¶ Overview
Search allows users to quickly find interesting clusters and thoroughly investigate the underlying data. This functionality allows users to build powerful, no-code queries, based on the different entities and attributes of alert clusters.
For example, a query could return all clusters which contain a certain hostname (supporting forensic analysis), or return all clusters with a specific MITRE ATT&CK® threat type (supporting proactive hunting).
This page explains how to use Basic Search. More complex searches can be carried out using Advanced Search.
¶ The Search Bar
A basic search in SOC.OS can be built using Search 'chips' located in the search bar at the top of the Workbench. The search bar is split into Criteria chips on the left, and Time and Sorting criteria on the right.
Using more search criteria will reduce the number of results as it will be added to the search as a logical AND. If the number of search criteria exceeds the space in the search bar, expand the search bar with the VIEW ALL button which appears:
Once the search has been built or amended, the SEARCH button changes colour and text to UPDATE to indicate the results do not reflect the populated criteria, and must be clicked to carry out the search:
Once the criteria are reflected in the results, the button reverts to REFRESH, which will repeat the search returning current data:
¶ Search Chips
A search query is built using individual chips to represent each field. These can be added, removed and amended to reflect the most common search needs. Search chips are populated either by check boxes for known/limited options such as Assignee or Status, or text based for wider criteria such as Alert Type or Cluster Title. Each search chip will reflect the criteria as populated.
Not all queries can be displayed in the basic mode. Changes made to a query in advanced mode, might not be able to convert to a basic query.
Where a search can not be represented by the basic chip format, the search bar will default to advanced search.
¶ Chip Types
To populate or edit criteria in a search chip, click on the chip to open a pop up window.
Chips are populated either by:
- Check box
- Text matching
- Numeric search
- Kind:Value pairs
¶ Check box
Populated either by radio buttons for single option:
or check boxes where single or multiple options. For extended lists of options - e.g. Tags - there is the option to perform a text search to quickly locate the required option:
¶ Text matching
Enter text to search for matching full search term (see advanced mode for more complex text matching)
¶ Numeric search
e.g. exact number match, > , >=, <. <=, 3 to 4
¶ Kind:Value pairs
e.g. for Entity Attributes. Optionally restricted to a specific Kind, or for a Value across any Kind
(see advanced mode for more complex text matching)
¶ Add and amend chips
Press the ADD button to include this in the search bar:
For any further amendments to a chip, such as Removing, Disabling & Excluding, ensure changes are commited to the search bar with the UPDATE button:
Remember to hit
UPDATEin the search bar to carry out the search with the new criteria.
¶ Remove chips
To remove search criteria, either click the x on a search chip, or by Remove Parameter in the chip pop-up:
Remember to hit
UPDATEin the search bar to carry out the search with the new criteria.
¶ Temporarily disable criteria
To temporarily remove search criteria, click the slider in the chip pop-up. This allows quick comparison of the effect of adding and removing search criteria without rebuilding the search each time. Disabled criteria will show in the chip grayed out and struck-through.
Remember to hit
UPDATEin the search bar to carry out the search with the new criteria.
¶ NOT search
Exclude results from the search by activating the Exclude from results slider. This sets the entire chip to a NOT criteria. NOT criteria are shown with a red NOT chip in the search bar.
Remember to hit
UPDATEin the search bar to carry out the search with the new criteria.
¶ OR search (multiple criteria)
To perform an OR search on criteria with multiple check box options, select multiple criteria to match the field.
For text based and more advanced OR searches, convert to advanced search
Remember to hit
UPDATEin the search bar to carry out the search with the new criteria.
¶ Clear search
To reset to a blank search at any time, select the X alongside the SEARCH / UPDATE / REFRESH button:
¶ Date and Time
By default the search returns all cluster modified in the previous seven days (to the nearest hour):
To amend the Start and End of the search period, click on the respective side of the -> arrow.
Date/Time searches can be performed either relative to the current time or for absolute values, and in relation to either the date the lcuster was last modified, or created. These are by default rounded to the nearest hour. This can be turned off for more granular control.
See also Date Terms for advanced time searches.
¶ Sorting & Ordering Results
The Sort chip can be used to order results by various fields as below:
By default, the search will be returned in descending score order.
See also the Order by Statement in Advanced Search.
¶ List of Search Chips
See also Available Fields.
| Chip | Type | Description |
|---|---|---|
Alert Status |
Single Option | Find clusters by Status of alerts (Actioned/Unactioned/Unknown) |
Alert Attribute |
Kind:Value pair | Find Enrichments and other attributes on alerts in cluster |
Alert Count |
Numeric | The number of alerts within the cluster (approximately) |
Alert Type |
Text | The Alert Type |
Alert Type Count |
Numeric | The number of alert types within the cluster |
Assignee |
Multiple Check box | The name of the user assigned to the cluster |
Entity |
Kind:Value pair | The entity kind such as "ipV4" or "hostname" : The entity value, such as ip address or hostname |
Entity Attribute |
Kind:Value pair | The entity attribute eg Tag or Enrichment type : The attribute value |
Entity Count |
Numeric | The number of entities within the cluster (approximately) |
External Entity Count |
Numeric | The number of internal entities within the cluster (approximately) |
Internal Entity Count |
Numeric | The number of external entities within the cluster (approximately) |
Priority |
Multiple Check box | The priority of the cluster (Not set, P1, P2, P3 or P4) |
Score |
Numeric | The cluster score |
Source Count |
Numeric | Number of Source systems in cluster |
Source |
Multiple Check box | The source systems contained with the cluster |
Status |
Multiple Check box | The cluster status |
Tags |
Multiple Check box (with search) | Any tags, in the form of 'kind:value' that are associated with a cluster |
Title |
Text | The title of the cluster |
Threat Type |
Multiple Check box (with search) | The name of the MITRE threat type for this alert Also shows number of clusters matching each |
¶ Saved Searches
Useful search queries can be saved for re-use and shared with other users. This applies to both basic and Advanced Search cluster queries.
¶ Saving a query
Queries can be saved by toggling the star button on the right-hand side of the search bar:
This will open the Save Search form where the title and location of the query can be set.
The query location specifies who has access to the query. The available options are:
- User - this query will only be visible to the current user.
- Team - this query will be visible to all users within the organisation.
Once the fields have been set, the query can be saved using the Save button.
¶ Loading a query
An existing query can be loaded by selecting the dropdown arrow on the left of the search bar:
This will open the Saved Queries form with a list of user-specific and team queries:
A saved search can be loaded by selecting the corresponding table row. This will cause the search bar to be populated and the search can then be run as normal using the UPDATE button.
¶ Renaming a query
Saved queries can be renamed via the Saved Queries form. Select the vertical ellipsis menu to the right of the query to access a context menu containing available actions.
Select the Rename option and update the name of the query. Changes can be saved using the APPLY CHANGES button.
¶ Deleting a query
Saved queries can be deleted via the Saved Queries form. Select the vertical ellipsis menu to the right of the query to access a context menu containing available actions.
Select the Delete option to remove the query. Changes can be saved using the APPLY CHANGES button.
Deleting a Team query will remove the query for all users in the organisation.
¶ Setting a default query
A default query can be specified via the Saved Queries form. This query will be loaded and run when the Cluster Workbench page is opened. Select the vertical ellipsis menu to the right of the query to access a context menu containing available actions.
Select the Set as default search option. This will cause an orange indicator to be added to the query:
Changes can be saved using the APPLY CHANGES button.