AlienVault® USM Anywhere™

Searching Alarms by Using the Search Field

Use the search field to enter your queries and refine your search. You can enter free text, use wildcards, and use advanced search syntax. When searching, keep in mind the information in this table:

Accepted Query String Syntax
Type of Query Meaning Example
Standard query with a blank space between terms By default, a space between query terms is considered an implicit “OR”. blacklist malicious
Literal, using double quotes Matches entries that contains the exact terms. "blacklist malicious"
Boolean operators, using parentheses They are AND, OR, and NOT. Parentheses can be used to group terms for precedence. Parentheses are also used to designate subsearches.

(http OR tcp) AND ftp

Wildcards, asterisk (*) Matches any number of characters. You can use the asterisk (*) anywhere in a character string. instance*
Wildcards, question mark (?) Matches a single letter in a specific position. qu?ck
Regexp, using /expression/ Regular expression inside forward slash characters. A dialog box opens to confirm the search. /Describe.*Instances/
pulse:ID Pulses are collections of IOCs. You need to insert the word pulse followed by a colon and the pulse pulse:59432536c1970e343ce61bf0

Note: It is not possible to use the wildcards * and ? at the beginning of a term.

Any characters may be used in a query, but certain characters are reserved and must be escaped. The reserved characters are these:

+ - = & | > < ! { } [ ] ^ " ~ : \ /

Use a backslash (for example, "\>") to escape any reserved character (including a backslash).

Note: The characters ", *, ?, (, and ) are special characters included in expressions. If you want to search by these characters, you need to manually escape them by preceding them with a backslash.

To search Alarms using the search field

  1. Enter your query in the search field.
  2. If you want to search for an exact phrase having two or more words, you need to put quotation marks around the words in the phrase.

    Note: Keep in mind that wildcard characters are considered as literals.

  3. Click the icon.
  4. The result of your search displays with the items identified.

Searching Alarms by Using the Pulse ID

You can use the search field to search alarms by pulse identification (ID). Pulses are collections of IOCs, reported by the AT&T Alien Labs™ Open Threat Exchange® OTX™ community, on which other community members review and comment. Pulses provide you with a summary of the threat, a view into the software targeted, and the related IOCs, reported by the OTX community worldwide. See Open Threat Exchange® and USM Anywhere for more information.

To search alarms by using the pulse ID

  1. Go to Activity > Alarms.
  2. Enter your query in the Enter search field. Either paste the full URL or insert the word pulse followed by a colon and the pulse. For example, enter: https://otx.alienvault.com/pulse/59432536c1970e343ce61bf0 or pulse:59432536c1970e343ce61bf0.
  3. Click the icon.
  4. The query submission dialog box opens.

    Search events by pulse ID

  5. Click Accept to continue.
  6. The result of your search displays with the items identified. This result matches entries containing IOCs in your environment.