Use the search field to enter queries and refine your search. You can enter free text, use wildcards, and use advanced search syntax. When searching, keep in mind the accepted query string syntax list in this table:
Type of Query | Meaning | Example |
---|---|---|
Standard query with a blank space between terms | By default, a space between query terms is considered an implicit “OR”. | blacklist malicious |
Literal, using double quotes |
Matches entries that contain the same exact terms. Note: IP addresses and FQDNs are considered literal searches, so they don't require quotation marks. |
"blacklist malicious" |
Boolean operators, using parentheses | They are AND, OR, and NOT. Parentheses can be used to group terms for precedence. Parentheses are also used to designate subsearches. |
(http OR tcp) AND ftp |
Wildcards, asterisk (*) |
Matches any number of characters. Cannot be used at the beginning of a search query. |
instance* |
Wildcards, question mark (?) |
Matches a single letter in a specific position. Cannot be use at the beginning of a search query. |
qu?ck |
Regexp, using /expression/ |
Regular expression inside forward slash characters. A dialog box opens to confirm the search. Note: The characters ", *, ?, (, and ) are special characters included in expressions. If you want to search by these characters, you need to manually escape them by preceding them with a backslash. |
/Describe.*Instances/ |
pulse:ID | Pulses are collections of IOCs. You need to insert the word pulse followed by a colon and the pulse | pulse:59432536c1970e343ce61bf0 |
Any characters may be used in a query, but certain characters are reserved and must be escaped. The reserved characters are these:
+ - = & | > < ! { } [ ] ^ " ~ : \ /
Use a backslash (for example, "\>") to escape any reserved character (including a backslash).
To search for
- Go to Activity > Events.
- Enter your query in the search field.
- Click the
icon .
If you want to search for an exact phrase having two or more words, you need to put quotation marks around the words in the phrase. This includes email addresses (for example, "bob@mycompany.com").
Important: The indexed fields are Event Name, Raw Log, Rep Device Asset ID, Source Asset ID, and Destination Asset ID.
Note: Wildcard characters are considered as literals.
The result of your search displays with the items identified.
Example: Search for IP Addresses in a Network with Regex
You can use regular expressions (regex) to broaden your search in a number of ways. See Using Regular Expressions in USM Anywhere for more information. One of the most common applications for regex in a search is to search for an IP address range in a network.
As an example, to search for hosts in the 25. network range, enter the following regex into the search field:
/25.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}/
Here is a more detailed anatomy of this example:
-
/ ... /: The regex search is indicated by the expression contents being contained between forward slashes.
- 25.: Indicates the network range being searched.
- [0-9]: This set of brackets in the expression is a variable number range.
- {1,3} The numbers in this set of braces indicates that the search will look for any pattern using the preceding number range a minimum 1 time, to a maximum 3 times.
- [0-9]{1,3}Because an IPv4 address consists of 4 sets of numbers, from 0–255, separated by periods, the
[0-9]{1,3}
part of this regular expression is used to include any possible number from that range.
Note: Because the search field does not search all fields in an event, the results will be limited to IP addresses in the Event Name, Raw Log, Rep Device Asset ID, Source Asset ID, and Destination Asset ID fields.
Searching Events by Using the Pulse ID
You can use the search field to search
To search
- Go to Activity > Events.
- Enter your query in the Enter search field. Either paste the full URL or insert the word pulse followed by a colon and the pulse. For example, enter: https://otx.alienvault.com/pulse/59432536c1970e343ce61bf0 or pulse:59432536c1970e343ce61bf0.
- Click the
icon.
- The query submission dialog box opens.
- Click Confirm to continue.
The result of your search displays with the items identified. This result matches entries containing IOCs in your environment.