Search Cortex XSOAR using Lucene query syntax, the search box, or general search.
Cortex XSOAR comes with a very powerful search capability. You can search for data in the following ways:
Using the Search Query: searches for information using the Bleve query syntax, which is similar to Lucene query syntax. The search query appears in the Indicators, Incidents, Jobs, Playbooks, Scripts, and Evidence Board pages. For example, to search for all incidents whose status is pending and whose severity is critical, type `status:Pending and severity:Critical`.

Note: For precise results when searching the long text, phase, name, reason, details, or type fields, set the server configuration `incident.search.exact.match.only` to true. For example, when searching for `type:Phish Mail` with this configuration set to true, the results include only the exact text Phish Mail, not each word separately. Another way to match exact text, for the name, type, and phase fields only, is to prefix the field name with "raw" in your query. For example, rather than entering `type:Phish Mail`, type `rawType:"Phish Mail"`.
Using the search box: searches for incidents, entries, evidence, investigations, and indicators in Cortex XSOAR. The search box appears in the top right corner of every page. You can either type free text or use the search query format (use the arrow keys to assist you). For example, `incident.severity:Low` searches for all incidents whose severity is low.

Using a free text search: free text search is used in the Playbooks and Scripts pages. You can search using part or all of a component's name; the component's tag and description are also included in the search. To search for an exact match of the component name, put quotation marks around the search text. For example, searching for `"AddEvidence"` returns the script with that name. You can search for more than one exact match by placing the logical operator "or" between the quoted search texts. For example, searching for `"AddEvidence" or "AddKeyToList"` returns the two scripts with those names. Wildcards are not supported in free text search.

Note: The search function for playbooks and scripts does not search within the contents of playbooks and scripts. Only the names and metadata of playbooks and scripts are searched.
Using a general search: for example, when searching for a table in the Users tab, for a widget, or for a task in a playbook.
Using the Search Query
The search follows the Bleve query syntax. Bleve query syntax is similar to Lucene query syntax, but with some differences, such as query syntax for numeric ranges and date ranges. The search is performed on certain pages such as incidents, indicators, etc., or the entire data (titles, entries, chats, etc.).
To use any of the following characters literally in a search query, place the value within double quotes. An escape character (\) is not required:
&&, ||, !, {, }, [, ], (, ), ~, *, ?

To use any of the following characters literally in a search query, place the value within double quotes and precede the character with the escape character \:
\, \n, \t, \r, ", ^, :, comma, and space
Basic syntax of the search
You can use the following inputs when searching for data:
| Input | Description |
|---|---|
| Add text | Type any text. The results show all data where one of the words appears. For example, the search |
| | Searches for data where all conditions are met. For example, |
| | Searches for data where either condition is met. For example, |
| | Wildcard search: |
| | An empty value. |
| | Excludes from any search. For example, in the Incidents page the |
| | Filters incidents by a user's account. For example, |
| Relative time. For example, "today", "half an hour ago", "1 hour ago", "5 minutes ago", "10 days ago", "5 seconds ago", "five days ago", "a month ago", "in 1 year", etc. | Relative time in natural language can be used in search queries. The time filters < and > can be used when referring to a specified time, such as dueDate:>="2018-03-05T00:00:00 +0200". Note: The timezone for searches is UTC; the system timezone is not used. When adding some fields, such as |
You can also search using a regular expression (regex). To use regex, enclose the pattern between forward slashes, "/.../". For example, to search for indicator values that contain www and end with .com, type `value:"/w{3}..*.com/"`. This returns values such as www.namecheap.com, www.kloshpro.com, etc.

To search for indicator values made up of lower- and upper-case letters a-z and digits 0-9 with a length of 32, type `value:"/[a-zA-Z0-9]{32}/"`. This returns values such as 775A0631FB8229B2AA3D7621427085AD, 87798e30ca72f77abe624073b7038b4e, etc.
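An added example (not Cortex XSOAR's own code) that applies the quoting and escaping lists, the "raw" field prefix and the /.../ regex form described above when building field:value terms from values such as indicators; the function names are mine. It follows the escape list literally, so a space inside quotes gets a backslash (the page's own examples such as rawType:"Phish Mail" leave it unescaped), and it assumes the control characters in the list are written as the two-character sequences \n, \t and \r.

```python
# Added example, not Cortex XSOAR code. Assumption: the control characters in
# the escape list are written as the two-character sequences \n, \t and \r.

# Characters that only require the whole value to be placed in double quotes.
QUOTE_ONLY = set('&|!{}[]()~*?')
# Characters that require double quotes AND a leading backslash.
ESCAPED = {
    '\\': '\\\\', '"': '\\"', '^': '\\^', ':': '\\:', ',': '\\,', ' ': '\\ ',
    '\n': '\\n', '\t': '\\t', '\r': '\\r',
}


def quote_value(value: str) -> str:
    """Return value as a literal search term.

    A value with no special characters is returned unchanged (status:Pending
    stays status:Pending). Anything else is wrapped in double quotes with the
    characters from the escape list backslash-escaped, so a value copied from
    untrusted data (an indicator, a mail subject) cannot add its own field:,
    operator or wildcard to the query.
    """
    if not any(ch in QUOTE_ONLY or ch in ESCAPED for ch in value):
        return value
    return '"' + ''.join(ESCAPED.get(ch, ch) for ch in value) + '"'


def term(field: str, value: str, *, raw: bool = False, regex: bool = False) -> str:
    """Build one field:value term.

    raw=True asks for an exact match by prefixing the field name with "raw"
    (type -> rawType), as described above for name, type and phase.
    regex=True wraps the pattern in /.../ and does not escape it; the caller
    owns the pattern and must not build it from untrusted input.
    """
    if raw:
        field = 'raw' + field[0].upper() + field[1:]
    if regex:
        return f'{field}:"/{value}/"'
    return f'{field}:{quote_value(value)}'


def all_of(*terms: str) -> str:
    """Join terms with "and" so that every condition must hold."""
    return ' and '.join(terms)


def any_of(*terms: str) -> str:
    """Join terms with "or" so that any one condition may hold."""
    return ' or '.join(terms)
```

For example, all_of(term('status', 'Pending'), term('severity', 'Critical')) yields the page's query status:Pending and severity:Critical.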