Alerts Advanced Search
Alerts list page allows you to perform basic and advanced search. Select Basic or Advanced options from the dropdown.
Basic Search
Basic search in alerts allows you to filter the alerts based on the categories provided. In addition, you can filter the alerts based on a specified time period.
Advanced Search
Advanced search in alerts allows you to create custom queries to find the alerts that match the specified criteria and also perform a detailed search using the advanced option over the basic search filters.
While performing the advanced search, note the following points:
- All searches are case-insensitive.
- Spaces between elements of a search query are ignored.
- Searching is supported on fields and case parameters.
- You cannot directly search on comments, but a text search finds text in the case and task comments.
- You can search for standard and custom fields.
To access the advanced alerts search:
- Click on Case Management > Alerts on the left navigation.
- Select Advanced from the top drop-down. By default, the Basic search will be available.
The advanced search field validates the query that you enter.
If the query is valid, a green checkmark is shown. If the search syntax isn't valid, a red alert icon is shown.
Following screenshot shows an invalid syntax error with a red alert icon.
Query Structure
A simple advanced query is of the following form:
Example:
alerttype = "default"
More complex queries can be created with the boolean AND or OR operators with parentheses added as needed.
Example:
created = "2021/02/01 09:40" AND alerttype = "default"
Supported Fields
The following fields are supported for advanced alerts search.
| Field | Description |
|---|---|
| Alert ID | The alert ID. |
| Alert Type | The type of alert (Default). |
| Name | The name of the alert. |
| Alert Source | The playbooks that the alert is linked to. |
| Description | The description of the alert. |
| Time of Creation | The time the alert was created. |
Supported Operators
The following operators are supported for advanced search.
| Operator | Description |
|---|---|
| Contains, ~ | Matches if the field contains the indicated text string. Performing this type of search on a phrase is equivalent to an and search on the individual words in the phrase.For example, the search “text ~ "autoalertname" finds the case with the title “autoalertname”. |
| = | Matches the current state of the case: closed, open, or inprogress. |
| =! | Matches if the current state of the case is not the specified value. |
| >, <, >=, <= | Matches if the indicated comparison is valid. Applies only to the created field (date field). |
| AND | Applies the boolean AND operation. |
| OR | Applies the boolean OR operation. |
Additional Example
The following search finds the alert type, name, and description with the text that contains the words.
alerttype = "detections-alert" AND (name = "delete-10" OR description = "Found delete event from 1.2.4.3 ip")
Updated about 1 year ago