Search | About

Searching in EclecticIQ Intelligence Center returns entities and observables from the data that has been ingested.

When searching entities or observables, you can use:

• AI-powered search to turn a natural language question into a machine-readable query.

• Regular Search queries to get results using search syntax.

• Relational queries which returns entities that have the types of relations you choose to other entities or observables.

• Kibana.

• Tokenizations

Tip

Regular search queries your instance’s Elasticsearch indices, whereas a relational query queries your database in ElecticIQ Intelligence Center instead.

Permissions for search

Search results for entities, observables, datasets, and the graph are filtered and made available based on the current user’s set of rights and permissions.

This means that users who have different access rights, and who run identical search queries on the same Intelligence Center instance, can receive different search results.

If a user runs a search query that returns matches, and if the returned results include objects that the current user is not granted access to, they receive a notification message:

Excluded matches

Some matches may be excluded due to access restrictions.

Search results include matches that the current user can access, based on:

• The selected Allowed sources in the group configuration of the group(s) the user belongs to.

• The TLP access level for the specified allowed sources in the group configuration of the group(s) the user belongs to.

• The permissions granted to the role assigned to the user.

Limitations

Searches can only return up to 10,000 results. If your search should return more than 10,000 results, refine your search.

Synching your search database

See Elasticsearch: Sync the search database for more information about synching your search database.