Search for entities

Use the search field to look for entities using literals, Boolean operators, and wildcards.


You can find the search field in the side navigation bar: hover over the search icon to run a quick search, or click it to run an advanced search.

  • Quick search: hover over the search icon , and enter a search query.
    Press ENTER or click the search icon to run the search.

  • Advanced search: click the search icon , and enter a search query.
    Press ENTER or click the search icon to run the search.

Searches you run through this search field are executed Intelligence Center-wide:
they return matching entities regardless of the source the entities came from.


Search cheatsheet

To open a cheatsheet with example searches by entity type and by filter, and with help on the search syntax:

  1. In the side navigation bar click the search icon .

  2. In the Search view, click Help next to the search icon. Thematic drop-down tabs display common search queries:

  • Filters: examples of quick search filters.

  • Help: examples of Boolean, wildcards, and tag search usage.

  • Entities: examples of searchable entity types.


About wildcards

  • Currently supported wildcards: * (any number of characters) and ? (exactly one character).

  • Escape character: \ (prefix a wildcard or any other reserved character with \ to match it literally).

  • Avoid starting a query term with * or ?: a leading wildcard may result in an extremely slow-running query.
    Also keep this in mind when a search string is built from user input or a feed, as an unchecked value such as "*" has the same effect.

Search and rules match literal values and regex patterns against the values stored at the corresponding JSON path fields.


About complex searches

Besides full text search, you can use Boolean operators (AND, OR, NOT) and wildcards.
You can combine these filtering options with quick filters to create more refined searches.

Use Boolean operators to combine multiple quick filters into a more complex search query.

Example:
enrichment_extracts.kind:domain AND enrichment_extracts.meta.classification:high

For more information, see Search for enrichment observables.
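The following is an added example, not code from the EclecticIQ documentation or product, showing how to build the kind of query above from values you do not control (a form field, a URL parameter, an ingested feed). It assumes only the syntax this page describes: field:value terms, AND / OR / NOT, the * and ? wildcards and backslash escaping, which is the Lucene query_string syntax also accepted in Kibana Discover. Every special character in a value is escaped, so a value such as "high OR kind:ip" stays one literal instead of rewriting the query, and a leading wildcard is refused for the reason given under About wildcards. Field names other than the page's own enrichment_extracts.* fields, and all sample values, are constructed.

```python
"""Build Intelligence Center search queries from untrusted values.

Added example; this is not code from the EclecticIQ documentation or
product. It assumes only the syntax described on the page: field:value
terms, AND / OR / NOT, the * and ? wildcards and backslash escaping
(Lucene query_string syntax). Field names other than the page's own
enrichment_extracts.* fields and all sample values are constructed.
"""
import re

# Characters the Lucene query parser treats as syntax. Any of them inside a
# value taken from a form field, URL parameter or feed must be escaped,
# otherwise the value can rewrite the query (e.g. "high OR kind:ip").
SPECIAL = set('+-=&|><!(){}[]^"~*?:\\/ ')

# Field names are dotted identifiers (enrichment_extracts.meta.classification).
FIELD_RE = re.compile(r'^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$')


def _field(name: str) -> str:
    """Reject anything that is not a plain dotted field name."""
    if not FIELD_RE.match(name):
        raise ValueError(f'invalid field name: {name!r}')
    return name


def _escape(value: str, keep: str = '') -> str:
    """Backslash-escape every special character except those listed in keep."""
    return ''.join('\\' + c if c in SPECIAL and c not in keep else c
                   for c in value)


def literal(field: str, value: str) -> str:
    """field:value where the value is matched exactly: operators, colons,
    wildcards and whitespace inside it are all escaped."""
    return f'{_field(field)}:{_escape(value)}'


def wildcard(field: str, pattern: str) -> str:
    """field:pattern where * and ? stay wildcards and everything else is
    escaped. A leading wildcard is refused: the page warns that it makes
    the query extremely slow, and a search box that forwards "*" or "*foo"
    unchecked is the usual way that happens."""
    if not pattern or pattern[0] in '*?':
        raise ValueError('pattern must not start with * or ?')
    return f'{_field(field)}:{_escape(pattern, keep="*?")}'


def in_range(field: str, low: str, high: str) -> str:
    """Inclusive range term field:[low TO high], as accepted in Kibana Discover."""
    return f'{_field(field)}:[{_escape(low)} TO {_escape(high)}]'


def all_of(*clauses: str) -> str:
    return ' AND '.join(clauses)


def any_of(*clauses: str) -> str:
    return ' OR '.join(clauses)


def none_of(clause: str) -> str:
    return f'NOT {clause}'


def group(clause: str) -> str:
    """Parenthesise a compound clause before nesting it in another one."""
    return f'({clause})'


def high_classification_query(kind: str, classification: str) -> str:
    """The page's own example, built from two values that may be untrusted."""
    return all_of(literal('enrichment_extracts.kind', kind),
                  literal('enrichment_extracts.meta.classification', classification))


if __name__ == '__main__':
    print(high_classification_query('domain', 'high'))
    # A value that tries to smuggle an OR clause is escaped into a plain term.
    print(high_classification_query('domain', 'high OR kind:ip'))
    # Constructed compound query: a wildcard term OR a grouped AND/NOT clause.
    print(any_of(wildcard('enrichment_extracts.value', 'evil-*.example.com'),
                 group(all_of(literal('enrichment_extracts.kind', 'ipv4'),
                              none_of(literal('enrichment_extracts.meta.classification', 'low'))))))
```

The escaping follows the page's own rule (a backslash before a reserved character makes it literal); the field-name check is the second half of the same defence, because a caller that lets the user pick the field can otherwise be handed an operator or a parenthesis there instead.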


Search by index fields

For reference, in Kibana you can look up the list of available Elasticsearch index fields.
Kibana exposes the raw index data, so restrict access to it as you would to any other administrative interface.

  1. To open Kibana, append /private/kibana/app/kibana# to the Intelligence Center base URL.
    Example: https://${platform_host}/private/kibana/app/kibana#

  2. In the side navigation bar click Management.

  3. Under the Kibana category, click Index Patterns.

  4. In the Index Patterns view, on the index list under Create index pattern, click stix*.

  5. The resulting view lists all fields in the indices matching stix*, along with additional information such as field type and searchability, as recorded in Elasticsearch.

  6. Use the Filter input field to look for specific index fields.

If the index pattern list is empty, no index patterns have been defined in Kibana yet.
Define index patterns as necessary before continuing.

[Figure: kibana-index-stix-fields.png]

After looking up an index field, you can search for specific values or data patterns:

  1. In the side navigation bar click Discover.

  2. From the drop-down menu select the stix* index pattern:

    [Figure: kibana-index-stix-select.png]
  3. In the search input field, you can run queries on index fields by specifying literals, wildcards, ranges, and Boolean operators using the Lucene query syntax.

    [Figure: kibana-index-field-search.png]


Search timeout

By default, Elasticsearch search queries that have not completed are cancelled after 20 seconds.
To set a different search timeout value:

  1. Open the /etc/eclecticiq/platform_settings.py configuration file.

  2. Browse to the ELASTICSEARCH_QUERY_TIMEOUT = '20s' line.

  3. Replace the default value with a custom one, for example ELASTICSEARCH_QUERY_TIMEOUT = '30s'.
    The ELASTICSEARCH_QUERY_TIMEOUT value is a duration whose s suffix means seconds.
    Raising it lets slow queries, such as searches starting with a wildcard, occupy Elasticsearch for longer, so increase it only as far as needed.

  4. Save the configuration file.