Searching Events by Using the Search Field

Use the search field to enter queries and refine your search. You can enter free text, use wildcards, and use advanced search syntax. When searching, keep in mind the accepted query string syntax list in this table.

Accepted Query String Syntax
Type of Query Meaning Example
Standard query with a blank space between terms By default, a space between query terms is considered an implicit “OR”. denylist malicious

Literal, using double quotes

" "

Matches fields that contain the full term. Literal searches are case-sensitive.

Note: This type of query will not match any searches in the raw log because raw logs are tokenized.

Note: IP addresses and FQDNs are considered literal searches, so they don't require quotation marks.

"Event from asset not received"

Boolean operators or using parentheses

AND, OR, NOT, ( )

Including AND or OR between two search terms will search for results that match both of those terms.

Including NOT between two search terms will exclude results that match the second term, even though they otherwise match your query.

Parentheses can be used to group terms for higher precedence relative to the rest of your query. Parentheses are also used to designate subsearches.

(http OR tcp) AND ftp

Wildcards, asterisk

*

Appending an asterisk to the end of a term within your query will search for results that begin with your search term.

An asterisk cannot be used at the beginning of a search query.

instance*

Wildcards, question mark

?

Embedding a question mark in the middle of a term will search for results that otherwise match your query, no matter the value in the position held by the question mark in your search term.

A question mark cannot be used at the beginning of a search query.

qu?ck
Regular expression (regex), using /expression/

Regular expression inside forward slash characters. A dialog box opens to confirm the search.

Note: The characters ", *, ?, (, and ) are special characters included in expressions. If you want to search by these characters, you need to manually escape them by preceding them with a backslash.

/Describe.*Instances/
OTX pulse Pulses are collections of Indicators of Compromise (IOCs). You need to insert the word pulse followed by a colon and the pulse ID or URL. pulse:59432536c1970e343ce61bf0

Any characters may be used in a query, but certain characters are reserved and must be escaped. The reserved characters are these:

+ - = & | > < ! { } [ ] ^ " ~ : \ /

Use a backslash (for example, "\>") to escape any reserved character (including a backslash).

To search for Events using the search field

  1. Go to Activity > Events.
  2. Enter your query in the search field.
  3. If you want to search for an exact phrase having two or more words, you need to put quotation marks around the words in the phrase. This includes email addresses (for example, "bob@mycompany.com").

    Important: The indexed fields are Event Name, Raw Log, Rep Device Asset ID, Source Asset ID, and Destination Asset ID.

    Note: Wildcard characters are considered as literal characters.

  4. Click the icon.

Events Search Field

The result of your search displays with the identified matches.

Example: Using Search Queries

In this example, we have an event named Process Create with a message raw log that states Process Create operation has been executed on this instance. The following table shows different search query examples and their behavior based on these circumstances.

Search Query Examples
Search Example Search Match Explanation
"Process Create" Yes

Using double quotes will perform a case-sensitive search that will look for the exact string across any keyword field. There will only be a match if "Process Create" appears exactly in a keyword field. "Process Create" appears exactly in the Event Name, so there will be a match.

Since the message raw log is tokenized and positional term data is not kept, it will not match this search.

"process create"

No

Using double quotes will perform a case-sensitive search that will look for the exact string across any keyword field. There will only be a match if "process create" appears exactly in a keyword field. In this case, "process create" does not exist in a keyword field, so there will not be a match.

Process Create
and
process create

Yes

Searching either of these without quotes will tokenize the input query string. It will perform a case-insensitive search for any document that contains "Process", "process", "Create", or "create" in any order. In this case, there will be a match.

/Process Create/

No This will not match any result because regex are only used against the raw log value. Since it is tokenized based on the different words, this search will not match "Process" or "Create".

/Pro.*/

Yes This will match against the log because "Process" in the raw log matches the expression.

Example: Using Regex to Search for IP Addresses in a Network

You can use regex to broaden your search in a number of ways. See Using Regular Expressions in USM Anywhere for more information. One of the most common applications for regex in a search is to search for an IP address range in a network.

As an example, to search for hosts in the 25. network range, enter the following regex into the search field:

/25.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}/

Here is a more detailed anatomy of this example:

  • / ... /: The regex search is indicated by the expression contents being contained between forward slashes.

  • 25.: Indicates the network range being searched.
  • [0-9]: This set of brackets in the expression is a variable number range.
  • {1,3}: The numbers in this set of braces indicates that the search will look for any pattern using the preceding number range a minimum one time, to a maximum three times.
  • [0-9]{1,3}:Because an IPv4 address consists of four sets of numbers, from 0-255, separated by periods, the [0-9]{1,3} part of this regular expression is used to include any possible number from that range.

Searching Events by Using the Pulse ID

You can use the search field to search events by pulse identification (ID). Pulses are collections of IOCs, reported by the AT&T Alien Labs™ Open Threat Exchange® OTX™ community, on which other community members review and comment. Pulses provide you with a summary of the threat, a view into the software targeted, and the related IOCs, reported by the OTX community worldwide. See Open Threat Exchange® and USM Anywhere for more information.

To search events by using the pulse ID

  1. Go to Activity > Events.
  2. Enter your query in the Enter search field. Either paste the full URL or insert the word pulse followed by a colon and the pulse. For example, enter: https://otx.alienvault.com/pulse/59432536c1970e343ce61bf0 or pulse:59432536c1970e343ce61bf0.
  3. Click the icon.
  4. The Query Submission dialog box opens.

    Search events by pulse ID

  5. Click Confirm to continue.
  6. The result of your search displays with the items identified. This result matches entries containing IOCs in your environment.