Alerts Advanced Search
- Borja Moro Moreno
Basic Search
Select Basic in the dropdown at the top left of the page to activate the Basic search in alerts, which allows you to filter the alerts based on the categories provided. In addition, you can filter the alerts based on a specified time period.
Advanced Search
Select Advanced in the dropdown at the top left of the page to activate the Advanced search, which allows you to create custom queries to find the alerts that match the specified criteria, and also perform a detailed search using the advanced option over the basic search filters.
While performing the advanced search, note the following points:
All searches are case-insensitive.
Spaces between elements of a search query are ignored.
Searching is supported on fields and case parameters.
You cannot directly search on comments, but a text search finds text in the case and task comments.
You can search for standard and custom fields.
The advanced search field validates the query that you enter.
Invalid query
If the query is valid, a green checkmark is shown. If the search syntax isn't valid, a red alert icon is shown.
Query Structure
A simple advanced query is of the following form:
alerttype = "default"
More complex queries can be created with the boolean AND or OR operators with parentheses added as needed.
created = "2021/02/01 09:40" AND alerttype = "default"
Supported Fields
The following fields are supported for advanced alerts search.
Field | Description |
|---|---|
Alert ID | The alert ID. |
Alert Type | The type of alert (Default). |
Name | The name of the alert. |
Alert Source | The playbooks that the alert is linked to. |
Description | The description of the alert. |
Time of Creation | The time the alert was created. |
Supported Operators
The following operators are supported for advanced search.
Operator | Description |
|---|---|
Contains, ~ | Matches if the field contains the indicated text string. |
Performing this type of search on a phrase is equivalent to an and search on the individual words in the phrase.
For example, the search “text ~ "autoalertname" finds the case with the title “autoalertname”. |
| = | Matches the current state of the case: closed, open, or inprogress. |
| =! | Matches if the current state of the case is not the specified value. |
| >, \<, >=, \<= | Matches if the indicated comparison is valid. Applies only to the created field (date field). |
| AND | Applies the boolean AND operation. |
| OR | Applies the boolean OR operation. |
Additional Example
The following search finds the alert type, name, and description with the text that contains the words.
{text}alerttype = "detections-alert" AND (name = "delete-10" OR description = "Found delete event from 1.2.4.3 ip")