About search

Search functionality relies on Elasticsearch indices. When you run a search query, the Intelligence Center searches for matches in the content that has been ingested and indexed until then.

About non-literal searches

Search with Booleans

Besides full text search, you can use Boolean operators and wildcards.
You can combine these filtering options to create more refined searches.

Use Boolean operators to combine multiple quick filters, and to create a more complex search query.

Example:
enrichment_extracts.kind:domain AND enrichment_extracts.meta.classification:high

Search with wildcards

  • Currently supported wildcards: * and ?

  • Escape character: \

  • Avoid starting a wildcard query term with * or ?, as it may result in an extremely slow-running query.

Search and rules use literal values and regex patterns to look for matching values assigned to the corresponding JSON path fields.

Search with regular expressions

The regex syntax this field accepts is the Elasticsearch regular expression syntax.
The main peculiarities of the Elasticsearch DSL query syntax are:

  • Anchors – ^ and $ – are implied at the beginning and at the end of the regex.
    Do not include them in the regex pattern input.

  • If you insert explicit anchor characters in the value input field, they are interpreted as literal values.

  • Escape special characters:

    . ? + | { } [ ] ( ) " \ /

    To escape a special character, prepend a backslash \ to it.
    Example: \{ \}

  • At the moment, Elasticsearch regular expression syntax optional operators are not supported.

Although the regex syntax used in the UI of the Intelligence Center is that of Elasticsearch, the regex syntax used by the Intelligence Center's ingestion engine is Python regex. In the vast majority of cases this does not lead to conflicts, but if your discovery rule is not working the way you want it to, this may be the reason.

Here are two differences that commonly cause problems:

  • Elasticsearch matches the pattern against the whole string, while Python searches everywhere in the string. For example:
    Input: Cert-BUND
    Pattern: ert
    Elasticsearch result: no match
    Python result: match

  • Elasticsearch regex syntax requires you to leave out anchors, whereas Python regex syntax requires you to include them.

If you are experiencing problems in this area, contact Customer Support for help in writing the discovery rule you want.
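The two regex differences above are easy to reproduce locally before a discovery rule is committed. The following added example (not part of this page or of the Intelligence Center product) models only the behaviour the page describes: Elasticsearch implies anchors and treats explicit ^ and $ as literal characters, while Python's re.search matches anywhere. es_escape, es_to_python_pattern, es_regexp_matches, python_regex_matches and compare are names chosen for this example, and the Elasticsearch side is an emulation with Python's re module, not an Elasticsearch query.

```python
import re

# Characters the page lists as needing a backslash escape in an Elasticsearch regex term.
ES_SPECIAL = set('.?+|{}[]()"\\/')


def es_escape(literal: str) -> str:
    """Escape a literal so every character in it is matched literally."""
    return "".join("\\" + ch if ch in ES_SPECIAL else ch for ch in literal)


def es_to_python_pattern(es_pattern: str) -> str:
    """Translate a pattern written in the UI's Elasticsearch syntax into the
    Python pattern the ingestion engine would need for the same behaviour:
    explicit ^ and $ are literal characters in Elasticsearch, and the implied
    anchors are made explicit around the whole expression.
    Only the two differences described on the page are modelled (assumption)."""
    literal_anchors = re.sub(r"(?<!\\)([\^$])", r"\\\1", es_pattern)
    return "^(?:" + literal_anchors + ")$"


def es_regexp_matches(es_pattern: str, value: str) -> bool:
    """Whole-string match, as the Elasticsearch regexp query behaves."""
    return re.search(es_to_python_pattern(es_pattern), value) is not None


def python_regex_matches(py_pattern: str, value: str) -> bool:
    """Match anywhere in the string, as re.search in the ingestion engine behaves."""
    return re.search(py_pattern, value) is not None


def compare(pattern: str, value: str) -> dict:
    """Run the same pattern text under both interpretations."""
    return {
        "elasticsearch": es_regexp_matches(pattern, value),
        "python": python_regex_matches(pattern, value),
    }


if __name__ == "__main__":
    # The page's own example: pattern "ert" against input "Cert-BUND"
    print(compare("ert", "Cert-BUND"))       # {'elasticsearch': False, 'python': True}
    print(compare(".*ert.*", "Cert-BUND"))   # {'elasticsearch': True, 'python': True}
    print(compare("^ert", "ert"))            # {'elasticsearch': False, 'python': True}
    print(es_escape("1.2.3.4"))              # 1\.2\.3\.4
```

The last line is the practical check the escaping bullet asks for: an unescaped dot in an IP-looking pattern also matches "1x2x3x4", while the escaped form only matches the literal address.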

Search in specific JSON fields

You can also specify JSON paths to search for the corresponding values in specific JSON fields of an entity data structure.
To do so, in the search input field enter the JSON path to the field whose value you want to look up, a colon, and the literal or data pattern to look up.

Format:
json.path:${search_string}

Example:
data.types.value:"IP Watchlist"
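To make the three pieces above concrete (Boolean operators, * and ? wildcards with backslash escaping, and json.path:value field selection), here is an added example that evaluates such queries against a single in-memory entity. It is not the Intelligence Center's search code and does not talk to Elasticsearch; ENTITY is a constructed sample whose nesting is hypothetical and only mirrors the dotted paths quoted on this page, and values_at, term_to_regex, clause_matches, matches and leading_wildcard_terms are names chosen here. It assumes AND binds tighter than OR and supports no parentheses or NOT.

```python
import re
from typing import Any, Iterator

# Constructed sample entity (hypothetical structure; field names follow the page's paths).
ENTITY = {
    "data": {"types": [{"value": "IP Watchlist"}]},
    "extracts": [
        {"kind": "ipv4", "value": "203.0.113.10",
         "meta": {"classification": "bad", "confidence": "high", "blacklisted": False}},
        {"kind": "domain", "value": "example.test",
         "meta": {"classification": "unknown", "confidence": "low", "blacklisted": False}},
    ],
    "enrichment_extracts": [
        {"kind": "domain", "value": "cdn.example.test",
         "meta": {"classification": "bad", "confidence": "high", "blacklisted": True}},
    ],
}


def values_at(obj: Any, path: list) -> Iterator[Any]:
    """Yield every value reachable along a dotted JSON path, descending into lists
    so that extracts.kind sees the kind of each extract."""
    if isinstance(obj, list):
        for item in obj:
            yield from values_at(item, path)
        return
    if not path:
        yield obj
        return
    if isinstance(obj, dict) and path[0] in obj:
        yield from values_at(obj[path[0]], path[1:])


def as_indexed_text(value: Any) -> str:
    """Booleans compare as the lowercase literals true/false used in the examples."""
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value)


def term_to_regex(term: str) -> "re.Pattern":
    """Turn a search term into a regex: * and ? are wildcards, a backslash escapes
    the next character, everything else is literal."""
    parts, i = [], 0
    while i < len(term):
        ch = term[i]
        if ch == "\\" and i + 1 < len(term):
            parts.append(re.escape(term[i + 1]))
            i += 2
            continue
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
        i += 1
    return re.compile("".join(parts), re.DOTALL)


def clause_matches(entity: dict, clause: str) -> bool:
    """Evaluate one json.path:term clause; a double-quoted term is taken literally."""
    path, sep, term = clause.partition(":")
    if not sep:
        raise ValueError(f"clause has no field path: {clause!r}")
    if len(term) >= 2 and term[0] == term[-1] == '"':
        pattern = re.compile(re.escape(term[1:-1]))
    else:
        pattern = term_to_regex(term)
    return any(pattern.fullmatch(as_indexed_text(v)) for v in values_at(entity, path.split(".")))


def matches(entity: dict, query: str) -> bool:
    """Boolean query: AND binds tighter than OR; no parentheses or NOT (assumption)."""
    return any(all(clause_matches(entity, c.strip()) for c in group.split(" AND "))
               for group in query.split(" OR "))


def leading_wildcard_terms(query: str) -> list:
    """Terms starting with * or ?, which the page warns make queries extremely slow."""
    found = []
    for clause in re.split(r" AND | OR ", query):
        _, _, term = clause.strip().partition(":")
        if term[:1] in ("*", "?"):
            found.append(term)
    return found


if __name__ == "__main__":
    print(matches(ENTITY, 'data.types.value:"IP Watchlist"'))                                   # True
    print(matches(ENTITY, "enrichment_extracts.kind:domain AND enrichment_extracts.meta.confidence:high"))  # True
    print(matches(ENTITY, "extracts.kind:ipv?"))                                                # True
    print(leading_wildcard_terms("extracts.kind:*v4"))                                          # ['*v4']
```

The escaping rule is worth checking with a real value: the term ipv\? matches nothing here because the backslash turns ? back into a literal question mark, while ipv? matches ipv4.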

Search for observable properties

For example, the following JSON paths point to JSON fields holding observable values:

Field | Description | Example
--- | --- | ---
extracts.kind | Search for a specific observable type. | extracts.kind:ipv4
extracts.meta.classification | Search for observables based on maliciousness classification: good, bad, unknown | extracts.meta.classification:bad
extracts.meta.confidence | Search for observables based on source reliability: high, medium, low | extracts.meta.confidence:high
extracts.meta.blacklisted | Search for observables based on blacklist status: true, false | extracts.meta.blacklisted:false
enrichment_extracts.kind | Search for a specific enrichment observable type. | enrichment_extracts.kind:ipv4
enrichment_extracts.meta.classification | Search for enrichment observables based on maliciousness classification: good, bad, unknown | enrichment_extracts.meta.classification:unknown
enrichment_extracts.meta.confidence | Search for enrichment observables based on source reliability: high, medium, low | enrichment_extracts.meta.confidence:medium
enrichment_extracts.meta.blacklisted | Search for enrichment observables based on blacklist status: true, false | enrichment_extracts.meta.blacklisted:true