About search
Search functionality relies on Elasticsearch indices. When you run a search query, the Intelligence Center looks for matches only in content that has already been ingested and indexed; data that is still being ingested does not show up in results until indexing has completed.
About non-literal searches
Search with Booleans
Besides full-text search, you can use Boolean operators and wildcards.
You can combine these filtering options to create more refined searches.
Use Boolean operators to combine multiple quick filters and to build a more complex search query. Write the operators in uppercase (AND, OR, NOT); a lowercase and or or is treated as an ordinary search term.
Example:
enrichment_extracts.kind:domain AND enrichment_extracts.meta.classification:high
Search with wildcards
Currently supported wildcards: * (any sequence of characters) and ? (exactly one character)
Escape character: \ (prefix a * or ? with \ to match it literally)
Avoid starting a wildcard query term with * or ?: such a term has to be compared against every value in the index and can result in an extremely slow-running query.
Search and rules use literal values and regex patterns to look for matching values assigned to the corresponding JSON path fields.
Search with regular expressions
The regex syntax this field accepts is the Elasticsearch regular expression syntax.
The main peculiarities of the Elasticsearch DSL query syntax are:
Anchors (^ and $) are implied at the beginning and at the end of the regex.
Do not include them in the regex pattern input. If you insert explicit anchor characters in the value input field, they are interpreted as literal characters, not as anchors.
Escape special characters:
. ? + * | { } [ ] ( ) " \ /
To escape a special character, prepend a backslash \ to it.
Example: \{ \}
At the moment, the optional operators of the Elasticsearch regular expression syntax are not supported.
Although the regex syntax used in the UI of the Intelligence Center is that of Elasticsearch, the regex syntax used by the Intelligence Center's ingestion engine is Python regex. In the vast majority of cases this does not lead to conflicts, but if your discovery rule is not working the way you want it to, this may be the reason.
Here are two differences that commonly cause problems:
Elasticsearch matches the pattern against the whole string, while Python finds the pattern anywhere in the string. For example:
Input: Cert-BUND
Pattern: ert
Elasticsearch result: no match
Python result: match
Elasticsearch regex syntax requires you to leave out the anchors, whereas in Python you must include them (or use re.fullmatch) to get the same whole-string behaviour.
If you are experiencing problems in this area, contact Customer Support for help in writing the discovery rule you want.
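As an added illustration of the two differences above (this is example code written for this page, not code from the Intelligence Center or its documentation), the following Python snippet emulates the whole-string behaviour of an Elasticsearch regex with re.fullmatch, contrasts it with the match-anywhere behaviour of re.search, shows how to rewrite a pattern so that either side finds the same strings, and escapes the reserved characters listed above. The sample values and all helper names are constructed for this example.

```python
import re

# Constructed sample values for this example; not data from any real feed.
SAMPLE_VALUES = ["Cert-BUND", "ert", "CERT-EU"]

# Characters the search syntax treats as special (the list given above).
RESERVED = set('.?+*|{}[]()"\\/')


def es_regex_match(pattern: str, value: str) -> bool:
    """Emulate Elasticsearch regex semantics: the pattern must match the
    whole value, because ^ and $ are implied around it.  A ^ or $ typed
    into the pattern would be a literal in Elasticsearch but an anchor
    in Python, so refuse it rather than silently change its meaning."""
    if pattern.startswith("^") or pattern.endswith("$"):
        raise ValueError("anchors are implied; do not write ^ or $ in the pattern")
    return re.fullmatch(pattern, value) is not None


def python_regex_match(pattern: str, value: str) -> bool:
    """Match-anywhere semantics, as with re.search in a Python rule."""
    return re.search(pattern, value) is not None


def es_pattern_to_python(pattern: str) -> str:
    """Give a Python rule the whole-string behaviour of an Elasticsearch
    pattern by adding the anchors Elasticsearch implies.  The group keeps
    an alternation such as a|b inside the anchors."""
    return "^(?:" + pattern + ")$"


def python_pattern_to_es(pattern: str) -> str:
    """Make Elasticsearch find what a match-anywhere Python pattern finds
    by allowing any prefix and suffix around it.  A plain group is used
    because Lucene regexes have no (?: ... ) syntax."""
    return ".*(" + pattern + ").*"


def escape_literal(text: str) -> str:
    """Backslash-escape reserved characters so that text is matched literally."""
    return "".join("\\" + ch if ch in RESERVED else ch for ch in text)


def compare(pattern: str, values=SAMPLE_VALUES) -> dict:
    """Return {value: (elasticsearch_result, python_result)} for each value."""
    return {v: (es_regex_match(pattern, v), python_regex_match(pattern, v))
            for v in values}


if __name__ == "__main__":
    for value, (es, py) in compare("ert").items():
        print(f"{value!r:12} Elasticsearch={es!s:5} Python={py}")
```

Running the block prints the Cert-BUND case from the table above: Elasticsearch reports no match for "ert" while Python matches. Rewrite the pattern with es_pattern_to_python() before pasting it into a Python rule, or with python_pattern_to_es() before pasting a Python rule's pattern into the search field, and the two sides agree again.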
Search in specific JSON fields
You can also specify JSON paths to search for the corresponding values in specific JSON fields of an entity data structure.
To do so, in the search input field enter the JSON path to the field whose value you want to look up, a colon, and the literal or data pattern to look up. Enclose a value that contains spaces in double quotes.
Format:
json.path:${search_string}
Example:
data.types.value:"IP Watchlist"
Search for observable properties
For example, the following JSON paths point to JSON fields holding observable values:
Field | Description | Example
extracts.kind | Search for a specific observable type. | extracts.kind:ipv4
extracts.meta.classification | Search for observables based on maliciousness classification. | extracts.meta.classification:bad
extracts.meta.confidence | Search for observables based on source reliability. | extracts.meta.confidence:high
extracts.meta.blacklisted | Search for observables based on blacklist status. | extracts.meta.blacklisted:false
enrichment_extracts.kind | Search for a specific enrichment observable type. | enrichment_extracts.kind:ipv4
enrichment_extracts.meta.classification | Search for enrichment observables based on maliciousness classification. | enrichment_extracts.meta.classification:unknown
enrichment_extracts.meta.confidence | Search for enrichment observables based on source reliability. | enrichment_extracts.meta.confidence:medium
enrichment_extracts.meta.blacklisted | Search for enrichment observables based on blacklist status. | enrichment_extracts.meta.blacklisted:true
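To make the json.path:value format, the field table above and the wildcard and Boolean syntax from the earlier sections concrete, here is a small Python evaluator written for this page (it is not the Intelligence Center's own query parser, and the sample entity is constructed to have the shape the JSON paths imply). It resolves a dotted path through nested objects and lists, turns a term with * and ? wildcards into a whole-value match, and combines clauses with uppercase AND and OR. Its handling of object arrays mirrors how Elasticsearch treats them when they are not mapped as nested; whether the product maps extracts as nested is not stated on this page, so treat that as an assumption.

```python
import re

# Constructed sample entity, shaped after the JSON paths on this page.
# It is not a real Intelligence Center record.
SAMPLE_ENTITY = {
    "data": {"types": [{"value": "IP Watchlist"}]},
    "extracts": [
        {"kind": "ipv4", "value": "198.51.100.7",
         "meta": {"classification": "bad", "confidence": "high", "blacklisted": False}},
        {"kind": "domain", "value": "example.net",
         "meta": {"classification": "unknown", "confidence": "low", "blacklisted": False}},
    ],
    "enrichment_extracts": [
        {"kind": "domain", "value": "example.org",
         "meta": {"classification": "high", "confidence": "medium", "blacklisted": True}},
    ],
}


def resolve(obj, path):
    """Yield every value reachable through a dotted JSON path.  Lists are
    walked element by element, so 'extracts.kind' yields the kind of every
    extract and one entity can contribute several candidate values."""
    if path == "":
        yield obj
        return
    if isinstance(obj, list):
        for item in obj:
            yield from resolve(item, path)
        return
    head, _, rest = path.partition(".")
    if isinstance(obj, dict) and head in obj:
        yield from resolve(obj[head], rest)


def wildcard_to_regex(term):
    """Convert a term with * and ? wildcards into a regex; a backslash makes
    the next character literal.  Everything else is escaped so that the '.'
    in an IP address or domain name stays a literal dot."""
    out, i = [], 0
    while i < len(term):
        ch = term[i]
        if ch == "\\" and i + 1 < len(term):
            out.append(re.escape(term[i + 1]))
            i += 2
            continue
        out.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
        i += 1
    return "".join(out)


def as_text(value):
    """Render a JSON scalar the way it is typed in a query (true/false for booleans)."""
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value)


def clause_matches(entity, clause):
    """Evaluate one 'json.path:term' clause.  Quoted terms keep their spaces;
    the term must match the whole field value."""
    path, sep, term = clause.partition(":")
    if not sep:
        raise ValueError(f"clause has no ':' separator: {clause!r}")
    pattern = re.compile(wildcard_to_regex(term.strip().strip('"')))
    return any(pattern.fullmatch(as_text(v)) for v in resolve(entity, path.strip()))


def query_matches(entity, query):
    """Evaluate clauses joined with uppercase AND / OR; AND binds tighter.
    Each clause is checked independently over the entity's lists, so
    'extracts.kind:ipv4 AND extracts.meta.classification:unknown' is true
    when one extract is ipv4 and a different extract is 'unknown'.  This
    is how Elasticsearch treats object arrays that are not mapped as
    nested (assumption of this toy evaluator, see the lead-in)."""
    for disjunct in re.split(r"\s+OR\s+", query.strip()):
        if all(clause_matches(entity, c) for c in re.split(r"\s+AND\s+", disjunct)):
            return True
    return False


if __name__ == "__main__":
    for q in ['data.types.value:"IP Watchlist"',
              "enrichment_extracts.kind:domain AND enrichment_extracts.meta.classification:high",
              "extracts.value:198.51.100.*",
              "extracts.kind:ipv4 AND extracts.meta.classification:unknown"]:
        print(f"{q!r}: {query_matches(SAMPLE_ENTITY, q)}")
```

The last query in the demo is the one to remember: both clauses are satisfied, but by different extracts. If you need "an ipv4 extract that is classified unknown" rather than "an ipv4 extract and an unknown extract somewhere on the entity", check the matching extract's fields together after the search returns, or confirm with Customer Support how the field is mapped.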