="2018-03-05T00:00:00 +0200", or when searching for high severity incidents: severity:High and created:>="1 hour ago"

    Note

    The timezone for searches is UTC. The system timezone is not used.

When adding some fields, such as Occurred, you can pick the date from the calendar. You can also filter by date after the results are displayed.
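As an added example (not Palo Alto Networks code), the following Python helper assembles queries in the syntax this page describes, so that a script building a query from field values does not break the syntax: it applies the note's two groups of special characters literally, adds the raw prefix for exact matches on name, type, or phase, passes {me} and relative-time strings through unchanged, and converts datetimes to UTC because searches run in UTC. That parentheses group an or nested inside an and is an assumption taken from the note listing ( ) as special characters.

```python
from datetime import datetime, timezone

ME = "{me}"                               # the page's current-user placeholder
QUOTE_ONLY = set("&|!{}[]()~*?")          # note: needs quotes, no escape
QUOTE_AND_ESCAPE = set('\\\n\t\r"^: ')    # note: needs quotes and a backslash
CONTROL = {"\n": "\\n", "\t": "\\t", "\r": "\\r"}


def quote_value(value: str) -> str:
    """Return value as a literal term, quoted and escaped as the note states."""
    if value == "":
        return '""'                        # the page: "" means an empty value
    if not any(c in QUOTE_ONLY or c in QUOTE_AND_ESCAPE for c in value):
        return value
    out = []
    for c in value:
        if c in CONTROL:
            out.append(CONTROL[c])
        elif c in QUOTE_AND_ESCAPE:
            out.append("\\" + c)
        else:
            out.append(c)
    return '"' + "".join(out) + '"'


def term(field: str, value: str, negate: bool = False, exact: bool = False) -> str:
    """field:value; exact=True uses the raw<Field> prefix the page documents
    for name, type and phase; {me} is passed through unquoted."""
    if exact:
        field = "raw" + field[0].upper() + field[1:]
    literal = value if value == ME else quote_value(value)
    return ("-" if negate else "") + f"{field}:{literal}"


def since(field: str, when) -> str:
    """field:>=... ; a tz-aware datetime is converted to UTC because searches
    run in UTC, a string such as "1 hour ago" is passed through as relative time."""
    if isinstance(when, datetime):
        when = when.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S +0000")
    return f'{field}:>="{when}"'


def all_of(*parts: str) -> str:
    return " and ".join(parts)


def any_of(*parts: str) -> str:
    # Assumed: parentheses group, so an `or` nested in an `and` keeps its meaning.
    return "(" + " or ".join(parts) + ")"
```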

Search using Regex

To use Regex, enclose the pattern in forward slashes (/.../). For example, to search for indicator values that contain www and end with .com, type value:"/w{3}..*.com/". This returns values such as www.namecheap.com and www.kloshpro.com.

Search for indicator values

To search for indicator values consisting of 32 characters drawn from the letters a-z and A-Z and the digits 0-9, type value:"/[a-zA-Z0-9]{32}/". This returns values such as 775A0631FB8229B2AA3D7621427085AD and 87798e30ca72f77abe624073b7038b4e.

Timer/SLA fields

To search for Timer/SLA fields in incidents, see Search incidents for Timer/SLAs.

After defining the search query, you can save it for future use. The search query and the bar charts are saved.

Tip

To edit an existing saved query, create a new query and save it with the exact name of the query you want to replace.

  1. Select the date range to search (next to the Created field).

    By default, the date is set to the last 7 days.

  2. In the query bar, type your search criteria.

    By default, the query is -status:closed -category:job, which returns incidents that are not closed and whose category is not job. You can add fields such as severity or type to narrow the search to critical incidents or to incidents of a certain type.

    Note

    If you drill down in the bar chart fields, the query also changes. For example, in the Severity bar chart, if you click High, severity:High is added to the query.

  3. Save the query.

    1. Click the Save icon.

    2. Type a name for the query.

    3. Save the query.

    To view all saved queries, click the gear icon. The list of saved queries appears. You can mark a saved query as the default or delete a query.

Shared queries enable you to share your customized configurations with all users. For example, you can define queries for security analysts to help focus them on incidents relevant for them to analyze.

Once you create and save a query, to share it with all users click the gear icon and then click the share icon for that query.

The icon next to the name of the query changes to the share icon. Hovering over this icon in the list of saved queries shows that the query is shared. To remove sharing, click the share icon and remove the users.


The shared query appears in the users' Saved queries list. Users see the query with a group icon and the name of the shared query owner.

Note

  • Edits made to shared queries are not saved. To save an edited version of the shared query, make a copy and then edit and save it.

  • Copying the shared query or clicking Mark Default (to make the query the page default) keeps the shared query in the user’s Saved queries list even if the shared query owner removes the share. Otherwise, the query will disappear from the users’ Saved queries list if the query owner removes the share.

The search box searches for incidents, investigations, and indicators. It appears in the top right-hand corner of most pages. You can either type free text or search using the search query format (use the arrow keys to assist you in the search). For example, incident.severity:Low searches for all incidents whose severity is low.

If using the search box during an investigation, you can select whether to search across all incidents or limit the search to the current incident.

Note

When searching in the current incident, Cortex XSOAR searches only the War Room entries. If a value exists in the incident but is not a War Room entry, no results are returned.

Further information

For more information about how to search for incidents and indicators, see the following video in Live Community:

Searching in XSOAR