About search#
Searching in EclecticIQ Intelligence Center returns entities and observables from the data that has been ingested.
When searching entities or observables, you can use a regular search query, which supports the search syntax and the ways of searching described below.
When searching entities, you also have the option of using a relational query, which returns entities that have the types of relationships you choose to other entities or observables.
Tip
A regular search queries your instance’s Elasticsearch® indices, whereas a relational query queries the EclecticIQ Intelligence Center database instead.
Limitations#
Searches return at most 10,000 results. If a search would return more than 10,000 results, refine it (for example by adding a field filter or a Boolean clause) so that the results you need fall within that limit.
Search with Booleans#
Besides full-text search, you can use Boolean operators and wildcards, and combine these filtering options to create more refined searches.
Use Boolean operators to combine multiple quick filters and to build a more complex search query.
Example:
enrichment_extracts.kind:domain AND enrichment_extracts.meta.classification:high
Search with wildcards#
Currently supported wildcards: * and ?
Escape character: \
Avoid starting a wildcard query term with * or ?, as it may result in an extremely slow-running query: Elasticsearch has to scan every term in the field before it can find the matches.
Search and rules use literal values and regex patterns to look for matching values assigned to the corresponding JSON path fields.
Search with regular expressions#
The regex syntax this field accepts is the Elasticsearch regular expression syntax.
The main peculiarities of the Elasticsearch regular expression syntax are:
- Anchors (^ and $) are implied at the beginning and at the end of the regex. Do not include them in the pattern: if you type explicit anchor characters in the value input field, they are interpreted as literal characters.
- Special characters ( . ? + | { } [ ] ( ) " \ / ) must be escaped. To escape a special character, prepend a backslash (\) to it. Example: \{ \}
  A value such as 1.2.3.4 therefore has to be written 1\.2\.3\.4 if the dots are meant literally; unescaped, each dot matches any character.
Note
At the moment, the optional operators of the Elasticsearch regular expression syntax (the ones enabled through flags, such as complement, interval and intersection) are not supported.
Note
Although the regex syntax used in the Intelligence Center UI is that of Elasticsearch, the regex syntax used by the EclecticIQ Intelligence Center ingestion engine is Python regex. In the vast majority of cases this does not lead to conflicts, but if a discovery rule is not working the way you expect, this may be the reason.
Two differences commonly cause problems:
- Elasticsearch matches the whole string, while Python matches anywhere in the string. For example, with the input Cert-BUND and the pattern ert, Elasticsearch returns no match, whereas Python matches.
- Elasticsearch regex syntax requires you to leave out the anchors, whereas Python regex syntax requires you to include them (^ and $) to get the same whole-string behaviour.
If you are experiencing problems in this area, contact Customer Support for help in writing the discovery rule you want.
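As an added illustration of the two differences in the note above (example code written for this page, not part of EclecticIQ Intelligence Center or its ingestion engine), the following Python script emulates the anchor-free, whole-string behaviour of the search box with re.fullmatch, the anywhere-in-the-string behaviour of a Python discovery rule with re.search, and shows what escaping the special characters listed above buys you. The emulation runs on Python's re engine, so it is only meaningful for patterns that mean the same thing in both dialects; the function names and the sample inputs are this example's own.

```python
import re

# Characters the Elasticsearch regexp syntax treats as operators: the list given
# on this page, plus * (the repetition operator), which the list omits. A
# backslash in front of any of them makes it match literally.
ES_SPECIAL = set('.?+|{}[]()"\\/*')


def escape_es_regex(literal):
    """Backslash-escape every Elasticsearch regexp operator in a literal value,
    e.g. 1.2.3.4 becomes 1\\.2\\.3\\.4, so the dots no longer match any character."""
    return "".join("\\" + ch if ch in ES_SPECIAL else ch for ch in literal)


def es_regex_match(pattern, value):
    """Emulate how the search box (Elasticsearch regexp) applies a pattern:
    anchors are implied, so the whole value has to match, and a ^ or $ typed by
    the user is just a literal character. Valid only for patterns that mean the
    same in both dialects (no flags-only operators, no lookarounds)."""
    literal_anchors = re.sub(r"(?<!\\)([\^$])", r"\\\1", pattern)
    return re.fullmatch(literal_anchors, value) is not None


def python_regex_match(pattern, value):
    """How a Python-based discovery rule applies the same pattern: re.search
    matches anywhere in the string unless the pattern carries its own anchors."""
    return re.search(pattern, value) is not None


def to_python_rule(es_pattern):
    """Rewrite a pattern that works in the search box so that it behaves the
    same way in a Python rule, by adding the anchors Elasticsearch implies."""
    return "^(?:" + es_pattern + ")$"


if __name__ == "__main__":
    value, pattern = "Cert-BUND", "ert"          # the example from the note above
    print("Elasticsearch:", es_regex_match(pattern, value))                         # False
    print("Python:", python_regex_match(pattern, value))                            # True
    print("Python, anchored:", python_regex_match(to_python_rule(pattern), value))  # False
    print("Unescaped dots:", es_regex_match("1.2.3.4", "1x2x3x4"))                  # True
    print("Escaped dots:", es_regex_match(escape_es_regex("1.2.3.4"), "1x2x3x4"))   # False
```

The practical rule this encodes: a pattern that works in the search box usually needs ^(?:...)$ around it before it behaves the same way in a discovery rule, and a pattern copied from a rule needs its anchors removed before the search box stops treating them as literal characters.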
Search in specific JSON fields#
You can also specify JSON paths to search for the corresponding values in specific JSON fields of an entity data structure.
To do so, in the search input field enter the JSON path to the field whose value you want to look up, a colon, and the literal value or pattern to look up.
Format:
json.path:${search_string}
Example:
data.types.value:"IP Watchlist"
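To make the Boolean, wildcard and JSON-path syntax from the sections above concrete, here is a small in-memory evaluator (example code added for this page, not EclecticIQ Intelligence Center's own implementation and not a substitute for its Elasticsearch-backed search). It resolves dotted JSON paths through arrays the way Elasticsearch flattens arrays of objects, turns * and ? (with the backslash escape) into a regular expression that must match the whole value, combines clauses with AND, and flags leading-wildcard terms. The sample entities are constructed; apart from data.types.value, enrichment_extracts.kind and enrichment_extracts.meta.classification, which appear on this page, every field name and value is an assumption.

```python
import re

# Constructed sample entities, roughly as an ingested entity looks after
# extraction. Only data.types.value, enrichment_extracts.kind and
# enrichment_extracts.meta.classification come from this page; "id", "value"
# and all concrete values are assumptions made for this example.
SAMPLE_ENTITIES = [
    {"id": "ent-1",
     "data": {"types": [{"value": "IP Watchlist"}]},
     "enrichment_extracts": [
         {"kind": "domain", "value": "login-secure.example",
          "meta": {"classification": "high"}},
         {"kind": "ipv4", "value": "203.0.113.7",
          "meta": {"classification": "low"}}]},
    {"id": "ent-2",
     "data": {"types": [{"value": "Malware Artifacts"}]},
     "enrichment_extracts": [
         {"kind": "domain", "value": "cdn.example.org",
          "meta": {"classification": "low"}}]},
    # "domain" and "high" sit on different extracts here; with flattened
    # arrays the entity still matches kind:domain AND classification:high.
    {"id": "ent-3",
     "data": {"types": [{"value": "Indicators - Watchlist"}]},
     "enrichment_extracts": [
         {"kind": "domain", "value": "mirror.example.net",
          "meta": {"classification": "low"}},
         {"kind": "ipv4", "value": "198.51.100.9",
          "meta": {"classification": "high"}}]},
]

# One clause: a dotted JSON path, a colon, then a quoted or a bare term.
CLAUSE_RE = re.compile(r'([\w.]+):(?:"([^"]*)"|(\S+))')


def json_path_values(obj, path):
    """Yield every value found at a dotted JSON path, descending through lists
    the way Elasticsearch flattens arrays of objects (unless mapped as nested)."""
    if isinstance(obj, list):
        for item in obj:
            yield from json_path_values(item, path)
    elif not path:
        yield obj
    elif isinstance(obj, dict):
        head, _, rest = path.partition(".")
        if head in obj:
            yield from json_path_values(obj[head], rest)


def wildcard_to_regex(term):
    """Translate a term using the supported wildcards (* for any run of
    characters, ? for exactly one) and the backslash escape into a Python
    regex; the caller applies it with fullmatch, i.e. to the whole value."""
    out, i = [], 0
    while i < len(term):
        ch = term[i]
        if ch == "\\" and i + 1 < len(term):   # \* or \? is the literal character
            out.append(re.escape(term[i + 1]))
            i += 2
            continue
        out.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
        i += 1
    return "".join(out)


def parse_query(query):
    """Split 'path:term AND path:"quoted term"' into (path, term) clauses.
    Only AND is modelled here."""
    clauses = []
    for part in re.split(r"\s+AND\s+", query.strip()):
        match = CLAUSE_RE.fullmatch(part)
        if match is None:
            raise ValueError(f"cannot parse clause {part!r}")
        path, quoted, bare = match.groups()
        clauses.append((path, quoted if quoted is not None else bare))
    return clauses


def leading_wildcard_terms(query):
    """Return the terms that start with * or ?; the page warns these can make a
    query extremely slow, because every term in the field has to be scanned."""
    return [term for _, term in parse_query(query) if term[:1] in ("*", "?")]


def search(entities, query):
    """Return the ids of the entities for which every clause matches at least
    one value at its JSON path (whole-value, case-sensitive match)."""
    compiled = [(path, re.compile(wildcard_to_regex(term)))
                for path, term in parse_query(query)]
    return [entity["id"] for entity in entities
            if all(any(regex.fullmatch(str(value)) is not None
                       for value in json_path_values(entity, path))
                   for path, regex in compiled)]


if __name__ == "__main__":
    boolean = ("enrichment_extracts.kind:domain AND "
               "enrichment_extracts.meta.classification:high")
    print(search(SAMPLE_ENTITIES, boolean))                            # ['ent-1', 'ent-3']
    print(search(SAMPLE_ENTITIES, 'data.types.value:"IP Watchlist"'))  # ['ent-1']
    slow = "enrichment_extracts.value:*.example"
    print(leading_wildcard_terms(slow), search(SAMPLE_ENTITIES, slow))  # ['*.example'] ['ent-1']
```

Two things the model makes visible. First, ent-3 matches the Boolean example even though its domain extract is classified low, because arrays of objects are flattened before matching; that is how Elasticsearch behaves unless a field is mapped as nested, and since this page does not say how the Intelligence Center indices are mapped, test cross-field queries on your own instance before relying on them. Second, the model matches whole values case-sensitively, which mirrors the regexp behaviour described above; on analysed text fields real Elasticsearch matches individual tokens, so a bare term may match more than this model suggests.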
Search for observable properties#
For example, the following JSON paths point to JSON fields that hold observable values:

| Field | Description | Example |
|---|---|---|
|  | Search for a specific observable type. |  |
|  | Search for observables based on classification. |  |
|  | Search for observables based on confidence. |  |
|  | Search for observables based on blacklist status. |  |
|  | Search for a specific enrichment observable type. |  |
|  | Search for enrichment observables based on classification. |  |
|  | Search for enrichment observables based on confidence. |  |
|  | Search for enrichment observables based on blacklist status. |  |